Sauce for Zwift

There’s an argument to be made that Sauce the company does not process personal data at all but rather that Sauce the software is a tool for its users to do private data processing that is potentially outside the scope of GDPR altogether (see Art. 2(2) c).

In the HR data/health insurance example, I can think of quite a few more pressing data protection concerns than Sauce, but of course those would mean taking privacy actually seriously and, say, passing a federal data protection law in the US but, well, good luck with that.

I said I was going to leave it, but I won’t while you misrepresent my posts like this.

I don’t have an interest in “defending a position”. I don’t care whether Sauce has to enter into some sort of data sharing agreement or not. I don’t really care too much if it gets shut down, although that would be a shame. (I think Zwift should be providing the functionality Sauce is, or doing things properly by providing a properly managed API - almost certainly with the sort of controls you’re asking for.)

Thank you for clarifying!

There is no argument to say that Sauce does not process personal data, it literally does. I’m asking how its processed and how its stored (if at all). Its a legal requirement.

I dont think they can do the blanket policy, as they then need to have commitment from each of those 3rd parties that they will handle data correctly I.e. if you delete your zwiftpower account, all the data the 3rd party holds gets deleted as well. Practically I cant see them being able to do that but they have an obligation now to ensure that happens.

Agree on the sauce discussion, Sauce uses locally available information and I dont believe stores this anywhere (There might be a conversation around broadcasting this information without prior consent but who knows).

The can of worms is the API.

Yes, but is Sauce the company the data controller? Unless it does some form of central collection (which to me seems unrealistic already in terms of resources), I would argue that it is not, but rather the controller is each individual user.

Individuals can see the data within the platform, that is fine. Sauce is not an individual though.

Not in this case.

And to return to my original post, yes I have. I haven’t chosen to share my data with other organisations though. I’ve read the ts and Cs on this

All GDPR discussions are completely missing the point unless everybody has the meter running and Someone Else is footing the bill.

And yet, on this thread, people don’t seem to understand the difference between a user seeing data and a programme processing it!!!

A piece of software is not a “natural or legal person, public authority, agency or other body”. So who is the data controller here?

There is little difference in this instance as any user could be running a programme/script.

If they were to somehow only restrict what they saw on screen that argument might make sense but there are countless ways to gather basic user data from zwift. Some far easier with way more data than sauce.

It’s an agency or other body, by definition

Which are?

Zwiftpower for a start. anyone can grab your whole ride history in seconds

What are you after exactly, Tim? and from whom?

To know how they process and store my data, I’ve only said that about a thousand times.

I opted into that - it’s owned by Zwift!

You know that “Sauce for Zwift” is trademarked, right?

Also, Sauce is a registered LLC. Therefore are clearly defined in GDPR legislation

So you opted into me scraping all your ride data?

Is that better or worse than what sauce is doing as I’d argue that it gives way more information so the concern around sauce or other 3rd parties seems a bit mute here

But Zwift have data protection policies. You, as an individual with access to ZP have to comply with their terms and conditions, if you don’t, your access can be removed.

It’s not difficult to understand. Are you being deliberately obtuse?

Do yiu use Sauce as well?