This Privacy Policy describes how Shoulderhip ("we," "us," or "our") collects, uses, stores, and protects personal data when you visit our website at shoulderhip.world or interact with our services related to cycling meetups and group rides in Stockholm, Sweden. We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR), the Swedish Data Protection Act (Dataskyddslagen), and other applicable international data protection laws.
1. Data Controller Information
The data controller responsible for your personal data is:
- Company Name: Shoulderhip
- Address: Södermannagatan 21, 116 40 Stockholm, Sweden
- Phone: +46 10 516 44 80
- Email: hello@shoulderhip.world
- Website: shoulderhip.world
For any questions or concerns regarding this Privacy Policy or the processing of your personal data, you may contact us using the details above. We aim to respond to all privacy-related inquiries within 30 days.
2. Scope of This Policy
This Privacy Policy applies to all personal data collected through our website, contact forms, email correspondence, phone communications, and any other channels through which you interact with Shoulderhip. It covers data collected from visitors, prospective members, registered participants in rides and meetups, purchasers of educational products, and individuals who subscribe to our communications.
This policy does not apply to third-party websites or services that may be linked from our platform. We encourage you to review the privacy policies of any external sites you visit through links on our website.
3. Categories of Personal Data We Collect
3.1 Data You Provide Directly
When you interact with our website or services, you may voluntarily provide the following categories of personal data:
- Identity Data: Your full name and any username or identifier you choose to provide when contacting us or registering for events.
- Contact Data: Your email address, telephone number, and postal address when provided through our contact form or direct correspondence.
- Communication Data: The content of messages, inquiries, and feedback you submit through our contact form, email, or phone conversations.
- Consent Data: Records of your consent to data processing, including GDPR consent checkbox confirmations and cookie preference selections.
- Event Registration Data: Information related to your participation in rides, meetups, and themed ride programs, including preferred dates, experience level, and equipment details you choose to share.
- Transaction Data: Payment-related information when you purchase educational products or paid programs, including billing name and transaction references. We do not store full payment card details on our servers.
3.2 Data Collected Automatically
When you visit our website, certain data may be collected automatically through cookies and similar technologies, subject to your cookie preferences:
- Technical Data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
- Usage Data: Pages visited, time spent on pages, navigation paths, referral sources, and interaction patterns within the website.
- Location Data: General geographic location derived from your IP address (country and city level), not precise GPS coordinates.
4. Purposes of Data Processing and Legal Bases
We process your personal data only for specified, explicit, and legitimate purposes. The list below outlines our primary processing activities and their corresponding legal bases under GDPR Article 6:
- Responding to Inquiries: We process your contact data and message content to respond to questions, ride registrations, and meetup attendance requests. Legal basis: Performance of a contract (Article 6(1)(b)) or Legitimate interest (Article 6(1)(f)).
- Event Coordination: We process registration data to organize rides, meetups, and programs, including communicating meeting points, schedules, and preparation notes. Legal basis: Performance of a contract (Article 6(1)(b)).
- Website Functionality: We process technical data necessary for the operation, security, and maintenance of our website. Legal basis: Legitimate interest (Article 6(1)(f)) and Legal obligation (Article 6(1)(c)).
- Analytics: With your consent, we process usage data to understand how visitors interact with our website and improve user experience. Legal basis: Consent (Article 6(1)(a)).
- Marketing Communications: With your consent, we may process your contact data to send information about upcoming events, new programs, and community updates. Legal basis: Consent (Article 6(1)(a)).
- Legal Compliance: We may process data as required by applicable laws, regulations, or legal proceedings. Legal basis: Legal obligation (Article 6(1)(c)).
- Transaction Processing: We process transaction data to fulfill purchases of educational products and paid programs. Legal basis: Performance of a contract (Article 6(1)(b)).
5. Data Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Our standard retention periods are as follows:
- Contact Form Submissions: Retained for 24 months from the date of submission, unless an ongoing relationship requires extended retention.
- Event Registration Records: Retained for 36 months following the event date to facilitate repeat participation and community records.
- Transaction Records: Retained for 7 years in accordance with Swedish accounting and tax regulations.
- Cookie Consent Records: Retained for 12 months from the date of consent, after which we request renewed consent.
- Analytics Data: Aggregated analytics data retained for 26 months; individual-level data anonymized after 14 months.
- Marketing Consent Records: Retained until consent is withdrawn, plus 12 months for audit purposes.
- Server Log Files: Retained for 90 days for security monitoring and troubleshooting purposes.
Upon expiration of the applicable retention period, personal data is securely deleted or anonymized so that it can no longer be associated with an identified or identifiable individual.
6. Data Sharing and Third-Party Processors
We do not sell, rent, or trade your personal data to third parties. We may share your data with the following categories of recipients, strictly for the purposes described in this policy:
- Hosting and Infrastructure Providers: Companies that provide web hosting, server management, and content delivery services necessary to operate our website.
- Email Service Providers: Platforms used to send transactional and informational emails in response to your inquiries and event registrations.
- Analytics Providers: Services that help us understand website usage patterns, activated only with your explicit cookie consent.
- Payment Processors: Secure third-party payment gateways that handle transactions for educational products and paid programs.
- Legal and Regulatory Authorities: Government bodies, courts, or law enforcement agencies when required by applicable law or legal process.
All third-party processors are bound by data processing agreements that require them to protect your data in accordance with GDPR standards and process it only according to our documented instructions.
7. International Data Transfers
Your personal data is primarily processed within the European Economic Area (EEA). If any of our service providers process data outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms under GDPR Chapter V.
8. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, destruction, and other risks. These measures include:
- HTTPS encryption for all data transmitted between your browser and our website.
- Access controls limiting personal data access to authorized personnel on a need-to-know basis.
- Regular security assessments and updates to our website infrastructure and software.
- Secure storage of contact form submissions and registration records with encrypted databases where applicable.
- Employee training on data protection principles and secure handling of personal information.
- Incident response procedures for detecting, reporting, and addressing potential data breaches within 72 hours as required by GDPR Article 33.
While we take reasonable steps to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.
9. Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data. You may exercise these rights by contacting us at hello@shoulderhip.world:
- Right of Access (Article 15): You may request a copy of the personal data we hold about you, along with information about how it is processed.
- Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17): You may request deletion of your personal data when it is no longer necessary for the purposes collected, you withdraw consent, or processing is unlawful.
- Right to Restriction of Processing (Article 18): You may request that we limit the processing of your data under certain circumstances.
- Right to Data Portability (Article 20): You may request your data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
- Right to Object (Article 21): You may object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to file a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se if you believe your data protection rights have been violated.
We will respond to all rights requests within one month of receipt. In complex cases, this period may be extended by two additional months, in which case we will inform you of the extension and the reasons for the delay.
10. Children's Privacy
Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children without verifiable parental consent. Family-friendly rides may include participants of all ages when accompanied by a parent or guardian, but registration and communication are handled through the accompanying adult. If you believe we have inadvertently collected data from a child, please contact us immediately and we will take steps to delete such information.
11. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any ride difficulty recommendations or route suggestions provided through our consulting services involve human review and are based on general informational criteria, not automated profiling of your personal characteristics.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our data practices, legal requirements, or service offerings. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify you via email or a prominent notice on our website. We encourage you to review this policy regularly to stay informed about how we protect your data.
13. Contact Us About Privacy
If you have questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact us:
- Email: hello@shoulderhip.world
- Phone: +46 10 516 44 80
- Address: Södermannagatan 21, 116 40 Stockholm, Sweden
We are committed to resolving any privacy concerns promptly and transparently.