Privacy Policy
Last updated: May 4, 2026 Effective date: May 4, 2026
This Privacy Policy describes how Throttle (“Throttle”, “we”, “us”) collects, uses, and shares information when you use the Throttle service (“Service”). By using the Service, you agree to the practices described here.
1. Information We Collect
1.1 Information you provide
- Account information: email address (required), display name (optional), avatar URL (when signing in via Google or Apple)
- Authentication tokens: provider-specific identifiers from Google and Apple Sign In; one-time magic link tokens we issue
- Trip data: waypoints (latitude/longitude), trip names, route preferences (curviness profile, target leg distance, tank range, break preferences)
- Account preferences: theme, units, rider defaults
1.2 Information collected automatically
- IP address: used for approximate geolocation (city-level) to center the initial map view, for rate-limit keying, and for security audit. Stored in transient logs (not associated with accounts) and in in-memory caches that expire within 1 hour.
- Device information: browser type, viewport size, time zone — used to render the appropriate UI.
- Usage events: timestamps of routes computed, trips saved, smart-stop suggestions accepted or skipped, and exports generated. The rider identifier on these events is a one-way SHA-256 token (not your account ID) so the events feed back into product improvement — POI reliability scoring, per-rider stop preferences, and narration cache — without exposing your raw identity in the events table.
- Cookies and similar technologies: see our Cookie Policy.
1.3 Information from third parties
- OAuth providers (Google, Apple): when you choose to sign in via Google or Apple, we receive the email address, display name, avatar URL, and provider subject identifier they share with us under the scopes you approve.
2. How We Use Your Information
We use the information described above to:
- Operate, maintain, and improve the Service
- Authenticate you and secure your account
- Generate and store your saved trips
- Send service-related emails (sign-in links, account approval, security notifications)
- Detect, prevent, and respond to fraud, abuse, or security incidents
- Comply with legal obligations
- Communicate with you about product updates, when you opt in (we do not currently send promotional email)
We do not sell your personal information. We do not use your trip data to target advertising. We do not share your trip data with anyone except as described in Section 4.
3. Legal Bases (EU/EEA users)
For users in the EU/EEA, our legal bases under GDPR are:
- Contract performance (Article 6(1)(b)): operating the account you signed up for
- Legitimate interests (Article 6(1)(f)): security, fraud prevention, basic service analytics
- Consent (Article 6(1)(a)): cookies that are not strictly necessary, marketing emails (when applicable)
- Legal obligation (Article 6(1)(c)): tax, accounting, regulatory requests
4. How We Share Your Information
We share information only as follows:
Service providers (data processors)
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare | Edge networking, TLS termination, bot protection (Turnstile) | Global |
| Resend | Transactional email delivery (sign-in links, admin notifications) | USA |
| Google Cloud (OAuth) | Authentication if you use Google Sign In | Global |
| Apple (OAuth, StoreKit) | Authentication if you use Apple Sign In; iOS subscription billing | Global |
| Stripe | Subscription billing for Throttle Pro (web and Android). We never store full card numbers. | USA |
| Anthropic | Powers the natural-language trip-intake bar (“3 hours from Half Moon Bay, twisties…”) and the one-line “why this stop” narration on smart-suggest cards. Only the typed sentence or the POI metadata you’d see on screen is sent — never your email, account ID, or saved trips. | USA |
| Google (Routes API) | Pre-checks each trip leg against Google’s routing before the Maps handoff so we can warn you about broken legs (e.g. a chain restaurant pin resolving to the wrong town). Only waypoints for the trip you’re about to ride are sent. | Global |
| ip-api.com | Approximate IP geolocation for initial map centering (no PII stored) | Global |
These providers process information only on our instructions and are contractually required to protect it.
Aggregated and anonymized data
We may publish aggregated, anonymized statistics about Service usage (e.g., “Users planned X miles of routes this month”). This data cannot be used to identify any individual.
Legal disclosures
We may disclose information when required by law (subpoena, court order, lawful government request) or to protect our rights, the rights of users, or public safety.
Business transfers
If Throttle is involved in a merger, acquisition, or sale of assets, information may transfer as part of that transaction. You will be notified by email and via a prominent notice on the Service before any material change in this policy.
What we do NOT share
- We do not sell your personal information.
- We do not rent, lease, or trade your contact list.
- We do not share trip data with marketing networks.
5. Data Retention
| Data type | Retention |
|---|---|
| Account email and profile | Until you close your account |
| Saved trips | Until you delete them or close your account; deleted trips are anonymized (owner association removed) and may be retained for service analytics |
| Magic-link tokens | 15 minutes (expiry) |
| OAuth session cookies | 30 days from last sign-in |
| IP geolocation cache | 1 hour (in-memory; not persisted) |
| Server logs | 30 days |
| Backups containing PII | 30 days rolling |
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: request a copy of the personal data we hold about you
- Correction: request that we correct inaccurate data
- Deletion: request that we delete your personal data
- Portability: receive your data in a portable format
- Objection: object to certain processing (legitimate-interests basis)
- Restriction: request that we limit how we process your data
- Withdrawal of consent: where processing is consent-based
You can exercise rights to access, deletion, and portability directly in the Service via the “My Account” page. For other rights, or if you prefer to email, contact hello@throttlerides.com. We will respond within 30 days.
California (CCPA/CPRA)
California residents have the right to know what personal information we collect, to request deletion, and to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact hello@throttlerides.com.
Quebec (Law 25)
Quebec residents have additional rights regarding the processing of personal information by businesses operating in Quebec. To exercise those rights, contact hello@throttlerides.com.
7. International Transfers
We may transfer your information to, and process it in, countries other than your country of residence (including the United States). When we transfer personal data out of the EU/EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.
8. Security
We use reasonable administrative, technical, and physical safeguards to protect your information, including:
- TLS/HTTPS for all data in transit (terminated at Cloudflare’s edge)
- At-rest encryption for the database
- Hashed magic-link tokens (raw tokens never stored)
- Argon2id password hashing (NIST/OWASP-recommended; raw passwords never stored)
- Network isolation (application services not exposed to the public internet; only Cloudflare Tunnel terminates)
- Rate limiting and bot protection on signup-side endpoints
- Regular security updates of host OS and dependencies
No system is completely secure. If we discover a breach affecting your personal data, we will notify you and the relevant supervisory authorities as required by law.
9. Children
The Service is not directed to children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact hello@throttlerides.com and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version with a new “Last updated” date. For material changes that affect your rights, we will notify registered users by email at least 30 days before the changes take effect.
11. Contact
To exercise your rights, ask questions, or report a privacy concern:
Throttle Email: hello@throttlerides.com
For EU/EEA users, you also have the right to lodge a complaint with your local data protection authority. A list of authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.