Privacy Policy

Introduction

This is the privacy policy of THX IT Oy in accordance with the Personal Data Act (sections 10 and 24) and the General Data Protection Regulation (GDPR) of the European Union. THX IT Oy serves both individuals and companies. THX IT Oy processes personal data carefully and securely. This privacy statement describes how THX IT Oy handles your personal data. It includes information about our customer registry and your rights related to your data. We also explain our use of cookies and how we keep your information secure.

Why We Collect and Use Your Personal Data (Legal Basis and Purpose)

We process your personal data for different reasons, and we always have a legal basis for doing so. Here's a breakdown:

1. To Provide You with the TrainFlow Service (Contractual Basis)
   
   • Legal Basis: Article 6(1)(b) GDPR – We need to process your data to fulfill our contract with you, or to get ready to enter into a contract with you.
   • Purpose: When you sign up for TrainFlow (on our website or app) and agree to our Terms of Service and Privacy Policy, you enter into an agreement with us. We use your personal data to:
   • Give you the TrainFlow service: This includes setting up and managing your account, letting you use the platform, processing your training information, creating personalized training plans, connecting you with coaches (if you choose), and making sure the service works as it should, as described in our Terms of Service.
   • Manage your account and help you: This includes talking to you about your account, answering your questions, fixing problems, and providing technical support.
   • Process payments (if you subscribe): If you pay for TrainFlow, we process your data to manage your subscription and handle payments.
2. To Improve Our Service and for Our Business Needs (Legitimate Interests)
   
   • Legal Basis: Article 6(1)(f) GDPR – We can process your data if it's necessary for our legitimate business interests, as long as it doesn't outweigh your rights and freedoms.
   • Purpose: We use your personal data because we have legitimate interests in:
     • Making TrainFlow better: We analyze how people use TrainFlow to understand what's working well and what we can improve. This helps us develop new features and make the service easier and more enjoyable to use. We try to use data that is grouped together and doesn't identify you personally whenever possible.
     • Marketing similar services to you (with opt-out): We may send you information about updates, new features, and other services from THX IT Oy that are similar to TrainFlow and that we think you might be interested in. You can always tell us to stop sending these messages (opt-out). You have the right to object to this at any time (see the section "Your Rights"). We will make sure our marketing messages are relevant to you.
     • Keeping TrainFlow secure and preventing fraud: We monitor how people use TrainFlow to find and prevent any illegal activity, misuse of the service, and to make sure our platform and your data are safe.
     • Running our business efficiently: We use your data for internal administration, reporting, and to make sure our business runs smoothly.
3. When You Give Us Your Permission (Consent)
   
   • Legal Basis: Article 6(1)(a) GDPR – We can process your data if you have given us your clear consent for a specific purpose.
   • Purpose: In some cases, we may ask for your consent to use your personal data. This might be for:
     • Marketing that is not about similar services: If we want to send you marketing about other products or services from THX IT Oy or from other companies that are not directly related to TrainFlow, we will ask for your explicit permission.
     • Optional features: If we add new features to TrainFlow that are not essential to the core service and require us to use your data in a new way that isn't covered by our legitimate interests, we may ask for your consent.
     • Sensitive health data (if needed and beyond what's necessary for TrainFlow): If we ever need to process very sensitive health information that goes beyond what is normally used for training and performance tracking in TrainFlow, we would ask for your explicit consent, unless there's another legal reason to do so (like if it's needed for medical reasons).
4. To Follow the Law (Legal Obligation)
   
   • Legal Basis: Article 6(1)(c) GDPR – We need to process your data to comply with legal obligations.
   • Purpose: We may need to use your personal data to meet legal requirements, such as accounting rules, tax laws, or if we are asked to provide information to government authorities.

   In short: The main reason we process your personal data is to provide you with the TrainFlow service, as agreed when you sign up. We also use it for our legitimate business interests like improving the service and marketing similar services (with an opt-out). We may ask for your consent for specific marketing or features, and we will also process your data when required by law.

What Information We Collect (Content of the Registry Data)

We collect the personal information needed to provide you with the TrainFlow service and to improve it. This information includes:

