Privacy Policy
Effective date: June 2026 · diyduro.com
This policy explains what personal data DIYDURO collects, why we collect it, how it is stored, and your rights as a user.
1. Data Controller
DiyDuro.com
Website: diyduro.com
Contact: privacy@diyduro.com
2. Data We Collect
| Data | Source | Purpose |
|---|---|---|
| Display name | Provided by you on sign-up or via your Google account | Identify you on leaderboards and event results |
| Email address | Provided by you or via Google Sign-In | Authentication and account recovery |
| Firebase Auth UID | Assigned automatically by Firebase on account creation | Link your data across events, segments, and attempts |
| Last seen timestamp | Recorded automatically on each app session | Account activity and dormant account management |
| GPS track points | Collected from your device while you ride a timed stage | Detect stage start and finish, calculate your time |
| Stage times | Derived from GPS data during a timed ride | Populate leaderboards and event results |
| Event membership | Created when you accept an event invitation or join via link | Control access to event stages and results |
We do not collect payment card data, phone numbers, or precise home addresses.
3. Lawful Basis for Processing
| Data | Lawful basis |
|---|---|
| Account data (display name, email, UID) | Contract — necessary to provide the account and authentication service you have requested |
| GPS track points and stage times | Legitimate Interests — required to deliver the core timing service; our interest in providing accurate, verified stage times is not overridden by your interests given the sporting context and the notice provided at join time |
| Last seen timestamp, event membership | Legitimate Interests — necessary for service operation, account management, and event access control |
4. How We Use Your Data
- Authenticate you and maintain your account session
- Detect when you pass through a stage start or finish gate using your GPS location
- Record and display your stage times on event leaderboards, visible to other event participants
- Allow event organisers to invite you to events and manage participation
- Support replay and analysis features for completed stages
We do not sell your data. We do not use your data for advertising.
5. Data Sharing and Processors
Your data is stored and processed using Google Firebase (Firestore database and Firebase Authentication), operated by Google LLC. Google acts as a data processor under a Data Processing Agreement with Google. Firebase infrastructure is hosted within Google Cloud regions. For details see firebase.google.com/support/privacy.
Your display name and stage times are visible to other participants in the same event. Your email address is never shared with other participants.
We do not share your data with any other third parties.
6. Data Retention
Your personal data is retained for as long as your account exists. When you delete your account, your profile, event membership records, and associated data are permanently removed from our systems. Stage times and leaderboard entries attributed to your display name may be anonymised rather than deleted where removal would materially disrupt the integrity of event results — in that case, your UID and email are removed and the record is detached from your account.
7. Your Rights
Under UK and EU data protection law you have the following rights:
- Right of access — you may request a copy of the personal data we hold about you
- Right to erasure — you may request deletion of your account and associated data; you can also initiate this yourself via Settings → Delete account within the app
- Right to object — where we rely on Legitimate Interests, you may object to that processing; we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests
- Right to rectification — you may correct inaccurate data, including your display name, via your account profile
- Right to data portability — you may request an export of your data in a machine-readable format
To exercise any of these rights, contact us at privacy@diyduro.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
8. Cookies and Local Storage
DIYDURO uses browser local storage to cache your authentication session and app preferences (such as dark/light mode). No third-party tracking cookies are used. We do not use advertising cookies or analytics trackers.
9. Children
DIYDURO is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, please contact us at privacy@diyduro.com and we will remove it promptly.
10. Changes to This Policy
If we make material changes to this policy we will update the effective date above and, where appropriate, notify users via the app. Continued use of DIYDURO after a change takes effect constitutes acceptance of the updated policy.
11. Contact
Data controller: DiyDuro.com
Email: privacy@diyduro.com
DIYDURO · Home