
Privacy Policy

Last updated: January 28, 2025
Version: 1.0

Last updated: January 29, 2026 Version: 1.0

1. Data Controller

Cyclora (hereinafter, “we”, “our” or “the Platform”) is the data controller for personal data collected through our mobile application and website.

This document constitutes the Personal Data Treatment Policy (Manual de Políticas de Tratamiento) in accordance with Article 4 of Law 1581 of 2012 and Decree 1377 of 2013. For a summarized version, see our Privacy Notice.

This policy is governed by the following regulations:

  • Law 1581 of 2012 — General personal data protection regime (Habeas Data), Colombia
  • Decree 1377 of 2013 — Partial regulation of Law 1581
  • Decree 1074 of 2015, Chapter 26 — National Database Registry (RNBD)
  • Law 1266 of 2008 — Financial Habeas Data (for billing and credit data)
  • Law 1273 of 2009 — Information and data protection (cybercrime)
  • Law 527 of 1999 — Electronic commerce and digital signatures
  • GDPR (EU) — General Data Protection Regulation
  • CCPA/CPRA (California) — Consumer Privacy Act
  • LGPD (Brazil) — Lei Geral de Proteção de Dados
  • LFPDPPP (Mexico) — Federal Data Protection Law

National Database Registry (RNBD)

In accordance with Chapter 26 of Decree 1074 of 2015 and Decree 090 of 2018, Cyclora will register its databases with the Superintendence of Industry and Commerce (SIC) when total assets exceed the 100,000 UVT threshold established by regulation.

2. Data We Collect

We collect the following personal data to provide our services:

2.1 Registration and Account Data

  • Email address: For authentication and communications
  • First and last name: To personalize your profile
  • Password: Stored in encrypted form

2.2 Vehicle Data

  • Bicycle photos: For identification and inventory management
  • Maintenance history: Records of services performed
  • Digital property cards: Ownership verification documents

2.3 Third-Party Authentication Data

If you choose to register through third-party services, we collect:

  • Google OAuth: Name, email, and profile picture
  • Facebook Login: Name, email, and profile picture
  • Apple Sign In: Name and email

2.4 Technical Data

  • IP address
  • Device type and browser
  • Operating system
  • Application usage data

3. Camera Usage

Our application requests access to your device’s camera for:

  • Photographing bicycles: Uploading images of your vehicles
  • Scanning QR codes: Verifying property cards
  • Documenting maintenance: Recording before/after service status

Important: Photos are securely stored on our servers. We do not access other photos in your gallery without your explicit consent.

4. Authorization for Data Processing

4.1 Authorization Requirements (Law 1581, Art. 9)

In accordance with Law 1581 of 2012, authorization for processing your personal data is:

  • Prior: Requested before data collection
  • Express: Clear and unambiguous
  • Informed: You understand the processing that will be performed
  • Verifiable: We can demonstrate that you granted it

By registering on Cyclora, you grant your express and informed authorization for the processing of your data in accordance with this policy. We retain evidence of such authorization.

4.2 Sensitive Data

Cyclora does not routinely collect sensitive data (racial or ethnic origin, political orientation, religious beliefs, health data, sexual life, biometric data). If such data is required in the future:

  • We will inform you that you are not obligated to authorize its processing
  • We will explicitly state which data is sensitive
  • We will inform you of the specific purpose of the processing

We process your personal data under the following legal bases:

  • Consent (Law 1581, Art. 9): When you register and accept this policy, you grant prior, express, and informed authorization
  • Contract performance: To provide contracted services per the Terms of Service
  • Legitimate interest: To improve our services and prevent fraud. Specifically:
    • Detection of fraudulent activity on the platform
    • Prevention of stolen bicycle registration
    • Platform security improvements
    • Aggregated and anonymous service usage analysis
  • Legal obligation: To comply with Law 1581 of 2012, Law 1266 of 2008 (billing financial data), tax obligations with DIAN, and other applicable regulations

4.4 Financial and Billing Data (Law 1266 of 2008)

For billing and payment data, Law 1266 of 2008 (Financial Habeas Data) also applies. This data includes transaction information, subscription payment history, and electronic invoicing data. It is shared with MercadoPago (payment processor) and retained according to DIAN tax obligations.

