Privacy Policy
Sport.CTRL, a French simplified joint-stock company (SASU) registered in France, places fundamental importance on the protection of your personal data. This policy applies to all services operated by Sport.CTRL, including the CTRL.LAB predictive intelligence system, its website (ctrllab.app), and associated interfaces.
1. Data controller
Sport.CTRL (SASU)
Address: [to be completed with registered office address]
Email: bastien.lm@sportctrl.com
Website: https://ctrllab.app
2. Data we collect
2.1 Identification data
- First and last name, date of birth, nationality
- Contact details: postal address, email, phone
- Photograph, image elements
- Sports license number (UCI, national federations)
2.2 Professional and contractual data
- Team, status, sports history
- Compensation, contract history
- Sponsors, commercial partners
2.3 Sports performance data
- Race results (from public sources such as procyclingstats.com and race organizers)
- Training data: power, heart rate, cadence, speed, distance, elevation, duration
- Derived metrics: FTP, CTL, ATL, TSB, power-duration curves, intensity zones
- Optional complementary physiological data: VO2max, lactate, resting heart rate, heart rate variability (HRV)
2.4 Data from social media (Meta / Facebook / Instagram)
When you explicitly authorize us to access your Instagram Business account or Facebook Page, we may collect:
- Public profile information: username, biography, profile picture, follower count
- Aggregated engagement metrics: post count, engagement rate, reach, impressions, saves, shares
- Reels and Stories metrics (views, completion, retention)
- Aggregated audience demographics (age, gender, location — never individual identifiers)
This data is used exclusively for predictive analytics within the CTRL.LAB system and is never resold.
2.5 Browsing data
We collect the minimum technical data necessary for website operation: IP address (anonymized), browser type, pages viewed, visit duration.
3. Purposes of processing
- Contractual management: execution of sports agent mandates, sponsorship contracts, invoicing
- CTRL.LAB predictive analytics: calculation of composite scores, identification of predictive media performance windows, strategic recommendations for athletes and partner brands
- Commercial prospecting: qualified athlete/brand matchmaking
- Institutional communication: newsletter, Sport.CTRL social media
- Legal obligations: accounting, UCI compliance, taxation
4. Legal basis
- Contract performance for athletes under mandate and partner brands
- Explicit consent for algorithmic processing of physiological data and social media data
- Legitimate interest for B2B commercial prospecting (brands)
- Legal obligation for retention of accounting and contractual documents
5. Data from Meta platforms (Facebook & Instagram)
Sport.CTRL uses official APIs provided by Meta Platforms, Inc. (Instagram Graph API, Facebook Graph API) to access certain public data and engagement metrics within the CTRL.LAB system.
5.1 Authorized access
We access no Meta data without prior and explicit authorization from the user concerned. Authorization is granted via Meta's standard OAuth 2.0 authentication process, which allows the user to control and revoke access at any time from their Meta account settings.
5.2 Data collected
We collect only data necessary for CTRL.LAB's analytical purposes: public metrics, aggregated insights metrics, anonymized audience demographics.
5.3 No sharing with Meta
We share no user data with Meta beyond what naturally transits via the official APIs. We do not train any algorithmic model on behalf of Meta.
5.4 Compliance with Meta Platform Terms
Use of Meta APIs strictly complies with platform terms of service (Meta Platform Terms, Instagram Platform Policy). We are subject to Meta's review process and commit to honoring all obligations associated with this status.
6. Physiological and sports performance data
Physiological data constitute a sensitive category requiring particular attention. They may fall under Article 9 GDPR (health data) depending on their granularity.
6.1 Reinforced consent
Collection and algorithmic processing of physiological data is conditional on explicit, specific, and documented consent from the athlete, formalized in a contractual amendment separate from the agent mandate.
6.2 Granular consent
Consent is granular: the athlete can independently authorize (a) collection and storage, (b) algorithmic analysis by CTRL.LAB, (c) aggregated transmission to third parties (partner brands, teams).
6.3 Revocability
Consent can be revoked at any time. Data processing then ceases within 30 days and data is anonymized or deleted per the athlete's request.
6.4 Sources
Physiological data originates from partner platforms (intervals.icu, TrainingPeaks, Garmin Connect, Wahoo Cloud) or is transmitted directly by the athlete in standard file formats (.fit, .tcx, .pwx).
7. Data sharing
- Partner brands in aggregated and anonymized form (unless a contractual agreement provides for nominative sharing)
- Sports teams in the context of transfer negotiations, with prior athlete consent
- Technical providers: hosting and cloud infrastructure providers (Neon, Railway, Cloudflare, Vercel) acting as processors under GDPR-compliant contracts
- Competent authorities upon judicial request
We never sell your personal data to third parties.
8. Retention period
- Contractual data: contract duration + 5 years (accounting obligations and statute of limitations)
- Physiological data: mandate duration + 24 months (unless deletion is requested)
- Data from Meta platforms: active consent duration + 30 days
- Commercial prospecting data: 3 years after last contact
- Browsing data: maximum 13 months
9. Security
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access control (RBAC) and Row-Level Security on the database
- Multi-factor authentication for administrator access
- Encrypted and immutable backups
- Access logging for sensitive data
- Hosting within the European Economic Area
10. Your rights
In accordance with the GDPR and the French Data Protection Act, you have the following rights:
- Right of access: obtain confirmation of processing and a copy of your data
- Right of rectification: correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability in a standard format
- Right to object to processing, particularly for prospecting purposes
- Right to withdraw consent at any time
- Right to lodge a complaint with the French data protection authority (CNIL)
To exercise your rights, contact us at bastien.lm@sportctrl.com. We will respond within a maximum of one month.
11. Cookies
The ctrllab.app website uses only cookies strictly necessary for site operation and aggregated audience measurement. No advertising or third-party tracking cookies are set without explicit consent.
12. Changes to this policy
This policy may be modified to reflect the evolution of our services or regulations. The date of last update appears at the top of the document. Substantial changes are notified to affected users.
13. Contact
Sport.CTRL
Email: bastien.lm@sportctrl.com
Subject: "GDPR — [your request]"