1. Who We Are
TrailMath is a trail running training planning tool operated by SC EXPRESS DESIGN SRL (CUI RO19127375), Brașov, Romania (data controller within the meaning of the EU General Data Protection Regulation, "GDPR").
Contact: support@trailmath.run
2. Scope
This Privacy Policy applies to personal data processed through the TrailMath web application at app.trailmath.run, the TrailMath mobile applications, and the marketing site at trailmath.run.
You must be at least 16 years old to use TrailMath. We do not knowingly collect data from anyone under 16. If we become aware that a user is under 16, we will delete their account and associated data promptly.
By creating an account you agree to our Terms of Use. When you connect third-party platforms (Strava, Garmin), their own privacy policies also apply – see Section 6.
TrailMath supports guest accounts – you may begin using the app without providing an email address. Guest accounts store the same training and profile data described below, associated with a device-generated identifier. If you later register with an email, your guest data is linked to the new account.
3. Data We Collect
3.1 Account Data
Email address and password (hashed with bcrypt) when you create a registered account. Guest users are identified by a device-generated identifier and do not provide an email or password until they choose to register.
3.2 Profile and Onboarding Data
Running experience level, weekly volume, training preferences, race objectives (including target race name, date, distance, elevation, and priority), and scheduling preferences (preferred training days, available days per week) – provided during onboarding or updated later in account settings.
3.3 Training Data
Training plans, scheduled sessions, completion status, session notes, actual vs. planned metrics (distance, duration, pace, elevation), and session-level data such as warmup/cooldown structure, interval targets, and RPE (Rate of Perceived Exertion) values that you record within the app.
3.4 Health and Injury Data
If you use the injury tracking feature, we collect: injury location, type, severity, pain level, date of onset, and any notes you provide. This data may include information that qualifies as health data under GDPR Article 9. We process this data on the basis of your explicit consent (Art. 9(2)(a) GDPR), which you provide by voluntarily entering injury information in the app. You can delete individual injury records at any time.
3.5 Strength Training Data
If your plan includes strength sessions, we collect: exercises performed, sets, repetitions, weight, rest periods, and exercise completion status.
3.6 Coach Conversation Data
Messages you exchange with the AI coaching feature, along with the AI's responses. These conversations are stored in your account and used to provide context for future coaching interactions. See Section 5 for details on how AI processes your data.
3.7 Connected Platform Data
When you connect Strava or Garmin (see Section 6), we receive activity data including: activity type, name, date, duration, distance, elevation gain, heart rate summaries (average, max), and sport type.
We also temporarily store the raw API response from each platform, which may contain additional metadata beyond the fields listed above (such as gear, splits, laps, or GPS summaries). Imported activity records, including raw responses, are automatically deleted after 7 days. Training metrics derived from matched activities (duration, distance, elevation) are stored as part of your training history.
3.8 Push Notification and Device Data
If you enable push notifications on your mobile device, we store a device token (provided by Firebase Cloud Messaging) associated with your account. This token is used solely to deliver notifications you have opted into. You can disable push notifications at any time through your device settings, which effectively prevents further notifications. Device tokens are deleted when you disable notifications or delete your account.
3.9 Technical Data
IP address, browser type, device information, and request logs collected automatically.
4. How We Use Your Data
4.1 Core Service
- Generate and manage your training plans based on your goals, preferences, and fitness level
- Provide AI coaching suggestions based on your training history (see Section 5)
- Send essential account-related emails (password resets, security alerts)
4.2 Activity Matching
When activities arrive from Strava or Garmin, we match them against your planned sessions to automatically track completion and calculate training load metrics.
4.3 Volume Estimation and Historical Import
At the time you connect a platform, we import up to 180 days of historical activities. This backfill establishes your recent training volume baseline, which is used to generate safe and effective training plans – avoiding sudden load spikes that could lead to injury.
4.4 Garmin Workout Push
If you connect Garmin with the training_api scope, TrailMath can send upcoming workout structures to your Garmin device. Details of what is sent are described in Section 6.3.
4.5 Push Notifications
If enabled, we send notifications about upcoming sessions, plan updates, or coach messages. You can disable notifications at any time through your device settings.
4.6 Diagnostics
- Diagnose technical issues and prevent abuse
- Monitor service health and performance
We do not sell your data, use it for advertising, send marketing emails, or build advertising profiles.
5. AI Processing
TrailMath uses AI to generate coaching suggestions. The AI model is provided by an EU-based AI provider, acting as a data processor. The specific provider may change over time; the current provider is listed in our sub-processor table (Section 8).
5.1 What Data Is Sent to the AI
When the AI coaching feature processes your data, the following context is included:
- 14 days of recent training history (detailed session data)
- A summary of the preceding two weeks (days 15–28) for broader context
- 21 days of upcoming planned sessions
- Your current race objective (target event details)
- Active injury data, if any, so the coach can account for limitations
- Your recent coach conversation history for continuity
Data is pseudonymized – no personal identifiers (name, email) are included in AI requests. Your data is identified by an internal reference only.
