Privacy Policy
Last updated: 10 March 2026
1. Who we are
Combatif is a cycling competition platform that allows users to create and participate in cycling competitions, connect GPS tracking platforms, and track their performance. References to "we", "us", or "our" refer to Combatif.
For questions about this policy or your personal data, contact us at: privacy@combatif.com
2. What data we collect
We collect the following categories of personal data:
- Account data: display name, email address, password (stored as a bcrypt hash — we never store your plaintext password), phone number (optional), date of account creation, and the timestamp of your consent to this policy.
- Activity data: cycling activities imported from connected platforms, including activity name, distance, elevation, duration, start time, and data source.
- Platform connection data: when you connect a third-party platform (e.g. Strava), we store your external user ID, connection timestamp, last sync timestamp, and OAuth access tokens necessary to retrieve your activities.
- Competition and group data: competitions you participate in, groups you are a member of, and your competition results.
- Usage data: standard server logs (IP address, request timestamps) used for security and operational purposes.
3. How we use your data
We use your personal data for the following purposes:
- To create and manage your account.
- To provide the competition and group features of the platform.
- To import your cycling activities from connected platforms and calculate competition results.
- To allow other participants to see your name and competition results within competitions you have joined.
- To ensure the security and correct operation of the platform.
Legal basis (GDPR Article 6): We process your data on the basis of your consent (Article 6(1)(a)) given at registration, and as necessary to perform the contract for the services you have requested (Article 6(1)(b)).
4. Data sharing and third parties
We do not sell your personal data. We share data only with the following service providers, strictly to deliver the platform:
- Fly.io — cloud hosting provider for the API and database (EU region).
- Netlify — hosting provider for the frontend.
- Upstash — Redis cache provider used for background job processing.
- Strava — if you choose to connect your Strava account, activity data is retrieved from Strava's API under the permissions you grant.
- PostHog — if you accept analytics cookies, we use PostHog (EU cloud, hosted in the European Union) to collect anonymised usage data such as pages visited, features used, and session behaviour. No personally identifiable information such as your name or email is sent to PostHog. You can opt out at any time by declining or withdrawing analytics consent.
All service providers are bound by their own privacy policies and applicable data protection regulations.
5. Analytics cookies
If you accept analytics cookies, we use PostHog to collect anonymised usage data to help us understand how the platform is used and improve the user experience. This data includes pages visited, features used, and general session behaviour. PostHog uses cookies and local storage to track sessions across page loads.
You can accept or decline analytics cookies when you first visit the platform. If you decline, no analytics data is collected. You can change your preference by clearing your browser's local storage for this site.
We do not use advertising cookies or share data with advertising networks.
7. Data retention
We retain your personal data for as long as your account is active. When you delete your account, all personal data — including your profile, activities, competition history, group memberships, and platform connections — is permanently deleted from our systems.
Server logs may be retained for up to 30 days for security purposes.
8. Your rights (GDPR)
As a data subject under the GDPR, you have the following rights:
- Right of access (Article 15): You can export a copy of all personal data we hold about you from the Profile page.
- Right to rectification (Article 16): You can update your display name, email, and phone number on the Profile page at any time.
- Right to erasure (Article 17): You can permanently delete your account and all associated data from the Profile page.
- Right to data portability (Article 20): Your data export is provided in machine-readable JSON format.
- Right to withdraw consent (Article 7): You may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with your national data protection authority.
To exercise any right not directly available in the platform, contact us at privacy@combatif.com.
9. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of the platform following notice of changes constitutes acceptance of the updated policy.