Privacy Policy
Last Updated: October 23, 2025
Trajex™ is committed to protecting your privacy and ensuring the security of your personal data.
Introduction
This Privacy Policy describes how Trajex™ ("we", "us", or "our") collects, uses, and protects your personal information when you use our AI-powered endurance training platform, including our mobile applications and web services (collectively, the "Services").
By using Trajex, you agree to the collection and use of information in accordance with this policy. This policy complies with the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, and applicable data protection laws in European Economic Area (EEA) member states.
Data Controller: Trajex™ is the data controller responsible for your personal data. Our registered office is located in the European Union, ensuring full GDPR compliance for all EU/EEA users.
Legal Basis for Processing (GDPR)
Under GDPR Article 6, we process your personal data based on the following legal grounds:
1. Contract Performance (Article 6(1)(b))
Processing necessary to provide our AI training services, including plan generation, adaptation, readiness scoring, and workout synchronization.
2. Legitimate Interests (Article 6(1)(f))
Improving our AI models, fraud prevention, security monitoring, and service optimization. We conduct legitimate interest assessments to ensure your rights are not overridden.
3. Consent (Article 6(1)(a))
Marketing communications, optional analytics, and connecting third-party devices. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
4. Legal Obligation (Article 6(1)(c))
Tax compliance, financial record keeping, and responding to lawful requests from authorities.
Information We Collect
1. Information You Provide
- Account Information: Email address, password (stored only as a salted bcrypt hash, see Data Security), name, date of birth
- Profile Data: Age, weight, height, gender, fitness experience level, training goals, race dates
- Nutrition Logs: Food items, meal times, calorie intake, macronutrient data (manually entered or scanned)
- Payment Information: Processed securely through Stripe (we do not store full credit card details)
- Communications: Messages you send to support, feedback, and survey responses
2. Data from Connected Devices & Services
When you connect third-party wearables and fitness platforms via OAuth authorization, we collect:
- Strava: Workout activities (type, duration, distance, pace, heart rate, power data), athlete profile
- Garmin Connect: Activities, sleep data (duration, stages, quality), heart rate variability (HRV), resting heart rate, daily stress scores
- Apple HealthKit: Workouts, sleep analysis, HRV, resting heart rate, weight, activity rings
- Whoop: Recovery score, strain score, sleep performance (REM, deep, light, awake stages)
- Oura Ring: Readiness score, sleep analysis, activity tracking, heart rate metrics
We import up to 90 days of historical data when you first connect a device to establish baseline fitness metrics.
3. Automatically Collected Data
- Usage Data: App interactions, features used, session duration, navigation paths
- Device Information: Device type, operating system, app version, unique device identifiers
- Analytics: Aggregated usage statistics via Mixpanel (see Cookie Policy)
- Log Data: IP address, access times, error logs (retained for 90 days for debugging)
How We Use Your Information
We use your data to provide and improve our AI-powered training services:
Core Service Delivery
- AI Training Plan Generation: Creating personalized 8-16 week periodized training plans using Google Gemini AI based on your goals, experience, and historical performance
- Daily Plan Adaptation: Automatically adjusting workouts based on readiness scores calculated from sleep, HRV, resting heart rate, and recent training load
- Readiness Scoring: Combining sleep quality, HRV trends, and fatigue indicators to provide daily recovery insights
- AI Coaching Insights: Generating personalized motivational messages, training tips, and warnings (e.g., overtraining risk alerts)
- Nutrition Analysis: Calculating energy balance (calories in vs. calories burned) and providing fueling recommendations
- Performance Analytics: Computing fitness metrics (CTL, ATL, TSB), consistency tracking, and progress visualization
- Workout Synchronization: Pushing structured workouts to Garmin devices (Premium feature)
Communication
- Push Notifications: Daily coaching tips, readiness alerts, workout reminders (via Expo Push)
- Email Communications: Weekly training summaries, trial reminders, subscription confirmations, payment notifications (via SendGrid)
- Support: Responding to your inquiries and providing customer assistance
Service Improvement
- AI Model Training: Improving plan generation algorithms using aggregated, anonymized data
- Feature Development: Analyzing usage patterns to build features users find valuable
- Bug Fixes: Identifying and resolving technical issues
- A/B Testing: Testing messaging effectiveness and UI improvements
Legal & Security
- Fraud Prevention: Detecting and preventing fraudulent activity and payment abuse
- Compliance: Meeting legal obligations, enforcing terms of service
- Audit Logging: Maintaining security audit trails for plan lifecycle events, sync history, and account changes
How We Share Your Information
We do not sell your personal data. We share data only in these limited circumstances:
Third-Party Service Providers
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database & Authentication | All user data (encrypted at rest) |
| Google Gemini AI | AI plan generation & coaching | Training history, goals (anonymized) |
| Stripe | Payment processing | Email, name, billing info |
| SendGrid | Email delivery | Email address, name |
| Mixpanel | Analytics | Usage events (anonymized) |
| Sentry | Error monitoring | Error logs, device info |
Other Disclosures
- Legal Requirements: If required by law, court order, or government regulation
- Business Transfers: In the event of a merger, acquisition, or sale of assets (users will be notified)
- With Your Consent: Any other sharing will require your explicit permission
Data Security
We implement industry-standard security measures to protect your data:
- Encryption: Data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Row-Level Security (RLS): PostgreSQL policies ensure users can only access their own data
- OAuth Security: Secure token-based authentication with third-party services (OAuth 2.0, PKCE)
- Password Protection: Passwords hashed using bcrypt with salt
- Access Controls: Role-based permissions for internal team access
- Audit Logs: All critical operations logged for security review
- Monitoring: Automated threat detection and alerting (Sentry, Prometheus)
- Regular Audits: Periodic security assessments and penetration testing
While we use best practices to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to protecting your information.
