Privacy Policy
Effective Date: February 15, 2026 · Last Updated: March 18, 2026
1. Introduction
Training Cycles ("we," "us," or "our") is a track & field team training management application developed by Training Cycle. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our web and mobile applications (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
2.1 Account & Authentication Data
- Email address
- Password (stored only as a secure, one-way hash)
- Passkey credentials (WebAuthn public keys for passwordless sign-in)
2.2 Health & Wellness Data
- Sleep quality (1–10 scale) and sleep hours
- Energy level (1–10 scale)
- Soreness level (1–10 scale)
- Mood rating (1–10 scale)
- Rate of perceived exertion / RPE (1–10 scale)
- Fatigue level (1–10 scale)
- Injury notes and pain area descriptions
2.3 Training & Performance Data
- Workout sessions and exercise details
- Performance times and distances
- Personal records
- Competition results
2.4 Personal & Team Data
- Journal entries (free-form text with optional mood tags and categories)
- Team and group membership information
2.5 Data Stored on Your Device (iOS)
- Authentication tokens (JWT) stored securely in the iOS Keychain
- Cached profile information stored in UserDefaults
- Locally cached training data stored in SwiftData for offline access
2.6 HealthKit Data (iOS Only)
Important: If you choose to connect HealthKit, we may collect the following health and fitness data types to enhance your training analysis and readiness assessment:
- Heart rate data (resting heart rate, heart rate variability)
- Sleep analysis (sleep duration, deep sleep, REM sleep, sleep quality scores)
- Respiratory rate
- Body temperature measurements (wrist temperature deviations)
- Cardio fitness (VO2 Max estimates)
- Heart rate recovery measurements
HealthKit Data Restrictions: In accordance with Apple's Developer Program License Agreement, all HealthKit data collected through our iOS application is:
- Never used for advertising purposes
- Never sold to third parties
- Only used to provide health and fitness services related to athletic training, performance analysis, and recovery monitoring
- Stored securely and processed in accordance with Apple's HealthKit guidelines
You maintain full control over your HealthKit data and can revoke access at any time through your device's Health app settings or by disconnecting HealthKit integration within our application.
3. Information We Do Not Collect
We are committed to collecting only the data necessary to provide the Service. We do not:
- Use third-party analytics, tracking, or advertising SDKs
- Collect the Identifier for Advertisers (IDFA) or any device advertising identifiers
- Collect device fingerprints or unique device identifiers for tracking purposes
- Track your activity across other apps or websites
4. How We Use Your Information
We use the information we collect to:
- Authenticate your identity and manage your account
- Deliver core training management features, including scheduling, check-ins, and performance tracking
- Enable coaches to monitor athlete wellness and adjust training plans
- Display your training history and personal records
- Provide journaling functionality for personal reflection and coach–athlete communication
- Maintain and improve the reliability of the Service
5. Data Sharing & Disclosure
We do not sell your personal data to third parties.
Your data may be shared in the following limited circumstances:
- Within your team: Health, wellness, and training data you submit may be visible to your assigned coach(es) as part of the core functionality of the Service.
- Strava (optional integration): If you connect your Strava account, we access your Strava activity data (activity type, distance, duration, heart rate, elevation) via the Strava API. Once connected, a daily automated sync (run at 5:00 AM UTC via a server-side cron job at /api/cron/strava) fetches new activities on your behalf. You may disconnect Strava at any time from within the app, which stops all future syncing and removes stored Strava data. Strava is an independent data controller; see their privacy policy for how they handle your data.
- Service providers: We use third-party infrastructure providers (Neon for database hosting, Vercel for application hosting) solely to operate the Service. These providers process data on our behalf and are contractually obligated to protect it.
- Legal requirements: We may disclose information if required to do so by law, regulation, or valid legal process.
6. Data Storage & Security
- All data transmitted between your device and our servers is encrypted using HTTPS (TLS).
- Passwords are stored as secure, one-way hashes and are never kept in plaintext.
- Authentication tokens on iOS are stored in the system Keychain, the most secure on-device storage available.
- Server-side data is stored in a PostgreSQL database managed through Prisma ORM with access restricted to authorized services only.
While we implement commercially reasonable safeguards, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:
- Raw health & wellness metrics (heart rate, sleep, check-in scores, RPE, HRV, and HealthKit data): retained for 24 months from the date of collection. An automated weekly process permanently deletes records older than 24 months regardless of account status.
- Training & performance records (workout sessions, personal records, competition results): retained for the lifetime of your account.
- Journal entries: retained until you delete them or close your account.
- Account credentials & profile data: retained until account deletion.
- Aggregated, de-identified analytics: may be retained indefinitely as they cannot be linked to any individual.
If you delete your account, all personal data (including all categories above) will be permanently removed from our production systems within 30 calendar days, and from backup systems within 90 days.
Coach access on team removal: When an athlete is removed from a team, all coach access to that athlete's data is revoked immediately. The removal is recorded in our audit log for compliance purposes.
8. Your Rights & Choices
You have the right to:
- Access your data: View your health, wellness, training, and journal data within the app at any time.
