Privacy Policy — Train The Day

Train The Day ("TTD", "we", "us", "our") provides the Train The Day website, waitlist, and training application. This Privacy Policy explains how we handle personal information when you use our services.

We follow the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) and, where applicable, the GDPR (EU/UK) and the CCPA/CPRA (California).

Types of information

Personal information is information or an opinion, whether true or not and whether recorded in a material form or not, about an individual who is identified or reasonably identifiable.

Sensitive information is a subset of personal information that is given a higher level of protection, including where applicable health information, biometric information, and other categories defined under applicable law.

1. Information we collect

We may collect the following categories of personal information, depending on how you use Train The Day:

Identity and contact details: name, email address, and similar identifiers you provide (e.g. waitlist sign-up, account registration).
Account and authentication data: user identifiers, OAuth tokens and scopes for connected services (we do not receive or store passwords for third-party providers).
Training and activity data you import or sync from connected devices and platforms (see Garmin Connect and Other connected fitness and device providers below), including workouts, routes, health and performance metrics, and related metadata as permitted by the integration.
Product usage: training plans, preferences, voice or chat interactions with the AI coach where you use those features, and similar in-app data you choose to provide.
Technical data: browser session, device and network information, approximate location, statistics on page views and sessions, and similar diagnostics needed to operate and secure the service.
Communications: messages you send to us (e.g. support or feedback).
Payment-related information as processed by our payment providers (we do not store full card details on our own servers).

Analytics (website). We use privacy-conscious analytics (e.g. Plausible or Openpanel in privacy-friendly configurations) to understand aggregate website usage. These tools are configured to minimise personal data collection.

We do not actively seek sensitive information beyond what is necessary to provide the service (for example, health or activity data you choose to connect). Where we process sensitive categories under law, we do so only where permitted and with appropriate safeguards (including consent where required).

2. How we collect personal information

Directly from you — for example when you join the waitlist, create an account, connect an integration, or contact us.
Automatically — when you use our website or app, including through cookies or similar technologies where applicable (see Cookies & tracking).
From third parties — when you authorise connections to Garmin, Wahoo, or other partners, we receive information from those providers according to the permissions you grant.

3. How we use your information

We use personal information to:

Provide, operate, and improve Train The Day;
Authenticate you, sync data you have authorised, and deliver training plans, coaching features, and insights;
Communicate with you about the product, waitlist, and (where you opt in) marketing;
Analyse, secure, and debug our services;
Comply with law and enforce our terms; and
Respond to your requests and support needs.

Where the GDPR applies, we rely on appropriate lawful bases such as contract, legitimate interests, consent (for optional features or marketing where required), and legal obligation.

We do not sell personal data.

4. Sharing and disclosures

We may disclose personal information to the following categories of recipients, only as needed to run Train The Day:

Infrastructure and service providers (e.g. cloud hosting, databases, email delivery, analytics, security, and customer support tools);
Payment processors for transactions you initiate;
AI or processing vendors where a feature requires it, subject to our data-minimisation practices and agreements;
Professional advisers where required;
Successors in the event of a merger, acquisition, or asset sale; and
Authorities and others when required or permitted by law.

We share only the minimum information necessary with third-party platforms and integrations that you enable (for example OAuth-based sync). A current list of key sub-processors is available on request.

5. International transfers

Our service providers may process or store data in countries including Australia, the United States, and other regions. Where we transfer personal information internationally, we take steps that are reasonable in the circumstances to protect your information in line with applicable privacy laws (including appropriate contractual safeguards where required).

6. Security

We use industry‑standard measures including encryption in transit (TLS), encryption at rest where appropriate, access controls, and monitoring. No method of transmission over the Internet is perfectly secure; you use Train The Day at your own risk in that regard. We will notify affected users and regulators where required by law in the event of a material breach.

7. Retention and deletion

We retain personal information for as long as your account is active or as needed to provide the service, plus a reasonable period afterwards for backups, legal compliance, and dispute resolution. Waitlist emails are retained until you unsubscribe or request deletion. Backup and log retention may persist for a limited additional period (typically on the order of weeks to months).

