Privacy policy
1. Controller
The controller responsible for the processing of personal data described below is:
Steffen Klein
Breitenbachplatz 21
14195 Berlin
Germany
Email: info@kadnz.cc
Phone: +49 202 49617999
2. Scope and design of this service
kadnz is a client-side web application. All ride data you load, whether from a JSON file, the demo set, the Wahoo integration, or a custom URL, is stored exclusively in your browser's IndexedDB on the device you use. The operator does not run a backend server for ride data. Your ride data is never transmitted to the operator and the operator has no means of accessing it.
3. Local storage on your device (IndexedDB)
The application uses three IndexedDB stores in your browser:
- rides — ride records you have loaded or imported.
- tokens — Wahoo OAuth access and refresh tokens, plus PKCE verifier, only if you connect a Wahoo account.
- meta — application preferences such as the active data source, your display name, the configured custom URL, and sync timestamps.
Purpose: providing the dashboard functionality you have
requested.
Legal basis: Art. 6 (1) (b) GDPR (performance of the service
you have invoked). Storage is strictly necessary for the application
to function and is therefore covered by § 25 (2) Nr. 2 TDDDG without
separate consent.
Retention: until you delete it. You can erase all locally
stored data at any time via Settings → Delete data, or by clearing
your browser's site data for this domain.
4. Server logs of the hosting provider
When you load the static files of this site, the hosting provider may process technical data such as your IP address, the user-agent string of your browser, the requested URL, and a timestamp, in order to deliver the page and to ensure technical operation and security.
Hosting provider: IFAS Consult SRL (trading as DanubeData)
CUI: RO46614360
Trade Register: J30/870/2022
Satu Mare, Satu Mare County, Romania
Further information:
DanubeData's privacy policy
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in
secure and reliable provision of the website).
Retention: as defined by the hosting provider.
5. Third-party resources loaded by the page
5.1 Wahoo (optional, only if you connect)
If you choose Wahoo as a data source, the application redirects you
to api.wahooligan.com for OAuth 2.0 authentication
(PKCE flow). Wahoo Fitness is operated by Wahoo Fitness L.L.C., 90
W Wieuca Rd NE, Atlanta, GA 30342, USA. After successful
authentication, your browser exchanges tokens with Wahoo and fetches
your ride data directly. The resulting tokens and ride data are
stored only in your browser's IndexedDB; the operator never sees
them.
Depending on the data available in your Wahoo account and the data you choose to load, ride data may include activity dates, durations, distance, speed, elevation, route or location data, cadence, power, heart-rate data, and derived ride statistics. The operator does not receive or access this data. It is processed locally in your browser for the sole purpose of displaying the dashboard and related statistics requested by you.
Legal basis: Art. 6 (1) (a) GDPR (your consent, given by
actively connecting Wahoo) and Art. 6 (1) (b) GDPR (performance of
the requested service).
Third-country transfer: the connection runs against
Wahoo-operated servers, which may be located in the United States.
For details, see Wahoo's privacy policy.
Withdrawal: you can disconnect at any time via Settings →
Delete data, and revoke access in your Wahoo account at
wahooligan.com.
5.2 Custom URL (optional, only if you configure one)
If you enter a custom URL as a data source, your browser issues a direct GET request to that URL. The operator never sees the URL or the response. Whether the destination of that URL processes personal data is outside the operator's control; consult the privacy policy of the URL's operator.
5.3 Error reporting (AppSignal)
When the application encounters an error, an anonymous error report is sent to AppSignal so operational problems can be diagnosed.
Processor: AppSignal B.V., Singel 542, 1017 AZ Amsterdam,
Netherlands. Data is processed and stored on servers within the EU.
What is sent: the error message and stack trace, the URL path
(without query string or fragment), the browser user-agent, and the
application's build version. Query strings, request and response
bodies, and the Authorization header are stripped before
sending. No IP address is stored (suppressed at ingest). No personal
identifier is attached to events, so individual reports cannot be
located or deleted after they have been sent.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in
operational error diagnosis on anonymous data).
Retention: as configured in AppSignal, by default 30 days.
Opt-out: Settings → Privacy → uncheck Send anonymous error
reports. The application also honours the
Sec-GPC (Global Privacy Control) header and the
DNT (Do Not Track) signal — when either is set by your
browser, no error reports are sent and the toggle is locked off.
Further information:
AppSignal's privacy policy.
5.4 Anonymous usage statistics (Simple Analytics)
The site loads a small script from
scripts.simpleanalyticscdn.com (Simple Analytics B.V.,
Dordrecht, Netherlands) that counts page visits and a small set of
named in-app events such as a data source completed a sync,
labelled only with the data-source type.
The implementation is configured to operate without cookies and
without intentionally attaching persistent identifiers to visits or
events. Events are recorded to understand general usage patterns
and improve the application.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in
understanding and improving the service in a privacy-minimising manner).
Opt-out: Settings → Privacy checkbox that disables error reporting
also stops this script from loading; the Sec-GPC and
DNT browser signals are honoured in the same way.
Further information:
Simple Analytics — what we collect.
6. Cookies
This site does not set any cookies of its own. If you use optional third-party resources as described in section 5, those providers may process technical request data required to deliver their services in accordance with their own privacy policies.
7. Your rights
Under the GDPR you have the following rights with respect to personal data processed by the controller:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent at any time, with effect for the future (Art. 7 (3) GDPR)
To exercise any of these rights, contact the operator using the details in section 1.
For data stored locally in your browser (IndexedDB), you can exercise control directly by exporting or deleting it via the application's Settings. The operator has no access to this data.
8. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. The supervisory authority for the controller is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Germany
datenschutz-berlin.de
9. Automated decision-making
The application does not perform automated decision-making within the meaning of Art. 22 GDPR and does not engage in profiling.
10. Changes to this policy
This policy may be updated to reflect changes in the application or in legal requirements. The current version is always published at this URL. The date below records the most recent revision.