Privacy Policy
Last updated: May 2026
Data Controller
Michael Fraß Wiener Straße 10a 8020 Graz, Austria Brand: BikeGraz (bikegraz.at) Email: hello@bikegraz.at
Hosting
This website is hosted on servers operated by Uberspace (uberspace.de) in Germany. When you visit our pages, your browser automatically transmits connection data (IP address, date, time, page requested, browser type) as server log files, which are stored for a maximum of 7 days. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the security and operation of the website).
Cookies & Local Storage
We use only technically necessary cookies and browser local storage. Specifically: • Session cookie (bikegraz_session): An encrypted session cookie for login status and CSRF protection. Expires when you close your browser. • Tour access cookie (tour_access_*): Set when you purchase or unlock a sightseeing tour. Stores in encrypted form that you are entitled to use the tour. Duration: 1 year. This cookie is technically necessary to maintain your purchased access without requiring you to log in again. • Referral partner cookie (partner_ref): Set when you reach our site via a referral partner's tracking link or QR code (e.g. a hotel or bike rental). Stores in encrypted form which partner referred you, so that a later tour purchase can be correctly attributed. Duration: 90 days. See the "Referral Partner Programme" section below for details. • localStorage (navigation app only): The guided navigation app stores which tour stops have already been visited in your browser's local storage. This data never leaves your browser and is reset at the start of each navigation session. No third-party advertising cookies (e.g. retargeting, cross-site tracking) are used.
Web Analytics (Matomo)
We use Matomo (formerly Piwik), a self-hosted open-source analytics platform, to statistically evaluate user behaviour on our website. Matomo runs on our own server; no data leaves this server or is shared with third parties. Matomo is configured to set no cookies (cookieless tracking). Instead, an anonymised fingerprint is derived from the IP address and browser information; this fingerprint cannot be traced back to individual persons. IP addresses are fully anonymised before processing. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in improving our service). As no cookies are set and all data remains exclusively on our server, no separate consent is required.
User Accounts
You can create an account to use community features (RideAlong, photo uploads) or to access the business partner dashboard. We collect your name, email address, and password (stored in encrypted form). Your display name is visible to other registered users in the context of RideAlong (as an organiser or participant of a ride). The legal basis is Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(a) GDPR (consent) for community features.
RideAlong (Group Rides)
RideAlong allows registered users to organise and join group cycling rides. The following data is processed: • When creating a ride: title, description, meeting point (text), date/time, difficulty, maximum participants, and visibility (public, community, or private). • The organiser's display name is shown publicly on the ride detail page (for public and community rides). • For private rides, a random invite token is generated. Anyone with the invite link can view the ride without logging in; however, participation requires an account. • Confirmed participants are listed by their display name on the detail page. Ride data is retained until you delete your account or the organiser removes the ride. The legal basis is Art. 6(1)(a) GDPR (consent given by actively using the feature).
Business Directory (Graz Bike Guide)
The Graz Bike Guide lists cycling-relevant businesses (bike shops, repair workshops, cafés, hotels, etc.) using publicly accessible information: name, address, contact details, opening hours, and description. This data is sourced exclusively from publicly available sources (the business's own website, Google Maps, trade directories). No non-public data is collected. The legal basis is Art. 6(1)(f) GDPR (legitimate interest of cyclists in finding local services, and the legitimate interest of businesses in being discoverable). Businesses may request the deletion or correction of their listing at any time by emailing hello@bikegraz.at — we will action this within 7 working days.
Newsletter
When you subscribe to our newsletter, we store your email address and preferred language. Each newsletter contains a personalised unsubscribe link as well as open and click tracking: a 1×1 pixel image and personalised links allow us to measure whether and how the newsletter is used. All data is processed exclusively on our own server and is never shared with third parties. You can cancel your subscription at any time with a single click; your email address will then be blocked from future mailings. The legal basis for both sending and tracking is your explicit consent (Art. 6(1)(a) GDPR).
Community Moments (Photo Uploads)
When you upload a photo as part of Community Moments, the image is stored on our server and displayed publicly. Please do not upload images that show identifiable people without their consent. Uploaded images can be deleted upon request at hello@bikegraz.at. The legal basis is Art. 6(1)(a) GDPR (consent given by the act of uploading).
