Privacy Policy for Go-Bike

Effective Date: March 30, 2026

This Privacy Policy explains how BlossomEdge ltd ("we," "us," or "our") collects, uses, processes, stores, and protects the personal data of users ("you") of the Go-Bike mobile application (the "Service"). Go-Bike is open to users aged 16 and over (or the minimum age required by applicable law in your jurisdiction). If you are under 18, a parent or legal guardian must have reviewed and consented to the Terms and Conditions on your behalf.

We are committed to protecting your privacy and handling your data in an open and transparent manner, in compliance with the UK General Data Protection Regulation (GDPR), the EU GDPR, and other applicable data protection laws.

We also share aggregated or de-identified information that cannot reasonably be used to identify you, as described in this Policy and in our Terms and Conditions.

1. Data Controller

The data controller responsible for your personal data is:

BlossomEdge ltd
Email: support@blossomedge.ai

2. Information We Collect and Legal Basis for Processing

We collect the following types of information, relying on specific legal bases under GDPR:

Type of Data Collected:

• Account Data (Email, Password hash): To create, manage, and secure your user account. Legal Basis: Performance of a Contract (Art. 6(1)(b)). Storage: Cloud (Secure)
• Real-Time Camera Feed: Used for on-device computer vision processing only, for immediate collision detection. This feed is NOT recorded or stored in the cloud. Legal Basis: Legitimate Interest (Art. 6(1)(f)). Storage: Local (Processed in device memory only)
• Real-Time GPS Data (Speed, Heading, Position): Used for immediate collision detection and distance calculation. Legal Basis: Legitimate Interest (Art. 6(1)(f)). Storage: Local (Processed in device memory only)
• Inertial Measurement Data (Accelerometer, Gyroscope): Used for motion analysis and to improve collision detection accuracy. Legal Basis: Legitimate Interest (Art. 6(1)(f)). Storage: Local (On device)
• Ride Data (GPS location and timestamps, IMU data, video clips around detected events, outputs derived from these data by the computer vision and risk models used, and an anonymous identifier linking your rides): Collected locally during each ride. You can review and delete all locally stored ride data at any time through the app. Legal Basis: Legitimate Interest (Art. 6(1)(f)) — necessary to provide the core safety function. Storage: Local (On device)
• Uploaded Ride Data: If you choose to upload ride data to our cloud, it is used to provide and improve the Service and may be anonymised and aggregated. The use and sharing of uploaded data is governed by the licence in the Terms and Conditions (Section 5.2) and, where applicable, the additional consents described below. Legal Basis: Legitimate Interest (Art. 6(1)(f)) — improving the Service and cycling safety. Storage: Cloud (Secure)
• Aggregated or De-Identified Data Shared with Third Parties: Once data is fully anonymised, it is no longer personal data under GDPR and its sharing is not subject to GDPR restrictions. The licence for this sharing is granted in the Terms and Conditions (Section 5.2). For ride-level sharing with named partners: Legal Basis: Consent (Art. 6(1)(a)), explicit opt-in, revocable at any time.
• Analytics Data: We use third-party analytics tools to understand how the app is used (e.g., which features are accessed, session duration, crash reports). These tools may collect device identifiers, app usage patterns, and technical information. We do not use this data to identify you personally. Legal Basis: Legitimate Interest (Art. 6(1)(f)).

3. Local Processing, Cloud Upload, and Data Sharing

3.1 On-Device Processing: The core function of Go-Bike (collision detection for cyclists and e-scooter riders) relies entirely on processing camera, GPS, and inertial measurement data on your mobile device. This data is processed in real-time and deleted from the device's volatile memory immediately after use.

3.2 Local Storage: During each ride, data is stored locally on your device: GPS location and timestamps, inertial measurement data, short video clips around detected events, and any outputs derived from these data by the computer vision and risk models used. This data is entirely under your control.

