Privacy Policy

Quiver is built and maintained by Allan Noer, an individual developer based in Denmark. There is no company behind it and no team — just a private side project.

Because of how the app is built (more on that in section 2), I do not host your data on a server I operate. I cannot see your bikes, your rides, or anything else you record in Quiver. The only way for me to learn anything about your use of the app is if you choose to email me.

Reach me at support@getquiver.app.

Quiver stores everything you record in a private database on your iPhone, inside Apple's app sandbox. On iOS, this data also syncs to your personal iCloud via Apple's CloudKit service — see section 3 for details. There is no Quiver server. Your data does not pass through any system Allan Noer operates.

The data on your device:

• Bikes: the bikes you add — make, model, type, cover photo, and odometer.
• Components: chains, cassettes, tyres, brake pads and similar parts you track on each bike, with installation dates, wear thresholds, and an optional component photo.
• Service checklists and history: the tools and tasks you tick off when servicing a part, plus snapshotted historical replay so a service entry shows exactly what you did.
• Attachments: photos and documents you attach to bikes or components — for example, receipts, invoices, or warranty cards — stored as files inside the Quiver app sandbox.
• Rides: rides you log manually or import from Strava, including date, distance, indoor/outdoor flag, and which bike was ridden.
• Service log: every service event you record, with date, km, action category, and free-text notes.
• Strava cache: if you connect Strava, a copy of the activity data Quiver fetches (date, distance, gear ID) is stored locally so the app works offline.

Strava OAuth access and refresh tokens are stored in the iOS Keychain, which is encrypted by the device and protected by your passcode or Face ID.

The app does not collect location data, heart rate, power data, or any other fitness or health metrics. It does not use advertising trackers, analytics SDKs, or telemetry of any kind. See section 3 for how iCloud sync works and section 4 for how the website is handled separately.

On iOS, Quiver syncs your garage data — bikes, components, rides, service history, checklists, and bike photos — to your personal iCloud via Apple's CloudKit service. Sync runs automatically across all your Apple devices signed into the same iCloud account, so a change on your iPhone appears on your iPad within seconds.

The data is stored in a private CloudKit database that only your own devices can decrypt. Apple encrypts it in transit and at rest. Allan Noer has no access — the data lives in your iCloud, not on any server he operates.

Photos (bike cover photos, component photos) and document attachments (receipts, invoices, warranty cards) sync as CKAssets in the same private database, with the same privacy guarantees as the rest of your data.

On Android, garage data is automatically backed up to your Google account via Android's built-in backup service. This is restore-on-reinstall, not live cross-device sync.

You can manage or delete your iCloud data in Settings → [your name] → iCloud, or your Android backup data in your Google account settings.

The Quiver website uses Google Analytics 4to measure aggregate traffic — which pages are visited, how long visitors stay, and roughly where traffic comes from (country-level). Google Analytics sets cookies in your browser and sends anonymous usage data to Google's servers.

This only runs if you click Accept in the cookie notice when you first visit. If you click Decline — or ignore the banner — no tracking cookies are set and no data is sent to Google. None of your iOS app data (bikes, rides, components) is ever involved; this is website measurement only.

To opt out after accepting, clear cookies for this site in your browser settings, or install the Google Analytics Opt-out Browser Add-on. Google acts as a data processor under a data processing agreement with Allan Noer. Google's privacy policy applies to how it handles this data: policies.google.com/privacy.

Under the EU General Data Protection Regulation (GDPR), data is processed on the following legal bases:

• Performance of a contract (Article 6(1)(b)): the app processes the data you enter — bikes, components, rides, service notes — to deliver the functionality you installed it for. Cloud backup to iCloud or Google is part of this, ensuring your data survives a device change or reinstall.
• Consent (Article 6(1)(a)):connecting Strava is entirely optional and requires your explicit approval through Strava's OAuth flow. You can revoke it at any time from Settings → Disconnect Strava. Google Analytics on the website likewise runs only after you give explicit consent through the cookie banner; you can withdraw by clearing cookies for this site.