Data Retention
- Active Accounts: Data retained as long as your account is active
- Deleted Accounts: Most data deleted within 30 days of account deletion (except where legally required)
- Legal Requirements: Financial records retained for 7 years (tax compliance)
- Backups: Backup systems retain data for up to 90 days for disaster recovery
- Anonymized Data: Aggregated, anonymized analytics may be retained indefinitely for research
Your Privacy Rights Under GDPR
As a data subject under GDPR, you have comprehensive rights over your personal data:
1. Right to Access (Article 15)
Request confirmation of whether we process your data and obtain a copy of your personal data.
How to exercise: Profile → Settings → Export Data or email privacy@trajex.fit
2. Right to Rectification (Article 16)
Correct inaccurate or incomplete personal data.
How to exercise: Profile → Settings → Edit Profile
3. Right to Erasure / "Right to be Forgotten" (Article 17)
Request deletion of your personal data when there is no compelling reason for continued processing.
How to exercise: Profile → Settings → Delete Account (permanent deletion within 30 days)
4. Right to Restriction of Processing (Article 18)
Request that we limit the processing of your personal data in specific circumstances (e.g., while we verify accuracy).
How to exercise: Email privacy@trajex.fit with your request
5. Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format (JSON) and transmit it to another service.
How to exercise: Profile → Settings → Export Data (receives ZIP file with JSON export)
6. Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing purposes.
How to exercise: Unsubscribe link in emails or Profile → Settings → Communication Preferences
7. Right Not to be Subject to Automated Decision-Making (Article 22)
Not be subject to decisions based solely on automated processing that produces legal or similarly significant effects. Note: Our AI training plan generation is advisory and does not produce legal effects. You retain full control over whether to follow AI recommendations.
8. Right to Withdraw Consent (Article 7(3))
Withdraw consent at any time for processing based on consent (e.g., marketing, device connections).
How to exercise: Profile → Connected Services → Disconnect Device or Profile → Settings → Marketing Preferences
9. Right to Lodge a Complaint (Article 77)
Lodge a complaint with your local Data Protection Authority (DPA) if you believe we have violated your rights.
EU DPA List: European Data Protection Board Members
Response Timeline (GDPR Compliance)
- Standard Response: Within 1 month of receiving your request
- Complex Requests: Up to 3 months (we will inform you if an extension is needed)
- Free of Charge: First request is free; excessive or repetitive requests may incur reasonable administrative fees
- Identity Verification: We may request additional information to verify your identity before processing requests
Children's Privacy
Trajex is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@trajex.fit, and we will delete it.
International Data Transfers (GDPR Chapter V)
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place as required by GDPR Articles 44-50:
EU Data Residency (Default for EU Users)
For users in the EU/EEA, all personal data is stored and processed within the European Union by default, using Supabase EU data centers (Frankfurt, Germany or other EU regions).
Standard Contractual Clauses (SCCs)
When data is transferred outside the EEA (e.g., to US-based service providers), we use European Commission-approved Standard Contractual Clauses (2021/914) to ensure GDPR-level protection.
Third-Party Processor Safeguards
- Google Gemini AI: Processes data in Google Cloud infrastructure with EU-US Data Privacy Framework certification and SCCs
- Stripe: GDPR-compliant payment processor with EU data centers and SCCs for non-EU transfers
- SendGrid: Email service with EU data processing agreements
- Mixpanel: Analytics with EU data residency option enabled
Adequacy Decisions
Where applicable, we rely on European Commission adequacy decisions (Article 45 GDPR) recognizing certain countries as providing adequate data protection (e.g., UK, Switzerland, Canada for commercial organizations).
Your Right to Information
You can request copies of the safeguards we have in place for international transfers by contacting our Data Protection Officer at dpo@trajex.fit.
Data Breach Notification (GDPR Articles 33-34)
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:
Notification to Supervisory Authority
Report the breach to our lead supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights.
Notification to Data Subjects
If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via email and in-app notification, including:
- Nature of the personal data breach
- Likely consequences of the breach
- Measures taken to address the breach
- Contact point for further information (DPO)
- Recommended actions to mitigate potential adverse effects
Breach Response Procedures
We maintain documented incident response procedures including containment, investigation, notification, and remediation protocols to minimize impact and prevent recurrence.
Cookies & Tracking
We use cookies and similar technologies to improve your experience. For detailed information, see our Cookie Policy.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. For material changes, we will notify you via:
- Email notification to your registered address
- In-app notification
- Prominent notice on our website
Continued use of Trajex after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or your personal data, contact us:
Email: privacy@trajex.fit
Data Protection Officer: dpo@trajex.fit
Support: support@trajex.fit
Company: Trajex™
Address: [Company Address - To Be Determined]