Legal
Privacy Policy
Last updated: March 12, 2026
1. Introduction
Trainsphere (“we”, “our”, or “us”) operates the AI-powered fitness coaching platform available at https://trainsphere.io. We are committed to protecting your personal data and being transparent about how we use it.
This Privacy Policy explains what personal data we collect, why we collect it, how we process it, and what rights you have under the General Data Protection Regulation (GDPR) and French data protection law.
2. Data We Collect
We collect the following categories of personal data:
Account Data
- Name and email address
- Phone number (if you connect WhatsApp or Telegram)
- Password (stored as a one-way bcrypt hash — we never see it in plain text)
- Language preference
Fitness Profile
- Training goal (e.g. strength, hypertrophy, weight loss)
- Experience level (beginner / intermediate / advanced)
- Available equipment and training location
- Training frequency and session duration
- Preferred training days
Training Data
- Generated workout plans (pre-cycle and mesocycle programmes)
- Workout completion status and session logs
- Feedback per session (enjoyment, difficulty, RPE)
- Exercise preferences and dislikes
- Weekly training summaries and completion rates
- Workload metrics (ACWR — Acute:Chronic Workload Ratio)
Coaching Conversations
- All messages you send to your AI coach (Telegram or WhatsApp)
- AI coach responses
- Session transcripts stored as encrypted files
AI Coaching Memory
- Structured facts extracted from conversations by AI (safety notes, identity info, stated preferences, context, episodic memories)
- Coaching journal entries generated by AI
- User pattern analysis (engagement, response patterns)
Technical & Payment Data
- IP address and browser user agent
- Login timestamps and session identifiers
- Stripe customer ID and subscription status
- Payment history (card details are processed directly by Stripe — we never store them)
- Billing name and address (collected and stored by Stripe at checkout for tax and invoice compliance)
3. Health Data — Special Category (Article 9 GDPR)
Health data is a special category under GDPR Article 9 and receives the highest level of protection.
When you share information about injuries, physical limitations, pain, or medical conditions with your AI coach, this constitutes health data. We collect and process this data solely to personalise your training programme and ensure your safety (e.g. to exclude contraindicated exercises). This processing is based on your explicit consent, which you grant during onboarding and can withdraw at any time.
We will never:
- Use your health data for profiling or advertising
- Share your health data with third parties other than Anthropic (which processes it only to generate coaching responses)
- Make automated medical diagnoses — we always refer you to a qualified healthcare professional
4. How We Use Your Data
- Service delivery: Generate personalised workout programmes, deliver AI coaching via WhatsApp, Telegram, or the dashboard, and adapt your programme based on your feedback.
- Safety: Check for injuries and physical limitations before every exercise recommendation, and escalate safety concerns to our coaching team.
- Product improvement: Analyse anonymised usage patterns to improve the AI coach quality — only with your consent.
- Communication: Send workout reminders, progress summaries, trial expiry reminders, and service-related notifications via WhatsApp or Telegram.
- Billing & payments: Manage your subscription, process payments through Stripe, and issue refunds where applicable.
- Security: Detect abuse, prevent fraud, and protect the integrity of our platform.
- Legal compliance: Retain financial records as required by French tax law (7 years), and respond to lawful requests from authorities.
5. AI Processing & Profiling
Trainsphere uses Claude AI models (by Anthropic) to power your coach. When you send a message, it is processed by the AI to generate a coaching response. The AI also reads your fitness profile, injury notes, workout history, and conversation memory to personalise its answers.
The AI coach builds and maintains a memory of relevant facts about you — such as your preferred exercises, goals, injury history, and coaching context. This memory is stored as encrypted files in your personal coaching space and is used exclusively to improve the quality and continuity of your coaching.
Workout programmes are generated automatically by AI based on your profile. You have the right to request human review of any AI-generated recommendation and to provide feedback that modifies it. All AI-generated programmes are explicitly marked as fitness guidance — not medical advice.
Your rights regarding automated processing:
- You can request a human review of any AI-generated workout plan — email privacy@trainsphere.io
- You can correct AI-generated assumptions by telling your coach directly or by contacting us
- You can delete your AI coaching memory at any time from Account Settings
6. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)): Account creation and authentication, workout programme generation, coaching delivery, billing and subscription management.
- Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)): Health and injury data, analytics and product improvement, marketing communications. You can withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud and abuse prevention, technical service reliability, anonymised product analytics.
- Legal obligation (Art. 6(1)(c)): Retention of financial and billing records (7 years) as required by French accounting law.