• Contact details you provide when you register on https://trainflow.app:
  • Your name and surname
  • Your email address
  • Your password
• Optional information you can add to your profile on https://trainflow.app:
  • Profile picture
  • Contact information: email address, phone number, social media usernames (for connecting with other users)
  • Location (country and city)
  • "About me" information
  • Types of activities you are interested in (e.g., running, cycling, swimming)
  • Gender
  • Date of birth
  • Height and weight
  • Information about your fitness levels, such as your anaerobic threshold (AT) and training zones.
• Training data you enter while using https://trainflow.app:
  • Planned and completed workouts
  • Events, measurements, competitions
  • Long-term training plans
  • Workout templates and categories
  • Training plans you use and share with other users
  • Training plans you publish in the Training Plan Store
  • Other data related to how you use the app.
• Data from connected services (Garmin Connect, Strava, Apple Health, Polar Flow, Suunto, Coros):
  • Garmin Connect: If you connect your Garmin Connect account, you will be redirected to Garmin Connect to authorize TrainFlow to access your workout data through their API. This authorization process uses industry-standard protocols (like OAuth 2.0) and does not require you to share your Garmin Connect username or password with TrainFlow. Once authorized, we can import your workout data (runs, walks, swims, rides, etc.) and related information (track, distance, speed, time, calories burned, heart rate, power, etc.) into TrainFlow. You can revoke TrainFlow's access to your Garmin Connect data at any time through your Garmin Connect account settings.
  • Strava: If you connect your Strava account, you grant us permission to access your Strava profile and your workout data (runs, walks, swims, rides, etc.) and related information (track, distance, speed, time, calories burned, heart rate, power, etc.). You can revoke TrainFlow's access to your Strava data at any time through your Strava account settings.
  • Apple Health (Apple Watch): If you choose to connect TrainFlow to Apple Health (which may be used to collect data from your Apple Watch), you will be asked to grant TrainFlow permission to access specific data types within Apple Health, such as workout data, heart rate, and activity levels. You control which data TrainFlow can access through your Apple Health privacy settings. We import workout data and related information (track, distance, speed, time, calories burned, heart rate, etc.) from Apple Health into TrainFlow. You can revoke TrainFlow's access to Apple Health data at any time through your Apple Health settings.
  • Polar Flow (Polar Watch): If you connect your Polar Flow account, you will be redirected to Polar Flow to authorize TrainFlow to access your workout data through their API. This authorization process uses industry-standard protocols (like OAuth 2.0) and does not require you to share your Polar Flow username or password with TrainFlow. Once authorized, we can import your workout data and related information (track, distance, speed, time, calories burned, heart rate, power, etc.) from Polar Flow into TrainFlow. You can revoke TrainFlow's access to your Polar Flow data at any time through your Polar Flow account settings.
  • Suunto: If you connect your Suunto account, you will be redirected to Suunto to authorize TrainFlow to access your workout data through their API. This authorization process uses industry-standard protocols (like OAuth 2.0) and does not require you to share your Suunto username or password with TrainFlow. Once authorized, we can import your workout data and related information (track, distance, speed, time, calories burned, heart rate, power, etc.) from Suunto into TrainFlow. You can revoke TrainFlow's access to your Suunto data at any time through your Suunto account settings.
  • Coros: If you connect your Coros account, you will be redirected to Coros to authorize TrainFlow to access your workout data through their API. This authorization process uses industry-standard protocols (like OAuth 2.0) and does not require you to share your Coros username or password with TrainFlow. Once authorized, we can import your workout data and related information (track, distance, speed, time, calories burned, heart rate, power, etc.) from Coros into TrainFlow. You can revoke TrainFlow's access to your Coros data at any time through your Coros account settings.
• Contact details if you subscribe to our newsletter:
  • Your name
  • Your email address
• Information when you contact our support team:
  • Your name
  • Your email address
• Technical information collected automatically:
  • When you use our website and app, we automatically record information about your interaction with features, content, and links (including social media plugins).
  • Your IP address
  • Browser type and settings
  • Date and time of use
  • Browser configuration and plugins
  • Language preferences
  • Cookie data
  • Information about your device (type, operating system, unique identifiers, error information).
• We use this Personal Data to:
  • Communicate with you
  • Set up your account
  • Maintain your account and give you access to TrainFlow
  • Contact you about account issues
  • Send you information and offers
  • Allow you to use interactive features and programs on TrainFlow
  • Connect you with coaches
  • Help you with technical problems and provide support
  • Offer educational workshops and materials
  • Personalize and improve your experience on TrainFlow
  • Develop new features and services
  • Connect with other apps you use
  • Analyze and improve TrainFlow
  • Customize content, ads, and offers
  • Measure how well TrainFlow is performing
  • Provide information about data privacy and security
  • Help keep TrainFlow secure
  • Investigate and prevent illegal activities or violations of our Terms of Use
  • Run our business efficiently
  • Comply with laws
  • Protect our legal rights and the rights of others.

Where We Get Your Information From (Regular sources of information)

We collect personal information directly from you when you register for TrainFlow and use the service. We also collect information when you:

• Fill out forms on our website
• Contact us by email or phone
• Interact with us on social media
• Enter into contracts with us
• Meet with us as a customer
• Otherwise share your information with us.

