Privacy Policy
Last updated: 15.03.2026
Protecting your personal data is important to us. In this privacy policy, we inform you about what data we collect, for what purpose, and on what legal basis.
Data Controller
Lukas Kitzberger
Email: datenschutz@train-smarter.at
Data Categories Collected
We process the following categories of personal data:
- Master data: Name, email address, date of birth, role (Coach/Athlete)
- Access data: Email address, encrypted password
- Body and wellness data (only with explicit consent): Weight, body measurements, sleep quality, wellness score
- Nutrition data (only with explicit consent): Nutrition diary, macronutrients
- Usage data: IP address (upon consent), session data, timestamps
- Training data: Training plans, programs, sessions
Legal Basis
The processing of your data is based on:
- Art. 6(1)(a) GDPR (Consent) — for body, wellness, and nutrition data
- Art. 6(1)(b) GDPR (Contract performance) — for master and training data
- Art. 9(2)(a) GDPR (Explicit consent) — body data is treated as health data
Purpose of Processing
Your data is processed exclusively for providing the Train Smarter platform: training planning, athlete management, progress tracking, and communication between coach and athlete.
Storage Duration
Personal data is stored as long as your account is active. After a deletion request, a 30-day grace period applies, after which all data is permanently deleted. Audit log entries are retained for 12 months. Invitation tokens are deleted after 7 days.
Data Processors
We use the following data processors, all of which have a Data Processing Agreement (DPA) and process data within the EEA:
- Supabase Inc. — Database, authentication, storage (Region: eu-central-1, Frankfurt)
- Vercel Inc. — Hosting, Edge Functions (EU region)
Cookies and Local Storage
Our website uses only technically necessary cookies that are essential for operating the platform. A cookie consent banner is therefore not required.
Authentication Cookie
For login and session maintenance, we set an authentication cookie (HttpOnly, Secure, SameSite=Lax). This cookie contains an encrypted token to identify your session — no personal data in plain text.
Session Duration
The duration of your session depends on your choice at login:
- Default (without 'Remember me'): Your session ends when you close the browser.
- With 'Remember me': Your session remains active for up to 30 days or until you manually sign out.
Local Storage
We use your browser's local storage solely for your display preferences (e.g., sidebar state, preferred view). This data does not leave your device and is not transmitted to our servers.
Legal basis: Art. 6(1)(b) GDPR (performance of contract). These cookies are technically necessary and exempt from the consent requirement under the ePrivacy Directive.
Your Rights
You have the following rights under GDPR:
- Right of access (Art. 15) — Overview of your stored data in Privacy Settings
- Right to rectification (Art. 16) — Edit profile data anytime under Profile
- Right to erasure (Art. 17) — Account deletion under Privacy Settings
- Right to data portability (Art. 20) — Data export under Privacy Settings
- Right to object (Art. 21) — Consents can be revoked anytime under Privacy Settings
Contact
For privacy requests beyond self-service, contact us at: datenschutz@train-smarter.at
Right to Lodge a Complaint
You have the right to file a complaint with the Austrian Data Protection Authority: Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at