TOPCYCLE PRIVACY POLICY
Notice: This Privacy Policy explains how we collect, process, store, and protect personal data of users within the European Union (EU). It is drafted in strict compliance with the EU General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and applicable EU e-commerce and innovation regulations. You (the user) are responsible for checking this page regularly to review the most recent version of these Policies.
Last Updated: 10/01/2025
By using our platform, you acknowledge that you have read and understood this Privacy Policy. This is the first version of the policy. TopCycle is currently an early-stage startup and not yet incorporated as a legal entity; this document is subject to updates, and users are required to review it periodically for changes. Continued use of our services after any changes shall constitute acceptance of the updated version.
- Data Controller and Scope
The “Controller” (TopCycle) is responsible for the processing of personal data. Our servers and data processing activities are strictly located within the European Union. No data is transferred outside the EEA. If in the future such transfers become necessary, we will implement appropriate safeguards (such as Standard Contractual Clauses) as required under GDPR.
This policy applies to all users who access or use our services within the EU.
- Data We Collect
We collect and process the following categories of data in accordance with GDPR’s principles of data minimization and transparency:
- Identity and Contact Data: Name, email address, phone number, and similar identifiers.
- Technical and Log Data: IP address, device identifiers, browser type, operating system, and activity logs.
- Account and Transaction Data: Payment method, billing data, and transaction history (securely processed).
- Voluntary Data: Any information voluntarily submitted by the user (e.g., profile picture, preferences).
- Anonymized Biometric & Motion Data: For exercise tracking and AI model training, stored and used in fully anonymized form and not linked to identifiable users.
- Legal Basis and Purposes of Processing
Processing is carried out under GDPR Article 6 on the following lawful bases:
- Contractual Necessity (Art. 6(1)(b)): To create and maintain user accounts, deliver core services, provide customer support, and process transactions.
- Legal Obligation (Art. 6(1)(c)): To comply with EU regulatory requirements and with financial or tax obligations.
- Legitimate Interests (Art. 6(1)(f)): To ensure platform security, prevent fraud, improve services, and conduct internal analytics, provided such interests do not override user rights.
- Consent (Art. 6(1)(a)): For optional activities such as marketing communications, analytics cookies, and third-party integrations. Users may withdraw consent at any time.
- Cookies and Tracking Technologies
We use cookies and similar technologies to improve user experience, analyze usage patterns, and optimize our services.
- Essential Cookies: Required for platform functionality and do not require consent.
- Analytics/Marketing Cookies: Activated only after obtaining explicit user consent in accordance with the EU ePrivacy Directive (Art. 5(3)).
Users may revoke or adjust their cookie consent at any time through their browser or account settings. Data collected for analytics purposes is anonymized and cannot be used to identify individual users.
- Data Sharing and Third Parties
We do not sell or rent personal data. Data may be shared with carefully selected processors (e.g., hosting providers, payment processors, analytics providers) under strict GDPR-compliant Data Processing Agreements.
If legally required (e.g., by a court order or regulatory authority), we may disclose limited user data in compliance with applicable laws.
- Data Retention
We retain personal data only as long as necessary to fulfill the purposes outlined above or as required by law.
- Account-related data is retained for the duration of the user’s relationship with the platform.
- Financial records may be retained for longer periods in compliance with EU accounting and tax regulations.
- After retention periods expire, data will be securely deleted or irreversibly anonymized.
- Data Subject Rights
Under GDPR, users have the following rights:
- Right of Access (Art. 15)
- Right to Rectification (Art. 16)
- Right to Erasure (Art. 17)
- Right to Restriction (Art. 18)
- Right to Data Portability (Art. 20)
- Right to Object (Art. 21)
- Right to Withdraw Consent
- Right to Lodge a Complaint with a supervisory authority
Requests can be submitted via our contact details below, and will be processed according to GDPR timelines and verification requirements.
- Data Security
We implement appropriate technical and organizational measures to secure personal data, including encryption (TLS/HTTPS), access control, firewalls, regular backups, and penetration testing.
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33, and inform affected users if the breach poses a high risk to their rights and freedoms.
- Limitation of Liability
To the maximum extent permitted by applicable law:
- TopCycle shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, goodwill, or other intangible losses, arising from or related to any personal data breach, system outage, or unauthorized access.
- Our total aggregate liability for any claims under this Privacy Policy shall not exceed the amount paid by the user (if any) for use of the platform in the 12 months preceding the event giving rise to liability.
- Nothing in this section limits liability where prohibited by law, including for willful misconduct or gross negligence.
- Policy Updates
This Privacy Policy may be updated periodically to reflect changes in our data practices or legal requirements. The latest version will always be published on this page, and the “Last Updated” date will be revised accordingly. Users are required to review this page regularly to stay informed.
- Contact Information
For any inquiries, requests, or complaints regarding this Privacy Policy, you may contact our Data Protection Officer (DPO) at: dpo@topcycle.co
