
Privacy Policy

Last updated: April 2026 · Effective from: January 2025

✅ Plain English Summary

  • We don't sell your data to anyone
  • You can browse most of the site without an account
  • Calculator inputs stay in your browser — not our server
  • Photo submissions are reviewed before going live, with your credit
  • Google reCAPTCHA runs on every form to keep bots out
  • You can request deletion of any data we hold about you

📥 01 · Information We Collect

Calculator inputs: When you use our calculators (affordability, EMI, fuel cost etc.), your inputs are processed entirely in your browser using JavaScript. We do not transmit or store your income, salary, down payment or financial details on our servers.

Contact form: When you contact us, we collect your name, email address, optional bike reference, and message. This is used only to respond to your enquiry.

Newsletter subscription: If you subscribe to our weekly digest, we collect your email address and the source page that prompted you to sign up. You can unsubscribe at any time using the link in any email we send.

Bike launch alerts: If you click "Alert Me" on an upcoming bike, we store your email address against that specific bike. Once the bike launches we send you a single notification email.

Photo submissions: If you upload a bike photo via the public gallery, we collect: your name (shown publicly as photo credit), an optional social-media profile link (clickable on your credit), an optional email (for admin contact only — never shown publicly), the photo itself, plus your IP address and browser user-agent (used internally to prevent duplicate submissions and abuse). Detail in Section 06.

Bike reviews & replies: If you write a review or reply on a bike page, we store your text, ratings, and optional ownership-period and mileage data, linked to your account.

Blog comments: Optional name, optional email (for moderation contact, not displayed), and the comment text.

Wishlist (saved bikes): If you save bikes to your wishlist while signed in, we store the bike-to-account mapping. If you save bikes while signed out, we store them locally in your browser only (no server-side data) and merge them into your account if you later sign in.

Account data (only if you sign up): Your name, email address, optional phone number, password (stored as a one-way bcrypt hash — we cannot read it), and email-verified status. If you sign in with Google, we additionally receive your Google profile name, email and avatar URL via OAuth.

Rate-limit & abuse-prevention logs: We log a hashed/sanitised version of your IP address against form submissions for short periods (15 minutes to 1 hour depending on the form) to prevent spam and brute-force attacks. These logs are not used for any other purpose and are auto-pruned.

Analytics: We collect anonymised usage data — pages viewed, time on site, browser type, city-level location (not precise GPS), and Core Web Vitals samples (1% of pageviews) for performance monitoring. This data cannot identify you personally and is used only to improve the website.

🔧 02 · How We Use Information

We use the information collected to:

  • Respond to contact-form submissions and support requests
  • Send the weekly digest to newsletter subscribers who opted in
  • Send launch-alert emails when an upcoming bike you tracked goes live
  • Display approved user-submitted photos with the uploader's chosen credit
  • Operate sign-in, password-reset, OTP verification and (admin) two-factor authentication flows
  • Detect and block automated/abusive form submissions (rate-limit logs + reCAPTCHA scores)
  • Understand how users navigate the site and improve it (anonymised analytics)
  • Monitor site performance and fix errors

We do not use your data for targeted advertising, sell it to third parties, or share it with bike brands or dealers.

🍪 03 · Cookies

We use a minimal set of cookies:

  • Essential cookies: Required for basic site functionality (e.g. remembering your selected city). These cannot be disabled.
  • Analytics cookies: Used to collect anonymised usage statistics. You can decline these.

We do not use advertising cookies or third-party tracking pixels. Our cookie usage is minimal by design.

🔗 04 · Third-Party Services

We use the following third-party services. Each receives only the minimum data needed to do its job:

  • Google reCAPTCHA v3: Runs invisibly on every form (sign-in, sign-up, contact, photo upload, comment, review, newsletter, bike alert, etc.) to detect bots. Google receives your IP address, browser fingerprint and interaction patterns; we receive only a 0.0–1.0 fraud score. Subject to Google's Privacy Policy and Terms.
  • Google OAuth: If you choose "Sign in with Google", Google authenticates you and sends us your name, email and avatar URL. We do not receive your Google password and we do not access any other Google data (no Calendar, Drive, contacts, etc.).
  • Google Analytics (GA4): Anonymised site usage statistics. IP addresses are anonymised at collection. See the Google Privacy Policy.
  • Google AdSense (when active): Once enabled, AdSense uses cookies to serve relevant ads and measure performance. You can opt out at Google Ads Settings. Currently AdSense is feature-flagged off.
  • Google Fonts: Typography assets served from Google's CDN.
  • SMTP email provider: Sends contact-form auto-replies, newsletter emails, OTP codes, password-reset links and launch-alert notifications. Email content is transmitted to the SMTP host but not stored by them beyond delivery logs.