5.2 AI Provider Commitments
Our AI provider processes data on their API platform, which is currently hosted in the EU. According to our provider's published policies, API inputs are not used for model training. Activity data imported from connected platforms (Strava, Garmin) is not used for AI model training.
5.3 AI-Generated Content
Coaching responses are generated by the AI model and may include training suggestions, workout modifications, or general guidance. These are informational and do not constitute medical or professional coaching advice.
6. Connected Platforms
6.1 How Connections Work
Platform connections use the OAuth 2.0 authorization protocol. When you connect Strava or Garmin, you are redirected to that platform's website where you grant TrailMath specific permissions. We never see or store your platform password.
OAuth access tokens and refresh tokens are stored with application-level AES-256-CBC encryption in our database. Tokens are used solely to communicate with the connected platform on your behalf.
6.2 Strava
Permissions requested
We request the read and activity:read_all scopes. The activity:read_all scope grants access to all activities including those you have marked as private on Strava. We request this broader scope because many trail runners mark training activities as private while still wanting them included in their training plan tracking. You can revoke this access at any time (see Section 6.5).
Data flow direction
Strava → TrailMath only. We do not write any data back to Strava.
Data received
Activity type, name, date, duration, distance, elevation gain, heart rate summary, and the raw API response (which may include additional metadata such as gear, splits, or laps).
Retention of imported data
Imported activity records, including raw API responses, are retained for up to 7 days, then permanently deleted. Training metrics already written to matched sessions (duration, distance, elevation) remain as part of your training history. See Section 11 for the full retention overview.
Webhook verification
Strava delivers activity updates via webhooks. We verify inbound webhooks by matching the subscription_id against our registered subscription.
Historical import
At connection time, we import up to 180 days of past activities. After that, new activities are received via Strava's webhook event system in near-real-time.
Activity deletion
If you delete an activity on Strava, we receive a webhook notification and remove the corresponding imported record from TrailMath within 48 hours. Training metrics already recorded on your sessions (duration, distance, elevation) are retained as part of your training history.
Disconnection
When you disconnect Strava from TrailMath, we call the Strava deauthorization endpoint to revoke our access tokens, and delete all tokens and cached activity imports from our database. Training metrics already recorded on your sessions are retained as part of your training history.
6.3 Garmin
Permissions requested
We request activity_export (to receive your activities) and training_api (to send workouts to your device) scopes. The OAuth flow uses PKCE (Proof Key for Code Exchange) for added security.
Data flow direction
Bidirectional. We receive activity data from Garmin and can send workout structures to your Garmin device.
Data received from Garmin
Activity type, name, date, duration, distance, elevation gain, heart rate summary, and the raw API response.
Retention of imported data
Imported activity records, including raw API responses, are retained for up to 7 days, then permanently deleted. Training metrics already written to matched sessions (duration, distance, elevation) remain as part of your training history. See Section 11 for the full retention overview.
Data sent to Garmin
When you choose to push a workout to your Garmin device, we send: workout name, date, duration, sport type, and structured steps (warmup, intervals, cooldown, pace/heart-rate zones, exercise names, sets, and reps for strength workouts). No personal information, email address, or cross-platform data is included in outbound workout payloads.
Webhook verification
Garmin delivers activity updates via webhooks. We verify inbound Garmin webhooks using HMAC-SHA256 signature validation.
Disconnection
When you disconnect Garmin from TrailMath, we delete all OAuth tokens from our database. Note: Garmin's API does not provide a remote token revocation endpoint, so we cannot programmatically revoke access on their side. You can revoke TrailMath's access directly from your Garmin Connect account settings. Workouts previously pushed to your device will remain on the device.
6.4 Third-Party Privacy Policies
Strava and Garmin are independent data controllers for data they hold about you. They are not sub-processors of TrailMath – you connect to them directly via OAuth, and their privacy practices are governed by their own policies:
6.5 Your Control
- All platform connections are optional – TrailMath works without them.
- You can disconnect any platform at any time from your account settings.
- You can also revoke access directly from your Strava or Garmin account settings.
7. Mobile Apps and Push Notifications
TrailMath is available as a mobile application. The mobile app accesses the same account and data described in this policy.
7.1 Push Notifications
If you opt in to push notifications, we use Firebase Cloud Messaging (FCM) operated by Google to deliver them. When you enable notifications, your device provides a registration token which we store and associate with your account. This token is an opaque identifier – it does not contain personal information.
Notification messages are composed on our servers in the EU. To deliver them, we send Google's Firebase Cloud Messaging service only the device registration token (an opaque identifier) along with a brief, generic prompt (e.g., "You have a session today"). No detailed training data, personal identifiers, or message content beyond this brief prompt is transferred to Google.
You can disable push notifications at any time through your device's notification settings. When you disable notifications or delete your account, we delete the associated device tokens.
7.2 App Store Distribution
The mobile app is distributed through the Google Play Store and/or Apple App Store. These platforms may collect their own data (crash reports, install analytics) governed by their respective privacy policies. TrailMath does not control or receive this data.
8. Sharing and Recipients
We do not sell your data. We do not share data with advertisers.
