Privacy Policy
Effective date: 16 March 2026
1. About this policy
TrainState (“TrainState”, “we”, “us”, “our”) is operated by Nicholas Andrew Van De Pas, a sole trader based in Wellington, New Zealand. This Privacy Policy explains how we collect, use, store, disclose, and protect personal information in connection with the TrainState application and website at trainstate.fit.
This policy applies to all users of the Service and complies with the New Zealand Privacy Act 2020 (New Zealand being our primary governing jurisdiction), the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA) for California residents, and other applicable privacy laws in your jurisdiction.
Special category health data. The health and biometric data we process (including HRV, heart rate, sleep, and training data) constitutes special category personal data under GDPR Article 9. If you are located in the EEA, we will seek your explicit, separate consent for processing this data before it is collected. You may withdraw this consent at any time without affecting the lawfulness of prior processing.
By using TrainState, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
2. What information we collect
2.1 Health and biometric data
The core function of TrainState requires processing health and biometric data, which may include:
- Heart rate variability (HRV), resting heart rate, active and workout heart rate
- Sleep data — duration, sleep stages, and sleep score
- Body battery and training load
- Recovery status and recovery time
- Workout activity type, duration, and intensity
- Steps and daily activity summaries
- Subjective inputs you enter manually (e.g. perceived fatigue, injury notes)
- Fitness goals, training focus, and performance benchmarks you provide
2.2 Account and profile data
- Name and email address
- Hashed password (we never store your password in plain text)
- Profile information: age, height, weight, training preferences
- Subscription status and billing history (processed by Stripe — see section 5)
2.3 Garmin Connect data (if you connect a Garmin device)
If you choose to connect a Garmin device, we access the following data from your Garmin Connect account via OAuth 2.0. We never receive or store your Garmin credentials — only the OAuth access token.
- Daily HRV summaries
- Heart rate data (resting, active, and workout)
- Sleep summaries (duration, stages, score)
- Activity and workout summaries (type, duration, distance, intensity)
- Training load (7-day and long-term)
- Body battery readings
- Recovery time estimates
We do not access your Garmin profile, contacts, location history, payment information, or any data categories not listed above.
2.4 AI coaching data
Your fitness metrics and chat messages are sent to the Anthropic Claude API to generate coaching responses. See section 4 for details on how this data is handled.
2.5 Technical data
- IP address
- Browser type and device information
- Pages visited and session data
- Service performance and error logs
3. How we use your information
We use your personal information exclusively for the following purposes:
- To provide and operate the TrainState coaching service
- To calculate your daily readiness and recovery status
- To generate personalised AI coaching insights and training recommendations
- To track training load trends and inform future programming
- To maintain your training calendar and session history
- To process payments and manage your subscription
- To send transactional communications about your account and the service
- To maintain, improve, and secure the Service
We do not use your health data for advertising, marketing profiling, or any purpose beyond delivering the coaching service described above. We do not sell, rent, or trade your personal information.
4. AI processing — Anthropic Claude API
TrainState uses the Anthropic Claude API as its AI coaching engine. When you interact with the coach, your fitness metrics and the content of your conversation are sent to Anthropic's servers to generate a response.
Your data is not used to train Anthropic's AI models. Per Anthropic's API terms, data submitted via the API is not used to improve or train their models. Anthropic processes this data solely to generate your coaching response.
AI-generated coaching insights are recommendations only. They are not medical advice. See section 6 of our Terms of Service for the full health disclaimer.
5. Sub-processors and data sharing
We share your personal information only with the following sub-processors, each engaged for a specific purpose:
- Vercel — Hosting and deployment. US-based, SOC 2 Type 2 certified. Application code and edge functions run on Vercel infrastructure.
- Supabase — Database and authentication. US-based, SOC 2 Type 2 certified. All user data, health records, and session data are stored in Supabase.
- Anthropic Claude API — AI coaching engine. US-based. Your fitness metrics and chat messages are sent to Anthropic to generate coaching responses. Per Anthropic's API terms, this data is not used to train their AI models.
- Stripe — Payment processing. PCI-DSS Level 1 certified. Stripe processes all billing transactions. TrainState never stores your full card details.
- Garmin — Device data retrieval via the Garmin Health API, if you connect a Garmin device. Your relationship with Garmin and their handling of your data is governed by Garmin's own privacy policy and terms.
We may also disclose personal information if required to do so by law, court order, or to protect the rights, property, or safety of TrainState, its users, or the public.
We do not sell, license, or share your personal information with any other third parties.