We do not embed social-media tracking pixels on our pages.

🔑 05 · User Accounts & Sign-In

Creating an account is optional — you can browse the catalog, use every calculator and read the blog without ever signing up. An account is required only for: writing reviews, replying on review threads, and syncing your wishlist across devices.

Email + password sign-up: We store your name, email, optional phone, and a one-way bcrypt hash of your password (we cannot read or recover the original — if you forget it you must reset it). Email verification uses a 6-digit OTP that expires in 15 minutes.

Google OAuth sign-in: Google verifies your identity and sends us your name, email and avatar URL. We treat that the same as an email+password account, except we never receive or store any password.

Admin two-factor authentication (admin users only): When 2FA is enabled, an admin login generates a 6-digit OTP, sends it to the admin's email, and stores a one-way bcrypt hash of the code with a 10-minute expiry. The OTP is wiped immediately after use or expiry. This applies only to staff/admin accounts — regular visitors are not subject to admin 2FA.

Account deletion: You can request full account deletion at any time via the email in Section 11. We will remove your name, email, password hash, phone, wishlist, reviews, replies, and any photo submissions you uploaded — typically within 7 days of the request.

📸 06 · User-Submitted Content

You can contribute three kinds of content: bike photos (via the public gallery on each bike's page), reviews (on each bike-detail page, requires sign-in), and blog comments (no sign-in required).

Photo submissions specifically collect:

  • Your name — shown publicly as the photo credit. Required.
  • Social-media link — optional. If provided, your credit name links to it.
  • Email address — optional, internal only. Used only if our admin needs to contact you about the submission. Never displayed publicly.
  • Caption — optional, displayed under the photo if approved.
  • Photo file — stored on our servers if approved; rejected files are deleted immediately.
  • IP address & browser user-agent — internal only. Used to enforce the "one photo per person per bike" rule and to flag abusive submissions.

Every submission lands as pending and is held back from the public gallery until an admin reviews it. Approved photos appear with your chosen credit (and optional clickable social link). Rejected photos have their image file deleted from disk; only the metadata is kept for audit.

By submitting a photo, review or comment, you grant BikeCostCalc a non-exclusive licence to display it on the site with appropriate attribution. You can request removal at any time. Full details are in our Terms & Conditions.

⏳ 07 · Data Retention

We keep different categories of data for different lengths of time:

  • Account data: Until you delete your account.
  • Reviews, replies, comments: Until you (or we, for moderation reasons) remove them.
  • Approved photo submissions: Until you request removal or the bike is delisted.
  • Rejected photo submissions: Image file deleted immediately; metadata row kept up to 90 days for audit then purged.
  • Contact-form messages: Up to 12 months after the issue is resolved.
  • Newsletter subscriptions: Until you unsubscribe.
  • Bike launch alerts: Removed once the bike launches and the notification email is sent.
  • Login OTPs / password-reset tokens: Wiped immediately after use, or after 10–15 min expiry — whichever comes first.
  • Rate-limit logs: 15 minutes to 1 hour depending on the endpoint, then auto-pruned.
  • Admin activity log: Kept indefinitely for security audit, but contains no visitor data — only admin action history.
  • Analytics: Per Google's GA4 retention setting (default 14 months).

🔒 08 · Data Security

We take reasonable steps to protect any information you share with us:

  • The site is served over HTTPS (TLS encryption) at all times, enforced by an HSTS header
  • Passwords are stored as one-way bcrypt hashes; the plain password is never written to disk
  • OTPs and 2FA codes are also stored as bcrypt hashes, with short expiries
  • Admin sessions use a separate session cookie from public-visitor sessions, with timeout enforcement
  • SQL queries use prepared statements throughout to prevent injection attacks
  • Form submissions are protected by reCAPTCHA v3, per-IP rate limits and CSRF tokens (admin)
  • Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) reduce browser-side attack surface

Important: Our calculators process all financial inputs (salary, expenses, down payment) locally in your browser. This data is never transmitted to our servers.

