# Train App Privacy Policy

**Last Updated: October 2025**

## Introduction

Welcome to Train App. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, and protect your data when you use our fitness coaching platform.

Train App is a comprehensive fitness coaching SaaS platform that connects coaches with clients through web and mobile applications. This policy applies to all users: coaches, clients, and administrators.

## 1. Information We Collect

### 1.1 Personal Information

**Account Information:**
- Full name
- Email address
- Phone number
- Date of birth
- Profile photograph
- Business logo (for coaches)
- Location data (city/country for global map feature)

**Authentication Data:**
- Password (stored as a bcrypt hash)
- Two-factor authentication settings
- Login history and IP addresses
- Session tokens

### 1.2 Health and Fitness Data

**Training Data:**
- Workout logs (exercises, sets, reps, weights, RPE ratings)
- Training program assignments and progress
- Personal best records and achievements
- Rest periods and workout completion timestamps
- Form check videos and coach feedback
- Exercise substitution preferences

**Nutrition Data:**
- Daily food intake and macro tracking
- Calorie targets and nutritional goals
- Meal photos and saved recipes
- Supplement schedules
- Dietary preferences and restrictions

**Progress Tracking:**
- Body measurements and composition data
- Progress photographs
- Weight and body metrics history
- Achievement milestones and XP points
- Habit completion and streak tracking

### 1.3 Wearable Device Data

With your explicit consent, we integrate with:
- Apple Health
- Fitbit
- Garmin
- WHOOP

**Data collected may include:**
- Steps, distance, and activity levels
- Heart rate and heart rate variability
- Sleep duration and quality
- Calorie expenditure
- Workout detection and performance metrics
- Recovery scores and readiness metrics

### 1.4 Communication Data

- Chat messages between coaches and clients
- Voice notes from coaches
- Form submission videos from clients
- Community posts and interactions
- Support ticket correspondence
- Push notification preferences

### 1.5 Calendar and Scheduling Data

With your permission, we access:
- Google Calendar
- Apple Calendar
- Outlook Calendar

**Data includes:**
- Appointment bookings
- Coach availability schedules
- Calendar conflicts and busy times
- Event synchronization status

### 1.6 Financial Data

**Subscription Information:**
- Stripe customer ID
- Subscription plan and status
- Payment method details (tokenized via Stripe)
- Invoice history
- Discount code usage

**Note:** We do not store full credit card numbers. Payment processing is handled securely by Stripe.

### 1.7 Usage and Technical Data

- Device type and operating system
- App version and platform (web/mobile)
- IP address and approximate location
- Browser type and settings
- Feature usage statistics
- Error logs and crash reports
- API request logs

### 1.8 Legal Basis for Processing (GDPR Compliance)

We process your personal data under the following lawful bases as defined by GDPR Article 6:

**a) Contract Performance:**
- Creating and managing your account
- Delivering coaching services (training programs, nutrition plans, progress tracking)
- Processing subscription payments
- Providing customer support

**b) Legitimate Interests:**
- Improving platform security and preventing fraud
- Analyzing usage patterns to enhance user experience
- Conducting business analytics and reporting
- Maintaining and optimizing platform performance

**c) Consent:**
- Health and fitness data from wearable devices (explicit consent required)
- Calendar access and synchronization (explicit consent required)
- Marketing communications (opt-in consent)
- Cookies and tracking technologies (except essential cookies)

**d) Legal Obligations:**
- Complying with tax and financial regulations
- Responding to lawful requests from authorities
- Maintaining records for regulatory compliance
- Enforcing our Terms of Service and legal rights

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the consent was withdrawn.

## 2. How We Use Your Information

### 2.1 Core Service Delivery

- **Training Program Management:** Deliver personalized workout programs and track progress
- **Nutrition Coaching:** Provide meal planning, tracking, and nutritional guidance
- **Communication:** Enable real-time chat between coaches and clients
- **Progress Analytics:** Generate insights, graphs, and achievement tracking
- **Task Management:** Create and manage daily coaching tasks
- **Form Reviews:** Process and respond to client form check videos

### 2.2 Platform Functionality

- **Account Management:** Authenticate users and maintain secure sessions
- **Subscription Management:** Process payments and enforce plan limits
- **Client Assignment:** Manage coach-client relationships and team coaching
- **Calendar Integration:** Schedule appointments and avoid conflicts
- **Wearable Sync:** Retrieve and display health metrics from connected devices
- **Community Features:** Enable social interactions and content sharing

