Privacy Policy
Effective date: March 14, 2026
1. What ChainLog Is
ChainLog is a service that helps bicycle shops track maintenance intervals for their customers' bikes. Shops use ChainLog to monitor accumulated mileage and send service reminders automatically. ChainLog connects to Strava on behalf of individual cyclists at the direction of the bike shop they are registered with.
2. Strava API Monitoring Disclosure
ChainLog uses the Strava API to access activity and gear data on behalf of bike shops. Per the Strava API Agreement, you acknowledge that: “Strava may monitor and collect certain usage data and information related to your use of the Strava API Materials.”
ChainLog uses this integration in compliance with Strava's API Agreement and Brand Guidelines.
3. Data We Collect
Strava Data (with your authorization via OAuth 2.0):
- Activity data (distance, gear ID, sport type)
- Gear data (bike name, brand, model)
- Athlete ID
We do not access GPS route data, heart rate, power data, personal records, social features, or any other Strava data.
Shop Account Data:
- Shop name and email address
- Subscription and billing information (managed via Clerk and Stripe)
- Usage data and logs for service operation and troubleshooting
Cyclist Contact Information:
- Name and phone number provided by the bike shop for service notifications
Cookies:
ChainLog uses session cookies only, provided by our authentication provider (Clerk). We do not use analytics cookies, tracking pixels, or advertising cookies.
4. How We Use Your Data
- To calculate accumulated mileage on tracked bikes and trigger service reminders
- To manage your shop account, authentication, and subscription (via Clerk)
- To process subscription payments (via Stripe, through Clerk Billing)
- To send service reminder notifications via email (SendGrid) or SMS (Twilio)
- To monitor application errors and maintain service reliability (Sentry)
We do not sell, rent, or share your data with third parties for marketing or advertising purposes.
5. Subprocessors
ChainLog uses the following third-party service providers (subprocessors) to operate the service. All subprocessors are contractually bound to protect data and process it only as directed.
| Subprocessor | Purpose | Location |
|---|---|---|
| Clerk | Authentication and subscription billing | United States |
| Strava | OAuth 2.0 authorization and activity data | United States |
| Twilio | SMS delivery | United States |
| SendGrid (Twilio) | Transactional email delivery | United States |
| Stripe | Payment processing (via Clerk Billing) | United States |
| Railway | Application hosting and infrastructure | United States |
| Sentry | Error monitoring and diagnostics | United States |
6. Data Retention
- Active shop accounts: Retained for the duration of the active subscription
- Cyclist Strava tokens: Deleted immediately upon Strava access revocation
- Cyclist activity data: Retained while the customer record is active
- Deleted customer records: Anonymized within 30 days of a shop deletion request
- Cancelled shop subscriptions: Shop and customer data retained for 30 days after cancellation, then permanently deleted
- Contact form submissions: Retained for 90 days
7. GDPR — Lawful Basis for Processing
For individuals in the European Economic Area (EEA), ChainLog processes personal data under the following legal bases (GDPR Article 6):
- Shop account data (name, email, billing): Contract performance — Art. 6(1)(b)
- Cyclist data processed for shops (activity, mileage): Legitimate interests — Art. 6(1)(f) — enabling the service the shop has contracted for
- Strava OAuth data: Explicit consent — Art. 6(1)(a) — cyclist provides affirmative Strava OAuth authorization
- SMS communications: Consent — Art. 6(1)(a) — affirmative opt-in captured with timestamp
8. GDPR — Data Controller
The data controller for personal data processed by ChainLog is:
[PLACEHOLDER: Legal Entity Name]
[PLACEHOLDER: Registered Address]
Email: privacy@chainlog.app
For B2B customers (bike shops), ChainLog acts as a data processor processing cyclist data on behalf of the shop (the data controller). A Data Processing Agreement (DPA) is available upon request at hello@chainlog.app.
9. California Residents (CCPA)
California residents have the following rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA:
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to opt out of the sale of personal information — ChainLog does not sell personal information
- Right to non-discrimination for exercising CCPA rights
To exercise these rights, California residents may submit a request to privacy@chainlog.app.
10. SMS Communications
If you consent to receive SMS service reminders, your consent is captured with an affirmative opt-in (not pre-checked) and stored with a timestamp. You may opt out at any time by replying STOP to any message. No further SMS will be sent after an opt-out.
Mobile opt-in data and consent will not be shared with third parties, lead generators, or affiliates for marketing or promotional purposes.
Message frequency varies based on your service schedule. Message and data rates may apply. Reply STOP to unsubscribe. Reply HELP for help.
11. Your Rights
Regardless of your location, you have the right to:
- Access the personal data ChainLog holds about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention obligations)
- Withdraw consent for Strava access at any time via Strava account settings (Settings → My Apps)
- Withdraw SMS consent at any time by replying STOP
To exercise these rights, contact us at privacy@chainlog.app.
12. Policy Updates
We will notify you of material changes to this policy by email at least 30 days before the changes take effect. The effective date at the top of this page reflects the date of the most recent update. Continued use of ChainLog after a policy update constitutes acceptance of the revised policy.
13. Contact
For privacy questions, contact us at: privacy@chainlog.app