Privacy Policy

Last updated: April 2026

This Privacy Policy explains how Nodex Devices ("we", "us", "our") collects, uses, and protects information in connection with the StravaDisplay device and cloud service. We are committed to handling your data responsibly and in accordance with UK GDPR.

1. What Data We Collect

We collect and store only what is necessary to operate the Service:

• Device identifiers — serial number and a derived device ID, provisioned at manufacture
• Strava OAuth tokens — an access token and refresh token allowing the Service to fetch your activity statistics. These are encrypted at rest.
• Activity statistics — aggregated totals (distances, times, elevation) retrieved from the Strava API. We do not store individual activity details, GPS routes, heart rate, or personal profile data.
• Display preferences — which metrics you have chosen to display and your brightness/timing settings
• Service logs — anonymous request logs for debugging and rate-limit management, retained for up to 30 days

2. What We Do Not Collect

• Your name, email address, or Strava profile
• GPS routes or location data
• Individual workout details beyond aggregated totals
• Payment information (handled entirely by our payment processor)
• Any data from your home network beyond what is necessary to connect the Device to WiFi

3. How We Use Your Data

Data is used solely to operate the Service:

• Authenticating your Device with the cloud service
• Fetching activity totals from Strava on your Device's behalf
• Delivering the statistics to your Device for display
• Delivering firmware updates to your Device

We do not sell, share, or use your data for advertising or analytics purposes.

4. Strava Data

We access your Strava data under the read-only activity:read permission scope. We comply with the Strava API Agreement. You can disconnect your Strava account at any time via strava.com/settings/apps, which will immediately revoke our access. Any stored tokens will be deleted within 24 hours of revocation.

5. Data Storage and Security

Data is stored on Cloudflare's infrastructure (Cloudflare Workers KV and D1) with servers located in the European Economic Area where possible. Cloudflare is certified under the EU-US Data Privacy Framework. All data in transit is encrypted using TLS 1.2 or higher. OAuth tokens are stored with encryption at rest.

6. Data Retention

Device and Strava token data is retained for as long as your Device remains active. If your Device has not contacted the Service for 12 months it will be treated as inactive and associated data may be deleted. You may request deletion at any time (see Section 8).

7. Your Rights (UK GDPR)

You have the right to:

• Access — request a copy of the data we hold about your Device
• Erasure — request deletion of all data associated with your Device
• Restriction — request that we stop processing your data while a complaint is resolved
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interests

To exercise any of these rights, contact us at contact@tps505.com. We will respond within 30 days.

8. Contact & Complaints

For privacy enquiries contact contact@tps505.com.

If you are unsatisfied with our response you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

9. Changes to This Policy

We may update this policy periodically. The "last updated" date at the top of this page will reflect any changes. Continued use of the Device following an update constitutes acceptance of the revised policy.