Legal

Privacy Policy

Last updated: 13 April 2025 · Effective immediately

WatchForward ("we", "us", or "our") operates the WatchForward Poster application (the "Service"). This page explains what data we access, how we use it, and your rights as a user. We believe in plain language over legal fog — here's exactly how we treat your data.

The short version: We only access what Strava gives us, we use it only to generate posts for you, and we don't store anything beyond what's needed to keep you logged in for 30 days. We don't sell data. Full stop.

1. Who We Are

WatchForward is operated by Pierluigi De Rogatis. For any privacy-related enquiries, contact us at pierluigi.derogatis@live.com.

2. Data We Access

WatchForward connects to your Strava account via OAuth 2.0. With your explicit consent, we access:

Activity data — name, type (run/ride/etc.), distance, elevation, and duration of your recent activities. Used solely to pre-fill the post generator so you don't have to type your stats manually.
Activity write access — used only when you explicitly tap "Update Strava" to save the AI-generated title and description back to a specific activity. We never modify your activities without a direct, user-initiated action.
Athlete profile — basic profile information (name, athlete ID) used to authenticate your session only.

3. How We Use Your Data

We use your Strava data exclusively to provide the core functionality of WatchForward:

Displaying your recent activities in the activity selector.
Pre-filling workout metrics to generate AI-powered social post captions via Gemini.
Writing AI-generated content back to Strava when you explicitly request it.

We do not use your data for advertising, profiling, training AI models, or any purpose beyond the above.

4. Data Storage & Retention

WatchForward is built with a minimal data footprint:

Your Strava OAuth refresh token is stored server-side in Cloudflare KV, encrypted at rest, keyed to your Strava athlete ID. It is used solely to obtain fresh access tokens on your behalf.
Your session token is stored in your browser's localStorage. It expires after 30 days.
Activity data fetched from Strava is held in memory for your current session only and is discarded when you close or reload the app.
We do not operate a user database. We do not store your name, email, activity history, or generated posts.
Rate-limiting counters (to protect fair use) are stored in Cloudflare KV keyed to your athlete ID and a UTC date string. They automatically expire after 24 hours.

5. Third-Party Services

WatchForward integrates with the following third-party services:

Strava — activity data source and write destination. Governed by Strava's Privacy Policy.
Google Gemini AI — used to generate post captions. Only your activity type, metrics, duration, and personal notes are sent. No identifying information is transmitted. Governed by Google's Generative AI Terms.
Cloudflare Workers & KV — our serverless backend infrastructure. Session and token data only. Governed by Cloudflare's Privacy Policy.

6. Sharing of Data

We do not sell, rent, or share your personal data with any third parties for any commercial purpose. Data is only transmitted to the third-party services listed in Section 5, strictly as needed to operate the Service.

7. Your Rights

You can revoke WatchForward's access to your Strava account at any time by visiting Strava Settings → My Apps and disconnecting WatchForward. This immediately invalidates all tokens.

To request deletion of any server-side data we hold (session token, refresh token, rate-limit counters), contact us at pierluigi.derogatis@live.com and we will action it within 72 hours.

8. Children's Privacy

WatchForward is not directed at children under the age of 13. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it immediately.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes by updating the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact

For any questions about this Privacy Policy:
Pierluigi De Rogatis — pierluigi.derogatis@live.com