Privacy Policy
Last updated: 2026-05-03
BonkCoach is a one-person project. This page describes what we collect from you, what we do with it, what we don't do, and how to delete everything.
1. What we collect
From Strava OAuth (when you connect)
- Your Strava athlete ID (a number)
- Your display name and profile picture URL
- Your email address (only if you grant the
profile:read_allscope) - An OAuth access token + refresh token, both encrypted at rest with AES-256-GCM
From Strava webhooks (when you upload an activity)
- The activity's numeric ID
- After fetching the activity from Strava using your token: name, sport type, distance, moving time, elevation, average/max speed, heart rate, power, kilojoules, start time
What we generate from that
- A short roast script (text)
- An audio voice note (MP3, generated from the script)
- An unguessable URL slug for sharing
2. What we explicitly do NOT collect
- GPS routes / map data. Strava provides a polyline of your ride; we never request, fetch, store, or display it.
- Personal contact details beyond the Strava-provided email.
- Payment information. BonkCoach is currently free.
- Browser fingerprints, ad identifiers, cross-site cookies.
- Other athletes' data. Strava OAuth scopes us to your own data only — we couldn't access your friends' rides even if we wanted to.
3. Where it's stored
- User records and roast metadata: Amazon DynamoDB, eu-west-1 region, encrypted at rest.
- Audio files: Amazon S3, eu-west-1 region, encrypted at rest, private bucket. Audio is served via short-lived presigned URLs (15 minute expiry).
- OAuth tokens: Encrypted with a separate AES-256-GCM key before being written to DynamoDB. The key lives in AWS Systems Manager Parameter Store.
4. Third parties that see your data
To generate roasts, we share derived data with two AI providers:
- OpenAI receives your activity stats (distance, time, elevation, HR, power, etc.) along with the activity name and sport type. We use their API per their API data usage policy, which means OpenAI does not train models on this data.
- ElevenLabs receives the generated roast text (no Strava data) to synthesize audio. Per their privacy policy, API usage is not used for model training.
We do not share your data with any other third party.
5. What we do NOT do with your data
- We do not train AI models on your Strava data.
- We do not auto-post on Strava. We never request the
activity:writescope. We will never comment on your activities or modify your activity descriptions. - We do not display your data to anyone but you. Roasts live at unguessable URLs (12 random characters). Only you receive the URL via email. If you choose to share that URL with someone, they can listen to the audio and read the roast text — but never see your raw Strava stats.
- We do not sell or rent your data. Ever.
- We do not run advertising or third-party tracking.
6. Webhook subscription
Connecting BonkCoach subscribes your athlete account to Strava's webhook events for your activities only. Strava notifies us when you create, update, or delete an activity. We act only on create events to generate one roast per new activity. We ignore update/delete events for now (deleting an activity on Strava does NOT delete the roast we already generated — that's a manual action you take from your dashboard).
7. How to delete your data
Self-serve options on your dashboard:
- Disconnect Strava — removes your encrypted OAuth tokens from our database. New activities will no longer trigger roasts. Your existing roasts remain accessible (and shareable). Useful if you want to stop syncing but keep your archive.
- Delete account — irreversibly removes your user record, all your roasts (text and audio files), and your encrypted OAuth tokens. After this, BonkCoach retains no data about you.
By email:
Email bonkcoach@malaysiacyclist.com with your Strava athlete ID (visible at strava.com/athletes/<id>) and request deletion. We aim to comply within 7 days.
8. Data retention
We keep your user record and roasts for as long as your account is active. If you disconnect Strava but don't delete your account, we keep the roast archive indefinitely (since you may still want to access them). If you delete your account, everything is removed within 7 days.
AWS S3 lifecycle rules abort incomplete multipart uploads after 7 days (operational hygiene, no impact on stored roasts).
9. Email notifications
When a new roast is ready, we email you a link to listen. Every email includes a one-click List-Unsubscribe header (visible to Gmail and Outlook clients) and a plain unsubscribe link in the body. Unsubscribing turns off email notifications but does not delete your account.
10. Security
- HTTPS enforced for all traffic via CloudFront.
- Strava OAuth tokens encrypted at rest with AES-256-GCM.
- Audio bucket is private; access only via short-lived presigned URLs.
- No public API endpoints accept data without authentication or signed payloads.
- Operational secrets (encryption keys, API tokens) live in AWS Systems Manager Parameter Store, accessed via narrowly-scoped IAM roles.
11. Your rights (GDPR, CCPA, etc.)
Even though BonkCoach is a tiny side project, we honor the spirit of GDPR / CCPA / Malaysia's PDPA: you have the right to access, correct, export, or delete your data. To exercise any of these rights, email bonkcoach@malaysiacyclist.com.
12. Changes to this policy
If we change anything material about how we handle your data, we'll update this page, bump the "Last updated" date at the top, and email connected users to flag the change.
13. Contact
Questions, complaints, or anything else: bonkcoach@malaysiacyclist.com.