Privacy Policy
Privacy Policy for TrainQ with Garmin Integration
Version/Date: 2026-03-03
Domain: https://www.trainq.app
1. Controller
Julius Deusch (TrainQ, Sole Proprietorship)
In den Grüben 140
84489 Burghausen, Germany
Email: Julius.Deusch@trainq.app
2. Privacy Contact
For any inquiries regarding data protection and your rights (e.g. access, deletion, data export, revocation/disconnection of Garmin), you can contact us at any time:
Email: Julius.Deusch@trainq.app
A data protection officer is currently not required by law and therefore not appointed.
3. Scope
This privacy policy applies to:
- the website https://www.trainq.app,
- the TrainQ Mobile App (iOS/Android), and
- the optional Garmin Connect Integration (Garmin Connect Developer Program / Garmin APIs), if you activate it.
4. Definitions
- Personal data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation involving personal data (e.g. collection, storage, transmission, deletion).
- Controller: The entity that determines the purposes and means of processing (see Section 1).
- Processor: Service providers that process personal data on behalf of the controller pursuant to Art. 28 GDPR.
5. Categories of Processed Data
5.1 Website (Technical Usage)
When accessing the website, the following data may be processed:
- IP address, date and time of request, accessed URL/resource, status/response codes
- Device and browser information (User Agent), referrer URL (if transmitted)
- Security and error messages for maintaining stability and abuse/attack detection
5.2 Account Data (App)
When using the app, the following data may be processed:
- Email address, internal account IDs
- Authentication data (e.g. password hash or session/login tokens)
- Account settings and optional profile/display information you provide
5.3 Training Data (TrainQ)
Training-related data that you enter or that is generated in TrainQ, e.g.:
- Training plans and scheduled sessions
- Workouts, exercises, sets/reps/weights, notes
- Training history and derived analytics (e.g. weekly volume)
5.4 Garmin Data (Only with Active Connection and Consent)
When you connect your Garmin account, TrainQ processes Garmin data only within the scope of the permissions you grant and only as required for specific features (data minimization).
5.4.1 Activity Summaries
Typically (if available in the activity):
- Sport/activity type, start date/time, duration
- Distance, pace/speed, calories
- Heart rate values (e.g. average/maximum)
5.4.2 Activity Details
Only when a specific feature requires this data for analysis/review and it is available in the activity:
- Splits/laps/intervals and associated time series (e.g. pace/speed, heart rate progression)
- Additional detail metrics (e.g. cadence, power), as required
5.4.3 Location/Route Data (Sensitive)
Location/route/track data (e.g. GPS route) is only processed when:
- a feature you use requires this data for analysis/review,
- the data is available in the activity, and
- processing is necessary for the feature.
Otherwise, no location/route data is imported or stored from Garmin.
5.4.4 Activity Files (GPX/FIT/TCX)
GPX/FIT/TCX files are only processed and/or stored when a corresponding import/file feature is implemented and used by you and processing is required for it. Otherwise, such files are not processed or stored.
5.4.5 Connection and Authorization Data
OAuth tokens and technical identifiers required to maintain the Garmin connection and correctly associate data with your TrainQ account.
5.4.6 Origin of Garmin Data
The data imported via Garmin Connect integration originates from your Garmin account. Garmin is the independent controller for its own processing of your data.
For more information on data processing by Garmin, see the Garmin Connect Privacy Policy at: https://www.garmin.com/privacy/connect
5.5 Preference Data (Website)
Purely technical preferences (e.g. language/theme) that you actively select may be stored locally in localStorage (see Section 15).
5.6 Possible Special Categories (Art. 9 GDPR)
Certain activity metrics (particularly heart rate values and associated time series) may, depending on context, qualify as health data and thus as special categories of personal data under Art. 9 GDPR. Where applicable, processing is based exclusively on your explicit consent (see Section 7.2).
