Wolfi's Cycling Academy - Privacy Policy

Last updated: 14 May 2026 Effective date: 14 May 2026

This Privacy Policy explains how Wolfi's Cycling Academy ("WCA", "we", "us" or "our") collects, uses, shares, retains and protects personal data of Parents and Riders who use our booking portal at https://wolfiscyclingacademy.ae (the "Portal") and who participate in our cycling programs in the United Arab Emirates ("Programs").

This Privacy Policy should be read together with our Terms and Conditions and our Cookie Notice. Capitalised terms used but not defined here have the meaning given in our Terms and Conditions.

This service is designed for children. Section 6 ("Children's Personal Data") sets out additional safeguards that apply to Riders, who are typically under 18 years of age. By creating an Account and registering a Rider, you confirm you are the Rider's parent or legal guardian (or are otherwise lawfully authorised to act on their behalf) and consent to the processing of the Rider's personal data described in this Privacy Policy.

1. Who We Are (Data Controller)

1.1 The data controller responsible for personal data processed through the Portal is Wolfi's Cycling Academy, based in the United Arab Emirates.

1.2 You can contact us about this Privacy Policy or about any personal data we hold about you or your Rider at:

Email: customercare@wolfis.ae Web: https://wolfiscyclingacademy.ae

If we appoint a data-protection officer or representative in the future, their contact details will be added here.

2. Scope

2.1 This Privacy Policy applies to personal data processed when you: (a) browse the Portal; (b) create or use an Account; (c) register a Rider; (d) make, view or cancel a Booking; (e) attend a Session at one of our Venues; or (f) contact us by email or other means.

2.2 The Portal may link to third-party websites or services (for example, our payment service provider's checkout page, our social media profiles, or Venue operators' sites). This Privacy Policy does not apply to those third parties. Please review their own privacy notices.

3. Personal Data We Collect

We collect and process the categories of personal data set out below. Most of this data is provided by you directly; some is generated automatically when you use the Portal.

3.1 Parent (Account holder) data

Identity: First name, last name. Contact: Email address (used as your sign-in identifier). Account credentials: Hashed password, password reset and unlock tokens, email confirmation status. Account security and session data: Sign-in count, current and last sign-in timestamps, current and last sign-in IP addresses, failed sign-in attempts, lockout status, JWT identifiers used for revocation. Device and connection data: IP address, browser type and version, device type, language and time-zone settings, and other technical data when you use the Portal.

3.2 Rider (child) data

Identity: First name, last name. Date of birth: Used to verify Program age-range eligibility. Demographics: Gender, grade, school class. Locality: Whether the Rider is a UAE local (used for reporting on participation). Photography preference: A "no pictures" flag indicating whether the Rider should be excluded from photography and video at Sessions (see Section 13 of our Terms). Health and safety information: Any allergies, medical conditions, medication, learning needs or other safety-relevant information you choose to provide so we can deliver Sessions safely. Participation data: Sessions attended, absences recorded by coaches, skill level assessments, progress notes and similar coaching records.

3.3 Booking, payment and financial data

Booking data: Event booked, Sessions, Venue, Rider associated with the Booking, Booking state (Pending, Paid, Confirmed, Cancelled), creation/payment/confirmation/cancellation/expiry timestamps, cancellation reason, idempotency identifiers. Payment data: Amount, currency (AED), payment service provider transaction reference, payment status. What we do NOT store: Your full payment card number, CVV, or full bank details. Card data is collected and processed by our payment service provider directly.

All credit/debit card details and personally identifiable information will NOT be stored, sold, shared, rented or leased to any third parties.

3.4 Communications data

Correspondence: Emails and messages you send to us at customercare@wolfis.ae and our replies. Service emails sent to you: Booking confirmations, payment receipts, schedule changes, safety notices, account-security emails (sign-in, password reset, account unlock, email confirmation) and similar operational messages.

