Privacy Policy
This Privacy Policy explains how Bytebandits OÜ ("Bytebandits", "we", "us", "our") processes personal data when you use the MotoLean X website, web dashboard, authentication flows, and related services (collectively, the "Services"). We aim to meet the transparency requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and related ePrivacy rules, and to provide additional orientation for users in other jurisdictions where commonly expected disclosures exist.
Last updated: 22 March 2025. We will revise this Policy when our processing operations, partners, or legal obligations change. Material changes will be highlighted by updating the date above and, where appropriate, by additional notices through the Services or by email.
1. Data controller
The controller responsible for processing under the GDPR is Bytebandits OÜ, a private limited company incorporated in Estonia, registration code 17265228, with its registered address at Tartu mnt 67/1-13b, Kesklinna linnaosa, Tallinn 10115, Estonia.
You may contact us for privacy matters at max@byte-bandits.com. Where we are not legally required to appoint a Data Protection Officer, you may nonetheless use this address for all data subject requests; please include a concise description of your request and any information that helps us verify your identity without excessive duplication of sensitive documents.
2. Scope of this Policy
This Policy applies to processing carried out in connection with the MotoLean X web presence, account registration and login (including social sign-in), password recovery, the rider dashboard and analytics views offered through the website (including processing of files you upload for analysis in the browser), support communications, and security logging incident to operating a public website.
The MotoLean X mobile application, if and as distributed through third-party app stores, may perform additional or distinct processing (for example local sensor sampling, background location policies, or store-specific analytics). Such processing is governed by the in-app disclosures, store listings, and any separate privacy notice published for the application version you install. This website Policy should be read together with those materials where both touchpoints apply to you.
3. Categories of personal data
Depending on how you use the Services, we or our processors may process the following categories of data, not all of which will apply to every user:
- Account and identity data: identifiers supplied by an authentication provider (for example Google Sign-In), such as a stable user ID, email address, display name, and profile image URL; internally assigned user keys; and optional profile fields you choose to maintain in the product.
- Credentials and security data: for email-password accounts, a password hash held by the authentication infrastructure (not accessible to us in plaintext); security tokens, session identifiers, device hints, and fraud-prevention signals processed by our authentication vendor.
- Riding and telemetry-related content: when you upload GPX or similar files to the web dashboard, the file contents may include time series of positions, speeds, elevations, heart-rate or cadence extensions where present in the file, timestamps, and file names you provide. Depending on configuration, such data can reveal where and when you rode, possibly including sensitive locations.
- Derived analytics: aggregates, statistical summaries, charts, lap or sector estimates, lean-angle proxies, quality metrics, and other computed outputs generated from your uploaded content or mock demonstration datasets where applicable.
- Usage and technical data: IP address, approximate location derived from IP, user agent string, browser type, operating system, referral URL, pages viewed, interaction events, error logs, performance timings, and similar diagnostics needed to operate and secure the site.
- Communications: the content of emails or form messages you send us, metadata (headers, timestamps), and internal notes created to handle your request.
- Payment and billing data (future): if paid plans are introduced, billing name, billing address, transaction identifiers, tax indicators, and partial payment instrument details as processed by payment service providers under their own terms; we typically do not store full card numbers on our servers.
4. Sources of personal data
We obtain personal data directly from you (for example when you create an account, upload a file, or email us), automatically from your device and browser when you access the Services, and from third parties such as Google when you choose Google Sign-In. We may also receive abuse or security signals from infrastructure partners.
5. Purposes, legal bases, and legitimate interests
Under the GDPR, we process personal data only where a legal basis applies. The table below summarises typical processing operations. Where we rely on legitimate interests (Article 6(1)(f) GDPR), we have balanced those interests against your rights; you may object as described in Section 12.
5.1 Providing the Services and performing a contract
Legal basis: Article 6(1)(b) GDPR (processing necessary for the performance of a contract with you, or pre-contractual steps at your request).
Activities include: creating and maintaining your account; authenticating you; displaying your dashboard; parsing and analysing files you upload to produce requested analytics; storing your preferences where they form part of the service; providing customer support tied to your account.
5.2 Compliance with legal obligations
Legal basis: Article 6(1)(c) GDPR.
Activities include: retaining certain records for tax, commercial, or corporate law; responding to lawful requests from public authorities; fulfilling information duties where mandated.
5.3 Consent
Legal basis: Article 6(1)(a) GDPR, and, where applicable, Article 7 GDPR together with national ePrivacy implementations for storage or access to information on your device that is not strictly necessary.
Activities include: optional marketing communications if we introduce them with a clear opt-in; non-essential cookies or similar technologies if we deploy them; any experimental feature explicitly gated behind consent. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
5.4 Legitimate interests of Bytebandits or third parties
Legal basis: Article 6(1)(f) GDPR.
Activities include: ensuring network and information security (detection of attacks, spam, credential stuffing); debugging and improving reliability of the Services; enforcing our Terms of Use; defending legal claims; aggregated, non-identifying analytics about product usage to guide development; corporate transactions subject to appropriate safeguards.
6. Recipients and subprocessors
We use vetted service providers who process personal data on our instructions (processors under Article 28 GDPR) or who determine their own purposes in limited cases (independent controllers), including:
- Google / Firebase (Google LLC and affiliates): authentication (including Google Sign-In), identity token validation, and related security features. Google's privacy materials and data processing terms apply in addition to this Policy. Data may be processed in the United States and other countries where Google operates infrastructure, subject to appropriate safeguards such as Standard Contractual Clauses and supplementary measures as required by case law.
