Privacy Policy
Last updated: 20 February 2026
1. Who we are
WrenchLog is the data controller for your personal data. We are a UK-based company.
- Registered address: [Registered address placeholder]
- Contact email: hello@wrenchlog.app
2. Data we collect
We collect the following personal data when you use WrenchLog:
Account information
Your name (from Strava) and email address (provided by you).
Strava data
Athlete ID, profile avatar URL, OAuth access and refresh tokens, and activity data including ride names, distances, durations, dates, and gear IDs.
Bike and component data
Information about your bikes, components, wear levels, and service records that you create within the app.
Subscription data
Stripe customer ID and plan status. We do not store your payment card details — these are held securely by Stripe.
Notification preferences
Your choices about which email notifications you want to receive (wear alerts, weekly digest).
3. How and why we use your data
Under UK GDPR, we need a lawful basis to process your personal data. Here is how we use your data and the legal basis for each:
| Purpose | Lawful basis |
|---|---|
| Account creation and Strava sync (service delivery) | Contract |
| Payment processing via Stripe | Contract |
| Wear alert emails (component replacement reminders) | Legitimate interest |
| Weekly digest email (ride and maintenance summary) | Consent (opt-in) |
| Session cookie for authentication | Contract (strictly necessary) |
4. Third-party processors
We share your data with the following trusted service providers who process it on our behalf:
- Strava — OAuth authentication and activity data synchronisation.
- Stripe — Payment processing for Pro subscriptions.
- Vercel (US) — Application hosting and serverless functions.
- Supabase (cloud-hosted) — Database storage.
- Resend (US) — Email delivery for notifications and digests.
5. International data transfers
Some of our processors are based in the United States (Vercel, Resend). Where your data is transferred outside the UK, it is protected by appropriate safeguards including Standard Contractual Clauses (SCCs) and/or the UK-US Data Bridge extension to the EU-US Data Privacy Framework.
6. Data retention
- Account data: Kept for as long as your account is active. Deleted within 30 days of account deletion.
- Strava data: Deleted within 48 hours if you deauthorise WrenchLog through Strava.
7. Your rights
Under UK GDPR, you have the following rights over your personal data:
- Access — Request a copy of the data we hold about you.
- Rectification — Ask us to correct inaccurate data.
- Erasure — Ask us to delete your data.
- Portability — Request your data in a portable format (data export).
- Restrict processing — Ask us to limit how we use your data.
- Object — Object to processing based on legitimate interest.
- Withdraw consent — Where processing is based on consent (e.g. weekly digest), you can withdraw at any time via your Settings page.
To exercise any of these rights, email us at hello@wrenchlog.app. We will respond within one month.
8. Right to complain
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO). You can contact them at ico.org.uk.
9. Cookies
WrenchLog uses a single session cookie (wrenchlog_session) which is strictly necessary for authentication. Because it is essential for the service to function, no cookie consent is required.
We do not use any analytics, advertising, or tracking cookies.
10. Children
WrenchLog is not directed at children. You must be at least 16 years old to use this service. We do not knowingly collect data from anyone under 16.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email. The “last updated” date at the top of this page will always reflect the most recent version.
12. Contact
If you have any questions about this Privacy Policy or how we handle your data, please contact us at hello@wrenchlog.app.