triathleteai Privacy Policy
triathleteai (“we”, “us” or “our”) is committed to protecting your personal data and using it responsibly. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your data. Our website and service are hosted on triathleteai.com, and our contact email is contact@triathleteai.com. All aspects of data collection and use follow applicable laws, including the GDPR as adopted in Norway.
Information We Collect
- Account Information: We collect your email address and a hashed password (not readable text) when you sign up. You may also be asked to verify your account using security codes (e.g. via email). This information is used only for account authentication and contacting you about your account.
- Health and Activity Data: With your explicit consent, we connect to fitness platforms (currently Strava) via their APIs to retrieve your activity data such as heart rate, distance, time, pace, power, and elevation. This data is collected only after you authorize us, and is linked internally to a unique user ID. We do not collect names or other unnecessary identifiers – only the user ID, email, and the activity metrics you authorize. All such data is treated as personal (and sensitive) data.
- Usage Data & Cookies: We may collect minimal usage data (like page visits) to maintain the service. We use strictly necessary cookies for login/security only: authentication session tokens managed by Supabase, and security cookies set automatically by our hosting infrastructure (Cloudflare) for bot protection and DDoS mitigation. We do not use tracking, analytics, or marketing cookies. No user activity or personal data is logged beyond the scope described here.
How We Use Your Data
- Personalized Training Plans: The primary use of your activity data is to generate custom triathlon training programs. We use your workout metrics with our AI engine powered by Google Gemini to create workout plans tailored to your needs. Your email address is used to manage your account and optionally send you your training plans and notifications.
- Transparency and Consent: We use your data only for the purposes you have consented to. We will never use your data for marketing, sell it to third parties, or share it beyond what is necessary for the service. You can always review or withdraw your consent in your account settings.
- Pseudonymization: Internally, we treat your activity data as pseudonymized. Your real identity is not stored with health metrics; we only maintain a user ID. This means we cannot identify you beyond your account without the link between email and user ID, which we keep confidential.
Data Encryption and Security
- Encryption In Transit: All communication between your device, triathleteai.com, Strava's API, Google Gemini services, and Supabase infrastructure is secured using industry-standard encryption (HTTPS/TLS). This ensures your data cannot be intercepted during transfer.
- Encryption At Rest: Any data stored by triathleteai is securely stored within Supabase infrastructure. Supabase provides encryption at rest for stored databases and storage systems. This means your health metrics and personal data are encrypted while stored on disk.
- Strong Authentication: We store only hashed passwords, not plaintext. Our login system may use email or security codes as an additional verification factor. We follow best practices to protect your credentials and personal information.
- Data Isolation: Your data is stored within our dedicated Supabase project environment. Data sent to Google Gemini for processing is used solely to generate your training plans. We do not use your data to train public models, and we do not share your data with other customers or applications.
Third-Party Services
- Fitness Platform APIs (Strava): We only access Strava data with your permission. Strava's OAuth system ensures you authorize any data sharing. Once obtained, we use that data solely for generating your training plan and providing AI coaching insights. Anonymized workout metrics from Strava (such as duration, pace, heart rate zones, and power data) may be included in data sent to Google Gemini for AI coaching purposes. No Strava account information (username, profile) is shared with Gemini.
- Google Gemini: Our app uses Google Gemini to process anonymized health metrics and generate AI-based training plans. Data sent to Gemini is limited to what is necessary for plan generation and is processed securely.
- Supabase: We use Supabase for secure database storage, authentication, and backend services. Supabase acts as our data processor and stores account information and related application data securely.
- No Data Sales: We will never sell your personal or health data. We also do not share your data with advertisers or other unrelated third parties. Only the above services (Strava, Google Gemini, and Supabase) process your data as necessary to run the app.
Data Retention and Deletion
- Retention Period: We retain your data only as long as needed to provide the service. Training plans are generated on-demand; once generated, raw input data is not stored beyond what is required for active functionality. Where stored (e.g. saved plans), data is retained only while your account remains active.
- User Deletion: You have the right to delete your data at any time. If you choose to delete your account or data, all personal data and health data will be erased from our systems. This is irreversible: once deleted, we cannot recover it. This aligns with your “right to erasure” under GDPR.
