Privacy Policy
Last updated: March 1, 2026
This privacy policy applies to all apps and services operated by Bundle Moose, including Grinding Gears ("the App"), the bundlemoose.com website, and the api.bundlemoose.com backend. By using our services, you agree to the collection and use of information as described here.
1. Data We Collect
Bluetooth Sensor Data
The App uses Bluetooth Low Energy (BLE) to communicate with FTMS-compatible cycling trainers. During workouts, the App receives power (watts), cadence (RPM), speed, and heart rate readings at one-second intervals. This data is processed and stored locally on your device only.
Workout History
Completed workout summaries—including date, duration, average and maximum power, cadence, speed, heart rate, and distance—are stored locally on your device. Full second-by-second telemetry is retained on-device for review and optional upload to Strava.
User Preferences
Settings such as your FTP (Functional Threshold Power), speed unit preference, and custom workout definitions are stored locally on your device.
Strava Integration (Optional)
If you connect your Strava account, we receive and store:
- An OAuth access token and refresh token (encrypted at rest on our server using AES-256-GCM)
- Basic athlete profile information: your Strava user ID, first name, last name, and profile photo URL
When you explicitly tap "Upload to Strava," the App sends your workout data (power, cadence, speed, heart rate, duration, distance) to Strava via our server. We do not upload workouts without your action.
Subscription Data
In-app purchases are managed by Apple (App Store) or Google (Play Store) through RevenueCat. We receive only an anonymous identifier and your entitlement status (e.g., whether you have an active subscription). We never receive or store your payment card details, billing address, or Apple/Google account credentials.
Session & Authentication Data
When you connect to Strava, we create a signed session token to authenticate subsequent requests. On the web, this is stored as an HttpOnly, Secure cookie (gg_session) with a 30-day expiration. On mobile, the token is stored in your device's secure keychain (iOS Keychain or Android Keystore).
2. Data We Do Not Collect
- We do not collect personally identifying information (name, email, phone number) unless provided through Strava integration.
- We do not use analytics, tracking, advertising, or crash-reporting SDKs.
- We do not collect GPS or location data.
- We do not sell, rent, or share your data with third parties for marketing purposes.
- We do not use your data to build advertising profiles.
3. How We Use Your Data
- Bluetooth sensor data is used to display real-time metrics and record workouts.
- Strava tokens are used solely to upload workouts to your Strava account on your behalf.
- Subscription status is used to determine whether you have access to unlimited rides.
- Session tokens are used to authenticate your requests to our server.
4. Data Storage & Security
- On your device: Workout history, preferences, and custom workouts are stored in on-device storage (localStorage on web, AsyncStorage on mobile). Strava auth tokens on mobile are stored in the platform's secure keychain.
- On our server: Strava OAuth tokens are encrypted with AES-256-GCM and stored in Cloudflare Workers KV. Session tokens are signed with HMAC-SHA256. Temporary OAuth state values are automatically deleted after 10 minutes.
- In transit: All communication between the App and our server uses HTTPS.
5. Third-Party Services
- Strava (optional): When connected, your workout data is shared with Strava. Subject to Strava's Privacy Policy.
- RevenueCat: Manages subscription state using an anonymous identifier. Subject to RevenueCat's Privacy Policy.
- Apple App Store / Google Play Store: Process in-app purchase payments. Subject to their respective privacy policies.
- Cloudflare: Hosts our API and website. Subject to Cloudflare's Privacy Policy.
6. Bluetooth & Device Permissions
The App requires Bluetooth permission to discover and connect to cycling trainers. On iOS, background Bluetooth is enabled so workout recording continues if you briefly switch apps. On Android (API 31+), the App requests BLUETOOTH_SCAN and BLUETOOTH_CONNECT permissions. On older Android versions, ACCESS_FINE_LOCATION is required by the operating system for BLE scanning—however, the App does not access your GPS location.
7. Data Retention & Deletion
- Local data: Workout history and preferences remain on your device until you delete individual workouts or uninstall the App.
- Server data: Strava OAuth tokens are deleted immediately when you disconnect Strava in Settings. Temporary authentication data (OAuth state, exchange codes) expires automatically within minutes.
- Strava activities: Workouts uploaded to Strava remain on Strava's servers and are subject to Strava's retention policies.
To delete all data associated with your use of the App, disconnect Strava (if connected) and uninstall the App.
8. Children's Privacy
The App is not directed to children under 13. We do not knowingly collect data from children. If you believe a child has provided us with data, please contact us and we will delete it.
9. Your Rights
You can:
- View and delete individual workouts within the App.
- Disconnect your Strava account at any time, which revokes our access and deletes your tokens from our server.
- Uninstall the App to remove all locally stored data.
- Contact us to request information about any data we hold.
10. Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated date.
11. Contact
Questions or requests? Contact us at [email protected].