When you disconnect an integration (such as Garmin), we stop collecting new data from that provider; retention of historical data already stored is handled as described in this policy and in the integration-specific sections below.

8. Your rights

Subject to applicable law, you may request access, correction, deletion, restriction, objection, or portability of your personal information. You may withdraw consent where processing is based on consent.

California residents: We do not "sell" or "share" personal information for cross‑context behavioural advertising as those terms are defined under the CCPA/CPRA. You may exercise applicable CCPA rights by contacting us.

To make a request, contact privacy@traintheday.com.

9. Cookies & tracking

We may use cookies and similar technologies for essential functions such as authentication and session management. Where we use optional analytics cookies, you can control them through your browser settings; blocking all cookies may affect functionality.

10. Third‑party services and AI

Some features rely on third‑party platforms (hosting, messaging, analytics, AI inference). For AI‑powered features, we apply data‑minimisation and do not use your information to train public foundation models for those providers unless we tell you otherwise and we have a lawful basis. We send data to AI providers only where needed to deliver the feature you use and under appropriate contractual terms.

11. Links to other websites

Our services may link to third-party sites (including device and fitness partners). Those sites are not governed by this policy; please read their privacy notices.

12. Children's privacy

Train The Day is not directed at children under 16. We do not knowingly collect personal information from children under 16.

13. Garmin Connect and Garmin API

This section applies when you connect Train The Day to Garmin Connect or other Garmin services through our integration.

Data we may receive from Garmin

With your consent, we may collect the following categories of information through Garmin APIs, depending on the scopes you authorise:

Account identifiers and athlete profile information (such as name, email, age, gender, weight, height as permitted by scope);
Activity data including workout summaries, detailed activity files (including FIT where applicable), GPS tracks, routes, and segments;
Health and fitness metrics including heart rate, heart rate variability, respiration, pulse oximetry (SpO2), stress, body battery, sleep data, and training readiness;
Performance metrics such as VO₂ max, lactate threshold, training status, training load, recovery time, and fitness age;
Device information including device model, firmware version, and sensor data;
Goals, plans, and scheduled workouts;
Any other data you authorise us to access through Garmin Connect; and
OAuth tokens and scopes (we do not receive or store your Garmin password).

How we use Garmin data

We use Garmin-sourced data solely to:

Import, analyse, and display your activities, workouts, and health metrics within Train The Day;
Generate personalised training plans, insights, and recommendations you request;
Synchronise activities and plans with Garmin Connect where you enable that feature;
Provide coaching, analytics, and performance tracking features;
Improve our services through aggregated, de‑identified or anonymised analysis where permitted; and
Fulfil other purposes you explicitly authorise in the product.

We do not:

Sell your Garmin data to third parties;
Use your Garmin data for third‑party advertising;
Combine your Garmin data across unrelated customers for unrelated commercial purposes; or
Use your Garmin data to train public machine learning models.

We may share Garmin data only with sub‑processors necessary to operate Train The Day (e.g. secure cloud infrastructure) or where required by law, as described in this policy.

Storage and security

Garmin data is stored in our secure cloud environment with encryption in transit and at rest where applicable;
Access is limited to authorised personnel and systems on a need‑to‑know basis;
OAuth tokens are stored securely and rotated or revoked in line with Garmin platform guidance; and
We implement appropriate technical and organisational measures to protect your data in accordance with this policy.

Data retention

We retain Garmin data while your account is active and the Garmin integration remains connected, subject to our general retention rules;
Historical activity and health data may be retained to provide ongoing analytics and insights unless you request deletion;
Upon disconnection or token revocation, we cease accessing new data from Garmin immediately; and
Deletion of stored historical data follows Retention and deletion above and your requests via privacy@traintheday.com.

Your control

Connect / disconnect: You control the Garmin integration through Train The Day settings and/or your Garmin Connect account;
Revoke access: You may revoke our access to Garmin data at any time via Garmin Connect account settings;
Portability and deletion: You may request a copy or deletion of data we hold by contacting privacy@traintheday.com.