- Data Backups: For system stability, encrypted backups may be retained temporarily in accordance with security best practices. These backups are periodically purged.
Your Rights
Under GDPR and Norwegian data protection law, you have rights regarding your personal data. These include (but are not limited to):
- Access & Portability: You can request a copy of the personal data we hold about you.
- Correction: You may request correction of inaccurate information.
- Deletion: You may request erasure of your personal and health data.
- Consent Withdrawal: You may withdraw consent at any time.
- Complaint: You may lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).
To exercise any of these rights or for any privacy concerns, please contact us at contact@triathleteai.com.
Children’s Privacy
triathleteai is intended for adult athletes. We do not knowingly collect information from children under 16. If we learn we have inadvertently collected a child’s personal data, we will delete it.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The latest version will always be available on triathleteai.com.
Strava Integration
With your explicit consent, we connect to Strava via OAuth 2.0 to retrieve your activity data including:
- GPS route data (location information)
- Activity metrics (duration, distance, heart rate, power, pace, cadence, elevation, calories)
- Activity timestamps and descriptions
- Athlete profile information (username, profile photo)
- Time-series stream data (second-by-second heart rate, power, cadence, speed, altitude, temperature) — loaded on-demand when you view workout charts
We store OAuth access tokens encrypted at the application level using pgcrypto symmetric encryption, in addition to Supabase's disk-level AES-256 encryption at rest. Encryption keys are stored separately from the database. Token exchange and refresh are handled server-side — your credentials never transit through the mobile app. You can revoke access at any time through Settings → Manage Integrations.
When you disconnect Strava:
- We delete all imported activities and associated metrics
- We delete the stored OAuth tokens
- Your planned workouts (not imported from Strava) are preserved
We do not share your Strava data with third parties. Strava data is used solely to populate your training calendar and provide personalized coaching advice.
AI Coach (Google Gemini)
Our AI coaching feature uses Google's Gemini API to analyze your training data and provide personalized advice. We send the following data to Gemini:
- Anonymized workout history (dates, disciplines, durations, workout types)
- Athlete ability levels (beginner/intermediate/advanced classifications)
- Current and target race times (performance metrics only)
- Training plan phase and progress (base/build/peak/taper)
- Race name and date (if you have entered race information)
- Custom personal context you provide in the "About Me" section (e.g., injuries, training preferences, health conditions) — this is optional and entirely user-controlled
We do NOT send: your email address, name, user ID, or any directly personally identifiable information.
Custom AI Context: You may optionally provide personal context (up to 500 characters) to improve AI coaching quality. This may include information about injuries, health conditions, or training preferences. This data is stored in our database (Supabase/Postgres) and sent to Google Gemini when generating coaching advice. You can delete this data at any time by clearing the field in the AI Coach screen, or by deleting your account. We recommend not sharing sensitive medical information — consult a healthcare professional for medical advice.
Important: If you enter your name in race names (e.g., "John's Ironman"), that text will be included in data sent to Gemini. We recommend using event names only (e.g., "Ironman Kona 2026").
Gemini processes your data solely to generate training recommendations. Google does not use your data to train public models or for advertising purposes (per our agreement with Google). We log AI sessions for debugging and billing purposes, retaining these logs for 1 year.
Data Retention (Detailed)
We retain your data as follows:
- Active accounts: Profile, plans, and workouts retained indefinitely while your account is active
- Completed workouts: Retained while your account is active
- AI coach logs: Retained while your account is active (for debugging and billing audit purposes). Older logs may be purged periodically.
- Deleted accounts: All data permanently deleted within 30 days of account deletion request
- Backups: Encrypted database backups are purged within 90 days after account deletion
You can delete your account at any time through Settings → Delete Account.