App data lives on your device, in the Quiver app sandbox. It also syncs to your personal iCloud (iOS, via CloudKit) or backs up to your Google account (Android) — see section 3. There is no copy on any server Allan Noer operates.

Website analytics data (if you accepted cookies) is stored on Google's servers in the United States under Google's standard data processing terms.

For as long as you keep Quiver installed. Removing the app removes its sandboxed database with it.

To wipe your data without deleting the app, open Settings → Reset all data. This wipes both the local database on your device and your private CloudKit zone immediately, on every device signed into the same iCloud account. It is final — there is no recovery.

Strava disconnection: Settings → Disconnect Stravadeletes your access and refresh tokens from the Keychain immediately, and clears the locally cached Strava activity data at the same time. Quiver does not call Strava's revoke endpoint on your behalf — to fully revoke access, also visit Strava → My Apps and remove Quiver there.

Quiver has no server of its own, so there is no advertising network or error-reporting backend that sees the inside of your bike fleet. The following third parties receive data in limited, specific circumstances:

• Apple (iCloud / CloudKit)— your garage data (bikes, components, rides, service history) syncs to your personal iCloud via Apple's CloudKit service as described in section 3. Photos (bike cover photos, component photos) and document attachments sync as CKAssets in the same private database. Allan Noer cannot access this data; it is governed by Apple's Privacy Policy.
• Google (Android backup)— on Android, your garage data is backed up to your Google account via Android's built-in backup service as described in section 3. This is governed by Google's Privacy Policy.
• Strava— only if you connect your Strava account. Quiver calls Strava's API on your behalf to fetch your activity history. Strava sees that an authorised request came from a Quiver client; nothing about your bikes or service log is sent to them.
• Google Analytics — only if you accept cookies on the website. Anonymous page-view data (pages visited, session duration, approximate country) is sent to Google Analytics. This does not include your name, email, or any data from the app.

GDPR gives you the following rights. Because Quiver stores your data on your own devices and iCloud, most of them are exercised directly in the app rather than by writing to me:

• Access: you already have every piece of data Quiver holds about you — it is on your phone, visible in the app.
• Rectification: edit any record directly in the app.
• Erasure: Settings → Reset all data, or uninstall the app.
• Portability: Settings → Export garage generates a structured JSON file containing all your bikes, components, rides, service entries, checklist tasks, and attachments. You can share or archive it however you like.
• Withdraw consent: Settings → Disconnect Strava revokes the only consent the app asks for.

For any question that the app cannot answer for you, email support@getquiver.app. I will respond within 30 days.

If you believe your data is being handled incorrectly, you have the right to lodge a complaint with the Danish supervisory authority:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
www.datatilsynet.dk

Quiver relies on the security guarantees the iOS platform provides:

• The app database is stored inside the Quiver app sandbox, which iOS isolates from every other app on your phone.
• Strava OAuth tokens are stored in the iOS Keychain — encrypted at rest by the device and protected by your passcode or Face ID.
• All network traffic between Quiver and Strava goes over HTTPS (TLS) and is enforced by iOS App Transport Security.
• CloudKit data — the garage data synced to your iCloud — is encrypted by Apple in transit and at rest, in a private database that only your own Apple devices can decrypt.
• The app's catalogue of bike models is bundled into the build as a read-only file. It is signed by Apple as part of the app and cannot be tampered with at rest.

The strongest practical security recommendation is the same as for any iPhone app: keep iOS up to date and keep a passcode on your device. Both directly protect the Quiver data on it.

Quiver is not directed at children under the age of 13 and the app does not collect personal data through traditional means. If you are a parent or guardian and you have concerns about a minor's use of the app, email support@getquiver.app.

If this policy changes, the “Last updated” date at the top of the page will change with it. Material changes will also be flagged in the app the next time you launch it. Continued use of Quiver after a material change indicates acceptance of the updated policy.