Bolty

Privacy Policy

Effective date: March 4, 2026

1. Data Controller

Bolty is published by Robin Baret, an individual.

Contact email: [email protected]

Hosting: Railway (servers located in Europe).

2. Data Collected

Bolty collects the following data in order to provide the service:

2.1 User Account

  • Email address
  • Password (hashed with bcrypt — never stored in plaintext)
  • Apple Sign-In or Google Sign-In identifiers (unique identifier provided by the provider)

2.2 Runner Profile

  • First name
  • Age
  • Weight
  • Running level and experience
  • Motivations and race goal
  • Heart rate zones
  • Preferred training days

2.3 Sport Activities

  • Metadata: distance, duration, average pace, heart rate, cadence, elevation
  • Second-by-second streams: GPS, heart rate, pace, altitude, cadence
  • GPS trace (encoded polyline)
  • Lap data
  • Real-time GPS location data (when using the built-in tracking from the phone)

2.4 Post-Run Feedback

  • Rating of perceived exertion (RPE)
  • Physical sensations
  • User free-form notes

2.5 Training Plans

  • AI-generated training plans
  • Scheduled sessions and their status

2.6 AI Coach Analyses

  • AI-generated text and structured data
  • Q&A history with the coach

2.7 Technical Data

  • Strava authentication tokens (encrypted in the database)
  • Garmin Connect authentication tokens (encrypted in the database)
  • Push notification token (Expo)

2.8 Usage and Analytics Data

  • In-app navigation events (screens visited, onboarding steps completed)
  • Key actions: subscription, connecting an activity source, viewing an analysis
  • Platform (iOS/Android) and app version

This data is collected in a pseudonymized manner via PostHog (hosted in Europe) and is never sold to third parties. It is used solely to improve the user experience and identify friction points in the application.

3. Legal Basis for Processing

  • Performance of a contract (Article 6.1.b of the GDPR): data processing is necessary for the provision of the Bolty service (run analysis, plan generation, progress tracking).
  • Consent (Article 6.1.a of the GDPR): for push notifications, GPS location access (built-in tracking) and connections to third-party services (Strava, Garmin Connect, Apple Health). You can withdraw your consent at any time.

4. Sub-processors and Third Parties

Certain data is shared with the following providers, strictly in the context of delivering the service:

Artificial Intelligence Provider (USA)

Purpose: AI analysis of activities and training plan generation.

Data transmitted: user profile and aggregated metrics. Raw GPS streams are not transmitted.

Strava (USA)

Purpose: activity import via OAuth 2.0 in read-only mode (scope activity:read_all).

Data transmitted to Strava: none. Bolty only imports data from Strava.

Data imported: running activities (metadata, GPS/HR/pace/altitude/cadence streams, Strava athlete ID, GPS traces, laps).

The connection can be revoked at any time from the Bolty app or from your Strava settings.

Garmin Connect (USA)

Purpose: activity import via OAuth 2.0. Bolty accesses running activities in read-only mode.

Data transmitted to Garmin: none. Bolty only imports data from Garmin Connect.

Data imported: running activities (metadata, GPS/HR/pace/altitude/cadence streams, GPS traces, laps).

The connection can be revoked at any time from the Bolty app or from your Garmin Connect settings.

Apple / Google (USA)

Purpose: authentication only (identity token verification).

Expo / EAS (USA)

Purpose: push notification service.

Data transmitted: push token and notification content.

RevenueCat (USA)

Purpose: in-app subscription management.

Data transmitted: anonymized user identifier. No payment data is shared with RevenueCat or stored by Bolty.

PostHog (Europe)

Purpose: product analytics to understand app usage and improve the user experience.

Data transmitted: pseudonymized usage events (onboarding steps, key actions), platform and app version. No sensitive personal data is transmitted.

Hosting: European instance (eu.posthog.com). Data does not leave Europe.

Railway (Europe)

Purpose: hosting of the backend and PostgreSQL database. Servers are located in Europe.

5. Apple Health (HealthKit), Garmin Connect and built-in GPS tracking

Bolty can access running data via Apple Health (HealthKit) on iOS. This access is local: data is read directly from the device after explicit user authorization through the iOS permissions system.

Data imported from Apple Health (runs, heart rate, cadence, elevation) is processed in the same way as data imported from Strava.

Bolty also allows connecting a Garmin Connect account to automatically import activities recorded on a Garmin watch. This connection uses the OAuth 2.0 protocol and can be revoked at any time.

Finally, Bolty offers built-in GPS tracking to record a run directly from the phone. This feature requires access to the device's location, granted through the operating system's permissions. Location data is used exclusively to record the run's route and is never shared for advertising purposes.

6. International Transfers

Some sub-processors are based in the United States. These companies are certified under the EU-US Data Privacy Framework (DPF), which ensures an adequate level of protection as recognized by the European Commission.

7. Data Retention

Your data is retained for as long as your account exists.

When you delete your account, all associated data is permanently and irreversibly deleted (cascading deletion of all activities, analyses, plans, profile and tokens).

8. Your Rights (GDPR)

In accordance with the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: obtain a copy of your personal data.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure: request the deletion of your data. Account deletion is available directly in the app (Profile > Delete my account).
  • Right to data portability: receive your data in a structured, readable format.
  • Right to object: object to the processing of your data.
  • Right to restriction: request the restriction of processing.

To exercise these rights, contact us at [email protected].

9. California-Specific Rights (CCPA)

If you reside in California, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know: know the categories and specific pieces of personal data collected.
  • Right to deletion: request the deletion of your personal data.
  • Right to non-discrimination: not be treated differently for exercising your rights.

Bolty does not sell personal data.

10. Security

We implement the following measures to protect your data:

  • HTTPS encryption for all communications
  • Passwords hashed with bcrypt (never stored in plaintext)
  • Strava tokens encrypted in the database
  • Authentication via time-limited tokens

11. Minimum Age

Bolty is intended for individuals aged 16 and older. We do not knowingly collect personal data from minors under the age of 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us so we can delete it.

12. Cookies and Analytics

The Bolty landing page (bolty.run) does not use tracking cookies or third-party analytics tools. Only strictly necessary technical cookies may be used.

The Bolty mobile app uses PostHog (European instance) to collect anonymized usage events. This data is used exclusively to improve the product. No cookies are used in the mobile app — PostHog operates via the SDK integrated into the application.

13. Changes to This Policy

We reserve the right to modify this privacy policy. In case of substantial changes, you will be notified via an in-app notification or by email.

14. Contact

For any questions regarding this privacy policy or your personal data, contact us at [email protected].