### 2.3 Business Operations

- **Customer Support:** Respond to inquiries and resolve technical issues
- **Analytics:** Monitor platform performance and user engagement
- **Financial Reporting:** Provide revenue analytics to coaches
- **Security Monitoring:** Detect and prevent fraudulent activity
- **Service Improvements:** Identify bugs and develop new features

### 2.4 Legal Compliance

- Comply with applicable laws and regulations
- Respond to legal requests and court orders
- Enforce our Terms of Service
- Protect user safety and platform integrity

## 3. How We Store and Protect Your Data

### 3.1 Data Storage

**Database:** PostgreSQL hosted on Render.com
- Location: Cloud infrastructure with encryption at rest
- Backup frequency: Daily automated backups
- Retention: Active data retained for account lifetime

**File Storage:** AWS S3 (Stockholm region - eu-north-1)
- Form check videos
- Voice notes from coaches
- Exercise demonstration videos
- Profile pictures and business logos
- Meal photos
- Progress photographs
- Chat attachments

### 3.2 Security Measures

**Encryption:**
- All data transmitted via HTTPS/TLS encryption
- Passwords stored using industry-standard hashing (bcrypt)
- JWT tokens for session management
- Sensitive tokens encrypted in database

**Access Controls:**
- Role-based access (super_admin, coach, client)
- Two-factor authentication available
- Rate limiting on all API endpoints
- Parameterized queries to prevent SQL injection

**Monitoring:**
- Real-time error tracking
- Security audit logging
- Automated threat detection
- Regular security assessments

**Data Protection Impact Assessments (DPIA):**
- We conduct periodic Data Protection Impact Assessments for features involving sensitive health data, wearable integrations, and high-risk processing activities
- DPIAs evaluate privacy risks and implement appropriate safeguards
- Assessments reviewed annually or when introducing new features that process health data

### 3.3 Data Retention

We retain different types of data for varying periods based on legal requirements and business needs:

**Account Data:**
- Active accounts: Retained for duration of active subscription
- Deleted accounts: Permanently deleted within 30 days of account deletion
- User profiles and authentication data: Deleted immediately upon account deletion

**Health and Fitness Data:**
- Workout logs: Retained for account lifetime or until manually deleted
- Nutrition logs: Retained for 24 months or until manually deleted
- Progress photos: Retained until manually deleted by user
- Wearable data: Retained for 12 months from last sync

**Communication Data:**
- Chat messages: Retained for 12 months after account deletion unless requested otherwise
- Voice notes: Retained for 12 months or until manually deleted
- Form check videos: Retained for 12 months or until manually deleted
- Support tickets: Retained for 24 months for quality assurance

**Financial Records:**
- Invoice history: Retained for 7 years (UK tax law requirement)
- Transaction logs: Retained for 7 years (UK financial regulations)
- Subscription history: Retained for account lifetime plus 7 years

**Technical Logs:**
- Security logs: Retained for 12 months
- Error logs: Retained for 6 months
- Performance metrics: Retained for 3 months

**Backups:**
- System backups: Retained for 90 days for disaster recovery
- Backups automatically purged after retention period expires

**Legal Holds:**
- Data preserved if required by law or ongoing investigation
- Retention extended until legal matter is resolved

## 4. Data Sharing and Third-Party Services

### 4.1 Service Providers

We share data with trusted third parties to operate our platform:

**Payment Processing:**
- Stripe (payment processing and subscription management)
- Data shared: Name, email, payment method tokens

**Cloud Infrastructure:**
- Render.com (application hosting)
- AWS S3 (file storage)
- Data shared: All application data as necessary for service delivery

**Communication Services:**
- Push notification providers (for mobile alerts)
- Email service providers (for transactional emails)
- Data shared: User identifiers, notification content

**Wearable Integrations:**
- Apple Health, Fitbit, Garmin, WHOOP APIs
- Data shared: User authorization tokens (with explicit consent)
- Data received: Health and fitness metrics per user permissions

**Calendar Services:**
- Google Calendar API
- Apple Calendar
- Microsoft Outlook API
- Data shared: Appointment scheduling and availability data (with explicit consent)

### 4.2 Data Sharing Between Users

**Data Controller vs. Data Processor Roles:**

Under GDPR, the roles are defined as follows:
- **Train App Limited** acts as the **Data Processor** for client personal data on behalf of coaches
- **Coaches** act as **Data Controllers** for their clients' personal data
- **Train App Limited** acts as the **Data Controller** for coach account data and platform operations

