LE DIRECTEUR

Last updated: March 16, 2026

1. Who We Are

Le Directeur ("we", "us", "our") is a community web application that generates AI-powered commentary on cycling and fitness activities. The app is operated as a personal project and is available at ledirecteur.app.

For questions about this privacy policy or your data, contact us at: privacy@ledirecteur.app

2. What Data We Collect

When you connect a fitness platform to Le Directeur, we collect the following data with your explicit authorization:

Account Data

• Name and profile picture (from your connected platform)
• Platform user ID (Strava, Wahoo, and/or Garmin)
• Weight, height, and FTP (if provided by you, used for power-to-weight and training analysis)
• Your sharing preferences

Activity Data

• Activity name, type, and start time
• Distance, duration, elevation gain
• Speed (average and max)
• Power output (average and max watts, if available)
• Heart rate data (if available)
• Suffer score (Strava only, if available)
• Device name (Garmin only, for required attribution)
• GPS tracks and location data (from uploaded activity files)
• Lap and split data (if available)
• Cadence and temperature data (if available)
• Per-second power data (from uploaded files or Strava streams, used to compute best efforts, normalized power, and training metrics)
• Route polylines (simplified GPS tracks for map display)

Google Sign-In Data

If you sign in with Google, we collect:

• Your Google profile name and picture
• Your Google account ID (for authentication)
• Your email address (stored only for account identification, never shared or used for marketing)

What We Do NOT Collect

• Payment information
• Photos or social content
• Health data beyond what is listed above

3. How We Collect Data

We collect data exclusively through official platform APIs after you explicitly authorize our application via OAuth:

• Strava: Via the Strava API with OAuth 2.0 authorization. We request read and activity:read_all scopes.
• Wahoo: Via the Wahoo Cloud API with OAuth 2.0 authorization. We request user_read, workouts_read, and offline_data scopes.
• Garmin: Via the Garmin Connect API with OAuth 2.0 PKCE authorization. We request activity read access.

New activities are delivered to us via webhooks (push notifications) from each platform. We do not poll or scrape any platform.

You may also upload activity files (.FIT, .GPX, .TCX) directly. These files are parsed server-side to extract activity data including GPS tracks, per-second power data, and lap splits. Raw files are retained for up to 30 days (see Data Retention) in case reprocessing is needed.

4. How We Use Your Data

Your activity data is used for one purpose: generating AI-powered commentary on your workouts using the Claude API (by Anthropic). Specifically:

• Activity statistics (distance, time, speed, power, lap splits, best efforts, training metrics, etc.) are sent to the Claude API as context for generating a short humorous commentary about the activity.
• Per-second power data is analyzed to compute best efforts (peak power at various durations), normalized power, variability index, intensity factor, training stress score, and interval detection.
• GPS tracks are simplified into route polylines and displayed on activity cards as maps. Full-resolution GPS coordinates are not stored, sent to the Claude API, or displayed to other users.
• We use Claude for inference only. Your data is never used for model training, fine-tuning, or building datasets.
• If you opt in to group sharing, your activities and commentary are displayed on the shared leaderboard visible to other opted-in users. GPS tracks are never shared.

5. How We Share Your Data

Your data is never sold, leased, licensed, or disclosed to advertisers, data brokers, or other third parties.

Data is shared only in the following limited ways:

• With other users (only with your consent): If you enable "Share my activities with the group," your activity data and commentary are visible to other opted-in users on the leaderboard. You can disable this at any time in Settings.
• With Anthropic (Claude API): Activity statistics are sent to Anthropic's API to generate commentary. Anthropic processes this data according to their privacy policy. No personal identifiers beyond your first name are included in API requests.
• With Supabase: Your data is stored in a Supabase-hosted PostgreSQL database. Supabase processes data according to their privacy policy.
• With Netlify: The application is hosted on Netlify. Netlify processes requests according to their privacy policy.
• With Google: If you sign in with Google, authentication is handled via Google OAuth. Google processes data according to their privacy policy.
• With GitHub: Bug reports and feature requests submitted through the app are created as issues on our GitHub repository. Your user ID (not your name or email) is included in the issue for tracking purposes.

6. Data Retention

• Strava-sourced activity data: Automatically deleted after 7 days, as required by the Strava API Agreement.
• Wahoo-sourced activity data: Retained for up to 30 days, then automatically deleted.
• Garmin-sourced activity data: Retained for up to 30 days, then automatically deleted.
• Uploaded activity files: Raw files are retained for up to 30 days in case reprocessing is needed, then automatically deleted. Extracted activity data follows the same 30-day retention.
• Account data: Retained until you disconnect your account or request deletion.
• AI-generated commentary: Deleted when the associated activity is deleted.

A scheduled process runs daily to enforce these retention limits.

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

• All data is transmitted over HTTPS (encrypted in transit)
• OAuth tokens are stored encrypted in our database
• API keys and secrets are stored as environment variables, never in code
• The application uses HttpOnly, Secure, SameSite cookies for session management
• We do not store passwords — authentication is handled entirely by each platform's OAuth system

In the event of a data breach, we will notify affected users and relevant platform partners within 24 hours of discovery.

8. Your Rights

You have the following rights regarding your data:

For All Users

• Access: View your data in the Settings page and personal feed.
• Disconnect: Remove any platform connection at any time via Settings. This deletes all activities sourced from that platform.
• Deletion: Request complete deletion of your account and all associated data by contacting us.
• Withdraw consent: Revoke our access at any time by disconnecting in our app or revoking access directly in Strava, Wahoo, or Garmin settings. We will delete your data upon revocation.
• Opt out of sharing: Disable group sharing at any time in Settings.

Additional Rights (EU/EEA/UK — GDPR)

If you are in the EU, EEA, or UK, you additionally have the right to:

• Request a portable copy of your data
• Request rectification of inaccurate data
• Object to processing of your data
• Lodge a complaint with your local data protection authority

Our legal basis for processing your data is your explicit consent, provided when you authorize our application via OAuth.

Additional Rights (California — CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect and how it is used
• Request deletion of your personal information
• Opt out of the sale of personal information — we do not sell your personal information
• Non-discrimination for exercising your privacy rights

9. Third-Party Platform Terms

Your use of Le Directeur is also subject to the terms of the platforms you connect:

• Strava API Agreement and Strava Privacy Policy
• Wahoo API Agreement and Wahoo Privacy Policy
• Garmin Terms of Use and Garmin Privacy Policy

Strava, Wahoo, and Garmin may collect usage data related to your use of our application in accordance with their respective privacy policies.

10. Cookies

We use a single essential cookie (directeur_session) to maintain your login session. This cookie is:

• HttpOnly (not accessible to JavaScript)
• Secure (only sent over HTTPS)
• SameSite=Lax (prevents cross-site request forgery)
• Expires after 30 days

We do not use analytics cookies, advertising cookies, or any third-party tracking.

11. Children

Le Directeur is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of Le Directeur after changes constitutes acceptance of the updated policy.

13. Contact

For privacy questions, data requests, or concerns:

Email: privacy@ledirecteur.app