The short version: Training Form collects your training data to coach you. We never sell it, never share it with advertisers, and never use it for any purpose other than providing the service. Your health and activity data is private by design.
1. Who we are
Training Form is an iOS application that connects to your training data sources, calculates training load metrics (CTL, ATL, and TSB), and delivers coaching guidance to help you train smarter.
For privacy inquiries, contact us at support@trainingform.app.
2. What data we collect
We collect the minimum data necessary to provide the service:
- Account information — email address, display name, and a securely hashed password (or Apple ID if you use Sign in with Apple). We never store your password in plain text.
- Training activity data — raw activity streams from connected sources including power output, heart rate, pace, altitude, duration, and sport type. This data is fetched from Strava or Apple HealthKit with your explicit permission.
- Health and fitness data — when you connect Apple HealthKit, we access workout data and heart rate samples to calculate training load. This requires explicit permission granted through the iOS HealthKit authorization prompt.
- Configuration data — training thresholds (FTP, LTHR, threshold pace), biometric data (weight, resting heart rate, max heart rate, date of birth), HR zones, aggression level, and race events you enter manually.
- Derived metrics — CTL, ATL, TSB, Training Stress Score (TSS), and zone distribution calculated internally from your raw activity data.
3. What we do not collect
- We do not collect location data beyond what is embedded in activity GPS tracks.
- We do not collect device identifiers for advertising purposes.
- We do not use analytics SDKs or third-party tracking tools.
- We do not collect data from sources you have not explicitly connected.
4. How we use your data
Your data is used exclusively to provide the Training Form service:
- Calculating your CTL, ATL, and TSB from raw activity streams
- Generating Form Guidance coaching recommendations specific to your training state
- Producing workout suggestions calibrated to your race phase and aggression level
- Displaying your activity history, personal records, and training load balance
- Estimating training thresholds when you have not set them manually
We never use your data for advertising, profiling, research, or any purpose beyond what is described here.
5. Apple HealthKit data
Training Form accesses Apple HealthKit data solely to provide coaching functionality within the app. Specifically:
- HealthKit data is never used for advertising or marketing purposes.
- HealthKit data is never shared with third parties.
- HealthKit data is never sold under any circumstances.
- HealthKit workout and heart rate data is transmitted securely to our backend for training load calculation only.
- You can disconnect Apple Health at any time from Settings → Manage Connections.
Access to HealthKit requires explicit permission granted through the iOS authorization prompt. You may revoke this permission at any time in iOS Settings → Privacy & Security → Health.
6. Third-party services
Training Form integrates with the following third-party services when you choose to connect them:
- Strava — we access your activity data via Strava's OAuth API with your explicit authorisation. We fetch raw activity streams only. We never post to Strava on your behalf. You can disconnect Strava at any time from Settings → Manage Connections.
- Supabase — our database provider, hosting activity data and account information on PostgreSQL infrastructure. Data is stored in a secure, access-controlled environment.
- Railway — our backend hosting provider. Activity processing occurs on Railway infrastructure.
We do not share your personal data with these providers beyond what is necessary to operate the service.
7. Data storage and security
- All data is transmitted over HTTPS. We do not use unencrypted HTTP connections.
- Passwords are hashed using bcrypt before storage. Plain text passwords are never stored.
- Authentication uses JWT tokens stored in the iOS Keychain — not in UserDefaults or any less secure location.
- OAuth tokens from Strava are stored encrypted in our database and never exposed in API responses or logs.
- Activity streams are compressed before storage to minimise data footprint.
8. Data retention and deletion
You can delete your account and all associated data at any time from the Profile sheet within the app. Deletion is permanent and immediate — all activity data, configuration, and account information is removed from our systems upon request.
To request deletion by email, contact support@trainingform.app. We will process deletion requests within 7 days.
9. Children's privacy
Training Form is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us at support@trainingform.app and we will delete it promptly.
10. Changes to this policy
If we make material changes to this privacy policy, we will update the date at the top of this page. Continued use of the app after changes constitutes acceptance of the updated policy.
11. Contact
For any privacy questions, data requests, or concerns, contact us at support@trainingform.app. We respond to all privacy inquiries within 7 days.