Privacy Policy

Effective Date: 1 February 2026
Last Updated: 1 February 2026

This Privacy Policy explains how Never Bored VR OÜ (“we”, “us”, “our”) collects, uses, stores, and protects personal data when you use:

  • https://neverbored.ee
  • https://ridematch.cc
  • RideMatch (Cycling Passport & Ride Compatibility Service)
  • Related integrations and applications (collectively, the “Service”).
This policy is designed to comply with:

  • EU General Data Protection Regulation (GDPR)
  • Strava API Agreement
  • Garmin Developer Program Policies
By using the Service and connecting third-party accounts, you consent to the practices described below.

1. Legal Basis
We process personal data based on:

  • Explicit user consent (via OAuth authorization)
  • Performance of a contract (providing RideMatch functionality)
  • Legitimate interest (security, fraud prevention)
Users may withdraw consent at any time by disconnecting integrations or deleting their account.

2. Data We Collect
2.1 Website Data
When visiting our websites, we may collect:
  • IP address
  • Browser type
  • Device type
  • Interaction timestamps
We use essential cookies only.
We do not use advertising or tracking cookies.

2.2 Data from Strava
When a user connects their Strava account via OAuth 2.0, we request only the minimum scopes necessary to provide RideMatch functionality.
Currently, these scopes include:

  • profile:read_all
  • activity:read
We access:
  • Athlete profile (name, profile photo, city, country, weight)
  • Activity data (distance, duration, elevation, speed, power if available)
  • Year-to-date and all-time statistics
  • FTP value if available
  • Public segment efforts
We do NOT:
  • Post content to Strava
  • Modify activities
  • Delete activities
  • Upload activities
  • Access private messages
  • Access payment or subscription information
We do not request write permissions.
Strava data is used exclusively to:

  • Calculate RideMatch Score
  • Generate compatibility metrics
  • Display user-authorized public profile data
We do not use Strava data for advertising, marketing, or resale.

2.3 Data from Garmin Connect
When a user connects Garmin Connect, we request only read access required for RideMatch scoring.

We may access:

  • Activity metrics (power, heart rate, cadence, speed, elevation)
  • VO2max estimates
  • Training load and status
  • FTP if available
We do NOT:
  • Push workouts
  • Modify device settings
  • Send commands to Garmin devices
  • Alter Garmin data
Garmin data is used solely to calculate performance metrics within RideMatch.

3. Derived Data
We generate:
  • RideMatch Score (0–100)
  • Estimated FTP and W/kg
  • Compatibility score between users
Derived metrics are algorithmic outputs and are not shared back to Strava or Garmin.

4. Public Profile Visibility
If a user creates a RideMatch Passport, the following may be publicly visible via a shared link:
  • Name
  • Profile photo
  • City and country
  • RideMatch Score
  • Key cycling metrics (FTP, W/kg, yearly distance)
Users control whether they share their passport link.

5. Data Sharing
We share personal data only with:

  • Strava (OAuth authentication process)
  • Garmin (OAuth authentication process)
  • Hosting providers (under Data Processing Agreements)
  • Legal authorities if required by law
We do not sell personal data.

We do not share user data with advertisers.

6. Data Security
We implement:
  • TLS encryption in transit
  • Encryption at rest
  • Secure storage of OAuth access tokens
  • Access control restrictions

OAuth tokens are encrypted and deleted upon account deletion.

7. Data Retention
Data is retained while the user account is active.

Upon account deletion:

  • Personal data
  • Derived metrics
  • OAuth tokens
are permanently deleted within 30 days.
Users may independently revoke access via:
Strava → Settings → My Apps
Garmin Connect → Account Settings

8. User Rights (GDPR)
Users have the right to:
  • Access personal data
  • Correct inaccuracies
  • Request deletion
  • Restrict processing
  • Withdraw consent
Requests may be submitted to the contact address below.

9. Children’s Privacy
The Service is not intended for individuals under 16 years of age.

10. Changes
We may update this Privacy Policy. Continued use constitutes acceptance of changes.

Contact

Never Bored VR OÜ
Email: hello@neverbored.ee
GO TO THE MAIN PAGE

© All Rights Reserved. Never Bored VR
hello@neverbored.ee