👤 09 · Your Rights as a Data Principal (DPDP Act 2023)

Under India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), you (the "Data Principal") have the following rights against us (the "Data Fiduciary"):

  • Right to information — to know what personal data we hold about you, how it is processed, and with whom it is shared. Use the export tool at /account/export (logged in) for an instant JSON download.
  • Right to correction and erasure — to update inaccurate data via your account page, or to request full deletion at /account/delete. Deletion completes within 7 days, or 30 days for derived analytics records.
  • Right to grievance redressal — to escalate any privacy concern to our Grievance Officer (see Section 12). We acknowledge within 24 hours and resolve within 7 working days. If unresolved, you may approach the Data Protection Board of India.
  • Right to nominate — to nominate another individual to exercise these rights on your behalf in case of death or incapacity. Submit nomination via email.
  • Right to withdraw consent — to revoke consent at any time. Use the cookie banner's "Customise" option (or the "Open cookie preferences" link below) to change cookie choices. Other consents (newsletter, marketing) can be withdrawn from your account or via the unsubscribe link in our emails.
  • Right to opt out of automated decision-making — none of our calculators or recommendation engines make legally significant automated decisions about you, but you may still request human review of any output.

→ Open cookie preferences

To exercise any non-self-service right, email us at privacy@bikecostcalculator.com. We will verify your identity (by sending an OTP to your registered email) before acting on any request involving personal data.

🌐 09b · Cross-Border Data Transfers

Your data is primarily stored on servers located in India. Some processing involves third-party services that may transfer data outside India:

  • Google Analytics 4 — anonymised behavioural data may be processed in the United States and EU. Subject to Google's data-protection commitments.
  • Google AdSense — ad personalisation data may be processed globally.
  • Cloud email (SMTP) provider — newsletter and transactional emails are sent via a service that may relay through US infrastructure.

The DPDP Act permits such transfers unless restricted by Government notification. We will update this section if/when the Government issues a restricted-country list.

🧒 10 · Children's Privacy

BikeCostCalc is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, please contact us using the email below and we will delete it promptly.

For users between 13 and 18 in jurisdictions where parental consent is required for online accounts, please ensure you have parental permission before creating an account or submitting any content.

💰 11 · Monetization & Data Sharing

BikeCostCalc keeps the public site free by running a small, clearly-labelled set of revenue features. None of them require us to sell your personal data — and we don't.

  • Display advertising (Google AdSense): When AdSense is active, Google's ad scripts may set their own cookies to serve and measure ads. Google's data practices for ad personalisation are documented in their Privacy Policy; you can manage your ad personalisation at Google Ads Settings.
  • Affiliate links: Some outbound links to insurance partners, used-bike marketplaces and finance providers are tagged so the partner can attribute a commission to BikeCostCalc when you complete a transaction. The partner sees only what you click through to and the data you share with them — we don't pass them any of your BikeCostCalc account data.
  • Dealer-quote / loan-application forms: If you submit one of these forms (currently feature-flagged off), the contact details you enter are forwarded to the relevant dealer or lending partner so they can respond. This is the only flow in which we pass your information to a third party for commercial follow-up, and it happens only with your active form submission.
  • Newsletter: Operated entirely by us via our SMTP provider — no third-party email-marketing platform is involved.

We do not sell your email address, contact information, or browsing history to any third party for marketing purposes.

📮 12 · Grievance Officer & Contact

As required by Section 10(8) of the DPDP Act 2023, BikeCostCalculator has appointed a Grievance Officer to handle data-protection concerns:

Grievance Officer
Email: grievance@bikecostcalculator.com
General privacy: privacy@bikecostcalculator.com
Acknowledgement: Within 24 hours of receipt
Resolution: Within 7 working days
Address: BikeCostCalculator, India (full postal address available on request)

If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India established under the DPDP Act. Once notified, the Board's contact details will be linked here.

This policy may be updated periodically. The "Last updated" date at the top reflects when changes were made. For material changes (new data categories, new third-party services, retention-period changes) we will display a notice on the homepage and trigger the cookie consent banner to re-appear. Continued use of the site after changes constitutes acceptance of the updated policy.