3.5 Deletion-request data

If you ask us to delete a Rider or other data, we keep a record of the request (the data subject, your reason if provided, the status of the request, the admin who reviewed it and timestamps) so we can demonstrate that the request was handled.

4. How We Collect Personal Data

4.1 Directly from you - when you create an Account, register a Rider, make a Booking, contact us or otherwise interact with us.

4.2 Automatically - when you use the Portal we collect device and connection data, sign-in history, security events and similar technical data. See our Cookie Notice for more on cookies and similar technologies.

4.3 From our coaches and staff - for example, attendance, skill assessments and progress notes generated during Sessions.

4.4 From third parties - including our payment service provider (for example, transaction references, payment status, and chargeback notifications) and Venue operators (for example, where access controls or sign-in sheets generate participation data).

5. Purposes and Legal Basis

We process personal data for the purposes set out below. Where the law that applies to us requires a legal basis (for example, the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, or other data-protection laws), the basis on which we rely is shown.

1. To create and manage your Account and authenticate you on the Portal. Categories: Parent identity, contact, credentials, security/session data. Legal basis: Performance of a contract (our Terms) with you; our legitimate interests in account security.
2. To register Riders and check Program age-range eligibility. Categories: Rider identity, date of birth. Legal basis: Performance of a contract; consent of the Rider's parent/guardian.
3. To accept, process, confirm, cancel and refund Bookings. Categories: Booking, payment, Parent and Rider data. Legal basis: Performance of a contract.
4. To process payments and prevent fraud. Categories: Payment data, parts of Booking and Parent data. Legal basis: Performance of a contract; compliance with legal obligations; our legitimate interests in preventing fraud.
5. To deliver Sessions safely, including using health/safety information you provide. Categories: Rider identity, health and safety information, participation data. Legal basis: Performance of a contract; consent of the Rider's parent/guardian; vital interests where emergency treatment is needed.
6. To photograph and record Sessions for coaching, safety, record-keeping and (subject to the "no pictures" flag) marketing. Categories: Rider images and video; photography preference. Legal basis: Consent of the Rider's parent/guardian (you can change this at any time in the Rider's profile); our legitimate interests in safe coaching and internal record-keeping for non-public uses.
7. To send service communications (confirmations, reminders, schedule changes, safety notices, account-security emails). Categories: Parent contact data, Booking data. Legal basis: Performance of a contract; our legitimate interests in operating the Programs safely.
8. To send marketing emails (only where we have a lawful basis). Categories: Parent contact data. Legal basis: Consent, which you can withdraw at any time.
9. To handle complaints, queries and disputes. Categories: All categories as needed. Legal basis: Our legitimate interests in managing our business; compliance with legal obligations.
10. To comply with legal, accounting, tax, audit and reporting obligations. Categories: Booking, payment, Parent and (in limited cases) Rider data. Legal basis: Compliance with legal obligations.
11. To protect the safety of Riders, coaches, staff and the public. Categories: All categories as needed. Legal basis: Our (and others') legitimate interests; vital interests.
12. To report on participation in aggregate (for example, the split between Emirati and non-Emirati Riders, or by skill level). Categories: Demographic and locality data, aggregated where possible. Legal basis: Our legitimate interests in operating our business; compliance with legal obligations where required.
13. To handle deletion and other data-subject rights requests. Categories: All categories as needed to action the request. Legal basis: Compliance with legal obligations.

We will not use personal data for a materially new purpose without informing you and, where required, obtaining your consent.

6. Children's Personal Data

6.1 Our Programs are designed for children. We rely on you, as the Rider's parent or legal guardian (or as a person lawfully authorised to act on their behalf), to provide and authorise the processing of the Rider's personal data.

6.2 We collect only the Rider data we need to deliver the Programs safely and to verify eligibility (see Section 3.2). You do not need to provide health information, but if you choose not to, we may be unable to deliver Sessions safely to your Rider and may need to decline or cancel a Booking.

6.3 We do not knowingly allow Riders to create their own Accounts. The Portal is intended to be used by Parents on behalf of Riders.