- Delete journal entries: Remove any journal entry you have created.
- Manage passkeys: Add or remove passkey credentials used for authentication.
- Delete your account: Request permanent deletion of your account and all associated data (see Section 8.1 below).
- Data portability: Request a copy of your personal data in a portable format by contacting us.
8.1 Your Right to Deletion (GDPR Article 17 & CCPA § 1798.105)
Under the General Data Protection Regulation (GDPR Article 17) and the California Consumer Privacy Act (CCPA § 1798.105), you have the right to request erasure of your personal data. We honor this right through a self-service in-app deletion flow and by email request.
What gets deleted
- Account credentials (email anonymized, password hash removed)
- Athlete profile and all associated health & wellness data
- Training records, workout history, and personal records
- Journal entries, coach notes, and goal records
- Team memberships and competition entries
- HealthKit data synced to our servers
- Strava connection and synced activity data
- Push notification tokens and device records
How to delete your account
- In-app (immediate): Go to Settings → Delete Account. Deletion is immediate and permanent.
- By email: Send a request to privacy@trainingcycles.app from the address associated with your account. We will complete deletion within 30 calendar days.
Audit retention
A minimal audit log entry (user ID, deletion timestamp, initiator) is retained after deletion solely for compliance and fraud-prevention purposes, as permitted under GDPR Article 17(3) and applicable law. This record contains no health data or PII beyond the anonymized user ID.
9. Children's Privacy & Minor Athletes
9.1 Children Under 13 (COPPA)
The Service is not directed at children under 13 years of age. Our registration flow enforces a minimum age of 13 and will not permit account creation for users who indicate they are younger. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected data from a child under 13, we will promptly delete that information. If you believe a child under 13 has provided us with personal data, please contact us at privacy@trainingcycles.app.
9.2 COPPA Direct Notice to Parents — Minor Athletes Ages 13–17
In accordance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) and FTC Rule 16 C.F.R. § 312.4, we deliver a direct notice to a parent or guardian before collecting personal information from any athlete between the ages of 13 and 17. This notice is sent by email to the parent/guardian address provided at registration.
What the Notice Covers
The direct notice sent to parents describes, in plain language:
- Our identity and contact information (Training Cycle, privacy@trainingcycles.app)
- The categories of personal information we collect from the child (account data, wellness check-ins, training records, HealthKit data if connected)
- How that information is used (solely to provide coaching and training management features)
- Whether information is disclosed to third parties (only to the child's assigned coach and our infrastructure providers; never sold)
- Parental rights: the right to review, correct, refuse further collection, or delete the child's personal information
Parental Rights (COPPA § 312.6)
A parent or guardian of a minor athlete may, at any time:
- Review the personal information we have collected from their child
- Correct inaccurate personal information
- Refuse further collection or use of personal information by requesting account deactivation
- Delete their child's personal information from our systems (see Section 8.1)
To exercise any of these rights, contact us at privacy@trainingcycles.app. We will respond within 30 calendar days.
9.3 Additional Protections for Minor Athletes
- Account flagging: Minor accounts (ages 13–17) are identified at registration using date of birth and flagged internally for enhanced protections.
- Breach notification: In the event of a data breach affecting minor accounts, we will notify the parent/guardian email on file within 72 hours.
- Data minimization: We collect only the data necessary for the coaching relationship: wellness check-ins, training records, and performance data. No advertising identifiers or behavioral tracking data is collected for any user, including minors.
- Health data restrictions: HealthKit data for minor athletes is subject to the same restrictions as all users: never sold, never used for advertising, and only used to provide athletic training services.
- No excess data conditioning: We do not condition a minor athlete's participation in the Service on the disclosure of more personal information than is reasonably necessary to provide the coaching and training features.
10. Consumer Health Data Privacy Policy
Applicable to residents of Washington, Nevada, and Connecticut under the Washington My Health My Data Act (MHMD), Nevada SB 370, and the Connecticut Data Privacy Act (CTDPA).
10.1 Consumer Health Data We Collect
The following data types are classified as "consumer health data" or "sensitive personal information" under applicable state law (CCPA/CPRA, Washington MHMD, Nevada SB 370, Connecticut CTDPA):
- Heart rate data: Resting heart rate and heart rate variability (HRV/SDNN) collected via Apple HealthKit
- Sleep data: Sleep duration, sleep quality scores, deep sleep and REM sleep minutes
- Biometric indicators: VO2 Max estimates, heart rate recovery, respiratory rate, wrist temperature deviation
- Subjective wellness metrics: Daily energy level, soreness, mood, fatigue ratings (1–10 scale)
- Injury and pain data: Injury notes and pain area descriptions entered during wellness check-ins
- Physical activity data: Workout sessions with heart rate data synced from Strava or Apple Watch
- Journal entries: Free-form athlete journal text with optional mood tags. Where journal content describes physical or mental health conditions, this data constitutes sensitive personal information under CCPA/CPRA § 1798.140(ae) and consumer health data under the Washington MHMD Act.
