Privacy Policy
Last updated: 2026-05-14
1. Who we are
ALLR is a motorcycle gear price-comparison service. The data controller responsible for your personal data is the operator of https://allr.io. To contact us about anything in this policy, email privacy@allr.io.
2. What we collect
We collect the minimum we need to run the site:
- Account data: email address, hashed password (handled by AWS Cognito), and any optional fields you fill in on your profile (riding history, sizes, preferred region).
- Activity data: products you save, price alerts you create, items you add to your Fitting Room. Used to show you those products on subsequent visits.
- Technical data: IP address, browser/device user-agent, request timestamps, and inferred country (from your IP via ipapi.co) so we can show region-appropriate prices and pre-fill currency. Logged for at most 30 days.
- Cookies: a session cookie for sign-in, a CSRF cookie for form security, and (only with your consent) an affiliate-network cookie set by Impact when you click an outbound retailer link.
We do not collect payment data — all purchases happen on the retailer's own site, not ours.
3. Why we collect it (lawful basis under GDPR)
- Contract (Art. 6(1)(b) GDPR): account creation, saved gear, price alerts.
- Legitimate interests (Art. 6(1)(f) GDPR): site analytics, fraud / abuse prevention, security logging.
- Consent (Art. 6(1)(a) GDPR): non-essential cookies (affiliate tracking).
4. Who we share it with
- AWS hosts our infrastructure (Cognito for auth, DynamoDB for storage, SES for email). Data stays in our chosen AWS region.
- Impact (affiliate network) receives a click signal — but no personal data — when you tap an outbound Buy link and have accepted cookies.
- Retailers see whatever your browser sends to their site when you click through (referrer header, IP).
- We do not sell your data and do not share it with advertisers.
5. How long we keep it
- Account data: until you delete your account.
- Saved gear and alerts: until you remove them or delete your account.
- Technical logs: 30 days.
- Backups: rolling 7-day retention.
6. Your rights
If you are in the EU/UK, you can:
- Request a copy of your data (Art. 15).
- Correct inaccurate data (Art. 16).
- Delete your account and associated data (Art. 17).
- Object to or restrict processing (Art. 18 / 21).
- Withdraw consent for non-essential cookies at any time (clear them from your browser or use the cookie banner on your next visit).
- Lodge a complaint with your local data-protection authority.
Email privacy@allr.io to exercise any of these.
7. International transfers
Our hosting region is Canada (AWS ca-central-1, Montreal). If you are in the EU/EEA, your data is transferred to Canada on the basis of the European Commission's adequacy decision for Canada (Commercial Organizations) under PIPEDA. If you are in the UK, the equivalent UK adequacy regulations for Canada apply. No Standard Contractual Clauses are required for these transfers; we will adopt them and notify you on this page if either adequacy decision is revoked.
8. Children
ALLR is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, email privacy@allr.io and we'll delete it.
9. Changes to this policy
We will update this page when our practices change. Material changes will be highlighted at the top of the page; the "Last updated" date will tell you when the most recent revision happened.