7. Sub-processors & Data Sharing
We never sell your personal data. We share it only with the following sub-processors, each contractually bound to process data only on our behalf and in accordance with GDPR:
- Anthropic: AI model processing — your messages and coaching context are sent to Claude to generate responses. Location: USA
- Supabase: Database hosting (encrypted user files, workout data, account data) and authentication. Location: USA / EU
- Vercel: Web application hosting and sandbox compute environment for AI coaching sessions. Location: USA
- Railway: Server hosting for the coaching backend. Location: USA
- Stripe: Payment processing and subscription management — Stripe processes and stores your payment card data. Location: USA / EU
- Twilio: WhatsApp messaging delivery — your WhatsApp messages are routed through Twilio. Location: USA
- Telegram: Telegram messaging delivery — messages sent via Telegram pass through Telegram's servers. Location: Worldwide
- Langfuse: AI observability and performance tracing — processes coaching session metadata (user ID, response quality metrics) to monitor AI coach performance. Location: Germany / EU
- Sentry: Error tracking and application monitoring — receives error events with stack traces and user context to help diagnose crashes. Location: USA
- OpenAI: Voice transcription (Whisper API) — processes audio messages if you send voice notes to your coach. Location: USA
In cases required by law or a binding court order, we may be required to disclose data to public authorities. We will notify you if legally permitted to do so.
8. Data Retention
- Active account: All data retained while your account is active and your subscription is ongoing.
- After account deletion: All personal data (profile, workouts, conversations, AI memory) is deleted immediately from our active systems upon request. Platform backup snapshots are purged automatically within 30 days.
- Financial records: Billing records and invoices are retained for 7 years to comply with French tax law (Article L123-22 of the Code de commerce), even after account deletion.
- Inactive free accounts: Accounts with no activity for 12 consecutive months may be deleted after 30 days' notice.
- GDPR deletion requests: Deletion requests are processed within 30 days. Financial data retention obligations take precedence over deletion requests for billing records only.
9. Data Security
We apply technical and organisational measures to protect your personal data:
- All user files (fitness profile, workout data, conversations, AI memory) are encrypted at rest using AES-256-GCM encryption
- All data in transit is encrypted using industry-standard TLS (enforced at the infrastructure level by Railway and Vercel)
- Passwords are hashed with bcrypt via Supabase Auth — we have no access to your plain-text password
- Database access is controlled by Row Level Security (RLS) policies — each user can only access their own data
- Names and email addresses are redacted from observability logs (Langfuse, Sentry) generated during AI sessions; user identifiers are retained in security and audit logs as required for incident investigation and GDPR compliance
- Security events are logged and monitored for abuse detection
- Access to production systems is restricted to authorised personnel only
No system is 100% secure. If we become aware of a personal data breach that poses a risk to your rights, we are committed to notifying the CNIL within 72 hours (GDPR Art. 33) and informing affected users without undue delay (GDPR Art. 34). We will take all reasonable steps to contain and remediate the breach.
10. International Transfers
Several of our sub-processors (Anthropic, Vercel, Railway, Stripe, Twilio, OpenAI, Sentry) are based in the United States. Data transfers to these recipients are carried out under Standard Contractual Clauses (SCCs) approved by the European Commission, which provide adequate protection for your personal data.
Langfuse is based in Germany and processes data entirely within the EU. Supabase and Stripe operate EU-region infrastructure for certain data.
11. Your Rights (GDPR)
As a data subject under GDPR, you have the following rights:
- Access (Art. 15): Request a copy of all personal data we hold about you
- Rectification (Art. 16): Correct inaccurate or incomplete data
- Erasure (Art. 17): Request deletion of your account and all associated data
- Restriction (Art. 18): Ask us to pause processing while a dispute is resolved
- Portability (Art. 20): Receive your data in a structured, machine-readable format
- Objection (Art. 21): Object to processing based on legitimate interest
- Automated decisions (Art. 22): Request human review of any AI-generated coaching decision
- Withdraw consent (Art. 7(3)): Revoke consent at any time — this does not affect prior processing
Exercise your rights from Account Settings or contact privacy@trainsphere.io. We will respond within 30 days (extendable to 90 days for complex requests).
Supervisory authority: If you are unsatisfied with our response, you have the right to lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés — www.cnil.fr).
12. Cookies & Analytics
We use the following cookies on our website:
- Authentication cookies (strictly necessary): Set by Supabase Auth to maintain your login session. These cannot be disabled as they are essential for the service to function.
- Analytics (Google Analytics 4 — optional): If you consent, we collect anonymised usage data (page views, feature usage) to improve the service. You can withdraw consent at any time via Account Settings.
We do not use advertising or tracking cookies. No data is shared with ad networks.
13. Children
Trainsphere is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact us at privacy@trainsphere.io and we will delete the account promptly.
14. Changes to this Policy
We may update this Privacy Policy when we add new features, change sub-processors, or when required by law. For material changes, we will notify you by email at least 14 days in advance. The date of the most recent revision is shown at the top of this page.
15. Contact
Data Protection Officer (DPO):
For any privacy-related question or to exercise your rights, contact our DPO:
Email: dpo@trainsphere.io
Controller address: Trainsphere — France
Supervisory authority: CNIL — Commission Nationale de l’Informatique et des Libertés — https://www.cnil.fr