Privacy Policy

Account Information: Name, email address, password (encrypted), phone number, profile photo

Listing Data: Bike details, photos, frame serial numbers, pricing information, location

Usage Data: Browser type, device information, pages visited, time spent, search queries, timezone, language preference

Location Data: We derive approximate location (city/country) from your IP address for analytics. The IP address is anonymized (last octet zeroed) during processing and is never stored. Only the derived location is retained.

Browser Geolocation: With your explicit permission, we may access your device's precise location via browser geolocation to show you distance to bike listings (e.g., "12 miles away"), find nearby shops, and auto-fill your listing location. Your coordinates are sent to third-party geocoding services (OpenStreetMap Nominatim and postcodes.io) to convert them into a city name or postcode. We may also use your IP address with ipapi.co to detect your approximate location without browser permission. None of these services receive your name or account details. The resolved location (city/postcode) is stored locally on your device only and is never sent to our servers. You can revoke location permission at any time through your browser or device settings.

Communications: Messages between users, support requests, feedback, abuse reports

Payment Information: Processed by third-party payment processors (Stripe). We do not store full card details.

Passkey & Device Authentication Data: If you enable passkey or biometric authentication (such as Face ID or fingerprint) for sign-in or app lock, we use the WebAuthn standard to create a cryptographic passkey tied to your device. Biometric data (e.g. facial recognition or fingerprint data) is processed entirely by your device's secure enclave and is never sent to or stored on our servers. We store only the public key, credential identifier, and signature counter needed to verify your identity, along with device information (device name, browser, operating system), authenticator type, backup status, and timestamps. You can view and remove your passkeys at any time from your account Security page.

Cookies and Tracking: See our Cookies Policy for details

We process your personal data under the following legal bases:

• Contract Performance: To provide advertising services when you create listings
• Legitimate Interests: To operate and improve our platform, prevent fraud, ensure security
• Consent: For marketing communications and non-essential cookies
• Legal Obligation: To comply with tax, accounting, and legal requirements

We share your data with:

• Other Users: Your public profile, listings, and messages are visible to other users
• Payment Processors: Stripe (for processing advertising fees); see Stripe Privacy
• Hosting and infrastructure: Railway (application hosting), Backblaze B2 (object storage), Cloudflare (CDN, WAF, DNS)
• Payments: Stripe Payments UK Ltd (card processing and Buyer Protection escrow)
• Email: Postmark (transactional and marketing email)
• Analytics: Google Analytics 4 and Google Search Console (aggregate, non-identifying platform analytics)
• Advertising: Google Ads (conversion tracking and remarketing, only where you have consented to marketing cookies)
• Geocoding: OpenStreetMap Nominatim, postcodes.io, and ipapi.co (coordinates / postcodes only, no account data)
• Shipping carriers (for Buyer Protection transactions only): Paisley Freight, Parcel2Go and Bike Services UK
• Social distribution: Bluesky (where we cross-post public listing content we are authorised to share)
• Legal authorities: Where required by law or to prevent or investigate fraud, crime, or stolen-bike offences

We DO NOT sell your personal data to third parties.

Your public listing content (descriptions, photographs, pricing) may be accessed by search engines and AI systems, including Google, Bing, OpenAI, and Anthropic, for the purpose of indexing, improving search results, and enhancing discoverability of your listings.

What is shared: Only publicly visible listing information. Your personal account details, messages, payment information, and contact details are never shared with search engines or AI systems.

Why: Search engine and AI indexing helps buyers find your listings through Google, Bing, ChatGPT, and other search tools. This increases the visibility and reach of your listing beyond Cyclesite itself.

Your right to opt out: You can request that your listing content be excluded from AI training datasets by contacting us at support@cyclesite.co.uk. We will add technical markers to your listings to instruct AI crawlers to exclude your content. Note that search engine indexing (Google, Bing) cannot be opted out of for public listings, as this is essential for the marketplace to function.

Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR): making your listings discoverable serves both your interest as a seller and the interest of potential buyers in finding relevant bikes.

We retain your personal data for:

• Active Account: While your account is active
• After Account Deletion: Up to 7 years for legal, tax, and fraud prevention purposes
• Marketing Data: Until you unsubscribe or withdraw consent
• Logs and Analytics: Typically 12-24 months

You have the following rights regarding your personal data:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests or direct marketing
• Right to Restrict Processing: Request we limit how we use your data
• Right to Withdraw Consent: Where processing is based on consent
• Right to Complain: Lodge a complaint with the ICO (see below)

To exercise your rights, email support@cyclesite.co.uk or use our GDPR Request Form.

We will respond to requests within 30 days. Some requests may take longer if they are complex.

Under Article 22 of the UK GDPR, you have the right to know about and challenge decisions made solely by automated means that significantly affect you. We use the following automated systems:

9.1 Fraud & Trust Scoring

We use automated systems to assess the risk of fraudulent activity on listings and accounts. This may include analysis of listing content, account behaviour, and device information. A low trust score may result in additional verification requirements or listing removal.

9.2 Search Ranking & Personalisation

Search results are ranked using automated scoring that considers listing quality, relevance, seller reliability, and your browsing history. This affects the visibility of listings but does not restrict access to any content.

9.3 Pricing Intelligence

We provide automated pricing suggestions to sellers based on market data, comparable sales, and demand signals. These are recommendations only; sellers set their own prices.

9.4 Your Rights

• Right to human review: You can request that any automated decision affecting your account be reviewed by a member of our team
• Right to contest: You can challenge the outcome of any automated decision
• Right to an explanation: You can request an explanation of the logic involved in any automated decision

To request human review of an automated decision, contact dpo@cyclesite.co.uk

We use cookies and similar technologies to improve your experience, analyze usage, and deliver personalized content.

Cookie Categories:

• Essential Cookies: Required for the site to function (e.g., login sessions)
• Performance Cookies: Help us understand how visitors use the site
• Functionality Cookies: Remember your preferences
• Marketing Cookies: Used for targeted advertising (requires consent)

See our Cookies Policy for full details. Manage your preferences in Account Settings.

We implement industry-standard security measures to protect your data:

• TLS/SSL encryption for data transmission
• Encrypted password storage (bcrypt)
• Secure cloud hosting with access controls
• Regular security audits and penetration testing
• Staff training on data protection
• Incident response procedures

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.