6.4 We do not use Rider data to send marketing to Riders, and we do not sell Rider data.

7. Sharing Your Personal Data

We share personal data only as described below.

7.1 Our staff and contractors

Our coaches, administrators and contractors access personal data on a need-to-know basis to deliver and administer the Programs and the Portal.

7.2 Service providers (processors)

We share personal data with carefully selected service providers who process it on our behalf, including:

Payment service provider (currently Mastercard Payment Gateway Services / MPGS): Processing card payments, fraud prevention, refunds, chargebacks. Data shared: Booking amount, currency, transaction reference, limited Parent identity/contact data; card details are collected by the provider directly.

Email and transactional messaging provider (currently Brevo): Sending account-security and booking-related emails, and (subject to consent) marketing. Data shared: Parent name, email address, message content.

Cloud and hosting providers: Hosting the Portal, databases, backups and logs. Data shared: All categories as needed to operate the Portal.

Engineering, security and analytics tooling: Error monitoring, security monitoring, performance monitoring. Data shared: Technical and security data; limited identifiers.

Professional advisers: Legal, accounting, tax and audit. Data shared: As needed.

We require service providers to process personal data only on our instructions, to keep it confidential and secure, and to delete or return it when no longer needed.

7.3 Venue partners

Where required for access, sign-in, safety, insurance or compliance, we may share limited Rider and Parent data with Venue operators (currently including Al Hudayriyat Island, Abu Dhabi, and the Skoda Ali & Sons – Sheikh Zayed Road Showroom, Dubai).

7.4 Emergency services and medical professionals

In an emergency, we may share Rider data (including health information you have provided) with paramedics, doctors, hospitals or other medical professionals so they can treat your Rider.

7.5 Authorities and legal process

We may share personal data with regulators, courts, law-enforcement and other authorities where we are required to do so by law, or where we reasonably consider it necessary to protect our legal rights or the safety of others.

7.6 Business transfers

If we sell or reorganise our business, personal data may be transferred to the buyer or successor entity, subject to this Privacy Policy or an equivalent successor policy.

7.7 We do not sell your data

We do not sell personal data of Parents or Riders to third parties. All credit/debit card details and personally identifiable information will NOT be stored, sold, shared, rented or leased to any third parties.

8. International Transfers

8.1 We are based in the UAE. Some of our service providers (in particular cloud, hosting, payment and email providers) may be located outside the UAE, which means your personal data may be transferred to, stored in or processed in countries outside the UAE.

8.2 Where required by applicable law, we put in place safeguards to protect personal data when it is transferred outside the UAE, including by using providers in jurisdictions that the UAE recognises as offering adequate protection, by entering into contractual safeguards (such as standard data-protection clauses), and by selecting providers with strong technical and organisational security.

8.3 You can ask us at customercare@wolfis.ae for information about the specific safeguards we use.

9. How Long We Keep Personal Data (Retention)

We keep personal data only for as long as we need it for the purposes set out in Section 5. The general retention periods we apply are:

Active Account and Rider profiles: While your Account is active. If you stop using the Portal but do not request deletion, we may keep your Account and Rider profiles indefinitely so you can return and re-book.

Cancelled / expired Bookings: Retained alongside paid Bookings for the periods described below.

Booking, payment and financial records: At least the period required by UAE tax, accounting, audit and consumer-protection law (typically several years from the end of the relevant financial period).

Account-security and sign-in logs: Up to 24 months from the event, and longer where needed to investigate a specific incident.

Marketing data and consents: Until you withdraw consent or unsubscribe, and for a short period afterwards to record the withdrawal.

Health/safety information about Riders: While the Rider remains active in our Programs, plus a short post-participation period for incident review.

Photographs and video: As described in Section 13 of our Terms and Conditions, taking into account the "no pictures" flag; published imagery may persist on third-party platforms outside our control.