6. Garmin Connect integration
If you connect a Garmin device, TrainState accesses your Garmin Connect data via OAuth 2.0 authorisation. We never receive or store your Garmin username or password — only the OAuth access token needed to retrieve data on your behalf.
You can revoke TrainState's access to your Garmin data at any time by going to Garmin Connect → Settings → Connected Apps and removing TrainState. Revoking access prevents further data retrieval but does not automatically delete data already stored.
TrainState is not responsible for changes to the Garmin API, Garmin service availability, or Garmin's data access policies. The availability of Garmin integration features depends on Garmin maintaining API access.
7. Data retention
We retain your data for the following periods:
- Health and biometric data: Deleted within 30 days of account deletion.
- Account and profile data: Retained for 90 days after account deletion to allow recovery if the deletion was accidental, then permanently deleted.
- AI coaching conversation history: 12 months from each conversation date.
- Garmin sync data: Deleted within 30 days of disconnection or account deletion.
- Billing and transaction records: 7 years, as required by New Zealand financial legislation.
- Technical logs: 90 days.
Garmin OAuth access tokens are retained only for as long as you maintain an active connection.
8. Cookies
We use the following categories of cookies:
- Strictly necessary — Supabase authentication tokens. These cookies are required for you to stay signed in and use the Service. They cannot be disabled without breaking functionality.
- Optional analytics cookies. We may use analytics cookies to understand how the Service is used. These are only set after you provide consent via the cookie banner on first visit. You can update your preferences at any time via the preference centre in the footer.
We do not use advertising cookies. We do not share data with advertising networks.
9. Security
We implement the following technical and organisational security measures:
- TLS encryption for all data in transit
- Encryption at rest via Supabase infrastructure
- Passwords hashed with bcrypt — never stored in plain text
- Row-level security (RLS) in Supabase — each user can only access their own data
- OAuth 2.0 for Garmin integration — we never handle your Garmin credentials
- Access controls limiting internal access to user data
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware, and will notify affected users without undue delay where the breach is likely to result in high risk to their rights and freedoms.
Despite these measures, no internet transmission or electronic storage is completely secure. We cannot guarantee the absolute security of your data.
10. International data transfers
Vercel, Supabase, and Anthropic are US-based companies. Your data may be transferred to and processed in the United States.
- EEA users: Transfers to the United States are made under Standard Contractual Clauses (SCCs) as approved by the European Commission, where required by GDPR.
- New Zealand users: Transfers are made in accordance with the reasonable-steps obligations imposed by the NZ Privacy Act 2020.
11. Your rights
11.1 EEA users — GDPR rights
If you are located in the European Economic Area, you have the right to:
- Access the personal data we hold about you
- Rectification of inaccurate or incomplete data
- Erasure (“right to be forgotten”) where grounds apply
- Portability — receive your data in a structured, machine-readable format
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests
- Withdraw consent at any time for consent-based processing, including for special category health data
You may lodge a complaint with your national supervisory authority. Norwegian users may contact Datatilsynet at datatilsynet.no.
11.2 New Zealand users — NZ Privacy Act 2020
Under the New Zealand Privacy Act 2020, you have the right to:
- Request access to personal information we hold about you
- Request correction of personal information that is inaccurate or out of date
We will respond to access and correction requests within 20 working days as required by the Privacy Act 2020. If you believe we have interfered with your privacy, you may complain to the New Zealand Privacy Commissioner at privacy.org.nz.
11.3 California residents — CCPA/CPRA rights
California residents have the right to:
- Know what personal information we collect, use, and disclose
- Delete personal information we have collected
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information — we do not sell your personal information
- Limit the use and disclosure of sensitive personal information
- Non-discrimination for exercising your CCPA/CPRA rights
11.4 All other users
Users in other jurisdictions may have additional rights under applicable local law. Contact us at hello@trainstate.fit to make a request.
12. Health disclaimer
TrainState is not a medical device and does not provide medical advice, diagnosis, or treatment. It is not a substitute for a qualified healthcare professional or certified trainer. See the full health disclaimer in our Terms of Service.
13. Children's privacy
TrainState is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.
14. Changes to this policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect. The updated policy will include a revised effective date. Continued use of TrainState after changes take effect constitutes acceptance of the updated policy.
15. Contact and Privacy Officer
For privacy enquiries, data access requests, consent withdrawal, or any concerns about how we handle your personal information, contact our Privacy Officer:
Nicholas Andrew Van De Pas
Privacy Officer — TrainState
Email: hello@trainstate.fit
Wellington, New Zealand