Zwift Route Planner logo
Sign in

Privacy Policy

Zwift Route Planner Effective date: March 24, 2026 Last updated: April 25, 2026

1. Introduction

Zwift Route Planner ("we", "us", "our") is operated by Dave J. Schoepel. This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding that data.

By using the Service at zwiftrouteplanner.com, you agree to the collection and use of information as described in this Policy.

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address — required for sign-in and account management
  • Display name — optional; used to identify you to other members of riding groups you belong to
  • Password — stored as a salted hash (bcrypt); we never store plain-text passwords

2.2 OAuth Sign-In (Google)

If you sign in with Google, we receive from Google:

  • Your name and email address as registered with Google
  • A Google account identifier

We do not receive your Google password or payment information.

2.3 Preferences and Settings

We store your preferences, including:

  • Unit preference (metric or imperial)
  • Default average speed
  • Two-factor authentication (TOTP) configuration (secret stored encrypted)

2.4 User-Generated Content

We store content you create on the Service:

  • Riding group memberships, route lists, notes, and votes
  • Calendar events you schedule
  • Shortlists (saved route sets) and their share settings
  • Route corrections you submit
  • Public route pool submissions
  • Rebel Route completion records

2.5 Usage Data

We do not currently operate analytics or tracking beyond basic application logging. We do not use third-party advertising trackers.

3. How We Use Your Data

We use collected data to:

  • Operate and maintain the Service
  • Authenticate your identity when you sign in
  • Display your display name to other members of riding groups you belong to
  • Send transactional emails (magic link sign-in, password reset, club invitations)
  • Provide push notifications about account activity (in-app only)
  • Investigate and resolve abuse or security incidents

We do not sell your personal data to third parties. We do not use your data for advertising purposes.

4. Data Sharing

4.1 Within the Service

  • Your display name is visible to members of riding groups you belong to.
  • Your email address is visible only to you, club admins managing your membership, and site administrators.
  • Content you submit to public features (public route pool, public calendars) is visible to all visitors.

4.2 Third-Party Processors

We use the following third-party services to operate the Service. These processors may handle your data as necessary to provide their services:

ProcessorPurposeData Shared
SupabaseDatabase and file storageAll stored account and content data
ResendTransactional emailEmail address, name
GoogleOAuth sign-inEmail address, name (received from Google)
DynuDNSIP address (standard web traffic)

We do not share your data with any other third parties without your consent, except where required by law.

5. Data Retention

  • Account data is retained for as long as your account is active.
  • You may request deletion of your account at any time via the Account settings page. Deletion removes your personal data from the Service, subject to the conditions described in the account deletion flow.
  • Anonymised or aggregate data (e.g. route popularity counts) may be retained after account deletion.

6. Security

We implement reasonable technical and organisational measures to protect your data, including:

  • Encrypted connections (HTTPS/TLS) for all traffic
  • Passwords stored as bcrypt hashes
  • API keys and secrets stored as environment variables, never in source code
  • Role-based access controls on the database

No system is completely secure. We cannot guarantee absolute security of your data.

7. Your Rights

Depending on your location, you may have rights including:

  • Access — request a copy of the data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and associated data (available self-service via Account settings)
  • Portability — download your data in a structured format (available via Account settings → Export data)
  • Objection — object to certain uses of your data

To exercise any right not available via self-service, contact us at dave@theschoepels.com.

8. Cookies and Local Storage

The Service uses:

  • Session cookies — for authentication (required for sign-in to work)
  • Browser localStorage — for saving UI preferences (sidebar state, unit preference) locally on your device; this data is not transmitted to our servers
  • sessionStorage — for temporary in-page state; cleared when you close the browser tab

We do not use advertising cookies or third-party tracking cookies.

9. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by updating the "Last updated" date above. Continued use of the Service after changes constitutes acceptance of the updated Policy.

11. Contact

For privacy-related questions or requests: dave@theschoepels.com

This Privacy Policy was last updated on April 25, 2026.