5. Purpose of Processing

We use your data to:

  1. Create and manage your user account
  2. Provide platform services
  3. Process transactions and billing
  4. Send service-related communications
  5. Send marketing communications (only with your consent)
  6. Improve our products and services
  7. Prevent fraud and unauthorized activities
  8. Comply with legal obligations

6. Data Recipients

We may share your data with:

6.1 Service Providers

  • Cloud storage: AWS/Google Cloud
  • Authentication: Google, Facebook, Apple
  • Payments: MercadoPago (for billing)
  • Analytics: Google Analytics (anonymized data)

6.2 Authorities

When required by law or to protect our legal rights.

We do not sell your personal data to third parties.

7. International Transfers

Your data may be transferred and stored on servers located outside Colombia. To ensure the protection of your data during these transfers, we use the following mechanisms:

  • Standard Contractual Clauses (SCCs): Approved by the European Commission (Decision 2021/914) for transfers to countries without adequacy decisions
  • Data Privacy Framework (DPF): For transfers to the USA where the provider is certified under the EU-US framework
  • Adequacy decisions: Where the European Commission has determined that the destination country provides an adequate level of protection

Destination Countries

| Country | Provider | Transfer Mechanism |
|---|---|---|
| United States | AWS, Google, Expo | SCCs + DPF |
| Argentina | MercadoPago | EU adequacy decision |
| Colombia | Cyclora primary servers | Country of origin |

Compliance with Law 1581 of 2012 (Art. 26)

Law 1581 of 2012 prohibits the transfer of personal data to countries that do not provide adequate levels of protection. In accordance with the SIC’s Circular Única (Title V, Chapter 3), the destination countries for our transfers (United States, Argentina) are on the list of countries with adequate protection levels recognized by the SIC.

If it becomes necessary to transfer data to a country not on the list, we will request the corresponding Declaration of Conformity from the SIC or apply the exceptions provided in Article 26 of Law 1581 (express authorization from the data subject, transfers necessary for contract performance, among others).

For more details, see our Data Processing Agreement (DPA).

8. Retention Period

We retain your data while your account is active. After account deletion:

  • Account data: Deleted immediately (soft delete) or permanently upon request
  • Billing data: Retained for 5 years (legal obligation)
  • Backups: Deleted within a maximum of 90 days

9. Your Rights by Region

9.1 General Rights (All Users)

Regardless of your location, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data
  • Object: Object to the processing of your data
  • Withdraw consent: At any time, without affecting the lawfulness of prior processing

9.2 European Union / EEA (GDPR)

If you reside in the EU or the European Economic Area, you additionally have:

  • Portability (Art. 20): Receive your data in a structured, commonly used, and machine-readable format
  • Restriction of processing (Art. 18): Restrict processing in certain circumstances
  • Object to profiling (Art. 21): Object to processing based on legitimate interests, including profiling
  • Not be subject to automated decisions (Art. 22): Not be subject to decisions based solely on automated processing that produce legal effects

Supervisory authority: You may file a complaint with your local data protection authority. For EU users, see the list of authorities.

Response time: 30 days (extendable by an additional 60 days for complex requests).

9.3 California, USA (CCPA/CPRA)

If you reside in California, you have the following rights under the CCPA/CPRA:

  • Right to know: What personal data we collect, use, share, or sell
  • Right to delete: Request deletion of your personal data
  • Right to opt-out: Of the sale or sharing of personal data. Cyclora does not sell personal data
  • Right to non-discrimination: You will not be discriminated against for exercising your privacy rights
  • Right to correct: Correct inaccurate data
  • Right to limit: Limit the use and disclosure of sensitive data

Categories of data collected in the last 12 months: Identifiers (name, email), commercial information (purchase history), Internet activity data (app usage), and geolocation data (when applicable).

We do not sell or share personal data for cross-context behavioral advertising purposes.

9.4 Brazil (LGPD)

If you reside in Brazil, you have the following rights under the LGPD:

  • Confirmation and access: Confirm the existence of processing and access your data
  • Correction: Correct incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion: Of data processed excessively or unlawfully
  • Portability: To another service provider
  • Deletion: Of data processed with consent
  • Information: About the entities with which we share your data
  • Revocation of consent: At any time

Authority: ANPD (Autoridade Nacional de Proteção de Dados).

