Privacy Policy

Last updated: 10 April 2026

1. Introduction

Segment Club ("we," "us," "our") operates a cycling community platform at www.segmentclub.com ("the Service"). We are committed to protecting your privacy and handling your personal information in accordance with Australian law.

This Privacy Policy explains how we collect, hold, use, and disclose your personal information in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as the Spam Act 2003 for electronic marketing communications.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. This policy is freely available on our website at all times.

2. Our Identity and Contact Details

Segment Club

Privacy Officer

Sydney, NSW, Australia

Contact Us

Contact form: www.segmentclub.com/contact-us

For all privacy-related inquiries, access requests, corrections, complaints, or to exercise any of your rights under this policy, please contact us using the details above. We will respond within 30 days in accordance with Australian privacy law.

3. Information We Collect

3.1 Account Information (Collected Directly from You)

When you create an account, we collect:

  • Full name — to identify you on the platform
  • Email address — for account authentication, transactional emails, and (with your consent) marketing communications
  • Password — stored in hashed form only (we never store or have access to your plain-text password)

You may also sign up using Google OAuth or Strava OAuth, in which case we receive your name and email from the respective provider. We ask you to set a password during this process so you can also sign in with email.

3.2 Profile Information (Collected During Onboarding)

During onboarding, we collect:

  • Phone number (with country code) — for account identification and potential future SMS notifications
  • Gender (male, female, non-binary, or prefer not to say)
  • Age range (18–24, 25–34, 35–44, 45–54, 55–64, 65+)
  • City/location — to connect you with local cycling events and groups
  • Cycling profile — rider level, weekly distance, goals, riding styles, interests, and group ride availability
  • Bike details (optional) — bike name, type, brand, model, year, and service history

3.3 Strava Activity and Performance Data

If you connect your Strava account (via OAuth with scope read,activity:read_all), we collect and store:

  • Athlete profile — name, username, city, state, country, gender, weight, profile photo URL, measurement preference
  • Activity data — ride distance, duration, speed, elevation gain, start/end coordinates, route polylines (GPS data), sport type, timezone
  • Performance metrics — average/max speed, average/max heart rate, average/max power (watts), kilojoules, cadence
  • Gear data — bikes registered in Strava (name, brand, model, distance)
  • Statistics — recent (4-week), year-to-date, and all-time ride totals
  • Personal bests — longest ride, most elevation, fastest speed (tracked for display only)

Strava data is synced in real time via webhooks when you create, update, or delete activities. You can disconnect Strava at any time from your account settings, which will stop future data collection. Previously synced data will be retained unless you request its deletion.

3.4 Social Media Profiles

You may optionally link social media profile URLs (not login credentials) for the following platforms: Facebook, Instagram, X (Twitter), LinkedIn, YouTube, TikTok, and Reddit. These are used for community connection and points eligibility only.

3.5 Contact Form Submissions

When you contact us via the website contact form, we collect your name, email, phone (optional), subject, and message content. This data is stored in our database and used to respond to your inquiry.

3.6 Bug Reports and Feature Suggestions

When you submit a bug report or feature suggestion, we collect the content you provide (title, description, steps to reproduce) and any screenshots you upload. Screenshots are stored in secure cloud storage.

3.7 Automatic Technical Data

We automatically collect technical data through:

Google Analytics (GA4)

Tracking ID: G-VJKEJ70F65. Collects page views, user interactions, device type, browser, operating system, approximate geographic location (from IP address), and browsing behaviour. Data is processed by Google LLC (USA). Google's privacy policy: policies.google.com/privacy

Microsoft Clarity

Project ID: w6vxxiz5w4. Records anonymous user session replays, click heatmaps, scroll behaviour, and interaction patterns to help us improve the user experience. Personal data such as keystrokes in form fields is automatically masked. Data is processed by Microsoft Corporation (USA). Microsoft's privacy policy: privacy.microsoft.com

3.8 Cookies and Tracking Technologies

We use the following cookies:

  • Authentication cookies (essential) — managed by Supabase to maintain your login session
  • Referral cookie (sc_ref) — stores a referral code for 30 days to attribute sign-ups to the referring member. Browser-specific; does not persist across browsers or devices.
  • Google Analytics cookies — for usage analytics (see 3.7 above)
  • Microsoft Clarity cookies — for session recording and heatmaps (see 3.7 above)

4. Why We Collect Your Information

We collect personal information that is reasonably necessary for the following purposes (APP 3):

4.1 Service Provision

  • Creating and managing your account
  • Providing personalised cycling insights, statistics, and performance tracking
  • Operating the points system (earning and redeeming rewards)
  • Processing reward redemptions and generating voucher codes
  • Connecting you with cycling events, partners, and the community
  • Sending transactional emails (account verification, password resets, voucher codes)

4.2 Service Improvement

  • Analysing usage patterns to improve features and user experience
  • Monitoring platform performance and fixing bugs
  • Conducting research to develop new features

4.3 Direct Marketing

We may use your personal information to send you marketing communications about our services, partner offers, events, and news that we think may interest you. You can opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Contacting us via our Contact Us page

We will action your opt-out request within 5 working days at no cost to you, in compliance with the Spam Act 2003.