Map Integration (MapLibre GL, OpenStreetMap)
For interactive maps and the guided sightseeing navigation, we use the open-source library MapLibre GL JS and map tiles from OpenStreetMap (© OpenStreetMap contributors). The library is loaded from the CDN services unpkg.com (Cloudflare) and jsDelivr (ProspectOne, France) when you open the navigation app; your IP address is transmitted to these providers at that point. Map tiles are fetched directly from OpenStreetMap servers. We have no influence over the privacy practices of these third-party providers. Further information: openstreetmap.org/privacy. Legal basis: Art. 6(1)(f) GDPR.
Live Location During Guided Navigation
While you actively use the guided navigation for a purchased sightseeing tour, your device periodically (roughly every 20 seconds) transmits your current GPS position to our server. This is used solely so that, in a support situation (e.g. technical problems or safety concerns), we can see where you currently are. No movement history is stored — each new position overwrites the previous one. As soon as you end the navigation, your position is deleted immediately. If the app is closed without actively ending the tour, the last known position is automatically deleted after 30 minutes at the latest. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in supporting and ensuring the safety of our customers during the tour).
Weather Data (OpenWeatherMap)
The weather information displayed on this website (current conditions, hourly and 3-day forecast) is retrieved via the API of OpenWeather Ltd. (United Kingdom). Weather requests are made server-side; the IP address of our server — not your personal IP address — is transmitted to OpenWeather. Retrieved weather data is cached on our server for 30 minutes. No personal user data is transmitted to OpenWeather. Further information: openweathermap.org/privacy-policy. Legal basis: Art. 6(1)(f) GDPR.
Payment Processing (Stripe)
For paid services — in particular the purchase of sightseeing tours and business partner campaigns — we use the payment service provider Stripe (Stripe, Inc., USA / Stripe Payments Europe, Ltd., Ireland). Payment processing takes place on Stripe's hosted checkout page; payment data (credit card numbers etc.) is processed exclusively by Stripe and is not stored on our servers. Stripe is certified under the EU-US Data Privacy Framework. Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Further information: stripe.com/privacy.
Strava Event Import
Publicly available event data from Strava (Strava, Inc., USA) is imported via the Strava API. No personal user data is transmitted or stored in this process.
AI Services (Gemini, OpenAI)
We use AI services exclusively for editorial and internal tasks — without involving personal user data: • Google Gemini (Google LLC, USA): Text generation and analysis for blog content.\n• OpenAI GPT-4o / gpt-image-1 (OpenAI, Inc., USA): Text translations, cover image generation, and automated creation of audio guide scripts for sightseeing tours.\n• OpenAI TTS (Text-to-Speech): Server-side conversion of tour texts into MP3 audio files. The generated audio files are stored on our server and played back during sightseeing navigation. No voice data or user data is transmitted. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in automating editorial processes).
Social Media Publishing (Bluesky)
Editorial content (news, tours) may optionally be published on the official bikegraz.at profile on Bluesky (Bluesky Social, PBC, USA). The title, teaser text, a link to the post, and optionally a preview image are transmitted to the Bluesky AT Protocol API. The bikegraz.at account credentials are stored server-side only and are never shared with end users. No personal user data is transmitted to Bluesky. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in public communication). Further information: bsky.social/about/support/privacy-policy.
Advertising (Partner Campaigns)
We display advertising banners from partner businesses on our website. We technically count how many times an ad is shown (impression) and whether a click on the banner occurs. This measurement is performed in aggregate on our own server; no personal data (e.g. IP address or device information) is stored in the process. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the contractual billing of advertising services).
Referral Partner Programme (Tour Recommendations)
Selected local businesses (e.g. hotels, accommodation providers, bike rental shops, tourism offices, restaurants) can recommend sightseeing tours as referral partners via a personal tracking link or QR code. When you click such a link, we set the partner_ref cookie described in the "Cookies & Local Storage" section, which stores for 90 days which partner referred you to our site. If you purchase a paid tour within this period, that purchase (tour, purchase date, purchase amount) is attributed to the referring partner for the purpose of calculating their commission. The partner does not gain access to your email address or name. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in accurately settling commissions with our referral partners).
Your Rights (GDPR)
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). Where processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal. Please direct requests to: hello@bikegraz.at
Right to Lodge a Complaint
You have the right to lodge a complaint with the competent supervisory authority: Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, dsb.gv.at