10.1a Legal Basis for Processing
We process consumer health data on the following legal bases:
- Explicit consent: HealthKit access requires your explicit permission via iOS. Wellness check-ins and journal entries are submitted at your discretion. You may withdraw consent at any time by revoking HealthKit permissions, ceasing check-in submissions, or deleting your account.
- Performance of a contract: Wellness and performance data submitted by athletes is necessary to deliver the core coaching and training management service described in our Terms of Service.
10.1b Retention of Consumer Health Data
- HealthKit biometrics & raw wellness metrics (heart rate, HRV, sleep, VO2 Max, respiratory rate, wrist temperature, check-in scores): retained for 24 months from the date of collection, then permanently deleted.
- Journal entries: retained until you delete them or close your account.
- Training & performance records: retained for the lifetime of your account.
10.2 No Sale of Consumer Health Data
We do not sell, rent, or otherwise transfer consumer health data to any third party for monetary or other valuable consideration. This commitment applies to all health data types listed in Section 10.1.
10.3 Third-Party Sharing & Processors
Consumer health data may be processed by the following service providers solely to operate the Service:
- Neon (database hosting): All health and wellness data is stored in a PostgreSQL database hosted by Neon, Inc. Neon acts as a data processor and does not use your data for any purpose beyond database operations.
- Vercel (application hosting): The Service runs on Vercel's infrastructure. Request data passes through Vercel's edge network in transit only.
- Strava (optional, user-initiated): If you choose to connect your Strava account, activity and heart rate data is fetched from Strava's API at your direction. Strava is an independent controller of your data under their own privacy policy. You may disconnect Strava at any time from within the app.
We do not share consumer health data with any other third party, including data brokers, advertisers, or analytics providers.
10.4 Deletion Rights & 30-Day Response SLA
You have the right to request permanent deletion of all consumer health data and associated personal information. We will fulfill verified deletion requests within 30 calendar days of receipt.
To submit a deletion request:
- In-app (immediate): Use the "Delete Account" option in Settings. This immediately and permanently deletes your account and all associated health data from our systems.
- By email: Send a deletion request to privacy@trainingcycles.app from the email address associated with your account. We will respond and complete the deletion within 30 calendar days.
Upon deletion, all consumer health data is permanently removed from our production database and will be purged from backup systems within 90 days in accordance with our backup retention policy.
10.5 Consent
Consumer health data is collected only with your explicit consent:
- HealthKit data requires explicit permission granted through the iOS Health app. You may revoke this permission at any time.
- Wellness check-in data is submitted voluntarily by you for each check-in.
- Strava activity data is synced only after you explicitly connect your Strava account.
11. California Residents — CCPA Rights
Applicable to residents of California under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
11.1 Data Categories Collected (CCPA § 1798.100)
The following table lists each category of personal information we collect, how it is collected, its retention period, and whether it is disclosed to third parties.
| Category | Examples | Retention | Third-Party Disclosure |
|---|---|---|---|
| Identifiers | Email address, date of birth, hashed password | Until account deletion | Infrastructure providers only (Neon, Vercel) |
| Health & Biometric Data | Heart rate, HRV, sleep, VO2 Max, respiratory rate, wrist temperature (via HealthKit) | 24 months from collection | Your assigned coach(es); infrastructure providers; never sold |
| Wellness & Fitness Data | Daily check-in scores (energy, soreness, mood, RPE, fatigue), injury notes | 24 months from collection | Your assigned coach(es); infrastructure providers; never sold |
| Training & Performance Records | Workout sessions, personal records, competition results, training schedules | Lifetime of account | Your assigned coach(es); infrastructure providers; never sold |
| Third-Party Activity Data (Strava) | Activity type, distance, duration, heart rate, elevation (if Strava connected) | Until Strava disconnected or account deleted | Strava (independent controller); infrastructure providers; never sold |
| User-Generated Content | Journal entries, coach notes, mood tags, goal records | Until deleted or account closed | Your assigned coach(es); infrastructure providers; never sold |
| Authentication Credentials | WebAuthn passkey public keys, session tokens | Until revoked or account deleted | Infrastructure providers only; never sold |
| Team & Membership Data | Team membership, squad, event group, coach assignment | Until account deletion | Your assigned coach(es); infrastructure providers; never sold |
We do not collect: device advertising identifiers (IDFA), behavioral tracking data, geolocation, financial information, or commercial purchase history.
11.2 Your CCPA Rights
As a California resident, you have the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete: Request deletion of personal information we have collected from you (see Section 8.1).
- Right to Correct: Request correction of inaccurate personal information we hold about you.
- Right to Opt Out of Sale or Sharing: We do not sell or share your personal information with third parties for cross-context behavioral advertising. Because we do not sell or share personal data, there is nothing to opt out of. You may confirm this on our Do Not Sell My Personal Information page.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise your rights, email privacy@trainingcycles.app with the subject line “CCPA Rights Request.” We will verify your identity and respond within 45 calendar days, with a possible 45-day extension where reasonably necessary.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Effective Date" at the top of this page. We encourage you to review this policy periodically. Continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
13. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:
Training Cycle
privacy@trainingcycles.app