Privacy Policy

Controller

Clément Devos
clement.devos.pro@gmail.com

What data is processed

When you sign in with your Bosch account, the following data is received from Bosch's identity server and stored in your session:

• Email address
• Display name
• User identifier (subject ID)
• OAuth access token and refresh token

Your eBike activity and bike profile data is fetched from the Bosch eBike Cloud API on your request and displayed in your browser. It is not stored on any server beyond the duration of the API call.

Session cookie

After sign-in, a single strictly necessary cookie named bosch_session is set on your browser. It is:

• Encrypted with AES-GCM using a server-side secret
• HttpOnly — not accessible to JavaScript
• SameSite — not sent on cross-site requests
• Valid for 30 days, or until you sign out

This cookie is required for the service to function. No consent is required under the ePrivacy Directive for strictly necessary cookies.

What is not collected

• No analytics or tracking
• No advertising
• No third-party cookies
• No data shared with third parties (other than the Bosch API calls you trigger)

Legal basis

Processing is based on the performance of the service you requested (Art. 6(1)(b) GDPR). The session data is necessary to authenticate API requests to Bosch on your behalf.

Your rights

Under GDPR you have the right to access, rectify, erase, or port your data, and to object to processing. To exercise these rights, contact clement.devos.pro@gmail.com.

Signing out deletes the session cookie and all associated data from the server immediately. You can also revoke this app's access to your Bosch account at any time via Bosch app permissions.