Privacy Policy

Last updated: May 17, 2026

Lets Ride LLC (“Lets Ride”, “we”, “our”, or “us”) operates the Lets Ride off-road community platform — including the website at letsrideoffroad.com, the iOS application, and the Android application (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

By using the Service you agree to the collection and use of information as described here. If you do not agree, please discontinue use and delete your account.

1. Information We Collect

1.1 Information You Provide

  • Account registration: name, email address, password (hashed; never stored in plain text), date of birth, profile photo, and username.
  • Profile information: biography, location (city / state / country), vehicle information (make, model, year, modifications), riding terrain preferences, activity interests, and links to social accounts.
  • Business profiles: business name, phone number, website URL, service categories, and physical address if provided.
  • Community content: posts, comments, photos, videos, route files (KML/GPX/GeoJSON), event listings, trip plans, and messages you send through the Service.
  • Payment information: subscription purchase and billing data processed through Stripe, Inc. We do not store full card numbers; Stripe holds payment card data under PCI-DSS compliance.
  • Emergency contact: name, phone number, and relationship for the emergency contact you optionally add to your profile.
  • Communications: support requests, feedback, and correspondence you send to us.

1.2 Information Collected Automatically

  • Usage data: pages visited, features used, search queries, timestamps, referring URLs, and session duration.
  • Device and log data: IP address, browser type and version, operating system, device identifiers, and crash reports.
  • Location data (mobile app, when permitted): GPS coordinates during active ride tracking if you grant location permission. Precise location is used only for features you explicitly activate (route recording, map display). You can revoke this permission in your device settings at any time.
  • Cookies and similar technologies: We use server-set httpOnly session cookies for authentication. Analytics and performance cookies may be set by Vercel Analytics and Sentry (see Section 4). See our Do Not Sell My Personal Information page for a full list of third parties and opt-out options.

2. How We Use Your Information

We use the information we collect to:

  • Create and manage your account and authenticate your sessions.
  • Provide core platform features: discovery feed, route builder, trip planning, community events, messaging, and the business operator suite.
  • Process payments for subscription plans via Stripe.
  • Send transactional emails: email verification, password reset, subscription receipts, and event reminders.
  • Send marketing communications if you have opted in (you can opt out at any time via your notification settings or by emailing us).
  • Personalize your experience: surface relevant rides, events, and riders based on your terrain preferences and location.
  • Ensure platform safety: detect fraud, enforce our Terms of Service, and investigate reported content.
  • Improve the Service: analyze usage patterns, conduct A/B tests, fix bugs, and develop new features.
  • Comply with legal obligations: respond to lawful requests from courts or government authorities.

2.1 Lawful Bases (GDPR)

For users in the European Economic Area (EEA) and United Kingdom (UK), our lawful processing bases under the GDPR / UK GDPR are:

  • Contract performance — providing the Service you signed up for (Article 6(1)(b)).
  • Legitimate interests — security, fraud prevention, analytics, and product improvement, where our interests do not override your fundamental rights (Article 6(1)(f)).
  • Legal obligation — complying with applicable law (Article 6(1)(c)).
  • Consent — marketing emails and non-essential cookies, where you have given explicit consent (Article 6(1)(a)). You may withdraw consent at any time.

3. How We Share Your Information

We do not sell your personal information to third parties. We share information only as described below:

  • Public profile content: Your display name, username, profile photo, bio, terrain preferences, and activity history are visible to other authenticated users as part of the community experience. You can control your privacy settings from your profile.
  • Service providers (processors): We share limited data with third parties who help us operate the Service under strict data processing agreements:
    • Vercel, Inc. — hosting and edge delivery (Analytics + Speed Insights)
    • Sentry, Inc. — error monitoring and performance tracing (PII scrubbed before transmission)
    • Mapbox, Inc. — maps, geocoding, and route rendering
    • Stripe, Inc. — payment processing
    • Resend, Inc. — transactional and marketing email delivery
    • Upstash, Inc. — session rate limiting (IP addresses only)
    • Cloudflare, Inc. — bot protection (Turnstile CAPTCHA)
  • Business transfers: If Lets Ride LLC is acquired, merges, or sells substantially all its assets, your information may be transferred as part of that transaction. We will notify you via email and a prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.
  • Legal requirements: We may disclose your information if required by law, subpoena, or court order, or to protect the rights, property, or safety of Lets Ride, our users, or the public.

4. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

Category | Purpose | Can you opt out?
Essential | Authentication session cookies (letsride_token, letsride_refresh, letsride_exp). Required for login. | No — Service cannot function without them.
Analytics | Vercel Analytics — aggregate page-view counts and performance metrics (no cross-site tracking). | Yes — decline via cookie banner or “Do Not Sell” page.
Performance | Sentry error and performance traces (PII scrubbed). | No — essential for platform stability.