Compliance

We adhere to the Garmin Developer Program Agreement, API Terms of Use, and Branding Guidelines. We access only the data scopes you consent to and use data solely to deliver the features you request, in line with applicable privacy laws.

Garmin's own privacy practices

Garmin's collection and use of your data on Garmin's systems is governed by Garmin's Privacy Policy (see garmin.com/privacy). We are not responsible for Garmin's practices outside what we receive through the authorised integration.

14. Other connected fitness and device providers

Train The Day may offer integrations with additional third‑party fitness, training, and device platforms such as Wahoo, and others as we add them. This section applies to those connections in addition to the general terms of this policy.

Data we may receive

When you connect a partner account, we may receive account identifiers, OAuth tokens and authorised scopes (not your password for that service), and activity or training data such as workouts, summaries, GPS or motion data, health or performance metrics, device metadata, and plans — limited to what each provider's API and your permissions allow.

How we use this data

We use provider-sourced data only to power Train The Day features you choose, including importing and displaying activities, personalising coaching and plans, sync where enabled, and improving the product through aggregated or de‑identified analytics where permitted. We do not sell this data for advertising. We do not use provider-sourced integration data to train public machine learning models. How we use AI inference for product features is described in Third‑party services and AI above.

Your control

You can disconnect integrations in Train The Day settings and/or revoke access in the partner's account or developer portal. Each provider publishes its own privacy policy and controls; we encourage you to review them when you connect an account.

Third‑party responsibility

Each integration partner is responsible for its own collection and use of your data on its systems. We are responsible for our handling of data once it is received in Train The Day under this policy.

15. Privacy collection notice (Australia)

We collect personal information from you and, where you authorise it, from third parties (such as connected fitness accounts) so that we can provide Train The Day, respond to enquiries, operate our website, and for the purposes set out in this Privacy Policy.

We may disclose personal information to service providers, professional advisers, and others described in this policy, including where data may be stored or accessed outside Australia (for example in the United States), in line with the APPs.

If you do not provide certain information, we may not be able to provide parts of the service (for example, without authorising a sync, we cannot import data from that provider). Our Privacy Policy explains how you may access and correct information, and how to make a complaint.

16. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date reflects the current version. Material changes may be notified through the app or by email where appropriate. We encourage you to review this page periodically.

17. Contact us

For questions, privacy requests, or notices:

Privacy: privacy@traintheday.com
Support: support@traintheday.com

We follow the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) and, where applicable, the GDPR (EU/UK) and the CCPA/CPRA (California).

Types of information

Personal information is information or an opinion, whether true or not and whether recorded in a material form or not, about an individual who is identified or reasonably identifiable.

1. Information we collect

We may collect the following categories of personal information, depending on how you use Train The Day:

Identity and contact details: name, email address, and similar identifiers you provide (e.g. waitlist sign-up, account registration).
Account and authentication data: user identifiers, OAuth tokens and scopes for connected services (we do not receive or store passwords for third-party providers).
Training and activity data you import or sync from connected devices and platforms (see Garmin Connect and Other connected fitness and device providers below), including workouts, routes, health and performance metrics, and related metadata as permitted by the integration.
Product usage: training plans, preferences, voice or chat interactions with the AI coach where you use those features, and similar in-app data you choose to provide.
Technical data: browser session, device and network information, approximate location, statistics on page views and sessions, and similar diagnostics needed to operate and secure the service.
Communications: messages you send to us (e.g. support or feedback).
Payment-related information as processed by our payment providers (we do not store full card details on our own servers).

2. How we collect personal information

Directly from you — for example when you join the waitlist, create an account, connect an integration, or contact us.
Automatically — when you use our website or app, including through cookies or similar technologies where applicable (see Cookies & tracking).
From third parties — when you authorise connections to Garmin, Wahoo, or other partners, we receive information from those providers according to the permissions you grant.

3. How we use your information

We use personal information to:

Provide, operate, and improve Train The Day;
Authenticate you, sync data you have authorised, and deliver training plans, coaching features, and insights;
Communicate with you about the product, waitlist, and (where you opt in) marketing;
Analyse, secure, and debug our services;
Comply with law and enforce our terms; and
Respond to your requests and support needs.