Your Rights (GDPR — Detailed)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:
- Right to Access (Article 15): Request a copy of your personal data via email: contact@triathleteai.com
- Right to Rectification (Article 16): Update your profile and settings within the app
- Right to Erasure (Article 17): Delete your account and all data via Settings → Delete Account
- Right to Data Portability (Article 20): Ask for your data in JSON format via email: contact@triathleteai.com
- Right to Object (Article 21): Object to data processing by deleting your account
- Right to Lodge a Complaint: File a complaint with your local data protection authority
To exercise these rights, use the in-app features listed above or contact us at contact@triathleteai.com.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to Know: Request details about personal data we've collected in the past 12 months
- Right to Delete: Request deletion of your personal data (certain exceptions apply for legal obligations)
- Right to Opt-Out of Sale: We do not sell personal data, so no opt-out is required
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise these rights, email contact@triathleteai.com with subject "CCPA Request" and include:
- Your full name
- Email address associated with your account
- Specific request (access, deletion, etc.)
- Identity verification (we may request additional information to confirm your identity)
We will respond within 45 days as required by CCPA.
International Data Transfers
Our services are hosted by Supabase (using AWS infrastructure) with servers located in:
- Primary data storage: EU West (Ireland) — where your data is stored at rest
- Processing: Multiple regions including Europe (AI coaching via Gemini API)
By using our service, you consent to the transfer of your data to these locations. We ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) with Supabase (AWS) for EU data transfers
- Encryption in transit using TLS 1.3
- Encryption at rest using AES-256
- Row Level Security (RLS) policies ensuring users can only access their own data
For EEA residents: We comply with GDPR Article 46 requirements for data transfers outside the European Economic Area.
Cookies and Tracking
We use only strictly necessary cookies required for security and service functionality. We do not use analytics, advertising, or tracking cookies of any kind.
- Authentication cookies (Supabase): Session tokens required to keep you logged in. These are secure, httpOnly cookies managed by Supabase. They exist only for the duration of your session.
- Security cookies (Cloudflare): Our website is hosted via Cloudflare, which automatically sets strictly necessary cookies to protect against bots and DDoS attacks:
  - __cf_bm — Bot Management cookie, expires at end of browser session (30 minutes). Set by Cloudflare to distinguish humans from automated traffic.
  - cf_clearance — Set after a Cloudflare security challenge is passed, valid for up to 24 hours. Only set if a challenge is triggered.
  These cookies are set by Cloudflare as part of operating the infrastructure and are strictly necessary for security. They do not track you across other websites.
- No tracking cookies: We do not use analytics cookies, advertising cookies, or any third-party tracking technologies.
- No third-party tracking scripts: We do not embed social media widgets, analytics platforms, or advertising networks.
Because all cookies we use are strictly necessary for security and authentication, they do not require consent under GDPR Article 6(1)(f) (legitimate interests) and ePrivacy Directive exemptions for technically necessary cookies. You can block cookies via your browser settings, but this will prevent you from logging in and may interfere with security protections.
Children's Privacy (COPPA Compliance)
Our service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at contact@triathleteai.com and we will delete the information immediately.
Age requirement: You must be at least 16 years old to use TriathleteAI. By using the service, you confirm you meet this requirement.
Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
- Encryption at rest: All database data is encrypted using AES-256
- Secure storage: Authentication tokens stored in device keychain (iOS) or EncryptedSharedPreferences (Android)
- Row Level Security: Database policies ensure users can only access their own data
- OAuth tokens: Third-party integration tokens (Strava) are encrypted at the application level using pgcrypto symmetric encryption before storage, in addition to Supabase's disk-level AES-256 encryption at rest. Encryption keys are stored separately from the database.
- API keys: Server-side only (Google Gemini API key never exposed to client)
- Regular updates: We apply security patches promptly
While we implement strong security measures, no system is 100% secure. In the event of a data breach, we will notify affected users within 72 hours as required by GDPR Article 33.
Changes to This Policy
Last updated: February 14, 2026
We may update this privacy policy from time to time. We will notify you of significant changes by:
- Posting the new policy on this page
- Updating the "Last updated" date
- Showing an in-app notification (for material changes)
Your continued use of the service after changes constitutes acceptance of the updated policy. We recommend reviewing this policy periodically.
Contact Us
If you have questions about this privacy policy or your personal data, please contact us:
- Email: contact@triathleteai.com
- Data Protection Officer: (If required, appoint before EU launch)
- Response time: We aim to respond within 5 business days
By using triathleteai and our services, you agree to the terms of this Privacy Policy. If you have any questions, contact us at contact@triathleteai.com.