Privacy Policy

Last updated: January 2025

1. Data Controller

Data Controller: TrainFix

Contact Email: support@trainfix.app

Location: European Union

2. Data We Collect

We collect the following types of personal data:

  • Registration Data: Email address, name, date of birth
  • Fitness Profile: Fitness goals, experience level, available equipment, workout preferences
  • Daily Check-ins: Mood, energy levels, stress, sleep quality, muscle soreness
  • Workout History: Completed workouts, RPE (Rate of Perceived Exertion), feedback on difficulty
  • Payment Data: Subscription status, payment method (processed securely via Stripe)
  • Usage Data: Pages visited, features used, session duration

3. Purposes of Data Processing

We process your personal data for the following purposes:

  • To create and deliver personalized AI-powered workout plans
  • To track your fitness progress and adjust recommendations
  • To process subscription payments and manage your account
  • To improve our AI algorithms and service quality
  • To send you important service updates and notifications
  • To ensure platform security and prevent fraud

4. Legal Basis for Processing

  • Contract Performance: Processing necessary to provide our fitness planning service
  • User Consent: For optional features like daily check-in reminders and workout notifications
  • Legitimate Interest: For service improvement, analytics, and fraud prevention
  • Legal Obligations: To comply with tax, accounting, and payment regulations

5. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, all personal data (including workout history and check-ins) will be permanently deleted within 30 days, except for data we are legally required to retain for tax or accounting purposes (7 years).

6. Data Sharing and Third Parties

We do not sell your personal data to third parties. We do not share your data with advertisers or marketing companies.

We use the following trusted service providers who process data on our behalf under strict data protection agreements:

  • Supabase (database hosting - EU region)
  • OpenAI (AI workout generation - anonymized data only)
  • Stripe (payment processing)
  • Resend (email notifications)
  • Sentry (error monitoring - anonymized)

7. Your Rights (GDPR)

Under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Data portability (export your data)
  • Object to processing
  • Withdraw consent at any time

To exercise these rights, contact us at support@trainfix.app.

You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

8. Data Security

We implement industry-standard security measures to protect your data:

  • Supabase Auth with secure password hashing and multi-factor authentication support
  • Row-Level Security (RLS) ensures users can only access their own data
  • All data encrypted in transit (HTTPS/TLS) and at rest (AES-256)
  • Rate limiting and CSRF protection to prevent abuse
  • AI training data is anonymized and stripped of personally identifiable information

9. International Data Transfers

Your data is primarily stored in the European Union (Supabase EU region). When using third-party services like OpenAI (USA), we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) and data anonymization where applicable.

10. Updates to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice in the app. Continued use of TrainFix after changes constitutes acceptance of the updated policy.