Where the GDPR applies, we rely on appropriate lawful bases such as contract, legitimate interests, consent (for optional features or marketing where required), and legal obligation.

We do not sell personal data.

4. Sharing and disclosures

We may disclose personal information to the following categories of recipients, only as needed to run Train The Day:

Infrastructure and service providers (e.g. cloud hosting, databases, email delivery, analytics, security, and customer support tools);
Payment processors for transactions you initiate;
AI or processing vendors where a feature requires it, subject to our data-minimisation practices and agreements;
Professional advisers where required;
Successors in the event of a merger, acquisition, or asset sale; and
Authorities and others when required or permitted by law.

5. International transfers

6. Security

7. Retention and deletion

8. Your rights

To make a request, contact privacy@traintheday.com.

9. Cookies & tracking

10. Third‑party services and AI

11. Links to other websites

Our services may link to third-party sites (including device and fitness partners). Those sites are not governed by this policy; please read their privacy notices.

12. Children's privacy

Train The Day is not directed at children under 16. We do not knowingly collect personal information from children under 16.

13. Garmin Connect and Garmin API

This section applies when you connect Train The Day to Garmin Connect or other Garmin services through our integration.

Data we may receive from Garmin

With your consent, we may collect the following categories of information through Garmin APIs, depending on the scopes you authorise:

Account identifiers and athlete profile information (such as name, email, age, gender, weight, height as permitted by scope);
Activity data including workout summaries, detailed activity files (including FIT where applicable), GPS tracks, routes, and segments;
Health and fitness metrics including heart rate, heart rate variability, respiration, pulse oximetry (SpO2), stress, body battery, sleep data, and training readiness;
Performance metrics such as VO₂ max, lactate threshold, training status, training load, recovery time, and fitness age;
Device information including device model, firmware version, and sensor data;
Goals, plans, and scheduled workouts;
Any other data you authorise us to access through Garmin Connect; and
OAuth tokens and scopes (we do not receive or store your Garmin password).

How we use Garmin data

We use Garmin-sourced data solely to:

Import, analyse, and display your activities, workouts, and health metrics within Train The Day;
Generate personalised training plans, insights, and recommendations you request;
Synchronise activities and plans with Garmin Connect where you enable that feature;
Provide coaching, analytics, and performance tracking features;
Improve our services through aggregated, de‑identified or anonymised analysis where permitted; and
Fulfil other purposes you explicitly authorise in the product.

We do not:

Sell your Garmin data to third parties;
Use your Garmin data for third‑party advertising;
Combine your Garmin data across unrelated customers for unrelated commercial purposes; or
Use your Garmin data to train public machine learning models.

We may share Garmin data only with sub‑processors necessary to operate Train The Day (e.g. secure cloud infrastructure) or where required by law, as described in this policy.

Storage and security

Garmin data is stored in our secure cloud environment with encryption in transit and at rest where applicable;
Access is limited to authorised personnel and systems on a need‑to‑know basis;
OAuth tokens are stored securely and rotated or revoked in line with Garmin platform guidance; and
We implement appropriate technical and organisational measures to protect your data in accordance with this policy.

Data retention

We retain Garmin data while your account is active and the Garmin integration remains connected, subject to our general retention rules;
Historical activity and health data may be retained to provide ongoing analytics and insights unless you request deletion;
Upon disconnection or token revocation, we cease accessing new data from Garmin immediately; and
Deletion of stored historical data follows Retention and deletion above and your requests via privacy@traintheday.com.

Your control

Connect / disconnect: You control the Garmin integration through Train The Day settings and/or your Garmin Connect account;
Revoke access: You may revoke our access to Garmin data at any time via Garmin Connect account settings;
Portability and deletion: You may request a copy or deletion of data we hold by contacting privacy@traintheday.com.

Compliance

Garmin's own privacy practices

14. Other connected fitness and device providers

Data we may receive

How we use this data

Your control

Third‑party responsibility

Each integration partner is responsible for its own collection and use of your data on its systems. We are responsible for our handling of data once it is received in Train The Day under this policy.