6. Purposes of Processing
6.1 Website Operation
- Delivery of the website and ensuring technical stability
- Detection and prevention of abuse, attacks, and technical disruptions
- Error diagnosis and security monitoring
6.2 Account Management and App Operation
- Registration, login, and account management
- Provision of the app's core features
6.3 Training Features
- Training history: building and maintaining your training diary
- Analytics/trends: analysis of progress and training patterns
- Plan fulfillment: comparing planned sessions with completed activities
- Coaching features: coaching/insights based on your history (if implemented)
- Post-workout review: review of training sessions (including relevant details, if implemented)
6.4 Support
- Processing your inquiries and communicating with you
- Documentation of support cases for follow-up and quality assurance
6.5 Compliance and Security
- Protection of TrainQ, users, and systems from abuse and attacks
- Ensuring integrity, availability, and confidentiality of data
- Compliance with legal retention and documentation obligations
7. Legal Basis (Art. 6 GDPR) per Purpose
7.1 Performance of Contract (Art. 6(1)(b) GDPR)
To provide TrainQ and fulfill the user relationship, in particular for:
- Creation and management of user accounts
- Authentication and session management
- Provision of training features (planning, history, display)
7.2 Consent (Art. 6(1)(a) GDPR) and Explicit Consent (Art. 9(2)(a) GDPR)
For subscribing to our newsletter/launch notifications (Section 16).
For linking your Garmin account and importing/processing Garmin data (Sections 5.4 and 8).
Where Garmin data (or other activity data) qualifies as special categories of personal data under Art. 9 GDPR (particularly health-related data such as heart rate metrics and associated time series), processing is additionally based on your explicit consent pursuant to Art. 9(2)(a) GDPR.
You may withdraw your consent at any time with effect for the future (Art. 7(3) GDPR), see Section 9.
7.3 Legitimate Interests (Art. 6(1)(f) GDPR)
For IT security, abuse prevention, stability, and error diagnosis (particularly log data) to operate TrainQ securely and reliably. The legitimate interest lies in ensuring the security and integrity of the service. Access to log data is restricted to authorized personnel, no marketing use occurs, and short retention periods are applied (see Section 11) to protect your rights and freedoms.
8. Garmin Connect Integration (Details)
8.1 OAuth 2.0 / Authorization Flow
- You start the "Connect Garmin" function in TrainQ.
- You are redirected to Garmin's authorization/consent page.
- After your consent, TrainQ receives OAuth tokens to retrieve the data you have shared via the Garmin APIs.
8.2 No Garmin Passwords at TrainQ
TrainQ does not receive, store, or process Garmin login credentials (passwords). Authentication is handled exclusively by Garmin.
8.3 Data Minimization
TrainQ only processes those Garmin fields required for the features you use (e.g. training history, analytics/trends, plan fulfillment, coaching features, post-workout review).
8.4 No Advertising / No Sale
Garmin data is not sold and not used for advertising or profiling/targeting purposes.
8.5 Garmin Attribution
Where Garmin data is displayed in the app, Garmin is identified as the data source (e.g. through corresponding labeling in the interface).
8.6 Garmin Privacy Notice
For information on data processing by Garmin, see the Garmin Connect Privacy Policy at: https://www.garmin.com/privacy/connect
9. User Control (Disconnection, Revocation, Export, Deletion)
9.1 Disconnection and Revocation (for the Future)
You can disconnect the Garmin link in TrainQ and/or revoke permissions in your Garmin account. After disconnection/revocation, no new Garmin activities will be imported.
9.2 Previously Imported Garmin Data
Previously imported Garmin data remains stored until you:
- delete it yourself (if such a function is provided),
- request its deletion, or
- delete your TrainQ account.
9.3 Data Export
You can request an export of your personal data (including any imported Garmin data):
Email: Julius.Deusch@trainq.app (subject e.g.: "Data export").
9.4 Deletion
You can request the deletion of imported Garmin data and/or your TrainQ account:
Email: Julius.Deusch@trainq.app (subject e.g.: "Delete Garmin data" and/or "Delete account").
To protect against unauthorized requests, reasonable identity verification may be required.
10. Recipients / Processors & International Transfers
10.1 Recipients / Processors
Service providers may be engaged as processors for operating TrainQ. Data is only shared as required for service provision and on the basis of data processing agreements pursuant to Art. 28 GDPR (where necessary). Categories of such service providers may include:
- Hosting / Infrastructure (provision and security of website and backend services)
- Database / Storage (storage of user and training data)
- Email / Support (handling of support inquiries and communication)
Currently engaged processors (selection):
- Vercel Inc. (USA): Hosting and delivery of the website. Privacy: vercel.com/legal/privacy-policy
- Supabase Inc. (USA): Database, authentication, and backend services. Privacy: supabase.com/privacy
- EmailJS: Email delivery for contact inquiries. Privacy: emailjs.com/legal/privacy-policy
A complete and current list can be requested at any time by email at Julius.Deusch@trainq.app.
Personal data is not shared for marketing or advertising purposes.