9.5 Colombia (Law 1581 of 2012)

If you reside in Colombia, you have ARCO rights:

  • Access: Know, update, and rectify your personal data
  • Rectification: Update partial, inaccurate, incomplete, or fragmented data
  • Cancellation: Request the deletion of data when principles, rights, and constitutional and legal guarantees are not respected
  • Opposition: Object to the processing of personal data

Supervisory authority: Superintendencia de Industria y Comercio (SIC) of Colombia.

Response timeframes (Decree 1377 of 2013):

  • Queries: 10 business days (extendable by 5 additional business days)
  • Complaints: 15 business days (extendable by 8 additional business days)

9.6 Mexico (LFPDPPP)

If you reside in Mexico, you have ARCO rights under the Federal Data Protection Law:

  • Access: Know what personal data we are processing
  • Rectification: Correct inaccurate data and object to automated decision-making
  • Cancellation: Request deletion of data from our systems and records
  • Opposition: Object to processing, including automated decisions producing significant effects

Authority: Ministry of Anti-Corruption and Good Governance (since March 2025, formerly INAI).

9.7 Chile (Law 21.719)

If you reside in Chile, starting December 2026 (when Law 21.719 takes effect), you will have the following rights:

  • Access, rectification, erasure, opposition, and blocking
  • Portability: Receive data in structured, machine-readable format
  • Not to be subject to automated decisions: Including AI and profiling

Authority: Personal Data Protection Agency (APDP).

9.8 Peru (Law 29733)

If you reside in Peru, you have rights under the Personal Data Protection Law:

  • Information: Transparency about data processing
  • Access: Information about data processed in data banks
  • Rectification: Correct incomplete, inaccurate, or erroneous data
  • Erasure: Delete data found to be inadequate

Authority: National Personal Data Protection Authority (APDP), attached to the Ministry of Justice.

9.9 Ecuador (LOPDP)

If you reside in Ecuador, you have ARCO+ rights under the Organic Law on Personal Data Protection (2021):

  • Access, rectification, cancellation, opposition
  • Portability: Data transfer in structured format
  • Not to be subject to automated processing: Protection against automated decisions, including AI systems

Authority: Superintendence of Personal Data Protection (SPDP).

9.10 Uruguay (Law 18.331)

If you reside in Uruguay, you have rights under the Personal Data Protection and Habeas Data Law:

  • Access, rectification, erasure, opposition
  • Portability: Request data in structured, machine-readable format

Authority: Regulatory and Data Control Unit (URCDP). Note: Uruguay has held EU adequacy status since 2012.

9.11 Argentina (Law 25.326)

If you reside in Argentina, you have Habeas Data rights under the Personal Data Protection Law:

  • Access: Obtain information about personal data being processed
  • Rectification: Correct inaccurate, incomplete, or outdated data
  • Erasure: Delete personal data
  • Information: Transparency about processing

Authority: Public Information Access Agency (AAIP). Note: Argentina has held EU adequacy status since 2003.

How to Exercise Your Rights

  1. From the app: Go to Settings > Privacy > Manage my data
  2. By email: Send your request to privacy@cyclora.app including your name, identification document, data description, and requested action
  3. Account deletion: Available in Settings > Account > Delete account

Response timeframes:

  • Colombia (queries): 10 business days (Art. 14, Law 1581)
  • Colombia (complaints): 15 business days (Art. 15, Law 1581)
  • European Union (GDPR): 30 days (extendable by 60 additional days)
  • Brazil (LGPD): 15 days (simplified statement immediately)
  • California (CCPA): 45 days
  • Other countries: Per applicable local legislation

10. Data Security

We implement technical and organizational measures to protect your data:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest (AES-256)
  • Role-based access controls
  • Continuous security monitoring
  • Regular backups

11. Children’s Privacy

Our services are not directed at minors under 18 years old. We do not intentionally collect data from minors. If we detect that we have collected data from a minor, we will delete it immediately.

12. Changes to This Policy

We may update this policy occasionally. We will notify you of significant changes through:

  • Email to your registered address
  • In-app notification
  • Prominent notice on our website

The “Last updated” date at the beginning indicates when the last modification was made.

