CyclingRoutes.cc

Deutsch ist neu auf CyclingRoutes.cc — einige Übersetzungen können ungenau sein. Hilf uns, es besser zu machen →

Legal

Privacy Policy

Effective 17 April 2026

This privacy policy explains how we collect, use and protect your personal data when you visit CyclingRoutes.cc. It is written to comply with the EU General Data Protection Regulation (GDPR).

Who we are

CyclingRoutes.cc is operated by Tommy Nielsen, based in Norway. We are the "data controller" for the purposes of GDPR.

Contact: hello@cyclingroutes.cc

What data we collect

We collect only what we need to run the site and offer the features you use.

Collected automatically

  • Usage data (page views, device type, country, referrer) via Google Analytics 4
  • Technical performance data (Core Web Vitals) via Vercel Speed Insights
  • Server access logs (IP, timestamp, URL) retained by our hosting provider

Submitted by you

  • Newsletter: email address when you subscribe
  • Reviews: name, optional city, optional ride date, rating and review text when you leave a review on a route
  • Translation feedback: the original text, your suggested correction and the page URL — anonymous unless you choose to identify yourself
  • Route submissions (Strava Connect): your Strava athlete ID, name, selected activity or route data, GPX track, photos you choose to include, and any text you add. We store this as a pending submission for editorial review.
  • "I've ridden this" counter: an anonymous increment per route. We use localStorage in your browser to prevent double-counts — no personal data is stored on our side.

Why we use your data — legal basis

  • Legitimate interest: site analytics, security, abuse prevention, editorial quality control
  • Consent: newsletter subscription, Strava OAuth authorization, review submission
  • Contract performance: processing your submissions and reviews once you choose to send them

Third-party processors

We share data with the following sub-processors, who act on our behalf:

  • Vercel (USA) — hosting and serverless infrastructure
  • Cloudflare (USA) — CDN and DNS
  • Supabase (EU, Stockholm) — database for reviews, translation feedback, route statistics and route submissions
  • Brevo (France) — newsletter and transactional email
  • Google (USA) — Analytics 4 and Search Console
  • Strava (USA) — OAuth authentication and activity/route data, only when you choose to connect your Strava account
  • Tally.so (Belgium) — legacy route-submission form; being phased out
  • Make.com (Czech Republic) — automation between Tally and Brevo

Transfers to processors outside the EEA are protected by Standard Contractual Clauses as defined by the European Commission.

Cookies and similar technologies

We use a minimal set of cookies and storage mechanisms:

Strictly necessary

  • admin_session — editor login (HttpOnly, 24 hours)
  • contributor_session — Strava OAuth session during route submission (HttpOnly, 6 hours)
  • contributor_oauth_state — CSRF protection during Strava login (HttpOnly, 10 minutes)

Analytics

  • Google Analytics 4 cookies (_ga, _ga_*) — aggregated site usage
  • Vercel Speed Insights — Core Web Vitals measurement, no personal identifiers

Local storage

  • routeRidden_* — prevents double-counting the "I've ridden this" button
  • chunk_reload — one-shot flag for recovering from failed JavaScript chunk loads
  • i18nextLng — remembers your preferred language

Retention

  • Newsletter subscriptions: until you unsubscribe
  • Reviews: until you ask us to remove them or the review is deleted
  • Route submissions: indefinitely if approved; pending drafts are kept 90 days then deleted
  • Translation feedback: kept in perpetuity in anonymous form
  • Server logs: 30 days
  • Google Analytics: default 14 months

Your rights under GDPR

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion ("right to be forgotten")
  • Restrict or object to processing
  • Receive your data in a portable format
  • Withdraw consent at any time (does not affect prior lawful processing)
  • Lodge a complaint with your local supervisory authority — in Norway, the Datatilsynet

To exercise any of these rights, email hello@cyclingroutes.cc. We will respond within 30 days.

Strava integration — what you authorize

When you click "Connect with Strava" to submit a route, Strava asks for your permission to share the following with us:

  • Your athlete profile (name, ID)
  • Your public and private activities (scope activity:read_all)

The access is read-only. We never upload, delete or modify anything on your Strava account. You can revoke access at any time at strava.com/settings/apps.

Children

CyclingRoutes.cc is not directed at children under 16. We do not knowingly collect personal data from children.

Changes to this policy

We may update this policy over time. Material changes will be announced on the site. The "Effective" date at the top of this page indicates when the current version took effect.

Contact

Questions? Email hello@cyclingroutes.cc.