Endless Rally

Privacy Policy

Effective date: April 16, 2026 · Last updated: April 16, 2026

Endless Rally is operated by Swell Farms Inc., a company registered in British Columbia, Canada ("we", "us", "Swell Farms"). This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and your rights over it. We try to collect as little as we can, never sell it, and let you delete it whenever you want.

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and provide protections consistent with the EU/UK General Data Protection Regulation (GDPR) where applicable to our users. If you have a privacy question or request, email fun@endlessrally.com and we will respond within 30 days.

1. Who we are and how to reach us

Data controller: Swell Farms Inc., British Columbia, Canada.
Privacy contact: fun@endlessrally.com (subject line "Privacy").

2. What we collect

When you create an account:

  • Email address — for login, account recovery, and service notices.
  • Password — stored as a one-way bcrypt hash. We cannot read your actual password.
  • Username and display name — public, shown on the leaderboard and your profile.
  • Founding Rider number — an internal identifier (1 through 2000 or null) assigned at signup to track eligibility for the founding subscription rate.

When you use the Service:

  • Bikes you add — year, make, model, nickname, color, odometer reading, starting odometer, optional build thread URL.
  • Log entries — service entries, modifications, fuel stops, mileage updates, parts catalog entries.
  • Photos you upload — bike photos, service receipts, odometer pictures, mod photos, parts photos.
  • Optional profile information — bio, location (city/region, free-text), ADVRider, Reddit, Instagram handles.
  • Usage data from server logs — IP address, browser user agent, page requested, timestamp. Retained in nginx logs for up to 14 days for security and diagnostics, then rotated out.

Things we do not collect:

  • Your real name, unless you put it in your display name or bio.
  • Your home address.
  • Your payment card details directly (Stripe handles all payment data when paid subscriptions launch — see Section 5).
  • GPS coordinates embedded in photos — we strip all EXIF metadata (including GPS, camera model, timestamps) client-side before photos are uploaded.
  • Third-party analytics or advertising trackers. No Google Analytics, no Facebook Pixel, no ad SDKs.

3. How we use your data and our legal basis

| Data | Purpose | Legal basis (GDPR) |
| --- | --- | --- |
| Email, password, username | Create and secure your account; let you log in. | Performance of contract |
| Bikes, logs, parts, photos | Store and display your records to you; calculate leaderboard ranking if you've made a bike public. | Performance of contract |
| Display name, bio, location, social handles | Show your public rider profile if you choose to fill these in. | Consent (you chose to enter them) |
| Server logs (IP, user agent) | Security, abuse prevention, diagnostics, service availability. | Legitimate interest |
| Email address | Send you essential service emails: confirmation, password reset, material changes to terms/privacy, security notices. | Performance of contract / legitimate interest |
| Payment data (via Stripe) | Process subscription payments when paid tier launches. | Performance of contract |

We do not send marketing emails without your explicit opt-in. We do not target advertising based on your data. We do not sell your personal data to anyone, ever.

4. What's public vs private

Public by default:

  • Your username and display name.
  • Your bike's year, make, model, nickname (only if you've marked that bike public).
  • Your bike's current odometer reading and KM-ridden count (for leaderboard ranking).
  • Your bio, location, and social handles if you've filled them in.
  • Your Founding Rider number.

Always private (only you can see):

  • Service log entries, mod entries, fuel logs, mileage history, parts catalog.
  • Photos attached to any log entry.
  • Your email address.
  • Your subscription and payment status.

You can toggle any individual bike between public and private from the bike detail page at any time.

5. Third-party processors and where your data lives

We use the following service providers to operate Endless Rally. Each processes data only on our instructions and each has its own privacy policy.

| Provider | Role | Data location | Policy |
| --- | --- | --- | --- |
| Supabase | Database, authentication, auth email routing | AWS Canada Central (ca-central-1) | supabase.com/privacy |
| Cloudflare | File storage (R2), CDN, upload worker | Global edge + Cloudflare R2 object storage | cloudflare.com/privacypolicy |
| Resend | Transactional email delivery (signup confirmation, password reset) | AWS USA | resend.com/privacy |
| UptimeRobot | Uptime monitoring (pings the site every 5 minutes) | USA | uptimerobot.com/privacy |
| Stripe (future) | Payment processing (when paid subscriptions launch) | USA / Canada | stripe.com/privacy |
| Digital Ocean | Virtual private server hosting | Toronto, Canada | digitalocean.com/privacy |
| Hostinger | Domain registration and DNS | Lithuania / EU | hostinger.com/privacy |

Cross-border transfers: primary storage is in Canada. Some providers may process limited operational data (e.g., email, IP) in the United States or EU. Where transfers occur outside your country, we rely on the providers' Standard Contractual Clauses, Data Processing Agreements, or equivalent safeguards. By using the Service, you consent to these transfers.