3.3 Cloud Upload: You may choose to upload ride data from your device to our cloud service. Uploaded data is used to provide and improve the Service, and may be anonymised and aggregated by BlossomEdge. The use and sharing of your data with third parties is governed by the licence in the Terms and Conditions (Section 5.2) and, where applicable, by the additional consents described in Section 3.6.

3.4 Anonymisation and Privacy Measures: Video clips are processed to blur faces and licence plates before being shared with any third party. BlossomEdge takes reasonable technical and organisational measures to ensure that data shared with third parties cannot reasonably be used to identify you. You may share unblurred video clips stored on your device with others at your own discretion; BlossomEdge is not responsible for any such sharing by you. We will not attempt to re-identify any data that has been fully anonymised.

3.5 Anonymous Identifier: If you opt in to data sharing (see Section 3.7), an anonymous identifier is assigned to your ride data. This identifier allows multiple rides to be analysed together (e.g., to understand route patterns over time) but cannot be used to identify you personally. It is not linked to your email address, account, or any other personal information. The anonymous identifier is only included in data shared under the consents described in Section 3.7.

3.6 Deletion of Uploaded Data: You can delete your uploaded data from the cloud at any time before it is anonymised (see Section 6.1 for instructions). Once data has been fully anonymised and aggregated, it is no longer personal data and cannot be deleted, as it cannot be linked back to you.

3.7 Sharing Data with Third Parties

3.7.1 Aggregated and De-Identified Data (Baseline — Terms Section 5.2): Aggregated or de-identified data derived from all uploaded rides — such as ride volume heatmaps, alert density heatmaps, anonymised video clips of risk events (with faces and licence plates blurred), and average risk scores per street segment — may be shared with third parties and made publicly available without additional consent. This data cannot reasonably be used to identify you. This sharing is authorised by the licence you grant in the Terms and Conditions (Section 5.2).

3.7.2 General Data Sharing (Opt-In): If you opt in via the app, ride-level data linked by an anonymous identifier may be shared with third parties for cycling safety and urban mobility purposes. This includes: full ride routes (with start and end points trimmed for privacy), ride timestamps, geolocated alert events (location, timestamp, risk score), blurred video clips of alert events (faces and licence plates obscured), continuous risk scores along routes, and IMU/sensor data during the ride. Data is linked by an anonymous identifier (see Section 3.5) that cannot be used to identify you personally. No account email or other personal identifiers are included. You can give or withdraw consent at any time in Settings. Withdrawal stops future sharing of your data. Data that has already been shared with third parties prior to withdrawal cannot be recalled by BlossomEdge.

3.7.3 Partner-Specific Data Sharing (Opt-In): During onboarding, you may also choose to share your ride data with specific named partner organisations. Each partner is identified along with their purpose. You can accept or decline sharing with each partner individually, and you can change these choices at any time in Settings. Partner-specific sharing includes the same data types as General Data Sharing (Section 3.7.2). The same anonymisation measures apply.

3.7.4 Who We Share With: Third parties may include local authorities, transport authorities, insurance companies, fleet operators, mapping and navigation services, urban planning organisations, academic institutions, and other commercial partners. Before sharing data with any third party, BlossomEdge ensures that the data has been processed so that it cannot reasonably be used to identify you. Where formal data sharing agreements are in place with a partner, these include provisions prohibiting re-identification.

4. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of all transmitted data (TLS/SSL).
• Password hashing for account security.
• Secure server environments for cloud storage.
• Strict access controls to prevent unauthorized access to uploaded data before anonymization.

5. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

• Local Data: Data stored locally on your device remains under your control and can be deleted at any time through the app (see Section 6.1 below).
• Account Data: Retained until you request account deletion.
• Cloud-Stored Personal Data: Retained in cloud storage until you delete it, request account deletion, or until it is anonymised. You can delete uploaded data at any time through the app (see Section 6.1 below). Upon account deletion, all personal data stored in our cloud systems will be deleted.
• Anonymised or De-Identified Data: Once data has been fully anonymised and aggregated, it can no longer reasonably be used to identify you. It is no longer personal data and may be retained indefinitely for the purpose of maintaining and improving public safety data and the Service.
• Data Shared with Third Parties: Once anonymised or de-identified data has been shared with a third party, it cannot be recalled or deleted by BlossomEdge, as it is no longer personal data and cannot be linked back to you.

