Trainody Privacy Policy
Last modified: 13/06/2026
1. Introduction
This Privacy Policy describes how Trainody collects, uses, stores and protects the personal data of users of our software as a service (SaaS) platform dedicated to personal trainers and their clients, accessible through the trainody.com website, the app.trainody.com web application and the mobile app for clients.
Personal data is processed in compliance with Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 ("Italian Privacy Code").
2. Data Controller
The data controller is Trainody. For any privacy-related matter you can contact us at: info@trainody.com.
3. Processing Roles: Trainody and Personal Trainers
The platform is used by personal trainers to manage their clients. It is therefore important to distinguish two roles:
- Trainody as controller: for account data (registration, billing, technical logs, platform usage data), Trainody acts as data controller.
- Trainody as processor: for end-client data entered by personal trainers (personal details, medical histories, measurements, workout plans, progress, messages), the personal trainer acts as an independent data controller and Trainody as a data processor pursuant to Art. 28 GDPR, processing such data exclusively to provide the service and according to the trainer's instructions.
The personal trainer is responsible for having an appropriate legal basis (e.g. explicit consent for health-related data) for the data of their clients uploaded to the platform.
4. Data We Collect
4.1 Data Provided by the User
- Registration data: first name, last name, email address, password (stored in encrypted form)
- Professional information of the personal trainer (e.g. business name, gym/studio)
- Contact and personal details of clients entered by the trainer
- Workout plans and programs, notes, videos and uploaded materials
- Physical measurements, progress and fitness goals
- Medical history information and documentation relevant to physical activity, which may include health-related data (special category of data under Art. 9 GDPR), processed only with an appropriate legal basis
- Contents of trainer-client chat communications
4.2 Payment Data
Subscription payments are handled by our provider Stripe. Trainody does not store full payment card data: it only receives from Stripe the information needed to manage the subscription (payment outcome, last digits of the card, subscription status).
4.3 Automatically Collected Data
- Access and system logs
- IP address and country of origin (also used to suggest the website language)
- Device and browser information
- Technical cookies necessary for the operation of the platform (see section 11)
- Aggregated website usage and performance data (cookieless analytics, see section 11)
5. Purposes and Legal Bases of Processing
- Provision of the service (account creation and management, platform features, trainer-client communication, mobile app) — legal basis: performance of the contract (Art. 6(1)(b) GDPR)
- Payment and billing management — legal basis: performance of the contract and compliance with legal obligations (Art. 6(1)(b) and 6(1)(c) GDPR)
- Processing of health-related data (medical history, conditions relevant to training) — legal basis: explicit consent of the data subject (Art. 9(2)(a) GDPR), collected by the personal trainer as controller
- Platform security (prevention of unauthorized access, abuse and fraud) — legal basis: legitimate interest (Art. 6(1)(f) GDPR)
- Service improvement through aggregated usage statistics — legal basis: legitimate interest (Art. 6(1)(f) GDPR)
- Service communications (technical notices, changes to the terms, security alerts) — legal basis: performance of the contract and legitimate interest
- Compliance with legal obligations (tax, accounting, requests from authorities) — legal basis: legal obligation (Art. 6(1)(c) GDPR)
Providing the data necessary for the provision of the service is a requirement for using the platform: without it, the service cannot be provided.
6. Recipients of the Data
Data may be disclosed to the following categories of recipients, appointed where necessary as data processors pursuant to Art. 28 GDPR:
- Supabase — database, authentication and storage of platform data
- Vercel — hosting of the website and web application, aggregated usage and performance statistics
- Stripe — payment processing and subscription management
- Resend — sending of transactional and service emails
- Personal trainers and their respective clients, within the limits of their professional relationship
- Consultants and suppliers (e.g. tax, legal) within the limits of the purposes indicated above
- Competent authorities, where required by law
Personal data is never sold or transferred to third parties for marketing purposes.
7. Data Transfers Outside the EU
Data is stored primarily on servers located in the European Union. Some of the providers listed above are based in the United States or may process data outside the EU: in such cases the transfer takes place on the basis of an adequacy decision of the European Commission (including the EU-U.S. Data Privacy Framework, where applicable) or the Standard Contractual Clauses (SCC), with supplementary safeguards where necessary.
8. Data Retention
Personal data is retained for the following periods:
- Account data and platform content: for the duration of the contractual relationship
- Billing data and tax documents: 10 years, in compliance with legal obligations
- Technical and security logs: up to 12 months, unless needed to investigate unlawful activity
- Residual non-essential data: a maximum of 24 months after termination of the service
Once these periods expire, data is deleted or anonymized. Upon account closure, client data entered by the trainer is deleted or returned according to the trainer's instructions, without prejudice to statutory retention obligations.
9. Data Subject Rights
Pursuant to Arts. 15-22 GDPR, data subjects have the right to:
- Access their data and obtain a copy of it
- Rectify inaccurate or incomplete data
- Obtain the erasure of their data ("right to be forgotten")
- Restrict processing
- Receive their data in a structured, commonly used format (portability)
- Object to processing based on legitimate interest
- Withdraw consent at any time, without affecting the lawfulness of prior processing
- Lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or their local supervisory authority
Requests can be sent to info@trainody.com. We will respond within 30 days. For data entered by their personal trainer, clients may also contact the trainer directly, in their capacity as data controller.
10. Data Security
We adopt technical and organizational security measures appropriate to the risk, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Password storage in encrypted form (hashing)
- Access control and data minimization
- Regular backups
- Monitoring and data breach management procedures, with notification to the supervisory authority and to data subjects in the cases provided for by Arts. 33-34 GDPR
11. Cookies and Similar Technologies
The website only uses technical cookies, for which consent is not required:
- NEXT_LOCALE — stores the language chosen by the user (duration: 12 months)
- Session cookies necessary for authentication in the reserved area (app.trainody.com)
Website usage and performance statistics are collected through Vercel Analytics and Speed Insights, tools that do not use cookies and do not track users across different sites: the data collected is aggregated and anonymous. We do not use profiling cookies or third-party marketing tools.
12. Minors
The service is not intended for users under 16 years of age. We do not knowingly collect data from minors without the consent of their parents or legal guardian. A personal trainer who intends to train a minor client must obtain the consent of the person holding parental responsibility.
13. Changes to this Privacy Policy
We may update this Privacy Policy to reflect regulatory or service changes. Substantial changes will be communicated by email or through a notice on the platform with reasonable advance notice. The date of the last modification is shown at the top of this document.
14. Contact Us
To exercise your rights or for any questions about this Privacy Policy:
- Email: info@trainody.com
- Instagram: @trainody.app