We collect only what we need to run the club and its services. We don't sell your data, we don't run ads, and we don't share your information with third parties except where necessary to deliver the services described below (payment processing, Strava integration, map rendering). You can request deletion of your data at any time.
ARDECCI is a cycling club based in Slovenia, operating at ardecci.com. We are the data controller for all personal data collected through this website and its associated services.
For data protection enquiries, contact us at: info@ardecci.com
This policy applies to all visitors, registered users, and members of ardecci.com, regardless of membership tier.
The data we collect depends on how you interact with the site. Below is a full breakdown.
| Data type | What it includes | When collected |
|---|---|---|
| Account data | Name, email address, username, password (hashed) | On registration |
| Membership data | Membership tier, purchase date, expiry date | On membership purchase |
| Order data | Billing name, address, email, order history, payment status | On purchase via WooCommerce |
| Strava credentials | OAuth access token, refresh token, token expiry, Strava athlete ID, first name, last name | When you connect your Strava account |
| Activity data | Activity name, distance, sport type, date, GPS route (polyline), altitude stream, athlete name | Via Strava webhook when you log an activity |
| Location data | Your device's current GPS coordinates | Only when you use "Near me" — not stored |
| GPX file data | Route coordinates, elevation points | When you upload a GPX file — processed in-browser, not stored on our server |
| Technical data | IP address, browser type, referring URL, pages visited | Automatically on site visit (server logs) |
| Cookie data | Session identifiers, login persistence, Strava connection state | On login and Strava OAuth completion |
You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.
The data we collect depends on how you interact with the site. Below is a full breakdown.
| Purpose | Data used |
|---|---|
| Creating and managing your account | Name, email, password |
| Processing membership purchases | Order data, billing address, payment status |
| Displaying the club activity feed | Activity name, athlete name, distance, sport type, date |
| Route overlay on the café map | Strava route polyline, altitude stream |
| Determining café proximity to your route | Route polyline — compared against café coordinates, not stored |
| "Near me" café sorting | Device GPS — used in-browser only, never transmitted to our server |
| Enforcing membership tier access | Membership tier, expiry date |
| Sending transactional emails | Email address, order details |
| Security and fraud prevention | IP address, login attempts |
| Legal compliance | Order records, billing data |
We do not sell your personal data to any third party. We do not use your data for advertising or profiling. We do not use your Strava activity data for any purpose other than displaying it on ardecci.com as described above.
Under GDPR (General Data Protection Regulation), we are required to identify a legal basis for each type of data processing. We rely on the following:
| Processing activity | Legal basis |
|---|---|
| Account creation and management | Contract — necessary to provide the service you registered for |
| Membership and order processing | Contract — necessary to fulfil your purchase |
| Strava OAuth connection and activity processing | Consent — you explicitly authorise this by connecting your Strava account |
| Displaying your activity on the club feed | Consent — granted via Strava OAuth authorisation |
| Retaining order records | Legal obligation — required for tax and accounting purposes |
| Security logging (IP addresses) | Legitimate interest — protecting the integrity of the service |
| Transactional emails | Contract — necessary to communicate order and membership status |
Connecting your Strava account is optional and available to Espresso and Doppio members. When you connect, the following happens:
You can disconnect your Strava account at any time from your profile page. Disconnecting removes your stored tokens from our system. You can also revoke access directly in your Strava account under Settings → My Apps. Once disconnected, no new activity data will be collected. Previously stored activities will be retained for 30 days before being permanently deleted, unless you request immediate deletion.
We access Strava data under Strava's API Agreement. Strava is an independent data controller for data held on their platform — their privacy policy applies to data you share with Strava directly.
The café map is publicly accessible without login. The following applies to location-related features:
Memberships are processed through WooCommerce. Payment transactions are handled by our payment processor — we do not store full card details on our servers at any point.
We retain the following order data for legal and accounting compliance:
This data is retained for a minimum of 7 years as required by Slovenian and EU accounting regulations, even if you delete your account.
All memberships are annual. When a membership expires, your account automatically reverts to the free Ristretto tier. No automatic renewal occurs — you must actively renew. You will receive an email reminder before expiry.