8.1 Sub-Processors
We use the following sub-processors to provide the service:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting, database, backups | Germany (EU) |
| AI provider (currently Mistral AI) | AI coaching suggestions. API inputs are not used for model training. | EU (currently France) |
| Bunny Fonts (BunnyWay d.o.o.) | Web font delivery | EU |
| Google LLC (Firebase Cloud Messaging) | Push notification delivery (when enabled). Only device registration tokens (opaque IDs) are shared with Google for message routing; notification content is composed in the EU. | EU/US |
8.2 Connected Third-Party Platforms
Strava and Garmin are independent data controllers, not sub-processors. Data flows to and from these platforms are initiated by you through OAuth connections. See Section 6 for details.
8.3 Legal Requirements
We may disclose personal data if required by law, regulation, legal process, or governmental request.
9. International Transfers
All primary data is stored on Hetzner servers in Germany. AI processing currently takes place within the EU.
When you connect Strava or Garmin, data is transferred to and from services in the United States. These transfers occur on the basis of your explicit consent (Art. 49(1)(a) GDPR) – you actively initiate each connection knowing data will be transferred to the US.
Firebase Cloud Messaging (if push notifications are enabled) receives device registration tokens – opaque identifiers with no personal data – to route notifications. These tokens may be processed in the US. The notification content itself is a brief, generic prompt composed on our EU servers. Google participates in the EU-US Data Privacy Framework.
We recommend checking whether each provider participates in the EU-US Data Privacy Framework or offers Standard Contractual Clauses for additional safeguards.
10. Cookies, Local Storage, and Device Storage
10.1 Cookies
TrailMath uses the following cookies, all of which are essential for the application to function. We do not use analytics cookies, tracking pixels, or third-party advertising cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| trailmath_session | Session authentication | Session (expires on browser close or after configured lifetime) |
| XSRF-TOKEN | Cross-site request forgery protection | Session |
10.2 Local Storage (Browser)
We use browser localStorage to store your dark mode preference. This is a non-tracking, functional storage that stays on your device and is not sent to our servers.
10.3 Device Storage (Mobile)
The mobile app may store authentication tokens and user preferences in secure device storage (Keychain on iOS, Keystore on Android). This data remains on your device and is cleared when you log out or uninstall the app.
11. Retention
| Data Category | Retention Period |
|---|---|
| Account and profile data | Until account deletion |
| Training data (plans, sessions, notes, strength data) | Until account deletion |
| Health and injury data | Until you delete the record or delete your account |
| Processed activity data (matched sessions) | Until account deletion |
| Imported activity records (Strava/Garmin) | Retained for up to 7 days, then permanently deleted. Training metrics derived from matched activities are retained as part of your training history. |
| OAuth tokens (connected platforms) | Deleted immediately on disconnect |
| Coach conversation history | Until account deletion |
| Push notification device tokens | Until you disable notifications or delete your account |
| Technical/security logs | Retained for a limited period for debugging and security purposes |
When you delete your account, active data (profile, training data, conversations, tokens, and connected platform data) is deleted immediately from our production database. Encrypted database backups are overwritten according to our backup rotation schedule.
12. Security
We employ the following technical measures to protect your data:
- Encryption in transit: TLS 1.2 or higher for all connections
- Encryption at rest: Application-level AES-256-CBC encryption for sensitive fields (OAuth tokens, API keys); Hetzner infrastructure-level protections for underlying storage
- Password hashing: bcrypt with per-user salts
- OAuth security: PKCE for Garmin, state parameter validation for all OAuth flows
- Webhook verification: HMAC-SHA256 signature validation on inbound Garmin webhooks; subscription ID matching for Strava webhooks
- Token storage: OAuth tokens stored with application-level AES-256-CBC encryption
- CSRF protection: Token-based cross-site request forgery protection on all state-changing requests
Data breach notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR) and notify affected users without undue delay (Art. 34 GDPR) where the breach is likely to result in a high risk.
13. Your Rights
Under the GDPR, you have the right to:
- Access (Art. 15) – Request a copy of the data we hold about you
- Rectification (Art. 16) – Correct inaccurate personal data
- Erasure (Art. 17) – Request deletion of your account and associated data
- Restriction (Art. 18) – Request that we limit processing of your data in certain circumstances
- Portability (Art. 20) – Export your training data in a standard, machine-readable format
- Objection (Art. 21) – Object to processing based on legitimate interest
- Withdraw consent (Art. 7(3)) – Where processing is based on consent (e.g., platform connections, injury data, push notifications), you may withdraw consent at any time without affecting the lawfulness of prior processing
Account deletion is available directly within the app under account settings. You can also request deletion by emailing us.
To exercise any of these rights, email support@trailmath.run. We will respond within 30 days. If we need an extension (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
Supervisory authority: If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
14. Changes and Contact
Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. For significant changes (new data categories, new sub-processors, changes to your rights), we will provide at least 14 days' advance notice via in-app notification or email before the changes take effect.
Minor clarifications or formatting changes may be made without advance notice. The "Last updated" date at the top of this page reflects the most recent revision.
Contact
For any questions about this privacy policy, your data, or to exercise your GDPR rights:
SC EXPRESS DESIGN SRL (CUI RO19127375)
Brașov, Romania
Email: support@trailmath.run