**Coach Responsibilities as Data Controllers:**
- Coaches must have a lawful basis for processing client data (typically contract performance or consent)
- Coaches must inform clients about data processing activities
- Coaches are responsible for responding to client data subject requests (access, deletion, etc.)
- Coaches must comply with GDPR and applicable data protection laws
- Train App provides tools to help coaches meet their obligations

**Train App's Role as Data Processor:**
- We process client data only on documented instructions from coaches (Data Controllers)
- We implement appropriate technical and organizational security measures
- We assist coaches in responding to data subject requests
- We notify coaches of any data breaches affecting client data
- We do not use client data for purposes other than providing the coaching platform

**Coach-Client Relationship:**
- Coaches can view all client training, nutrition, and progress data
- Clients can view coach-provided programs, feedback, and content
- Chat messages are visible to both parties
- Coaches must obtain appropriate consent from clients for data processing

**Team Coaching:**
- Head coaches can reassign clients to team members
- Assigned coaches have full access to client data for coaching purposes
- Client billing remains with head coach
- Head coach remains the Data Controller; team members are authorized processors

**Community Features:**
- Community posts visible to other users in your coach's community
- Profile information (name, photo) visible to community members
- Coaches control community membership and access

### 4.3 Legal Requirements

We may disclose information if required by law:
- Court orders or legal process
- Government investigations
- Protection of rights and safety
- Fraud prevention and security

**We will not sell your personal data to third parties.**

## 5. Your Rights and Choices

### 5.1 Access and Control

**Account Settings:**
- Update personal information
- Change password and security settings
- Manage notification preferences
- Configure privacy settings

**Data Access:**
- Request a copy of your personal data
- Review workout and nutrition history
- Export progress data and analytics

**Data Deletion:**
- Delete individual progress photos or meal logs
- Remove wearable device connections
- Request full account deletion

### 5.2 Communication Preferences

- Opt-out of marketing communications
- Customize push notification settings
- Control email notification frequency
- Manage in-app alerts

### 5.3 Third-Party Integrations

- Disconnect wearable devices at any time
- Revoke calendar access permissions
- Manage OAuth connections in account settings

### 5.4 Geographic Rights

**EU/UK Users (GDPR):**
- Right to access your data
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to restrict processing
- Right to object to processing

**California Users (CCPA):**
- Right to know what data is collected
- Right to delete personal information
- Right to opt-out of data sales (we do not sell data)
- Right to non-discrimination

## 6. Cookies and Tracking

We use cookies and similar tracking technologies to provide and improve our services. For detailed information, please refer to our full Cookie Policy (available upon request).

### 6.1 Essential Cookies (Always Active)

These cookies are necessary for the Platform to function and cannot be disabled:
- Session management and authentication
- Security features (CSRF protection, rate limiting)
- Load balancing and performance optimization
- User preferences and settings

**Legal Basis:** Legitimate interests (essential for service delivery)

### 6.2 Analytics and Performance Cookies

With your consent, we use cookies to understand how users interact with our Platform:
- Usage statistics and feature adoption (e.g., Google Analytics)
- Error tracking and crash reporting
- Performance monitoring and optimization
- A/B testing for feature improvements

**Legal Basis:** Consent (can be withdrawn at any time)

### 6.3 Third-Party Cookies

Some third-party services may set their own cookies:
- Stripe (payment processing)
- OAuth providers (Google, Apple for calendar integration)
- Wearable device APIs (with explicit consent)

These are governed by the respective third parties' privacy policies.

### 6.4 Your Cookie Choices

You have control over cookie usage:
- **Browser Settings:** Disable non-essential cookies in your browser preferences
- **Clear Data:** Clear cookies and local storage at any time
- **Private Browsing:** Use private/incognito browsing modes to prevent cookie storage
- **Cookie Consent:** Update your cookie preferences in account settings (web app)

**Note:** Disabling essential cookies may prevent access to certain Platform features.

### 6.5 Do Not Track

We respect browser "Do Not Track" (DNT) signals. When DNT is enabled, we will not use analytics or tracking cookies.

## 7. Children's Privacy

Train App is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If we become aware of data collected from a child under 16, we will delete it promptly.

Coaches working with clients aged 16-18 should obtain parental consent before adding them to the platform.