13. Contact

For inquiries about this policy or the processing of your data:

14. Location Data and GPS

Cyclora plans to integrate location-based features in future versions of the mobile application. When this functionality is implemented:

  • Your explicit consent will be requested before accessing GPS location data
  • You will be able to enable or disable location at any time from the app settings
  • Location data will be used exclusively for service features (e.g., cycling routes, nearby stores)
  • We will not track your location in the background without your express consent

Current status: GPS functionality is not currently active. This section will be updated when implemented.

15. Mobile App Permissions

Our mobile application may request the following permissions from your device:

| Permission | Purpose | Required |
|---|---|---|
| Camera | Photograph bicycles, scan QR codes | No (required for specific features) |
| Storage/Photos | Upload bicycle images from gallery | No (required for uploading photos) |
| Push notifications | Maintenance alerts, service updates | No |
| Location | Future functionality — nearby stores, routes (not currently active) | No |

You can revoke any permission from your device settings. Revocation may limit certain app features.

Data collected by the mobile platform (Expo/React Native):

  • Device type and model
  • Operating system version
  • App version
  • Crash reporting data (anonymous) to improve stability

16. Security Breach Notification

In the event of a security breach affecting your personal data:

Procedure

  1. Detection and assessment: We will assess the nature and scope of the breach
  2. Authority notification: We will notify the competent data protection authority within 72 hours of becoming aware of the breach (as required by GDPR Art. 33)
  3. User notification: If the breach poses a high risk to your rights and freedoms, we will notify you without undue delay

Information We Will Provide

  • Nature of the breach and data affected
  • Measures we have taken or propose to take
  • Recommendations so you can protect yourself
  • Contact details for further inquiries

Notification Channels

  • Email to your registered address
  • In-app notification
  • Website notice (for breaches affecting many users)

For more details, see our Data Processing Agreement (DPA).

17. Sub-processors

We use the following service providers (sub-processors) to operate the platform:

| Provider | Purpose | Country | Privacy Policy |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and storage | USA | AWS Privacy |
| Google Cloud Platform | Authentication (OAuth) | USA | Google Privacy |
| MercadoPago | Payment processing | Argentina/Colombia | MP Privacy |
| Google Analytics | Web analytics (anonymized data) | USA | Google Privacy |
| Expo (React Native) | Mobile services, push notifications | USA | Expo Privacy |
| Cloudflare | CDN, security, DNS | Global | CF Privacy |
| Facebook/Meta | Authentication (Login) and marketing | USA | Meta Privacy |
| Apple | Authentication (Sign In) | USA | Apple Privacy |

The updated list of sub-processors is available in our DPA. We will notify you of changes at least 30 days in advance.

18. Automated Decisions and Profiling

Currently, Cyclora does not use fully automated decision-making processes that produce legal effects or similarly significantly affect you (pursuant to GDPR Art. 22).

We may use automated processing for:

  • Fraud detection: Automated alerts based on suspicious activity patterns on the platform. These alerts are reviewed by human staff before any action is taken
  • Recommendations: Product or service suggestions based on your activity, without legal effects

If we implement automated decisions with significant effects in the future, we will inform you and ensure your right to obtain human intervention, express your point of view, and contest the decision.

19. “Do Not Track” (DNT) Signal

Cyclora respects your browser’s “Do Not Track” signal. When we detect an active DNT signal:

  • We do not set analytics or marketing cookies
  • We do not activate third-party tracking pixels
  • We only use strictly necessary cookies for site operation

For more information about managing cookies, see our Cookie Policy.

20. Mobile Analytics

Our mobile application uses default Expo/React Native services for:

  • Crash reporting: Anonymous collection of error reports to improve app stability
  • Performance metrics: Load times and overall performance (anonymized)

This data is anonymous and does not allow personal identification. We do not use additional third-party analytics services in the mobile app.

21. Supervisory Authority

If you believe that the processing of your data violates regulations, you may file a complaint with:

  • Colombia: Superintendencia de Industria y Comercio (SIC)
  • European Union: Your local data protection authority (list of authorities)
  • Brazil: ANPD (Autoridade Nacional de Proteção de Dados)
  • California: California Attorney General’s Office

This policy complies with Law 1581 of 2012 (Colombia), the General Data Protection Regulation (GDPR) of the European Union, the California Consumer Privacy Act (CCPA/CPRA), and Brazil’s Lei Geral de Proteção de Dados (LGPD).