← back to vargpilot

Privacy Policy

Last updated: 2026-05-08

VargPilot is built and operated by RapidFusion (Ben Selinger). This page describes what we collect when you use this website (vargpilot.rapidfusion.net) and the VargPilot Android app, and what we do with it. We try to collect as little as possible.

What we collect

Account data

  • Email address — used as your login identifier and for service-related messages (security alerts, expiry reminders).
  • Password — stored only as a bcrypt hash; we never see or store the plaintext.
  • Display name — only if you provide one.
  • Google account ID, name, avatar URL — only if you sign in with Google. We receive these from Google's OAuth profile (scopes: openid, email, profile); we do not receive or store any other Google-account data.

Subscription + entitlement data

  • Which plan you're on (currently always "beta") and when it started/expires.
  • Any entitlement tokens you've generated and their expiry. These are what the Android app uses to confirm you're on an active subscription.

Server logs

  • HTTP request logs (IP address, user agent, URL, response code, timestamp) generated by the reverse proxy in front of the site. Used for debugging and abuse mitigation. Rotated on a regular schedule.

Cookies

  • One session cookie that proves you're logged in. httpOnly, SameSite=Lax, secure-when-on-HTTPS. No third-party cookies.
  • We do not use analytics or advertising cookies.

Bike + ride data (Android app)

The VargPilot Android app talks to your bike directly over Bluetooth. Speed, drive mode, battery state, throttle position, and similar telemetry stay on your phone by default — none of it is sent to us. The app may offer optional telemetry export in the future; that will be off by default and require explicit opt-in.

What we use it for

  • Letting you log in and use the service.
  • Issuing entitlement tokens to your app installs.
  • Sending occasional service-related emails (e.g. account changes, beta-plan expiry warnings). No marketing email until you opt in.
  • Debugging crashes + investigating abuse from server logs.

What we don't do

  • We don't sell your data. To anyone.
  • We don't share your data with advertisers or analytics providers.
  • We don't profile your bike data, route, or location.
  • We don't use your data to train any AI / machine-learning model.

Third parties we use

  • Google — only if you choose Sign in with Google. Google sees that you signed in to VargPilot. We see the basic profile (email, name, avatar, Google account ID) Google sends back.
  • Google Fonts — the site loads the Chakra Petch and Audiowide fonts from Google's font CDN. Google receives your IP and user-agent as part of that request. If you'd rather avoid this, block fonts.googleapis.com in your browser; the site degrades gracefully to system fonts.
  • That's it for now. If we add a payment processor later (e.g. Stripe) for paid subscriptions, this page will be updated and you'll see the disclosure on the checkout page.

Data retention

  • Account records persist until you delete your account.
  • Entitlement tokens auto-expire (default 30 days) and are pruned from the database soon after.
  • Sessions expire 30 days after last activity.
  • Server logs are kept for at most 90 days, then rotated out.
  • Database backups are kept on the same server for 30 days, then deleted.

Your rights

You can email ben.selinger@rapidfusion.net to:

  • Get a copy of every piece of data we hold about you.
  • Correct anything that's wrong.
  • Delete your account and all associated data. We'll do it within 7 days.
  • Opt out of any non-essential email.

If you're in a jurisdiction that grants you specific privacy rights (GDPR, CCPA, etc.), the same email address is the contact for those requests.

Security

Data lives on a server we operate ourselves (no third-party cloud DB). HTTPS only on the public site. Passwords stored as bcrypt hashes (cost factor 12). Sessions backed by signed, httpOnly cookies. Backups encrypted at rest on the host volume. We do not claim perfect security — if you discover a vulnerability, please email us at the address above and we'll fix it as a priority.

Children

VargPilot is not aimed at anyone under 16. We don't knowingly collect data from children. If you believe we have, contact us and we'll delete it.

Changes to this policy

If we change this policy materially we'll update the date at the top and, for existing accounts, send a one-time email to your registered address.

Contact

RapidFusion / Ben Selinger
ben.selinger@rapidfusion.net