Where Your Data Is Processed and Who We Share It With (Regular data transfers and data transfers outside e EU or EEA)

Where Your Data Is Stored:

Your personal data is currently stored and processed within the European Union (EU) and the European Economic Area (EEA). Our servers and computer systems are located in the EU/EEA.

Sharing Data with Service Providers within the EU/EEA:

To operate TrainFlow effectively, we use third-party service providers who process data on our behalf within the EU/EEA. These providers help us with:

• Hosting and Cloud Services: Storing your data and running our platform securely and reliably.
• Payment Processing: Handling payments for subscriptions securely.
• Analytics: Understanding how users use TrainFlow to improve it. This data is often anonymized.
• Customer Support: Managing and responding to your support requests.
• Email Communication: Sending you important notifications, updates, and marketing messages (if you have agreed to them).
• Other Services: Providing security, data backups, and software development tools.

All our service providers are legally required to protect your data according to GDPR and our instructions. We have agreements with them to ensure your personal data is safe.

We Do Not Regularly Send Data Outside the EU/EEA:

Currently, we do not regularly transfer personal data outside the EU or EEA. All our systems and service providers are located within the EU/EEA.

If We Need to Transfer Data Outside the EU/EEA in the Future:

If we ever need to send your data outside the EU or EEA (for example, if we use a service provider located outside this area), we will make sure it's done legally and securely, following GDPR rules. This means we will use safeguards like:

• Standard Contractual Clauses (SCCs): Using standard contracts approved by the European Commission with the data recipient in the other country.
• Binding Corporate Rules (BCRs): For data transfers within large company groups (if applicable).
• Adequacy Decisions: Transferring data to countries that the EU considers to have good data protection laws (like Canada or Switzerland).
• Other legal methods approved under GDPR.

We will update this Privacy Policy if we change how we transfer data, including information about the safeguards we use for any data transfers outside the EU/EEA.

How We Protect Your Data (Registry protection principles)

We take data security seriously and work hard to protect your personal data. We use appropriate technical and organizational measures to protect your personal data from unauthorized access, use, or disclosure. These measures include:

• Encryption: We use encryption to protect your personal data both when it's being sent and when it's stored.
• Access Controls: Access to your personal data is limited to authorized personnel who need it to perform their job duties.
• Regular Security Assessments: We conduct regular security checks to ensure our systems are secure.
• Data Minimization: We only collect and keep personal data that we actually need.
• Confidentiality: We ensure that access to your data is only granted to employees who need it for their work.

We continuously review and update our security measures to ensure they are effective and in line with industry best practices. We will notify you of any significant changes by email or notice on the website.

Your Rights Regarding Your Data (Right to check and right to demand correction of information and Other rights related to the processing of personal data)

Right to Access and Rectify Your Data You have the right to access the personal data we hold about you in our registry. If you find that any of your personal data is inaccurate or incomplete, you have the right to request that we correct or complete it.
If you wish to access your personal data or request a correction, please send a written request to the controller (contact details provided above). To protect your privacy and security, we may need to verify your identity before providing access to or correcting your personal data. We will respond to your request within the timeframe specified by the EU General Data Protection Regulation (GDPR), which is usually within one month.
Other Rights You Have:
Under the General Data Protection Regulation (GDPR), you also have the following rights:

• Right to Erasure ("Right to be Forgotten"): You can ask us to delete your personal data from our registry.
• Right to Restrict Processing: You can ask us to limit how we use your personal data in certain situations.
• Right to Data Portability: You can ask to receive your personal data in a machine-readable format and transfer it to another service provider.
• Right to Object: You can object to the processing of your personal data for certain purposes, such as direct marketing.
• Right to Withdraw Consent: If we are processing your data based on your consent, you can withdraw your consent at any time.
• Right to Lodge a Complaint with a Supervisory Authority: You have the right to file a complaint with a data protection authority if you believe we are not processing your data legally.

To exercise any of these rights, please send a written request to the controller (contact details provided above). We may need to verify your identity before processing your request. We will respond to you within the timeframe specified by the GDPR (usually within one month).

Cookie Policy

This website, https://trainflow.app, uses only essential cookies to make sure the site works properly and provides you with a good user experience.
What are essential cookies?
Essential cookies are necessary for our website to function. They allow for:

• Website Navigation: Moving around the website and using its features.
• Secure Access: Accessing secure areas of the website, like your account.
• Session Management: Keeping you logged in and remembering your preferences as you browse.

Essential cookies do not require your consent:
According to privacy regulations like the ePrivacy Directive and GDPR, we don't need to ask for your consent to use essential cookies. These cookies are necessary for the website to work as expected, and we have a legitimate interest in using them.

Managing Cookies:
While essential cookies are necessary, most browsers allow you to control cookies in your browser settings. However, please remember that blocking essential cookies may prevent the https://trainflow.app website from working correctly. For more information on managing cookies, please check your browser's help section.