Privacy Policy
Last updated: May 2026 · support@rule9.bike
1. Who We Are
Rule9 (rule9.bike) is a cycling route weather analysis tool. It lets cyclists analyze GPX routes point-by-point for weather, wind, and riding conditions, and optionally connects with Strava to import routes and generate post-ride summaries.
2. Strava Data We Access
When you connect Strava, we request the following OAuth scopes:
- read — to list your saved public routes and fetch their GPX data.
- activity:read — to read completed activity details for optional post-ride summaries.
- activity:write — to update activity descriptions with an optional post-ride AI summary.
We do not request read_all, private activities, segment leaderboards, or any other Strava permissions beyond what is listed above.
3. Why We Collect This Data
- To list your Strava routes so you can select one for weather analysis.
- To fetch the GPX data of a selected route for weather analysis.
- To update the description of a completed activity with a post-ride weather summary (opt-in via Strava webhook).
4. Data Access and Ownership
Your Strava data is shown only to you — the authenticated owner of that Strava account. Rule9 does not share your Strava data with other users, does not create public leaderboards, does not create public activity feeds, and does not expose your Strava data in any way to third parties outside of the necessary service providers described below.
5. Token Storage and Security
- Strava access tokens and refresh tokens are stored only on our server. They are never returned to your browser or stored in localStorage or sessionStorage.
- Tokens are encrypted at rest using AES-256-GCM with a random nonce per record before being written to our Redis database (Upstash).
- The encryption key is stored as a Render environment secret and is never logged.
- Your session is maintained via an HttpOnly, Secure, SameSite cookie — inaccessible to JavaScript.
6. AI and Third-Party Services
- Weather data comes from Open-Meteo (free, open-source). Only geographic coordinates and timestamps are sent.
- AI summaries are generated by OpenAI. Only aggregated, non-personal route statistics are sent (distance, temperature range, elevation, speed). Your name, athlete ID, activity ID, or personal Strava data are not sent to OpenAI.
- We do not use your Strava data to train any AI or machine learning model. OpenAI's API usage policy applies; we use the API with data minimization in mind.
- Feedback notifications are sent to our private Telegram bot. Only the feedback text and optional contact email you provide are transmitted.
- Analytics: We use Vercel Analytics for anonymized page-view statistics. No Strava data is sent to any analytics service.
7. Strava API Monitoring
Rule9 uses the Strava API. As part of the Strava API Agreement, Strava may collect data about your use of Strava's API features within this application. This includes information about API calls made on your behalf (e.g. route listing, GPX exports). This data collection is governed by Strava's Privacy Policy.
8. Data Retention
- Strava token records are retained for up to 180 days of inactivity, then automatically purged.
- Route analysis results are cached for 24 hours.
- Feedback submissions are retained for 7 days.
- No other permanent data store is used.
9. Data Deletion and Disconnect
You can disconnect Strava at any time by clicking "Disconnect Strava" in the app. This will:
- Immediately delete your encrypted Strava token record from our server.
- Clear your Rule9 session cookie.
- Attempt to revoke Rule9's Strava authorization through Strava's deauthorization endpoint.
- If Strava deauthorization fails, local data is still removed and you can also revoke access manually from your Strava App Settings.
To request manual deletion of any remaining data, contact us at support@rule9.bike.
10. Data We Do NOT Collect
- We do not sell your data to any third party.
- We do not use invasive tracking, advertising cookies, or marketing pixels.
- We do not collect your name, email, or personal details unless you voluntarily submit them via the feedback form.
11. Contact
For privacy questions, data deletion requests, or support, contact us at: support@rule9.bike