Last updated: 21 March 2025
BikeTagz (“we”, “our”, “us”) operates the website at biketagz.com. We provide NFC-based bike ownership verification and registration services. Our contact address is [email protected].
We use Google OAuth 2.0 solely to authenticate your identity. When you sign in with Google we receive your name, email address, and Google profile picture. We use this information to create and maintain your account. We do not access your Google Drive, Gmail, contacts, or any other Google service. We do not use your Google data for advertising or share it with third parties for marketing.
Payments are processed by Stripe, Inc. We never see or store your card number, CVV, or full payment details — these are handled entirely by Stripe on their PCI-compliant infrastructure. We do receive and store your billing name, billing address (line 1, city, postcode, country), and Stripe customer ID. This is required to verify owner identity.
When you register a bike we store the NFC chip UID, bike serial number, and your ownership record including the date of registration.
Every time your bike’s NFC sticker is scanned we log the chip UID, tap counter value, cryptographic MAC, verification result, timestamp, and the IP address of the scanning device. This log is used for replay-attack detection and forensic audit.
Photos you upload to your bike profile are stored in our Supabase Storage bucket. They are publicly accessible to anyone who scans your bike’s NFC tag, so that the person scanning can visually verify the bike. Do not upload photos containing sensitive personal information.
We may collect standard server logs including browser type, operating system, referring URL, and pages visited. This is used for debugging and service improvement.
We do not sell your data, use it for advertising, or share it with third parties except as described in section 4.
The following information is visible to anyone who scans your bike:
Your email address, full street address, phone number, and payment details are never shown publicly.
We retain your account data for as long as your account is active. If you request account deletion, we will remove your personal profile data within 30 days. Ownership and tap log records may be retained in anonymised form for audit and anti-fraud purposes. Bike serial numbers remain in our database to preserve the integrity of the historical ownership chain.
We use only functional cookies necessary for authentication (Supabase session cookies). We do not use advertising cookies or third-party tracking cookies.
Depending on your location you may have the right to access, correct, or delete your personal data, and to object to or restrict processing. To exercise any of these rights, email us at [email protected].
We take reasonable technical measures to protect your data, including encrypted connections (HTTPS), database row-level security, and service-key separation (the database service key is never exposed to the browser). Cryptographic verification of every tap is performed server-side.
Our service is not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal data from children.
We may update this policy from time to time. Registered users will be notified of material changes by email. Continued use of the service after changes constitutes acceptance of the updated policy.
Questions about this policy? Contact us at [email protected].