Legal

Privacy Policy

Last updated: . This Privacy Policy describes how Boneshelbow collects, uses, stores, and protects your personal data when you visit our website or use our services.

1. Data Controller

The data controller responsible for the processing of your personal data is:

Boneshelbow
Hartmansstraat 26
3012 VA Rotterdam
Netherlands
Email: assist@boneshelbow.world
Phone: +31 10 786 2760

As the data controller, Boneshelbow determines the purposes and means of processing personal data collected through this website and in connection with our cycling meetup services, educational products, and consulting offerings.

2. Personal Data We Collect

We collect personal data in the following categories depending on how you interact with our website and services:

2.1 Data You Provide Directly

  • Contact form submissions: name, email address, and message content
  • GDPR consent confirmation when submitting the contact form
  • Information provided during consulting sessions or programme enrolment requests
  • Communication records from email correspondence or telephone conversations

2.2 Data Collected Automatically

  • IP address and approximate geographic location derived from IP
  • Browser type, version, and operating system
  • Device type and screen resolution
  • Pages visited, time spent on pages, and navigation paths
  • Referring website or search engine
  • Cookie identifiers and consent preferences stored in local storage

2.3 Data We Do Not Collect

We do not collect sensitive personal data such as health records, medical history, biometric data, racial or ethnic origin, political opinions, religious beliefs, or trade union membership. Our services relate to recreational cycling meetups and general educational content only.

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

  • Consent (Article 6(1)(a)): When you submit the contact form and check the GDPR consent box, or when you accept non-essential cookies through our cookie banner.
  • Contractual necessity (Article 6(1)(b)): When processing is required to respond to your enquiry, register you for a meetup, or deliver a purchased educational product or programme.
  • Legitimate interests (Article 6(1)(f)): For website security, fraud prevention, service improvement, and aggregated analytics that do not override your fundamental rights.
  • Legal obligation (Article 6(1)(c)): When we are required to retain data for tax, accounting, or regulatory compliance under Dutch and EU law.

4. Purpose of Data Usage

We use your personal data exclusively for the following purposes:

  • Responding to contact form submissions and email enquiries
  • Processing meetup registration requests and communicating session details
  • Delivering personalised ride plans, educational products, and multi-week programmes
  • Conducting consulting sessions as requested
  • Maintaining records of consent and communication history
  • Improving website functionality, content, and user experience
  • Generating anonymised, aggregated statistics about website usage
  • Complying with legal obligations and responding to lawful requests from authorities
  • Protecting the security and integrity of our website and services

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

5. Data Retention Period

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Contact form data: Retained for 24 months from the date of submission, unless an ongoing service relationship requires longer retention.
  • Email correspondence: Retained for 36 months from the last communication in the thread.
  • Meetup registration records: Retained for 12 months after the final attended session.
  • Programme and plan records: Retained for the duration of the programme plus 12 months.
  • Cookie consent preferences: Stored locally on your device until you clear browser data or change preferences.
  • Server log files: Retained for 90 days, then automatically deleted.
  • Financial and transaction records: Retained for 7 years as required by Dutch tax legislation.

When retention periods expire, personal data is securely deleted or anonymised so that it can no longer be associated with you.

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data to third parties. We may share data with the following categories of recipients when necessary:

  • Hosting provider: Our website is hosted on secure servers within the European Economic Area (EEA).
  • Email service provider: Used to send and receive business correspondence related to your enquiries.
  • Analytics provider: Only when you have consented to analytics cookies, and only in anonymised or pseudonymised form where possible.
  • Legal and regulatory authorities: When required by law, court order, or governmental request.

All third-party processors are bound by data processing agreements that require them to protect your data in accordance with GDPR standards and to process data only according to our documented instructions.

7. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

  • HTTPS encryption for all data transmitted between your browser and our servers
  • Secure server infrastructure with regular security updates and patches
  • Access controls limiting personal data access to authorised personnel only
  • Password policies and multi-factor authentication for administrative accounts
  • Regular review of data processing activities and security practices
  • Incident response procedures for detecting, reporting, and investigating data breaches
  • Employee training on data protection principles and GDPR compliance

While we take reasonable precautions, no method of electronic transmission or storage is completely secure. If you believe your data has been compromised, please contact us immediately.

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Article 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data.
  • Right to erasure (Article 17): Request deletion of your personal data when it is no longer necessary or when you withdraw consent.
  • Right to restriction (Article 18): Request that we limit processing of your data under certain circumstances.
  • Right to data portability (Article 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: File a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) at autoriteitpersoonsgegevens.nl.

To exercise any of these rights, contact us at assist@boneshelbow.world or +31 10 786 2760. We will respond within 30 days of receiving your request.

9. Cookies and Tracking

Our website uses cookies and similar technologies. For detailed information about the types of cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.

10. International Data Transfers

Your personal data is primarily processed within the European Economic Area. If data must be transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or transfers to countries with an adequacy decision.

11. Children's Privacy

Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically. Material changes will be communicated through a notice on our website.

13. Contact Information

For questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact:

Boneshelbow
Hartmansstraat 26, 3012 VA Rotterdam, Netherlands
Email: assist@boneshelbow.world
Phone: +31 10 786 2760