Privacy Policy

Last updated: 17.05.2026

Protecting your personal data is important to us. In this privacy policy, we inform you about what data we collect, for what purpose, and on what legal basis.

Data Controller

Lukas Kitzberger
Email: datenschutz@train-smarter.at

Data Categories Collected

We process the following categories of personal data:

  • Master data: Name, email address, date of birth, role (Coach/Athlete)
  • Access data: Email address, encrypted password
  • Body and wellness data (only with explicit consent): Weight, body measurements, sleep quality, wellness score
  • Nutrition data (only with explicit consent): Nutrition diary, macronutrients
  • Usage data: IP address (upon consent), session data, timestamps
  • Training data: Training plans, programs, sessions

Legal Basis

The processing of your data is based on:

  • Art. 6(1)(a) GDPR (Consent) — for body, wellness, and nutrition data
  • Art. 6(1)(b) GDPR (Contract performance) — for master and training data
  • Art. 9(2)(a) GDPR (Explicit consent) — body data is treated as health data

Purpose of Processing

Your data is processed exclusively for providing the Train Smarter platform: training planning, athlete management, progress tracking, and communication between coach and athlete.

Storage Duration

Personal data is stored as long as your account is active. After a deletion request, a 30-day grace period applies, after which all data is permanently deleted. Audit log entries are retained for 12 months. Invitation tokens are deleted after 7 days.

Data Processors

We use the following data processors, all of which have a Data Processing Agreement (DPA). Where a third-country transfer to the USA takes place (Sentry, AI providers), this is explained in the respective special sections:

  • Supabase Inc. — Database, authentication, storage (Region: eu-central-1, Frankfurt)
  • Vercel Inc. — Hosting, Edge Functions (EU region fra1, Frankfurt)
  • Functional Software, Inc. (Sentry) — Error tracking and performance monitoring (Region: de.sentry.io, Frankfurt). Third-country transfer to the USA via EU-US Data Privacy Framework and EU Standard Contractual Clauses. Processed data: anonymized error logs with user IDs (UUID), stack traces and web vitals — no personal cleartext data such as email or names. Privacy policy: https://sentry.io/privacy/

AI-powered Features

Train Smarter uses artificial intelligence to help you maintain the exercise library and training taxonomy (e.g. suggestions, spell-check, translation). The AI features are optional — the app works fully without them.

AI services used

We use the following external services as data processors:

  • Anthropic, PBC (USA) — "Claude" model for suggestions and text processing. Privacy policy: https://www.anthropic.com/legal/privacy
  • OpenAI, LLC (USA) — "GPT" model as alternative to Claude. Privacy policy: https://openai.com/policies/privacy-policy

Which data do we transmit?

When you trigger an AI feature, we transmit the content of the relevant exercise or taxonomy field to the AI provider (e.g. exercise name, description). We explicitly do NOT transmit personal data of your athletes, NO wellness, weight or nutrition data, NO email addresses and NO training plans.

Legal basis and third-country transfer

Processing is based on Art. 6(1)(f) GDPR (legitimate interest in efficient content maintenance). Since Anthropic and OpenAI operate servers in the USA, a third-country transfer takes place. Protection is ensured via the EU-US Data Privacy Framework (in force since 10 July 2023) — both providers are certified. Additionally, EU Standard Contractual Clauses apply.

Retention of AI request logs

Our internal AI request logs (for cost monitoring and abuse detection) automatically anonymize transmitted text inputs after 30 days. On the provider side, Anthropic does not store API content for model training (Zero-Retention Policy); OpenAI stores API content for up to 30 days for abuse detection and likewise does not use it for model training.

AI Bulk Processing (batch operations)

As a platform administrator you can use AI in two batch operations that process up to 1,000 exercises at once:

  • Bulk reclassification — AI moves existing exercises into a new taxonomy category (e.g. "Abdominals" → "Core/Stability").
  • Bulk auto-completion — AI suggests missing fields (description, primary muscle group, classification tags, etc.).

Only factual exercise data is transmitted to Anthropic (Claude) in the USA (exercise name DE/EN, existing descriptions, taxonomy assignments). As with the other AI features, we still do NOT transmit any athlete data, NO wellness, weight or nutrition data and NO training plans. Legal basis and third-country transfer are the same as for the AI features described above (Art. 6(1)(f) GDPR, EU-US Data Privacy Framework, EU Standard Contractual Clauses).

Automated suggestions and human oversight (Art. 22 GDPR)

Every AI suggestion is paired with a confidence score. Low-confidence suggestions land in a review queue (annotation queue) and must be accepted or rejected manually by the administrator. High-confidence suggestions (default threshold 0.85) are applied directly, but are fully recorded in an audit log; the administrator can inspect each change at any time and revert it with a single click. This is therefore not a solely automated decision producing legal effects within the meaning of Art. 22 GDPR — human oversight remains in place throughout. In addition, fields populated by an AI batch operation are visibly tagged in the app as "AI-generated"; the tag disappears as soon as the value is edited manually.

Retention period

Job metadata and per-item results (table "ai_job_items") are automatically deleted 90 days after job completion. The audit log for AI write operations (table "entity_field_history") is also retained for 90 days — this period safeguards the right to rectification under Art. 16 GDPR (reverting individual values) and is consistent with the retention period of our AI request logs. When you delete your trainer account, all associated log data is deleted without delay (see "Right to erasure").

Your control and transparency

On the exercise detail page you can review the most recent AI changes at any time and revert individual values. At the job level a full rollback of all changes made in a batch is available. AI batch operations can only be triggered by platform administrators — as an athlete or regular trainer account, your content is not affected by a batch operation without an explicit administrator action.

Right to object

You can object to the processing of your text inputs by AI providers at any time (Art. 21 GDPR) by not using the AI features in the app.

Cookies and Local Storage

Our website uses only technically necessary cookies that are essential for operating the platform. A cookie consent banner is therefore not required.

Authentication Cookie

For login and session maintenance, we set an authentication cookie (HttpOnly, Secure, SameSite=Lax). This cookie contains an encrypted token to identify your session — no personal data in plain text.

Session Duration

The duration of your session depends on your choice at login:

  • Default (without 'Remember me'): Your session ends when you close the browser.
  • With 'Remember me': Your session remains active for up to 30 days or until you manually sign out.

Local Storage

We use your browser's local storage solely for your display preferences (e.g., sidebar state, preferred view). This data does not leave your device and is not transmitted to our servers.

Legal basis: Art. 6(1)(b) GDPR (performance of contract). These cookies are technically necessary and exempt from the consent requirement under the ePrivacy Directive.

Your Rights

You have the following rights under GDPR:

  • Right of access (Art. 15) — Overview of your stored data in Privacy Settings
  • Right to rectification (Art. 16) — Edit profile data anytime under Profile
  • Right to erasure (Art. 17) — Account deletion under Privacy Settings
  • Right to data portability (Art. 20) — Data export under Privacy Settings
  • Right to object (Art. 21) — Consents can be revoked anytime under Privacy Settings

Contact

For privacy requests beyond self-service, contact us at: datenschutz@train-smarter.at

Right to Complaint

You have the right to file a complaint with the Austrian Data Protection Authority: Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at