Privacy Policy

This policy explains what personal data we process when you use Trayntrak, why we process it, the legal basis for doing so, and the rights you have under the General Data Protection Regulation (GDPR).

1. Controller

The controller responsible for the processing of your personal data is:

Michael Ashton
Corintostr. 2
51103 Cologne
Germany
Email: support@trayntrak.com

2. What data we process, and why

We keep data collection to what is needed to run the service. The table below sets out each category, the purpose, the legal basis and how long we keep it.

Account data

Your email address and a securely hashed password, so you can register, sign in and we can contact you about your account (e.g. password resets). Legal basis: performance of our contract with you, Art. 6 (1)(b) GDPR. Retention: until you delete your account.

Training data

The programs, plans, workouts and sets you create and log. Legal basis: Art. 6 (1)(b) GDPR (providing the tracking service you signed up for). Retention: until you delete the data or your account.

Body measurements and fitness metrics

Optional measurements you choose to record (e.g. body weight, body measurements). Depending on what you enter, this may constitute health data, which is a special category of personal data. We therefore process it only on the basis of your explicit consent, which you give in the app and can withdraw at any time with effect for the future. Legal basis: Art. 9 (2)(a) GDPR (explicit consent), in conjunction with Art. 6 (1)(a). Retention: until you delete the data, withdraw consent, or delete your account.

Preferences

Settings such as your units and language, so the app behaves the way you expect. Legal basis: Art. 6 (1)(b) and (f) GDPR. Retention: until you delete your account.

Technical and security data

When you use the service, our hosting and security providers process technical data such as your IP address and request timestamps to deliver the application securely and to defend against abuse. At sign-up and sign-in we use Cloudflare Turnstile, a privacy-friendly bot-protection check, which processes such technical data to distinguish humans from automated traffic. Legal basis: our legitimate interest in a secure, functioning service, Art. 6 (1)(f) GDPR. Retention: short-lived; such logs are kept only as long as needed for operation and security.

3. Cookies and local storage

We do not use any tracking, advertising or analytics cookies. The only cookies or local storage values we set are listed in the table below. Because they are strictly necessary or functional, no consent banner is required.

Name	Type	Purpose	Expiry
sb-*-auth-token	Cookie / local storage	Keeps you signed in. Set by our authentication provider (Supabase). Web browsers receive a secure HTTP-only cookie; the native app uses local storage inside its sandboxed webview.	Session / up to 1 week (refresh token)
i18n_redirected	Cookie	Remembers which language you last used so the app opens in the same language next time.	1 year

Cloudflare Turnstile (our bot-protection check at sign-up, sign-in and other sensitive forms) does not set any persistent cookies; it performs a challenge entirely in memory and returns a short-lived token.

4. Who we share data with (processors)

We use a small number of carefully chosen service providers who process data on our behalf as processors under Art. 28 GDPR. We conclude a data processing agreement with each of them.

Provider	Purpose	Location
Supabase	Database and authentication	European Union
Fly.io	Application hosting	Frankfurt, Germany (EU)
Cloudflare	Bot protection (Turnstile) and DNS	EU / global (US provider)
Brevo	Sending transactional email (e.g. password resets)	European Union (France)

We do not sell your personal data, and we do not share it with third parties for their own purposes.

5. International data transfers

Your core account, training and measurement data is stored within the European Union. One provider (Cloudflare) is a US-based company that may process limited technical data outside the EU. Where such a transfer occurs, it is safeguarded by appropriate measures within the meaning of Art. 46 GDPR, such as the EU Standard Contractual Clauses and/or the provider's certification under the EU–US Data Privacy Framework.

6. Your rights

Under the GDPR you have the right to:

• access the personal data we hold about you (Art. 15);
• have inaccurate data corrected (Art. 16);
• have your data erased (Art. 17);
• restrict processing (Art. 18);
• receive your data in a portable, machine-readable format (Art. 20);
• object to processing based on legitimate interests (Art. 21); and
• withdraw any consent you have given at any time, without affecting the lawfulness of processing before withdrawal (Art. 7 (3)).

You can exercise the most common of these directly in the app under Account → Privacy & data, where you can export a copy of your data or delete your account. For anything else, contact us using the details in section 1.

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your residence or place of the alleged infringement (Art. 77 GDPR).

7. Data security

Connections to Trayntrak are encrypted in transit using TLS, passwords are stored only in hashed form, and access to your data is scoped to your account. We take appropriate technical and organisational measures to protect your data, though no method of transmission or storage is ever completely secure.

8. Children

Trayntrak is not directed at children. You must be at least 16 years old to create an account. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to this policy

We may update this policy as the service evolves or as legal requirements change. The current version is always available here, with the "Last updated" date shown at the top.

10. Contact

For any privacy questions or to exercise your rights, email us at support@trayntrak.com, or open the app at app.trayntrak.com.