Skip to content
TFTrainingFlow
Preview race

Privacy Policy

Last updated: 2026-05-27

This policy explains what data TrainingFlow collects, why, and how you can remove it. It is written in plain language; the legal anchor is the EU General Data Protection Regulation (GDPR) and the German BDSG.

1. Controller

The controller responsible for processing your data is the operator listed in the Impressum. You can reach us by email at moin [at] kristianhoffmann.de.

2. What we collect, and why

Account & authentication

Email address and encrypted password credentials for account sign-in. Stored in Supabase (EU region, Frankfurt). Legal basis: Art. 6(1)(b) GDPR — contract performance.

Athlete profile (sensitive)

Birth year, weight, gender (optional), recent race times, training volume, experience. Treated as Art. 9 GDPR special-category health data because performance and weight indirectly reveal health information. We only process this data with your explicit consent (Art. 9(2)(a) GDPR), captured via the checkbox in your profile setup. You can withdraw consent at any time by deleting your profile or your account.

Race strategies

Each strategy stores the computed splits, nutrition plan, the athlete-profile snapshot that produced them, and the AI-narrative output. Retained until you delete it or your account.

Free-plan abuse prevention

When a free lifetime strategy is claimed, we store SHA-256 hashes of the request IP address, user agent, and a combined request fingerprint. These hashes help limit repeated free claims from the same browser or network without storing the raw IP address or raw user agent. Legal basis: Art. 6(1)(f) GDPR — abuse prevention and service security.

Billing

If you subscribe to Pro, payment is handled by Stripe (EU). We store only the Stripe customer ID and subscription status, never your card number. Legal basis: Art. 6(1)(b) GDPR.

Analytics

We use Google Analytics 4 only after explicit consent. Before consent, the Google Analytics tag is not loaded. After consent, Google may process page views, referrers, approximate location, device data and pseudonymous identifiers. Google states that GA4 does not log or store individual IP addresses from EU users.

Server logs

Vercel (our hosting provider), GitHub (source and deployment metadata) and Supabase log basic technical request data (IP, user agent, timestamps) for security and abuse prevention. IPs in our application logs are stored only as SHA-256 hashes. Logs are rotated within 30 days.

3. AI processing

TrainingFlow uses Anthropic's Claude API to convert pacing numbers (computed deterministically on our servers) into readable narrative text. We do not send personally identifying information to Anthropic — only the numerical race plan and a non-PII athlete summary. Anthropic operates as a processor under a DPA; their policy is to delete API inputs within 30 days and not to train on them.

4. Third-party processors

  • Supabase Inc. — database + authentication (primary database region Frankfurt, Germany)
  • Vercel Inc. — hosting and serverless delivery
  • GitHub — source code and deployment metadata
  • Stripe Payments Europe Ltd. — payment processing (Ireland)
  • Anthropic PBC — AI narrative generation (US, DPA-bound)
  • Resend (privacy@resend.com) — transactional emails
  • Google Ireland Limited — Google Analytics 4 after consent

For US-based processors we rely on EU-US Data Privacy Framework certifications and/or Standard Contractual Clauses.

5. Your rights

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17) — also available as a one-click action in /profile
  • Right to restriction (Art. 18)
  • Right to data portability (Art. 20) — export available on request
  • Right to object (Art. 21) — including profiling for analytics
  • Right to withdraw consent for Art. 9 health data (Art. 9(2)(a)) — by clearing your athlete profile
  • Right to complain to a supervisory authority — for residents of Germany, this is the data protection authority of the federal state where you live

To exercise any of these rights, email moin [at] kristianhoffmann.de.

6. Retention

Account data is retained while your account exists. Generated strategies are retained until you delete them. Stripe billing records are retained for 10 years per § 147 AO (German tax retention law). Google Analytics data follows the retention settings in GA4.

7. Cookies

We use strictly necessary storage for authentication. Google Analytics is optional and is loaded only after consent under § 25(1) TDDDG.

8. Changes to this policy

When we materially change this policy, we will notify active users by email and update the "Last updated" date above. Continued use after changes constitutes acceptance.

Analytics consent

We use Google Analytics only after consent to understand reach and product usage.