Privacy Policy
Effective date: March 1, 2026 · Last updated: March 3, 2026
1. Data Controller
TrainLap ("we", "us", "our") is the data controller responsible for your personal data. TrainLap operates the web application at trainlap.com (the "Service"), a training planning and coaching platform for endurance athletes and coaches.
Contact: [email protected]
2. Data We Collect
We collect the following categories of personal data:
2.1 Account data
When you create an account, we collect your email address, display name, and password. Passwords are stored as bcrypt hashes — we never store or have access to plaintext passwords. We also store your role within the platform (coach, athlete, or administrator).
2.2 Training data
Training plans, session descriptions (free-text), structured session data (parsed intervals, distance, duration, pace targets), actual training logs, RPE (Rate of Perceived Exertion) scores, session notes, and coach/athlete comments and reactions.
2.3 Wellness data
If you choose to submit daily wellness check-ins, we collect self-reported fatigue, sleep quality, muscle soreness, and stress levels (Readiness Score). Wellness submissions are voluntary and can be skipped on any day.
2.4 Device and activity data (third-party integrations)
When you voluntarily connect a third-party fitness service (such as Garmin Connect, Suunto, or Polar Flow), we receive activity data from your completed training sessions. The specific data we collect from each integration is detailed in Section 5 below. We access only the data necessary to match completed activities to your training plan and display performance analytics. Each integration is entirely opt-in — no data is collected until you explicitly connect your account.
2.5 Messages
If you use the built-in messaging feature, we store message content, timestamps, and sender/recipient information to provide the messaging service.
2.6 Technical data
Server access logs containing IP address, browser user-agent string, and request timestamps. These logs are retained for security monitoring and error diagnosis only. We use Google Analytics to collect anonymized usage statistics on our marketing pages (trainlap.com). We do not use tracking pixels or advertising SDKs. No analytics are loaded inside the application itself (app.trainlap.com).
3. How We Use Your Data
We process your personal data exclusively to provide and improve the TrainLap coaching platform:
- Display training plans, session data, and analytics to coaches and athletes within the same group
- Calculate performance metrics: training load, weekly/monthly volume, HR zone distribution, compliance rates, and wellness trend analysis
- Match device-synced activities to planned training sessions
- Send transactional emails: account verification, password reset, and athlete invitation notifications
- Send optional push notifications and wellness check-in reminders (configurable by the user in Settings)
- Provide data export functionality (CSV, JSON, and PNG chart exports)
- Parse session text to extract structured training data (intervals, distance, pace, HR zones)
- Detect wellness anomalies and generate alerts for coaches when an athlete's Readiness Score deviates significantly from their personal baseline
What we do NOT do with your data:
- We do not sell, rent, license, or share your personal data with third parties for advertising, marketing, or data brokerage purposes
- We do not use your training or wellness data to train machine learning or AI models
- We do not display ads or use advertising networks
- We do not create user profiles for behavioral targeting
- We do not share individual athlete data with other users except within explicitly joined coaching groups
4. Legal Basis for Processing (GDPR)
We process your data under the following legal bases as defined by the General Data Protection Regulation (EU) 2016/679:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for — displaying training plans, calculating analytics, syncing device data, and delivering notifications.
- Consent (Art. 6(1)(a)): Connecting third-party fitness services (Garmin, Suunto, Polar) and submitting wellness check-ins. You can withdraw consent at any time by disconnecting integrations in Settings or stopping wellness submissions.
- Legitimate interest (Art. 6(1)(f)): Server logging for security monitoring, error diagnosis, and fraud prevention.
5. Third-Party Integrations and Data Flows
TrainLap integrates with the following third-party services. Each device integration is opt-in — no data is collected from these services until you explicitly connect your account through the respective OAuth authorization flow. You can disconnect any integration at any time from the Settings page.
5.1 Garmin Connect (Garmin Health API)
When you connect your Garmin account, you authorize TrainLap to access your activity data through the Garmin Health API using Garmin's OAuth 1.0a authorization flow.
Data we receive from Garmin:
- Activity summaries: activity type, start time, duration, distance, average pace
- Heart rate data: average heart rate, max heart rate, heart rate time-in-zones
- Elevation data: total ascent, total descent
- Calorie data: active calories burned
How we use Garmin data:
- Match synced activities to planned training sessions in the athlete's calendar
- Display actual vs. planned comparisons (distance, duration, pace, HR zones)
- Calculate weekly/monthly training volume and HR zone distribution analytics
- Generate training load metrics and compliance reports
Data storage: Garmin activity data is stored in our EU-hosted database for as long as your account is active. We store only the summary-level data listed above — we do not store raw GPS tracks, location data, or Garmin user profile information.
Disconnecting: You can revoke TrainLap's access to your Garmin data at any time from Settings > Integrations. Upon disconnection, no further data is synced. Previously synced activity data remains in your training log unless you request its deletion.
5.2 Suunto (Suunto API)
When you connect your Suunto account, you authorize TrainLap to access your workout data through the Suunto API using OAuth 2.0 authorization.