10.2 International Data Transfers
Processing within the EU/EEA is preferred where possible.
Where data is transferred to countries outside the EU/EEA in individual cases, this is done only in compliance with Art. 44 ff. GDPR, in particular:
- on the basis of an adequacy decision by the EU Commission, or
- using Standard Contractual Clauses (SCC) and, where applicable, additional technical and organizational measures.
11. Retention Period / Deletion Concept
Personal data is only stored for as long as necessary for the purposes stated in this policy, unless longer statutory retention periods apply.
- Account and training data (including imported Garmin data): until you delete the data or your account is deleted; statutory retention obligations remain unaffected.
- Server/security logs: generally a maximum of 30 days, then deletion or anonymization where practicable.
- Backups: rotating, maximum approx. 30 days; data may remain in backups until overwritten.
- Support communication: generally up to 12 months after case closure, unless exceptionally longer retention is required (e.g. for the establishment, exercise, or defense of legal claims).
12. Security (Technical and Organizational Measures)
Appropriate technical and organizational measures (TOMs) are implemented to ensure a level of protection appropriate to the risk, including:
- Encryption of data in transit (TLS/HTTPS)
- Access controls, authentication, and authorization management based on the principle of least privilege
- Protection of tokens/keys and strict separation of user access
- Logging of security-relevant events for detection and prevention of abuse
- Implementation of, and compliance with, the security and API usage requirements specified by Garmin for applications using the Garmin Connect Developer Program
13. Data Subject Rights
Subject to legal requirements, you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR), where processing is based on Art. 6(1)(f) GDPR
- Right to withdraw consent (Art. 7(3) GDPR) with effect for the future
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise your rights, simply contact: Julius.Deusch@trainq.app.
Competent Supervisory Authority:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach, Germany
https://www.lda.bayern.de
14. Consent Management
- Garmin: Disconnect the connection in TrainQ and/or revoke permissions/restrict sharing in your Garmin account (with effect for the future).
- Additional consents: If additional consent-based features are introduced in the future, this will be explicitly communicated and documented accordingly.
15. Cookies / Tracking on the Website
The website currently does not use non-essential tracking cookies and does not use third-party analytics by default.
A cookie consent banner is displayed to inform you about this and to let you confirm your preference. Your choice is stored locally via localStorage.
For purely technical preferences (e.g. language/theme, cookie consent), localStorage may be used. TrainQ does not store or use any identifiers via localStorage for advertising or analytics purposes.
If non-essential tracking technologies are used in the future, this privacy policy will be updated and, if required, an appropriate consent mechanism will be provided.
16. Newsletter / Launch Notifications
16.1 Purpose and Scope
If you sign up for our launch notification or newsletter via the email signup form on our website, we process your email address to send you:
- A one-time notification when TrainQ Pro launches
- Occasional training insights and blog updates
16.2 Legal Basis
Your consent pursuant to Art. 6(1)(a) GDPR, given when you submit the signup form. We use a double opt-in process: after submitting your email address, you will receive a confirmation email. Your subscription is only activated after you click the confirmation link.
16.3 Service Provider
Newsletter delivery is handled via Formspree (Formspree, Inc., USA). Formspree processes your email address on our behalf. Privacy: formspree.io/legal/privacy-policy. Data transfer to the US is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR).
16.4 Withdrawal / Unsubscribe
You may withdraw your consent and unsubscribe at any time with effect for the future. Each email contains an unsubscribe link. Alternatively, you can contact us at Julius.Deusch@trainq.app.
16.5 Retention
Your email address is stored until you unsubscribe or the newsletter service is discontinued. Upon unsubscription, your email address is deleted without undue delay.
17. Contact / Support
When you contact us by email, the information you submit (e.g. email address, message content) is processed to handle your inquiry. The legal basis depends on context:
- Art. 6(1)(b) GDPR (contract / pre-contractual measures), where the inquiry relates to your user relationship, and/or
- Art. 6(1)(f) GDPR (efficient handling, security) for general inquiries.
17a. Automated Decisions (Art. 22 GDPR)
TrainQ currently does not use automated decision-making including profiling that produces legal effects concerning you or similarly significantly affects you (within the meaning of Art. 22 GDPR).
18. Changes to this Privacy Policy
This privacy policy may be updated when features, legal requirements, or technical conditions change. The latest version is always available at https://www.trainq.app/privacy.html.
Version/Date: 2026-03-13 · Contact: Julius.Deusch@trainq.app