Your data, plainly explained.

BonkProof is an AI-powered cycling coach delivered through a Telegram bot, operated by Dappness Ltd, a company registered in Scotland (“BonkProof”, “we”, “us”). This policy explains what personal data we collect when you use the service, why we collect it, who we share it with, and the rights you have over it. Dappness Ltd is the data controller for the personal data processed through BonkProof.

If you have any questions about this policy or want to exercise a privacy right, email us at [email protected].

We only collect the data we need to coach you. Specifically:

• Telegram account data.When you start a chat with the bot, Telegram provides us with your Telegram user ID, and (where you've shared them) your first name, last name, username, and language. We use your Telegram ID as the primary key for your account.
• Athlete profile. Information you give the coach during onboarding and ongoing chats: FTP, weight, date of birth, training days per week, weekly training hours, goals, target events and times, motivation, preferred coaching personality, and similar details.
• Strava activity data. If you connect Strava, we read your activities (name, date, duration, distance, elevation, power, heart rate, activity type) and basic athlete profile. We only access the scopes you approve — activity:read_all and profile:read_all. We never post, edit, or delete anything on your Strava account, and we don't access your Strava social graph or messages.
• Coaching conversations. Messages you exchange with the bot, plus facts and reference documents the coach generates from them, so the coach remembers context across sessions.
• Derived training metrics. We compute fitness, fatigue, and form (CTL / ATL / TSB) and weekly summaries from your activity history to inform coaching.
• Subscription data. If you subscribe, Stripe provides us with a customer ID, subscription ID, plan, and billing status. We do not see or store your card details — those stay with Stripe.
• Product analytics. Basic usage events (e.g. sign-ups, feature interactions) keyed to your Telegram ID via PostHog.

We use your data to:

• Deliver personalised coaching responses in Telegram.
• Assemble the context passed to our AI model — your profile, recent activities, training load, remembered facts, and the current week's conversation — so the coach can give relevant advice.
• Sync and analyse your rides when new activities arrive from Strava via webhook.
• Manage your trial, subscription, and billing.
• Improve the product (understand which features are used, diagnose bugs, prioritise roadmap).
• Communicate with you about your account and service changes.

We do not sell your data, and we do not use your coaching conversations or activity data to train third-party AI models.

We rely on the following lawful bases under UK GDPR / GDPR:

• Contract.Processing your profile, Strava data, and conversations is necessary to provide the coaching service you've asked for.
• Legitimate interests. Product analytics, fraud prevention, and operating the service.
• Consent. Connecting Strava is an affirmative action granting us access to your activity data; you can revoke it at any time from your Strava settings.
• Legal obligation. Keeping billing and tax records as required by law.

We share the minimum data needed with the following processors:

• Telegram— hosts the conversation interface. Any message you send to the bot passes through Telegram's infrastructure under Telegram's privacy policy.
• Strava — source of your activity data, with your authorisation. Revoking access in Strava stops the flow immediately.
• Anthropic (Claude)— we send each coaching turn to Anthropic's API to generate responses. This includes your profile, recent activity summaries, remembered coaching facts, and the current week's messages. Anthropic processes the request under its commercial terms and does not use API traffic to train models.
• Stripe — processes payments if you subscribe. Card data is collected and stored by Stripe, not by us.
• PostHog (EU-hosted) — product analytics events keyed to your Telegram ID.
• Infrastructure providers — Neon (Postgres database), Railway (bot hosting), and our web host. These providers process data on our instructions only.

We may also disclose data if required by law, to enforce our Terms, or to protect the rights and safety of users and the public.

Some of our processors (notably Anthropic and Stripe) operate outside the UK / EEA. Where we transfer personal data internationally, we rely on the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or the processor's adequacy decisions, as appropriate.

• Strava-sourced activity data is deleted automatically when you disconnect Strava, along with your Strava tokens.
• Your athlete profile and conversation history are kept while your account is active, so the coach can refer back to prior context.
• Billing records are kept for as long as required by tax and accounting law.
• Analytics eventsare retained under PostHog's default retention.

You can request full account deletion at any time — see below.

Depending on your jurisdiction, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data — you can update most fields via the bot.
• Delete your data (right to erasure).
• Export your data in a portable format.
• Object to or restrict certain processing.
• Withdraw consent (e.g. by disconnecting Strava).
• Lodge a complaint with your local data protection authority (for UK users, the ICO).

To exercise any of these rights, email [email protected] from the address linked to your account, or message the bot. We aim to respond within 30 days.

Data is stored in managed, access-controlled infrastructure and transmitted over TLS. Access to production systems is limited to the operators who need it. No system is perfectly secure, but we take reasonable technical and organisational measures to protect your data. If a breach affects your information, we will notify you and the relevant authorities as required by law.

BonkProof is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has given us information, contact us and we will delete it.

We may update this policy from time to time — for example, when we add a new integration. Material changes will be announced via the bot or email. The “last updated” date at the top of this page will always reflect the current version.