6. Your Rights Under Data Protection Law

Under applicable data protection law (including the UK GDPR and EU GDPR), you have the right to:

• Right to be Informed: To be informed about how your personal data is being used (which is the purpose of this policy).
• Right of Access: To request a copy of the personal information we hold about you.
• Right to Rectification: To have inaccurate personal data corrected.
• Right to Erasure ('Right to be Forgotten'): To request that we delete your personal data. You can exercise this right directly through the app (see Section 6.1 below) or by contacting us. Withdrawing data sharing consent stops future sharing but does not recall data already provided to third parties.
• Right to Restrict Processing: To ask us to suspend the processing of your personal data.
• Right to Data Portability: To request the transfer of your personal data to another party.
• Right to Object: To object to the processing of your personal data where we are relying on a legitimate interest. You can withdraw consent for third-party data sharing at any time via Settings, without affecting your use of the app.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, nor does it affect the sharing of anonymised or de-identified data under the Terms and Conditions (Section 5.2).
• Rights in Relation to Automated Decision Making and Profiling: We do not use automated decision-making processes that significantly affect you.

To exercise any of these rights (other than deletion and consent withdrawal, which can be done in-app), please contact us using the details provided in Section 8 below. You also have the right to lodge a complaint with your local data protection supervisory authority.

6.1 How to Delete Your Data and Manage Consent

You have full control over your data and can delete it at any time through the following methods:

Delete Individual Rides (Local Data Only):

• Go to the "View Rides" screen in the app
• Select a ride you want to delete
• Tap the delete option
• What gets deleted: This action deletes the ride data from your device only (local files including video clips, GPS data, and metadata). If the ride was previously uploaded to the cloud, the cloud copy remains unless you delete it separately (see below).

Delete All Uploaded Data from Cloud:

• Go to "Settings" in the app
• Tap "Delete All Uploaded Data"
• Confirm the deletion
• What gets deleted: This action permanently deletes all your uploaded data from our cloud storage, including:
  • All uploaded ride data (video files, GPS data, metadata)
  • All associated files stored in cloud storage
  • All ride records from our database
• Note: This only deletes data that has been uploaded to the cloud. Local data on your device remains unless you delete it separately.
• Important: Once data has been anonymised and aggregated, it cannot be deleted as it is no longer personal data and cannot be linked back to you.

Delete Your Account:

• To delete your account and all associated data, please contact us at support@blossomedge.ai
• We will process your account deletion request within 30 days
• What gets deleted: Your account data, all cloud-stored personal data, and all ride records. Anonymised, aggregated data that can no longer reasonably be used to identify you may be retained indefinitely.

Withdraw Data Sharing Consent:

• Go to Settings > Data Sharing in the app
• You can withdraw General Data Sharing consent and/or individual partner consents independently
• What happens: No further ride data will be shared with those parties. Data that has already been shared with third parties prior to withdrawal cannot be recalled by BlossomEdge, as it has been anonymised and can no longer be linked to you. Withdrawing these consents does not affect the sharing of anonymised or de-identified data under the Terms and Conditions (Section 5.2).

Deletion Timeframes:

• Local deletion: Immediate — data is deleted from your device right away
• Cloud deletion: Usually completed within 48 hours of your request
• Account deletion: Processed within 30 days of your request

7. Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top of this document. Material changes to this Privacy Policy will be communicated via in-app notification or email before they take effect.

International Data Transfers

Your data may be processed and stored in countries outside the United Kingdom or the European Economic Area. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner's Office, or adequacy decisions by the relevant authorities.

8. Contact Information

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:

BlossomEdge ltd
Email: support@blossomedge.ai