4.4 Aggregated Data and Analytics

We may create aggregated, anonymised datasets from cycling activity data, performance metrics, and usage patterns. This data cannot identify individual users and may be used for:

  • Internal analytics and reporting
  • Market research and trend analysis for the cycling industry
  • Partnerships with cycling brands, event organisers, and research organisations

5. What Happens If You Don't Provide Information

Providing your personal information is voluntary. However, if you choose not to provide certain information:

  • Account creation requires a name, email, and password at minimum
  • Onboarding requires phone number, gender, age range, and city to complete
  • Strava connection is optional — without it, cycling activity tracking and distance-based points will not be available
  • Marketing communications — you can use the Service without receiving marketing emails

6. How We Share Your Information

6.1 Third-Party Service Providers

We share personal information with the following service providers who process data on our behalf:

Service | Provider | Country | Purpose
Database & Auth | Supabase | USA / Europe | User accounts, data storage, authentication
Hosting | Vercel | USA | Website hosting and deployment
Email | Resend | USA | Transactional and marketing emails
Analytics | Google (GA4) | USA | Website usage analytics
Session Recording | Microsoft Clarity | USA | UX improvement via session replays and heatmaps
Activity Data | Strava | USA | Cycling activity sync (with your authorisation)
Redemption Tracking | Google Sheets | USA | Partner voucher redemption logging

We take reasonable steps to ensure these overseas recipients handle your personal information in accordance with the Australian Privacy Principles (APP 8).

6.2 Reward Partners

When you redeem a reward, we share your name, email, and voucher code with the relevant reward partner (e.g., Bespoke CC, Ciovita) via a shared Google Sheet so they can fulfil your voucher. This is limited to the specific redemption and is necessary to provide the reward.

6.3 Legal Requirements

We may disclose your personal information if required or authorised by law, including in response to court orders, subpoenas, or requests from Australian government agencies.

7. Marketing Communications and Consent

7.1 Privacy Act (APP 7)

Where your personal information is collected directly by us and you would reasonably expect to receive marketing communications (for example, because you signed up for an account and were notified that marketing is one of the purposes), we may use your information for direct marketing. We always provide a simple, free opt-out mechanism.

7.2 Spam Act 2003

In compliance with the Spam Act 2003, every commercial electronic message we send will:

  • Clearly identify Segment Club as the sender, including our contact details
  • Include a functional unsubscribe facility that remains working for at least 30 days
  • Have any unsubscribe request actioned within 5 working days of our receiving it, at no cost to you

We keep records of consent (who consented, when, and how) as required by the Australian Communications and Media Authority (ACMA).

8. Australian Privacy Principles Compliance

APP 1 — Open and Transparent Management

This Privacy Policy is our primary instrument for complying with APP 1. It is freely available on our website, clearly expressed in plain English, and kept up to date. We review this policy regularly and update it when our practices change.

APP 3 — Collection of Personal Information

We only collect personal information that is reasonably necessary for our functions and activities. We do not collect sensitive information (such as health data, racial origin, or political opinions) unless expressly provided by you through third-party integrations (e.g., heart rate data from Strava, if you choose to share it).

APP 5 — Notification of Collection

At or before the time of collection, we notify you of the purposes for which your information is collected, as described in Sections 3 and 4 of this policy.

APP 6 — Use and Disclosure

We only use or disclose your personal information for the purposes for which it was collected, or for directly related secondary purposes that you would reasonably expect.

APP 7 — Direct Marketing

See Section 7 above for our full direct marketing practices and your opt-out rights.

APP 8 — Cross-Border Disclosure

We disclose personal information to overseas recipients as described in Section 6.1. We take reasonable steps to ensure these recipients comply with the APPs.

APP 11 — Security of Personal Information

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Password hashing (bcrypt via Supabase Auth)
  • Row Level Security (RLS) policies restricting database access to authorised users
  • OAuth 2.0 for third-party integrations (Google, Strava)
  • Service role separation for administrative operations

No method of transmission over the internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

9. Your Privacy Rights

Under the Australian Privacy Principles, you have the following rights:

9.1 Access (APP 12)

You can request access to the personal information we hold about you. Much of your data is accessible directly through your account (My Garage, Settings). For a comprehensive data access request, contact our Privacy Officer.

9.2 Correction (APP 13)

You can update most of your personal information directly in your account settings and onboarding profile. If information is inaccurate, out-of-date, incomplete, or misleading, you can request correction by contacting us.

9.3 Deletion

You can request deletion of your account and personal information by contacting us via our Contact Us page. We will process your request within 30 days. Please note:

  • We may retain certain data as required by law (e.g., for tax or accounting purposes)
  • Aggregated, anonymised data that cannot identify you may persist in analytics datasets
  • Strava data synced to your account will be deleted along with your account

9.4 Marketing Opt-Out

You can opt out of receiving marketing communications at any time by clicking "unsubscribe" in any marketing email or by contacting us. We will action your request within 5 working days at no cost. This does not affect transactional emails (e.g., password resets, voucher codes).

9.5 Strava Disconnection

You can disconnect your Strava account at any time from your account settings. This will stop future data syncing. To have previously synced data deleted, please contact us.

9.6 Complaints

If you believe we have breached the Australian Privacy Principles, you can lodge a complaint with us using the contact details in Section 2. We will investigate and respond within 30 days.

If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: www.oaic.gov.au

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

10. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfil the purposes outlined in this policy:

  • Account data — retained while your account is active
  • Activity and performance data — retained while your account is active
  • Contact form submissions — retained for 2 years
  • Points transaction history — retained for the life of the account plus any legal retention period
  • Redemption records — retained for 7 years for tax and accounting purposes

After account deletion, we destroy or de-identify personal information unless retention is required or authorised by law.

11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us immediately and we will take steps to delete it.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date at the top
  • Sending an email notification for significant changes that affect your rights

We encourage you to review this policy periodically.

13. Governing Law

This Privacy Policy is governed by the laws of the Commonwealth of Australia, including the Privacy Act 1988 (Cth), the Australian Privacy Principles, and the Spam Act 2003. Any disputes arising from this policy will be subject to the jurisdiction of the courts of New South Wales, Australia.
