Privacy Policy
Who processes your data
Bonk is operated from France. For any question about your personal data, write to us at contact@bonk-app.com. We are the data controller within the meaning of the GDPR.
What data we collect
• Data from Strava (after your explicit authorization): athlete ID, first name, last name, profile picture, and your sports activities (distance, duration, elevation, heart rate, pace, etc.).
• Technical data needed for the service: session token stored encrypted on your device, Strava access tokens encrypted in the database with AES-256-GCM, push notification token, language and time zone.
• Data generated by usage: preferences (chosen coach, history depth), sports goals you set, messages exchanged with your coach.
We do not collect any postal address, phone number or payment information. Subscription purchases are handled by Apple, which only sends us the result of the transaction.
Why we use them
• Run the service: fetch your activities, authenticate you, send you relevant analyses. Legal basis: performance of the contract.
• Send you push notifications (workout debrief, weekly recap). You can disable them at any time from your device settings. Legal basis: performance of the contract.
• Detect abuse, fraud and fix bugs. Legal basis: legitimate interest in protecting the service.
Who we share them with
• NPTN (France): to host the database and the API. Your data is stored on infrastructure located in France.
• Amazon Web Services (Frankfurt region, European Union): to generate analyses through the Bedrock service. AI processing takes place exclusively in Europe.
• Strava: to fetch your activities after your explicit authorization via OAuth.
• Apple: to process subscription payments and route push notifications via APNs.
• Expo: to relay push notifications to Apple.
No data is sold or used for advertising purposes.
Transfers outside the European Union
Storage and AI processing of your data take place exclusively within the European Union (France for the database, Frankfurt for the analyses). Only Apple's peripheral services (subscription payments, push notifications via APNs) and Expo (push notification relay) involve transit through the United States. These transfers are governed by the Data Privacy Framework adopted by the European Commission and by the corresponding standard contractual clauses.
How long we keep them
As long as your Bonk account is active. After you delete your account: your personal data is deleted within 30 days, except where the law requires longer retention (billing, fraud prevention — usually 5 years). Technical logs: 12 months maximum.
Your rights
You can at any time:
• access your data and obtain a copy;
• correct it if it is inaccurate;
• request its deletion;
• object to processing or restrict its scope;
• withdraw your consent by signing out and revoking Strava access.
Write to contact@bonk-app.com. We respond within one month. You can also lodge a complaint with the competent data protection authority in your country of residence if you believe your rights are not respected.
Security
Your Strava tokens are encrypted in the database with AES-256-GCM. Your session is stored in the secure keychain of your device (iOS Keychain). Communications with our servers go over HTTPS.
Changes
This policy may evolve. Significant changes are announced inside the app and on this page. The last update date is shown at the top.