# Privacy policy

**Effective date:** 2026-05-26
**Last updated:** 2026-05-26
**Controller:** FabiRide UAB, [registered address], Lithuania, contact `privacy@fabiride.lt`

This policy explains what data FabiRide ("we") collects when you use the FabiRide mobile app, the FabiRide bike display, and the cloud services that connect them, and what your rights are under the EU General Data Protection Regulation (GDPR).

> **TL;DR**: We collect the minimum data needed to run your account, your bike, and your warranty. We never sell your data. We store EU customer data in EU data centres. You can export or delete everything at any time.

## 1. Data we collect

| Category | Examples | Why we need it | Legal basis |
|---|---|---|---|
| **Account** | Email, full name, password hash, phone (optional) | Identify you, contact you, sign you in | Contract (Art. 6(1)(b)) |
| **Display registration** | Display serial number, purchase shop, invoice scan, claim date | Warranty + theft chain-of-custody | Contract + legal obligation (10 yr invoice retention, LT Accounting Law) |
| **Bike telemetry** | Speed, distance, GPS trail (when you record a trip), battery state, motor temp | Show you your rides, your range, your bike's health | Contract + your consent for GPS |
| **Device usage** | Firmware version, last-seen time, IP for OTA | Push updates, support tickets | Legitimate interest |
| **Email + push notifications** | Your email and (if enabled) push token | Verification, password reset, optional alerts | Contract + consent for marketing |
| **Diagnostics logs** | Crash reports, BLE link quality (no PII) | Fix bugs | Legitimate interest |

We do **not** knowingly collect data from children under 16. If we learn we have, we delete it.

## 2. What we do with the data

- Run your account, your bike pairing, your warranty.
- Send transactional emails: signup confirmation, password reset, ownership-transfer confirmations.
- Detect tamper attempts on your display (anti-theft).
- Improve the product via anonymous, aggregated metrics.
- **We do not sell, rent, or trade your personal data.**

## 3. Sharing

We share data only with:
- **Our infrastructure providers** (Coolify VPS, Postgres database, SMTP provider) under EU GDPR-compliant Data Processing Agreements. All data resides in the EU.
- **Apple / Google** as part of normal app-store telemetry — see their privacy policies for the specific signals they collect.
- **Law enforcement** when legally compelled (court order or equivalent).

We will never share location, ride history, or telemetry with insurers, employers, or advertisers without your explicit opt-in.

## 4. Retention

| Data | How long |
|---|---|
| Account profile | Until you delete it (right to erasure, see §6) |
| Invoice + sales-chain rows | 10 years from sale (Lithuanian Accounting Law) |
| Telemetry / ride history | While the device is registered to you, or 30 days after you remove it |
| Diagnostics logs | 90 days, then aggregated |
| Email-server logs | 30 days |

## 5. Cookies & similar

The mobile app uses local storage only (your phone) — no third-party tracking. The web admin sets a single session cookie that contains your refresh token (HttpOnly, Secure, SameSite=Strict).

## 6. Your rights under GDPR

You have the right to:
- **Access** — request a copy of all data we hold about you (`privacy@fabiride.lt` or in-app: Settings → My account → Export my data).
- **Rectification** — correct anything wrong, from inside the app.
- **Erasure** — delete your account; we anonymise sales/invoice rows we must keep for legal reasons.
- **Restriction** — pause processing while a dispute is resolved.
- **Portability** — get your data in machine-readable JSON.
- **Object** — refuse processing based on our legitimate interest.
- **Withdraw consent** — turn off marketing, GPS, push, at any time.
- **Lodge a complaint** — Lithuanian State Data Protection Inspectorate, https://vdai.lrv.lt.

Requests are handled within 30 days (extendable to 90 for complex ones).

## 7. Security

- All API traffic is HTTPS-only (TLS 1.2+, HSTS).
- Passwords are hashed with Argon2id.
- The display–phone Bluetooth link uses encrypted-bonded BLE pairing.
- Firmware is signed (Secure Boot v2) and encrypted on the chip (Flash Encryption). A stolen `firmware.bin` cannot be reflashed onto another device.
- We log all administrative actions and notify you within 72 hours of any breach affecting your personal data, per Art. 33 GDPR.

## 8. International transfers

All data is processed within the EU/EEA. Apple and Google may transfer push-notification metadata to the US under EU–US Data Privacy Framework adequacy.

## 9. Changes

We will notify you in-app at least 30 days before a material change. Continued use after that constitutes acceptance.

## 10. Contact

`privacy@fabiride.lt` · FabiRide UAB · [postal address]