Pelori Privacy Policy

Last updated: 5 May 2026

Pelori ("we", "us") makes a ride-coordination app for cyclists. You use it to plan group rides with friends, RSVP per occurrence, chat with the crew, and find public rides nearby. This policy explains what we collect, how we use it, and the controls you have.

Information we collect

Information you provide

• Account profile — email, first and family name, date of birth (used to verify the 16+ minimum age), country, and an optional profile picture you upload.
• Ride content — ride names, descriptions, schedules, and meeting points you create or are invited to, plus your membership of each ride.
• RSVP responses — per-occurrence "going / not going / maybe" answers. Visible to other members of the same ride.
• Chat messages — text you send in a ride's group chat. Visible to other members of that ride.
• Feedback — text you submit through the in-app feedback form, along with the app version and platform.

Information collected automatically

• Location (foreground only) — if you grant the permission, your device's coordinates are read at app start and sent with each Discover query so we can sort public rides by distance from you. Coordinates are not persisted server-side. You can deny the permission and Discover still works (without distance sorting).
• Diagnostic information — anonymised crash and performance reports via Sentry. We do not attach request bodies or user-identifying details to these reports.

Calendar (optional, write-only)

When you tap Add to calendar after RSVPing or joining a ride, Pelori requests write-only calendar permission and pre-populates the system add-event sheet with the ride's name, time, and meeting point. We never read your existing calendar contents and never write to your calendar without your explicit confirmation in the system sheet.

Deep links

When you share a ride, Pelori generates a link of the form pelori://rides/<id> (or https://pelori.fit/rides/<id>). The link encodes only the ride's unique identifier; recipients still need to be a member of the ride to open it.

How we use your information

• Operate the service: authenticate you, deliver invitations, render rides, deliver chat messages.
• Enforce the 16+ age requirement.
• Investigate bugs and improve the app via crash reports and feedback.

We do not sell your personal information and we do not use it for third-party advertising.

Where your data is stored

• Amazon Web Services (London region, eu-west-2) — Cognito for authentication, DynamoDB for ride / chat / RSVP data, S3 for profile pictures.
• Sentry — anonymised crash and performance diagnostics.

Data retention

• Account data — retained while your account is active. Deleting your account removes your profile, every ride you organise, every membership, every chat message you've posted, your RSVPs, and your avatar.
• Feedback messages — retained indefinitely so we can act on them.
• Crash diagnostics — retained per Sentry's default retention (90 days).

Your rights

• Access — request a copy of the data we hold about you by contacting us at the address below.
• Deletion — open Profile → Delete account in the app. Your Cognito user, every ride you organise (and its members), all your memberships, all your chat messages, your RSVPs, and your avatar files are permanently removed. Deletion is immediate and not recoverable.
• Correction — edit your profile in the app, or contact us if a field is not directly editable.
• Withdraw consent — revoke calendar or location permission in iOS Settings → Pelori at any time, or delete your account.

EU / UK users have the right under the GDPR to lodge a complaint with their local data protection authority. California users may request access, deletion, or correction under the CCPA / CPRA without discrimination.

Children

Pelori is for users aged 16 and older. We do not knowingly collect data from children under 16. If we learn we have, we delete the account.

Security

We use HTTPS for all transport, JWT-authenticated APIs, and least-privilege IAM roles. Profile pictures are stored in private S3 buckets and served via signed URLs. We rotate third-party credentials through AWS Secrets Manager. No system is perfectly secure — use a strong unique password and enable a screen lock on your device.

Changes to this policy

We will update the "Last updated" date when this policy changes. Material changes are surfaced in-app the next time you sign in.

Contact

hello@pelori.fit