- Hosting, DNS, and content delivery: providers that store website assets, execute server-side logic, terminate TLS, and distribute content globally. The specific vendor may change; we maintain internal records of subprocessor updates for accountability.
- Email and productivity tools: providers used to send transactional messages, receive support mailboxes, and collaborate internally on incident response.
- Professional advisers: lawyers, accountants, or auditors bound by confidentiality, where disclosure is necessary to obtain advice or meet compliance obligations.
We do not sell your personal data in the sense of exchanging it for money with data brokers. If we ever introduce partnerships involving revenue-sharing based on personal advertising profiles, we will update this Policy and, where required, obtain consent or offer opt-outs consistent with applicable law.
7. International transfers
Because we are an Estonian company serving users globally, your data may be processed in the European Economic Area (EEA) and, where service providers are located elsewhere, transferred subject to GDPR Chapter V mechanisms (for example EU Commission adequacy decisions, Standard Contractual Clauses, UK International Data Transfer Addenda where relevant, or derogations under Article 49 GDPR for occasional transfers). Copies of safeguards may be provided upon request where not already published by the vendor.
8. Retention periods
We retain personal data only as long as necessary for the purposes for which it was collected, unless a longer period is required or permitted by law. Indicative defaults (subject to product evolution) include:
- Account data for the lifetime of the account plus a short wind-down period to handle disputes and backups, unless you request earlier deletion and no overriding retention duty applies.
- Telemetry files and derived analytics for as long as you keep them in the product or until you delete them, and thereafter in backups until overwritten according to technical rotation schedules.
- Security and server logs on a rolling basis typically ranging from days to a few months, unless extended for incident investigation.
- Tax and commercial records for statutory limitation periods (often several years) where applicable.
During phases where dashboard data is demonstrative or mock, retention may be minimal or ephemeral; we will align this Policy with production behaviour when persistent cloud sync ships.
9. Security measures
We implement technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS), access controls, separation of environments where feasible, dependency patching practices, and least-privilege credentials for operational staff. No method of transmission or storage is completely secure; you should protect your devices, use unique passwords, and enable multi-factor authentication where offered by your identity provider.
10. Automated decision-making and profiling
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. Analytics outputs are assistive and informational; human judgment remains essential for safety-critical riding decisions.
11. Children's privacy
The Services are not directed at children below the age at which they can lawfully provide consent for information society services in their country without parental authorisation (often 16 under the GDPR, subject to member state reductions down to 13). If you believe we have collected data from a child without appropriate authority, contact us and we will take steps to delete the information where required.
12. Your rights under the GDPR
Subject to conditions and exceptions in the GDPR, you may have the following rights in relation to your personal data:
- Access (Article 15): obtain confirmation whether we process your data and receive a copy.
- Rectification (Article 16): correct inaccurate data.
- Erasure (Article 17): request deletion where applicable ("right to be forgotten").
- Restriction (Article 18): request limitation of processing in certain cases.
- Data portability (Article 20): receive structured, commonly used, machine-readable data where processing is based on consent or contract and carried out by automated means.
- Objection (Article 21): object to processing based on legitimate interests or to direct marketing.
- Withdraw consent: where processing is consent-based, withdraw at any time.
- Complaint: lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
To exercise rights, email max@byte-bandits.com. We may need to verify your identity before fulfilling certain requests. Where we refuse a request, we will explain the reasons and inform you of your right to complain to a supervisory authority or seek judicial remedy.
13. Cookies, local storage, and similar technologies
A dedicated, inventory-oriented explanation of how the MotoLean X website uses cookies and comparable storage — including what we audited in source code, Firebase Authentication persistence, Google Sign-In, and map tiles — is published in our Cookie Policy. The summary below remains part of this Privacy Policy for GDPR transparency.
In the current public web build, we do not operate first-party HTTP cookies for analytics or advertising. Session and account features rely on Firebase Authentication, which typically uses IndexedDB and related browser storage on your device to keep you signed in. Google Sign-In may involve cookies on Google-controlled domains. These mechanisms support functionality you request (authentication) and are described in more detail in the Cookie Policy.
Strictly necessary technologies are those required to deliver a service you explicitly requested — for example keeping you logged in, honouring security settings, or load-balancing traffic. Under EU ePrivacy implementations, such technologies typically do not require consent, though this Policy still informs you of their presence.
Non-essential technologies include analytics or advertising cookies that go beyond core functionality. If we deploy them, we will provide a consent mechanism where legally required and document your choices in the Cookie Policy. You can also control cookies and site data through your browser settings; disabling strictly necessary storage may impair authentication or dashboard features.
14. California and other US state privacy notices
If you reside in a US state with comprehensive consumer privacy laws (including California, Colorado, Virginia, Connecticut, Utah, and others as enacted), you may have additional rights regarding access, deletion, correction, opt-out of certain sales/sharing, and appeal of decisions, subject to scope and entity thresholds. We do not intend to "sell" or "share" personal information as defined in the California Consumer Privacy Act, as amended, based on our current understanding of our practices; if that changes, we will update this section and provide legally required links and preference controls.
California residents may designate an authorised agent; we may require signed permission and identity verification. We do not discriminate against you for exercising privacy rights.
15. Representative in the Union (if applicable)
Because our controller establishment is within the EU, a separate Article 27 GDPR representative in the Union is generally not required for processing activities limited to our Estonian establishment. Should we offer services to persons in the EEA solely from a non-EU establishment in the future, we will appoint a representative where mandated and publish their contact details.
16. Contact
For privacy questions and requests: max@byte-bandits.com. General legal and company information: see our Impressum.