Privacy Policy
Last updated: 2026-06-21
1. Who we are
Tailwind GPS("Tailwind", "we", "us") is operated by [DATA CONTROLLER NAME] of [REGISTERED ADDRESS]. We provide a wind-aware route scoring service for cyclists at tailwindgps.com.
For data protection questions, contact: [email protected]
We are the data controller for personal data described in this policy.
2. What data we collect
| Category | Examples | Source |
|---|---|---|
| Account | Email, name, profile image | Google sign-in, email magic link, Strava sign-in |
| Profile | Riding goal, average speed, base location, timezone, scoring hours | You provide during onboarding |
| Routes & fitness | GPX files, route names, coordinates, wind scores, Strava activities/routes | You upload, import, or connect Strava |
| Location | GPS coordinates when you use current location or map features | Your browser (with permission) |
| Billing | Stripe customer ID, subscription status, trial/period dates | Stripe (we do not store card numbers) |
| Technical | Session cookies, IP address, device/browser type | Automatically when you use the service |
| Analytics | Page views, usage patterns | Google Analytics (all visits) |
Strava users without email: If you sign in with Strava and we cannot obtain your email, we assign a placeholder address (strava-{id}@users.tailwind.app) to operate your account.
Guest users: If you use the map without signing in, up to 3 routes may be stored locally in your browser (IndexedDB) and are not sent to our servers until you create an account.
3. Why we use your data and our lawful bases
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Provide the service (accounts, routes, scores, forecasts) | Contract — necessary to perform our agreement with you |
| Process subscriptions and payments | Contract; Stripe processes payment data as our processor |
| Send magic-link login emails | Contract |
| Send product emails (e.g. wind alerts, if enabled) | Contract or Legitimate interests (service you subscribed to) |
| Improve security and prevent abuse (rate limiting) | Legitimate interests |
| Website analytics | Legitimate interests (and notice via cookie banner) |
| Comply with law | Legal obligation |
We do not use your data for automated decisions that produce legal or similarly significant effects.
4. Where your data is stored and who we share it with
Data on our infrastructure
Most personal data — accounts, routes, wind scores, and subscription metadata — is stored in a PostgreSQL database on Infrastructure we operate (self-hosted application and PostgreSQL database). We do not use a separate third-party application host for this core data.
Weather forecasts and elevation: Self-hosted Open-Meteo API on our infrastructure — forecast and elevation (DEM) queries are not sent to the public Open-Meteo service. Coordinates from your routes are used to query that self-hosted service on our servers. We do not send your account or route data to Open-Meteo GmbH's public API.
Third-party processors and services
We use the following providers where personal data leaves our infrastructure or is processed on our behalf. Each processes data only for the purpose described:
| Provider | Purpose | Where processing may occur |
|---|---|---|
| Stripe (Stripe Payments Europe Ltd for UK/EU accounts) | Payments, subscriptions, invoicing | Ireland and other countries where Stripe operates; may include the United States. Stripe uses the UK Extension to the EU-US Data Privacy Framework and/or Standard Contractual Clauses. |
| Resend | Transactional email (magic links) | Account and email metadata are stored in the United States. Messages may be sent from regional endpoints (e.g. Ireland). Resend is certified under the EU-US Data Privacy Framework and UK Extension. |
| Google (Sign-in) | Authentication when you choose "Continue with Google" | Processed by Google entities (e.g. Google Ireland Limited in the EEA/UK). Google may process data globally under its own privacy terms. |
| Google (Analytics) | Website usage statistics (Google Analytics 4) | For UK, EU, and Swiss visitors, Google states that collection uses regional Google servers and that IP addresses are not logged for those users; data may still be processed on Google's global infrastructure (including the US). See Google's EU/UK analytics documentation. |
| Strava (optional) | Sign-in and import of activities/routes when you connect Strava | UK users: Strava Limited; EEA users: Strava Ireland Ltd. Strava states that personal data may be transferred to and stored in the United States and other countries, using Standard Contractual Clauses where required. Governed by Strava's privacy policy. |
| Nominatim (OpenStreetMap) | Location search geocoding | Search text and coordinates are sent to the public Nominatim service at nominatim.openstreetmap.org (operated by the OpenStreetMap Foundation; servers are typically in the EU). Their usage policy applies. |
| OpenFreeMap | Map tiles and styles | Your browser requests tiles from tiles.openfreemap.org; the provider may log request metadata such as IP address. |
We do not sell your personal data.
5. International transfers
Your core Tailwind data (accounts, routes, scores) stays on infrastructure we operate. Some third parties above process or store data outside the UK — commonly the United States — including Stripe, Resend, Google, and Strava (if you connect it).
Where UK GDPR requires safeguards for those transfers, we rely on mechanisms offered by our providers, such as the UK Extension to the EU-US Data Privacy Framework, EU Standard Contractual Clauses, and the UK International Data Transfer Addendum, as described in their DPAs and privacy documentation.
6. How long we keep data
| Data | Retention |
|---|---|
| Account and routes | Until you delete your account or ask us to delete; stored on our self-hosted infrastructure |
| Billing records | As long as required for tax/accounting (typically 6 years UK) |
| Sessions | Until expiry or sign-out |
| Analytics | Per Google's retention settings |
| Deleted accounts | Personal data is removed or anonymised within a reasonable period after a verified deletion request |
7. Your rights
Under UK GDPR you have the right to: access, rectification, erasure, restriction, portability, object (including to processing based on legitimate interests), and withdraw consent where processing is based on consent.
To exercise rights, email [email protected]. We respond within one month.
You may complain to us about how we handle your data (see section 8) or to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.
To request account deletion, email [email protected] from the address linked to your account.
8. Complaints about data protection
If you believe we have infringed UK data protection law in relation to your personal data, you may complain to us at [email protected] with the subject "Data protection complaint". Please describe your concern and how we can contact you.
We will acknowledge your complaint within 30 days and work to resolve it without undue delay. You may still refer your complaint to the ICO if you are not satisfied.
9. Security
We use technical and organisational measures including encrypted connections (HTTPS), access controls, and secure payment handling via Stripe (we never see full card numbers).
10. Children
Tailwind is not directed at children under 13. We do not knowingly collect data from children.
11. Cookies and similar technologies
See our Cookie Policy. You can reopen cookie settings from the site footer or manage cookies in your browser.
12. Changes
We may update this policy. We will post the new version on this page with an updated date. Material changes may be notified by email or in-app notice.