You can manage cookie preferences at any time via the cookie consent banner or by contacting us. Your browser's “Do Not Track” signal and the Global Privacy Control (GPC) are honored for analytics cookies.

5. Data Retention

  • Account data: Retained for the lifetime of your account plus 30 days after deletion (to allow recovery if the deletion was accidental). After 30 days, personal identifiers are permanently purged.
  • Community content (posts, routes, events): When you delete an item, it is removed from public view immediately and purged from our databases within 30 days.
  • Messages: Direct and group messages are retained for as long as the conversation exists. Deleted messages are soft-deleted and purged within 30 days.
  • Payment records: Billing history is retained for 7 years to comply with tax and financial reporting obligations.
  • Log data and analytics: Aggregated and anonymized after 90 days. Sentry error events are purged after 90 days per Sentry's data retention policy.
  • Backups: Database backups may retain deleted data for up to 30 days before rotation.

6. Security

We implement industry-standard safeguards to protect your information:

  • Authentication tokens stored in server-set httpOnly, Secure, SameSite=Strict cookies — never accessible to JavaScript.
  • Passwords hashed using bcrypt with a per-user salt.
  • All data in transit encrypted with TLS 1.2+.
  • Content Security Policy (CSP) enforced to mitigate XSS.
  • Rate limiting on all authentication endpoints.
  • CAPTCHA on registration and password-reset to prevent automated attacks.
  • PII scrubbed from error reports before transmission to Sentry.
  • Optional two-factor authentication (TOTP) for your account.

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to industry-standard protection and prompt notification if a breach affects your personal data.

7. Children's Privacy (COPPA)

The Service is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. Our sign-up form requires a date of birth and blocks registrations from users under 13.

If you believe a child under 13 has provided us with personal information, please contact us at privacy@letsrideoffroad.com and we will promptly delete that information.

Full participation in community features (creating events, purchasing subscriptions, and messaging) requires users to be at least 18 years of age, consistent with our Terms of Service.

8. Your Privacy Rights

8.1 All Users

  • Access and correction: Update your profile information at any time from the app settings.
  • Account deletion: Delete your account from Profile → Settings → Delete Account. Data is purged within 30 days.
  • Data export: Request a copy of your personal data from Profile → Settings → Export My Data. We will deliver a JSON export within 30 days.
  • Marketing opt-out: Unsubscribe from marketing emails using the link in any email or via notification preferences in the app.

8.2 California Residents (CCPA / CPRA)

California residents have additional rights under the CCPA and CPRA. For a full description and instructions on exercising your rights (including the right to know, the right to delete, the right to correct, and the right to opt out of data sharing), please see our Do Not Sell My Personal Information page.

We will not discriminate against you for exercising your CCPA rights.

8.3 EEA and UK Residents (GDPR / UK GDPR)

If you are located in the EEA or UK, you have the following rights under the GDPR / UK GDPR:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your data in certain circumstances.
  • Right to restriction of processing (Art. 18) — request that we restrict how we use your data.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making (Art. 22) — we do not use solely automated decision-making that produces legal effects concerning you.
  • Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting lawfulness of prior processing.

To exercise any of these rights, email privacy@letsrideoffroad.com. We will respond within 30 days (extendable by two further months for complex requests, with notice). You also have the right to lodge a complaint with your local Data Protection Authority.

Lets Ride LLC acts as the data controller for personal data processed under this policy. For data transferred from the EEA to the United States, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) with applicable service providers.

9. California Online Privacy Protection Act (CalOPPA)

Pursuant to CalOPPA, Lets Ride discloses the following:

  • This privacy policy applies to the Lets Ride website and mobile apps.
  • We will notify users of material changes to this policy by updating the “Last updated” date and, for significant changes, by email or in-app notification.
  • Users can update their personal information at any time via the profile settings page.
  • We honor Do Not Track (DNT) signals for analytics cookies. DNT does not affect essential authentication cookies required for the Service to function.
  • Third-party behavioral tracking: we do not enable third-party behavioral advertising networks on the Service.

10. Third-Party Links and Services

The Service may contain links to third-party websites (e.g., linked businesses, partner websites). This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party services you visit.

11. International Data Transfers

Lets Ride LLC is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to this transfer.

For transfers from the EEA or UK, we implement appropriate safeguards (Standard Contractual Clauses) with our service providers.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, if the changes are significant, notify you by email or via an in-app banner. Continued use of the Service after the effective date of any update constitutes your acceptance of the revised policy.

13. Contact Us

For privacy-related inquiries, data subject rights requests, or complaints, please contact us:

Lets Ride LLC
Privacy Officer
privacy@letsrideoffroad.com

We will acknowledge your request within 5 business days and respond substantively within 30 calendar days.