Soft-deleted records: When you request deletion or we deactivate a profile, we typically retain the record in a "soft-deleted" state - flagged as deleted and excluded from active use - for the legal, accounting, audit, safety and dispute-resolution periods above, after which it may be deleted or anonymised.

Deletion requests: Retained as an audit record.

When personal data is no longer needed, we will delete or anonymise it.

10. Your Rights

Subject to applicable law (in particular the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and any other data-protection laws that apply to you), you have the following rights in relation to personal data about you, and you may exercise them on behalf of your Rider:

1. Access - request a copy of the personal data we hold about you or your Rider, and information about how we process it.
2. Rectification - ask us to correct inaccurate or incomplete personal data. You can update most Parent and Rider details directly in the Portal.
3. Erasure ("right to be forgotten") - ask us to delete personal data we hold about you or your Rider, where there is no overriding reason to keep it. Some Booking and financial data must be retained as described in Section 9.
4. Restriction - ask us to limit how we use personal data while a request or complaint is being resolved.
5. Objection - object to processing we carry out on the basis of our legitimate interests, and to direct-marketing processing at any time.
6. Withdraw consent - where we rely on consent (for example, for marketing, or for the use of imagery under Section 13 of our Terms), you can withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
7. Portability - where applicable, receive certain personal data in a structured, commonly used and machine-readable format, and ask us to transmit it to another controller.
8. Lodge a complaint - with the relevant UAE data-protection authority (in particular the UAE Data Office under Federal Decree-Law No. 45 of 2021), and with any other competent regulator in your jurisdiction.

How to exercise your rights:

For most updates - change the relevant Parent or Rider details directly in the Portal. For deletion of a Rider - use the in-Portal deletion request workflow where available, or email us at customercare@wolfis.ae. For all other requests - email us at customercare@wolfis.ae.

We may need to verify your identity before acting on a request. We will respond within the time limit required by applicable law.

If you withdraw consent for, or ask us to delete, data that is necessary for an active Booking, we may be unable to continue delivering the Program for the relevant Rider, and may need to cancel the Booking in accordance with our Terms and Conditions.

11. Automated Decisions and Profiling

11.1 We do not make decisions about you or your Rider based solely on automated processing that produce legal or similarly significant effects.

11.2 The Portal applies basic automated checks at the time of Booking (for example, an age-range check against the Event, a duplicate-Booking check, and a capacity check). These checks are deterministic, are based on the data you provide, and can be reviewed and overridden by us on request.

12. Security

12.1 We use a combination of technical and organisational measures to protect personal data, including:

• encryption in transit (HTTPS/TLS) for traffic to and from the Portal;
• secure storage of credentials (passwords are stored only as salted hashes);
• short-lived authentication tokens with revocation on sign-out and on suspicious activity;
• account lockout after repeated unsuccessful sign-in attempts;
• access controls and role-based permissions so that staff only access the data they need;
• security monitoring, logging and rate-limiting; and
• security review of new features and providers before they go live.

12.2 No system is perfectly secure. We encourage you to use a strong, unique password for your Account, to keep your sign-in credentials confidential, and to tell us at customercare@wolfis.ae if you suspect any unauthorised access.

13. Cookies and Similar Technologies

The Portal uses a small number of cookies that are necessary to keep you signed in and to keep the Portal secure. We do not use cookies for advertising. For full details, see our Cookie Notice.

14. Changes to this Privacy Policy

14.1 We may amend this Privacy Policy from time to time. Where the changes are material, we will notify you by email and/or by a notice in the Portal before they take effect. The "Last updated" date at the top of this Privacy Policy shows when it was last amended.

14.2 By continuing to use the Portal or making a new Booking after changes take effect, you accept the amended Privacy Policy. If you do not accept it, you must stop using the Portal and may ask us to delete your data as described in Section 10.

15. Contact

If you have any questions about this Privacy Policy, or if you would like to exercise any of your rights:

Wolfi's Cycling Academy Email: customercare@wolfis.ae Web: https://wolfiscyclingacademy.ae

This Privacy Policy was last updated on 14 May 2026.