6. We do not share your data except:

  • With the service providers above, strictly as needed to run the Service.
  • If required by law, such as in response to a valid court order, subpoena, or legal process in Canada.
  • To protect rights or safety, where we reasonably believe disclosure is necessary to prevent fraud, abuse, imminent harm, or to enforce these Terms.
  • In a business transfer, if Swell Farms Inc. merges, sells assets, or is acquired. We will notify registered users in advance, and the acquirer will be bound by this Privacy Policy until formally replaced.

7. Cookies and similar technologies

We use exactly one browser-storage mechanism: a Supabase authentication token stored in your browser's localStorage. This is what keeps you logged in between pages. It is first-party, set by our domain, and used only for authentication. It is not shared with advertisers or analytics providers.

We do not use Google Analytics, Facebook Pixel, Hotjar, Mixpanel, or any third-party analytics or advertising tracker. If we ever add one, we will update this policy first and give existing users a chance to opt out.

8. Data retention

  • Account data (profile, bikes, logs, photos): retained as long as your account is active.
  • Account deletion: when you email us to delete your account, we wipe your personal data from active systems within 7 days. Backup copies age out of our weekly backup rotation within an additional 7 days.
  • Server logs: IP address and request logs auto-rotate out within 14 days.
  • Transactional emails: handled by Resend and retained per their policy (typically 30-90 days of deliverability logs).
  • Legal hold: we may retain limited data longer if required by law (e.g., tax records for payments, where applicable).

9. Your rights

Under PIPEDA and the GDPR (where applicable), you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and data ("right to erasure").
  • Export your data in a portable format.
  • Withdraw consent for any processing based on consent.
  • Object to processing based on legitimate interest.
  • Lodge a complaint with your local data protection authority. In Canada, that's the Office of the Privacy Commissioner of Canada. In the EU/UK, your national supervisory authority.

How to exercise: Access, edit, and delete bike/log data directly from your account. For account deletion or full data export, email fun@endlessrally.com. We respond to requests within 30 days, as PIPEDA requires. Most simple requests are handled within 1-3 business days.

10. Children's privacy

Endless Rally is not intended for anyone under 18 years of age (or the age of majority in your jurisdiction, whichever is greater). We do not knowingly collect personal data from minors. If you become aware that a minor has created an account, please contact us and we will delete the account and any associated data promptly.

11. Security

  • All site traffic uses HTTPS (TLS) encryption in transit.
  • Passwords are one-way bcrypt-hashed by Supabase. We cannot see or recover your actual password.
  • Row-level security (RLS) in our database ensures users can only read and write their own records.
  • Photo uploads are authenticated with a short-lived JWT, resized and re-encoded as JPEG with EXIF (including GPS) stripped before storage.
  • Database is encrypted at rest by our provider (Supabase).
  • Object storage is encrypted at rest by our provider (Cloudflare R2).
  • Weekly encrypted database backups stored in R2. Backup retention: 8 weeks rolling.

Your part: keep your password strong and unique, enable 2FA on your email account, and don't upload anything in photos you would not want stored (for example, don't upload a photo of a credit card or ID).

12. Data breach notification

If we become aware of a data breach affecting your personal information, we will notify you and the Office of the Privacy Commissioner of Canada as required by PIPEDA and applicable law (generally "as soon as feasible" after we confirm the breach poses a real risk of significant harm). Notifications will describe what happened, what data was affected, what we're doing about it, and what you can do to protect yourself.

13. GPS / location data

Currently, Endless Rally does not track your GPS location, real-time position, or route data. EXIF GPS coordinates from uploaded photos are stripped before storage. "Location" on your profile is a free-text field you type yourself (e.g., "Vancouver Island, BC").

If we add GPS-based features in the future (for example, ride tracking, route recording, or real-time leaderboards), we will update this Privacy Policy, notify existing users, and make GPS features opt-in with clear controls.

14. Marketing communications

We will not send you marketing, promotional, or advertising emails without your explicit opt-in. Transactional emails (signup confirmation, password reset, material policy changes, security notices) are not marketing and are sent as part of operating the Service. If we ever launch a marketing newsletter, subscription will be opt-in only and every such email will include a working unsubscribe link.

15. Photos and sensitive information

You control what you photograph and upload. Please avoid uploading photos that show credit card numbers, licence plates, government ID, home addresses, or other sensitive information. Photos are stored at unguessable UUID URLs but are not behind authentication, so treat them as effectively public to anyone with the URL. If you accidentally upload something sensitive, delete the photo from your log entry immediately — the photo file will be removed from active storage within 7 days.

16. Changes to this Privacy Policy

We may update this Policy from time to time. When we make a material change (new categories of data, new processors, new purposes), we will update the "Last updated" date at the top, notify registered users by email, and where required by law, obtain fresh consent. Minor wording or formatting fixes won't trigger a notification.

17. Contact

Privacy questions, access requests, deletion requests, or complaints: fun@endlessrally.com.

Swell Farms Inc. — British Columbia, Canada.

© 2026 Swell Farms Inc. · Ride more. Rank higher. Join the rally.