Introduction and scope
This Privacy Policy describes how the RIDERS project processes personal data collected through riders.fr and its related services (waitlist sign-up, product communications, beta access).
It applies to anyone interacting with the website before the public launch of the RIDERS mobile application. It will be extended at launch with provisions specific to in-application data (geolocation, user-generated content, etc.).
This policy is issued under EU Regulation 2016/679 (GDPR), the French Data Protection Act of 6 January 1978 as amended, and Directive 2002/58/EC (ePrivacy) as transposed into French law.
Data controller
- Data controller (provisional): The RIDERS project, pre-company stage.
- General contact: contact@riders.fr
- Data protection contact: contact@riders.fr (a Data Protection Officer will be appointed if our processing activities meet the criteria of Article 37 GDPR).
Data we collect
We limit collection to what is strictly necessary for the purposes described in section 4 (data minimisation principle, Article 5 GDPR). The categories collected are:
- Identity and contact data: Email address you voluntarily provide when joining the waitlist.
- Declared data: Information you choose to share: motorcycle type, riding level, city, language, sign-up source.
- Technical metadata: Sign-up timestamp, IP address (pseudonymised), device and browser type, technical session identifier. These come from application logs required for the operation and security of the site.
- Usage data: Pages visited, visit duration, traffic source. Collected via analytics tools only if you have consented through the cookie banner.
- Cookies and tracking technologies: See section 11 and our dedicated cookie policy for the detailed list.
We do not collect special categories of data under Article 9 GDPR (health, opinions, sexual orientation, etc.) through the riders.fr website.
Purposes of processing
Your data is processed for the following specified and explicit purposes:
- Waitlist management: record your sign-up and keep you informed about the launch.
- Beta programme: coordinate invitations to test the application early and collect your feedback.
- Product communications: send you RIDERS updates when you have consented (launch, new features, community events).
- Service improvement: measure site audience, analyse usage and improve user experience, subject to your consent.
- Security and compliance: prevent fraud and abuse, ensure the technical integrity of the site, comply with legal obligations.
- Exercise of your rights: handle your access, rectification, erasure and similar requests.
Legal bases
Under Article 6 GDPR, each processing operation relies on an identified legal basis:
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Waitlist sign-up and product communications | Consent (Art. 6(1)(a)) |
| Invitation-only beta programme | Consent (Art. 6(1)(a)) |
| Audience measurement and non-essential cookies | Consent (Art. 6(1)(a)), collected via the cookie banner |
| Site security, technical logging, abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Service improvement (aggregated analytics, anonymised statistics) | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations (judicial order, accounting retention, etc.) | Legal obligation (Art. 6(1)(c)) |
Where processing relies on consent, you may withdraw it at any time, without affecting the lawfulness of processing prior to withdrawal (see section 10).
Recipients and processors
Your data is processed by the RIDERS team and, where applicable, by technical processors acting on our documented instructions under agreements compliant with Article 28 GDPR.
Current categories of recipients are:
- Hosting and infrastructure: cloud providers hosting the site and databases, located within the European Union.
- Email and waitlist: transactional and marketing email providers used to confirm your sign-up and keep you informed.
- Observability and security: logging, application monitoring and anomaly detection tools.
- Analytics: audience measurement tools activated only after your consent.
- Competent authorities: disclosures limited to cases required by law (judicial order, administrative request).
The detailed, named list of our processors is available on request at contact@riders.fr. None of these recipients use your data for their own purposes.
International transfers
We favour providers established within the European Economic Area (EEA). Where a transfer outside the EU is technically necessary (for example, when a processor uses a support service located in a third country), it is governed by one of the mechanisms set out in Articles 44 to 49 GDPR:
- An adequacy decision from the European Commission recognising an equivalent level of protection (for instance the EU–US Data Privacy Framework for certified US recipients);
- Failing that, Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented where appropriate by additional measures (encryption, pseudonymisation, access restrictions);
- Or, in exceptional cases, one of the derogations listed in Article 49 GDPR.
You may obtain a copy of the safeguards applicable to a specific transfer by writing to contact@riders.fr.
Retention periods
Your data is kept only for as long as necessary for the purposes for which it was collected, then archived or deleted in line with the following retention periods:
| Category of data | Retention period |
|---|---|
| Waitlist sign-up (email, declared data) | Until the public launch of the application, then 12 months in active storage, then deletion or anonymisation. Immediate deletion on request. |
| Product communications (marketing consent) | Until consent is withdrawn, and at most 3 years from your last active interaction. |
| Technical and security logs | Up to 12 months, in line with ANSSI and CNIL guidance. |
| Cookies and tracking technologies (analytics, marketing) | Up to 13 months from placement, in line with CNIL guidance. |
| Record of consent choices (cookies) | 6 months. |
| Data needed to prove consent or comply with legal obligations | Applicable statutory limitation period (5 years by default, Art. 2224 of the French Civil Code). |
Data security
We implement appropriate technical and organisational measures (Article 32 GDPR) to ensure a level of security suited to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest for sensitive data;
- Strong authentication and least-privilege access control for administrators;
- Hosting with providers offering recognised security guarantees (ISO/IEC 27001, SOC 2, etc.);
- Logging of access to personal data and anomaly monitoring;
- Regular backups and a documented business-continuity procedure;
- Ongoing training and security awareness for the team.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours and inform you individually where required by law (Articles 33 and 34 GDPR).
Your rights
To exercise your rights, write to contact@riders.fr stating the purpose of your request. Proof of identity may be requested in case of reasonable doubt. We respond within one month, extendable by two months for complex requests.
If, after contacting us, you believe your rights have not been respected, you may lodge a complaint with the French Data Protection Authority (CNIL): cnil.fr/fr/plaintes.
Minors
Waitlist sign-up and RIDERS communications are reserved for individuals aged 15 years or older (the digital age of consent in France under Article 7-1 of the French Data Protection Act). Below this age, the consent of a holder of parental responsibility is required.
We do not knowingly request or collect data from children below this age. If you become aware that a minor has shared data with us without authorisation, please write to contact@riders.fr and we will delete it without delay.
Changes to this policy
This policy may be updated to reflect legal, technical or product changes (for example: a new processor, the launch of the mobile application, the appointment of a DPO).
The version in force is the one published on this page. The effective date and last update date appear at the top of the document. For material changes, we will inform you by an appropriate means (email, on-site notice) before they take effect.
Contact
For any question regarding this policy or to exercise your rights:
- contact@riders.fr
- Postal address: To be provided after the company is incorporated. In the meantime, please use email.
- Supervisory authority: Commission nationale de l'informatique et des libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France. cnil.fr/fr/plaintes
RIDERS is in pre-company stage: some information (postal address, identity of the data controller, possible appointment of a DPO) will be completed when the company is incorporated. Your data remains fully protected under the GDPR throughout this phase.