## 8. International Data Transfers

Train App is operated from the United Kingdom. Your data may be transferred to and processed in:
- United Kingdom (primary operations)
- European Union (AWS S3 Stockholm region)
- United States (third-party services like Stripe)

We ensure appropriate safeguards are in place for international transfers, including:
- Standard contractual clauses
- Adequacy decisions
- Privacy Shield frameworks (where applicable)

## 9. Changes to This Policy

We may update this Privacy Policy periodically to reflect:
- Changes in our practices
- Legal or regulatory requirements
- New features or services
- User feedback

**Notification of Changes:**
- Email notification for material changes
- In-app banner when the policy is updated
- Updated "Last Updated" date at top of policy
- Continued use constitutes acceptance of changes

## 10. Contact Us

### Data Protection Officer

For privacy-related inquiries, data access requests, or concerns:

**Email:** info@train-app.com

**Address:** Train App Limited, 45 Sherwood Vale, Nottingham, NG5 4EB, United Kingdom

### General Support

**Email:** info@train-app.com

**In-App:** Support ticket system (Admin interface)

### Response Time

We aim to respond to all privacy inquiries within 30 days.

## 11. Specific Feature Privacy Details

### 11.1 Client Impersonation Feature

Coaches can temporarily "impersonate" client accounts to provide guidance:
- Used only for legitimate coaching purposes
- Access logged and auditable
- Client can see when coach has accessed their account
- Does not grant access to payment information

### 11.2 XP and Gamification System

- Achievement data stored locally and on server
- Leaderboards (if enabled) show first name and XP only
- Opt-out available in privacy settings

### 11.3 Screenshot Analysis (Development Feature)

- Used in development environment only
- Powered by OpenAI API for debugging
- Not active in production environment
- No client data processed through this feature

### 11.4 Voice Notes

- Stored in AWS S3 with encryption
- Accessible only to intended recipient (coach or client)
- Not used for voice recognition or AI training
- Can be deleted by sender or recipient

### 11.5 AI and Automated Processing

Train App uses artificial intelligence and automation to enhance coaching services:

**AI-Powered Features:**
- Form check video analysis (optional, coach-activated)
- Workout recommendation suggestions based on progress patterns
- Nutrition insights and macro trend analysis
- Progress prediction and milestone forecasting
- Exercise substitution recommendations based on equipment availability

**How We Use AI:**
- AI models process health and fitness data to provide personalized insights
- Screenshot analysis (development environment only, using OpenAI API)
- Pattern recognition for detecting training plateaus and suggesting deloads
- Natural language processing for voice-to-text note conversion

**Important Safeguards:**
- **No Automated Decision-Making:** AI outputs are advisory only and do not produce legal or similarly significant effects without human review
- **Coach Oversight:** All AI recommendations are reviewed and approved by coaches before being presented to clients
- **Transparency:** Users are informed when AI is used to process their data
- **Human Intervention:** Coaches can override or modify any AI-generated suggestions
- **Data Minimization:** AI models only access data necessary for the specific feature
- **No External AI Training:** Your personal data is not used to train third-party AI models (except in controlled development environments with synthetic data)

**Right to Human Review:**
- You have the right to request human review of any AI-generated decision or recommendation
- You can opt out of AI-powered features while retaining access to manual coaching tools

**AI Model Providers:**
- OpenAI (GPT models) - Used only in development for debugging, not production
- Proprietary algorithms developed by Train App for fitness-specific insights

## 12. Data Security Incident Response

In the event of a data breach:

1. **Immediate Response:** Contain and investigate the incident
2. **User Notification:** Notify affected users within 72 hours
3. **Regulatory Reporting:** Report to relevant authorities as required
4. **Remediation:** Implement measures to prevent recurrence
5. **Transparency:** Provide regular updates on incident resolution

## 13. Business Transitions

If Train App is acquired, merged, or sells assets:
- Users will be notified via email and in-app notification
- This Privacy Policy continues to apply
- Users have the option to delete their account before the transition
- New owner must honor existing privacy commitments

---

## Summary of Key Points

✅ **We collect:** Personal, health, fitness, and usage data to provide coaching services

✅ **We use it for:** Delivering training programs, nutrition coaching, progress tracking, and platform operations

✅ **We store it securely:** Encrypted databases (Render) and file storage (AWS S3)

✅ **We share with:** Essential service providers only (Stripe, AWS, wearable APIs)

✅ **We don't:** Sell your data to third parties or use it for unrelated marketing

✅ **You can:** Access, update, export, or delete your data at any time

✅ **You control:** Privacy settings, notification preferences, and third-party connections

---

**By using Train App, you acknowledge that you have read and understood this Privacy Policy.**

For questions or concerns, contact us at info@train-app.com