Data we receive from Suunto:
- Workout summaries: activity type, start time, duration, distance
- Heart rate data: average heart rate, max heart rate
- Pace and speed data
- Elevation data: total ascent, total descent
How we use Suunto data: Identically to Garmin data — matching activities to planned sessions, displaying actual vs. planned metrics, calculating analytics, and generating reports.
Data storage: Suunto workout data is stored in our EU-hosted database for as long as your account is active. We store only summary-level activity data — no raw GPS tracks or location data.
Disconnecting: You can revoke access at any time from Settings > Integrations. No further data is synced after disconnection.
5.3 Polar Flow (Polar AccessLink API)
When you connect your Polar account, you authorize TrainLap to access your training data through the Polar AccessLink API using OAuth 2.0 authorization.
Data we receive from Polar:
- Training session summaries: sport type, start time, duration, distance
- Heart rate data: average heart rate, max heart rate, HR zone durations
- Calorie data: calories burned during sessions
How we use Polar data: Same as other integrations — activity matching, analytics, and reporting.
Disconnecting: You can revoke access from Settings > Integrations or from your Polar Flow account settings at flow.polar.com.
5.4 .FIT File Upload
You can manually upload .FIT files exported from any compatible GPS device. We parse the following data from the file: distance, duration, elevation, heart rate (average and max), pace, and activity start time. The original .FIT file is not stored after parsing — only the extracted summary data is retained.
5.5 Other third-party services
- Resend — Transactional email delivery (account verification, password reset, invitations). Resend processes recipient email addresses solely for the purpose of delivering emails on our behalf. See the Resend Privacy Policy.
- Anthropic (Claude API) — AI-powered session text parsing. When you save a training session, the session description text is sent to Anthropic's API for structured data extraction. No personal identifiers (name, email, athlete identity) are included in API requests — only the session text. Anthropic does not use API inputs to train models per their data usage policy.
6. Data Sharing and Visibility
Your data is shared only in the following limited contexts:
- Within your coaching group: Coaches in your group can see your training plans, session actuals, wellness data, and analytics. Athletes in the same group may see limited data depending on the group's visibility settings configured by the coach.
- Service providers: We use the third-party services listed in Section 5 solely to operate the platform. These providers process data on our behalf and are bound by their respective privacy policies and data processing agreements.
We do not share, sell, or disclose your personal data to any other third parties. We do not participate in data brokerages or advertising networks.
7. Data Storage and Security
Infrastructure location: All data is stored in a PostgreSQL database hosted on European (EU) infrastructure.
Security measures:
- All data in transit is encrypted via TLS (HTTPS)
- Passwords are hashed using bcrypt with per-user salts
- API authentication uses short-lived JSON Web Tokens (JWT)
- OAuth tokens for third-party integrations are stored encrypted at rest
- Database access is restricted to application-level connections only — no public database access
- Server access logs are retained for a limited period for security monitoring
8. Data Retention and Deletion
Active accounts: Your data is retained for as long as your account remains active and you continue to use the Service.
Account deletion: You may request deletion of your account and all associated data at any time by contacting [email protected]. Upon receiving a deletion request:
- Your account, training data, wellness submissions, messages, and all synced device data are permanently deleted within 30 days
- Third-party integration tokens are immediately revoked
- Data that has been exported by you (CSV, JSON, PNG) is outside our control once downloaded
- Server logs containing your IP address are automatically purged after 90 days
Integration disconnection: When you disconnect a third-party integration (Garmin, Suunto, Polar), we stop receiving new data immediately. Previously synced activity data remains in your training log unless you specifically request its removal.
9. Your Rights
Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate personal data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format. TrainLap provides built-in CSV and JSON export in the Analytics section.
- Right to restrict processing (Art. 18): Request that we limit processing of your data in certain circumstances.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7): Withdraw consent for optional processing at any time — for example, by disconnecting device integrations, stopping wellness check-ins, or disabling push notifications.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with a supervisory authority in your EU member state if you believe your data protection rights have been violated.
10. International Data Transfers
Your data is stored and processed within the European Union. If any sub-processor requires data transfer outside the EU/EEA (for example, Anthropic's API for session parsing), such transfers are conducted under Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR.
11. Children's Privacy
TrainLap is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If a coach adds a minor athlete to their group, the coach is responsible for ensuring appropriate parental or guardian consent has been obtained. If we become aware that we have collected data from a child under 16 without appropriate consent, we will delete that data promptly.
12. Cookies and Local Storage
TrainLap uses only essential cookies and local storage required to operate the application:
- Authentication token: A JWT stored in local storage to maintain your login session.
- Theme preference: Your light/dark mode preference stored in local storage.
- Service worker cache: Static application assets cached for offline/PWA functionality.
On our marketing pages (trainlap.com), Google Analytics sets a cookie (_ga) to distinguish unique visitors. We do not use advertising cookies or third-party tracking cookies. The application (app.trainlap.com) does not load any analytics.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users or through an in-app notification. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.
14. Contact
For any questions about this Privacy Policy or your personal data, or to exercise your data protection rights, contact us at:
TrainLap
Email: [email protected]
Website: trainlap.com
Operated by Jan Kostecký, IČO: 03500551