We use the following cookies. We do not use advertising cookies or third-party tracking cookies.
| Cookie name | Purpose | Duration | Type |
|---|---|---|---|
| wordpress_logged_in_* | Maintains your login session | Session / 14 days if "Remember Me" selected | Strictly necessary |
| wordpress_sec_* | Security token for authenticated requests | Session | Strictly necessary |
| wp-settings-* | Stores your WordPress display preferences | 1 year | Functional |
| woocommerce_cart_hash | Tracks cart contents for session continuity | Session | Strictly necessary |
| woocommerce_items_in_cart | Indicates whether cart contains items | Session | Strictly necessary |
| ardecci_strava_athlete | Stores your Strava athlete ID to show connect/disconnect state on the map page | 1 year | Functional |
Strictly necessary cookies are required for the site to function and cannot be disabled. Functional cookies can be cleared via your browser settings at any time, though this may affect certain features such as the Strava connect button state.
We do not use Google Analytics, Facebook Pixel, or any other third-party analytics or advertising trackers.
We use a small number of third-party services to deliver ardecci.com. Each is listed below with a link to their privacy policy.
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Strava | Activity data via OAuth and webhooks | OAuth tokens, activity IDs | strava.com/legal/privacy |
| MapTiler | Vector map tile rendering | IP address (tile requests) | maptiler.com/privacy-policy |
| OpenStreetMap | Map data underlying all map tiles | None directly | osmfoundation.org |
| WooCommerce / Automattic | E-commerce and order processing | Order and billing data | automattic.com/privacy |
| WooPayments | Secure card payment handling | Payment details (not stored by us) | Provided at checkout |
| Neoserv | Server infrastructure | Server logs including IP addresses | Provided on request |
| Google Fonts | Typography (Cormorant Garamond, DM Sans) | IP address on font file request | policies.google.com/privacy |
All third-party processors we use are either based in the EU/EEA or operate under standard contractual clauses (SCCs) approved by the European Commission, ensuring adequate protection for any data transferred outside the EU.
| Data type | Retention period | Reason |
|---|---|---|
| Account data | Until account deletion, or 2 years of inactivity | Service provision |
| Strava tokens | Until disconnected or account deleted | Service provision |
| Strava activity data | Up to 5 most recent activities stored at any time; older entries overwritten automatically | Club activity feed display |
| Strava activity data after disconnect | 30 days, then deleted permanently | Grace period for reconnection |
| Order and billing records | 7 years minimum | Legal/accounting obligation |
| Membership tier and expiry | Duration of membership + 1 year | Dispute resolution |
| Server logs (IP addresses) | 30 days | Security monitoring |
| "Near me" location | Not stored — browser only | N/A |
| GPX file data | Not stored — browser only | N/A |
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
Under GDPR, you have the following rights regarding your personal data. To exercise any of them, contact us at info@ardecci.com.
| Right | What it means |
|---|---|
| Right of access | You can request a copy of all personal data we hold about you |
| Right to rectification | You can correct inaccurate data. Most account data can be updated directly in your profile |
| Right to erasure | You can request deletion of your personal data. We will comply except where we are legally required to retain certain records (e.g. order data) |
| Right to restriction | You can ask us to pause processing your data in certain circumstances, for example while a dispute is resolved |
| Right to data portability | You can request your data in a structured, machine-readable format |
| Right to object | You can object to processing based on legitimate interest. You can withdraw Strava consent at any time by disconnecting your account |
| Right to withdraw consent | Where processing is based on consent (Strava integration), you can withdraw consent at any time without affecting prior processing |
| Rights related to automated decisions | We do not make automated decisions that significantly affect you |
We will respond to all requests within 30 days. If we are unable to fulfil a request, we will explain why.
We take appropriate technical and organisational measures to protect your personal data, including:
We may update this policy from time to time to reflect changes in our services, legal requirements, or data practices. When we make material changes, we will:
For any questions, requests, or concerns about how we handle your personal data, contact us directly at:
Email: info@ardecci.com
Website: ardecci.com
Country: Slovenia, European Union
If you believe we have not handled your data in accordance with GDPR, you have the right to lodge a complaint with the Slovenian supervisory authority:
Information Commissioner of the Republic of Slovenia
(Informacijski pooblaščenec)
Website: ip-rs.si
Email: gp.ip@ip-rs.si
Phone: +386 1 230 97 30
You also have the right to lodge a complaint with the supervisory authority in your country of residence if it differs from Slovenia.
