Overview

Trinity ("we", "us", or "our") is a training application for hybrid athletes that connects gym logging, running, and recovery into a single system. This Privacy Policy explains what personal data we collect, why we collect it, the legal basis for doing so, how we use and disclose it, and what rights you have.

We are the data controller for all personal data processed through Trinity, including any activity or sleep data imported from third-party services such as Strava, Apple HealthKit, or Google Health Connect.

By creating an account or using the Trinity app you agree to the practices described in this policy. If you do not agree, please do not use our services.

Connected services: Section 5 of this policy describes how Trinity collects, uses, stores, and discloses activity and health data obtained through Strava, Apple HealthKit, and Google Health Connect — all of which are optional and require your explicit permission to enable.

Health data: Trinity processes certain categories of health-related data (including sleep, body weight, heart rate, and exercise data). Section 4 explains what this data is, why we collect it, and the legal basis under UK GDPR Article 9 that applies.

Who We Are

Trinity is operated as a sole trader based in England & Wales, United Kingdom. Our website is trainwithtrinity.co.uk and our app is available on iOS and Android.

For the purposes of UK GDPR and the Data Protection Act 2018, Trinity is the data controller for all personal data you provide directly, and for all data retrieved from third-party services (such as Strava, Apple HealthKit, or Google Health Connect) on your behalf. As data controller, we determine the purposes and means of processing and are responsible for ensuring your data is handled lawfully.

ICO registration is in progress and will be confirmed prior to public launch. You will be able to verify our registration at ico.org.uk.

Data We Collect

Account & Profile Data

When you sign up and set up your profile, we collect:

  • Name and email address
  • Date of birth and biological sex (used to calculate training metrics)
  • Body weight and height
  • Training goals, experience level, and running ability
  • Training preferences and schedule
  • Typical nightly sleep duration (used to personalise sleep-based training adaptations)

Training & Activity Logs

Data you record inside the app, including: completed workout sets and reps, load lifted, body weight measurements, run distance and duration, and sleep logs.

Usage & Diagnostics

We collect pseudonymous app usage data (screens visited, features used, button interactions, session duration) and crash diagnostics to improve the app. This data is linked to a pseudonymous user identifier and processed as described in the Sharing & Sub-Processors section.

Communications

If you contact us by email or sign up to our waitlist, we store your name, email address, and the content of your message.

Device & Local Storage

The app stores certain data locally on your device (using AsyncStorage) to support offline use and reduce server requests. This includes session completion flags, onboarding progress, unit preferences, and notification settings. This data remains on your device and is not transmitted to our servers.

Health Data (Special Category)

Important: Some data Trinity collects constitutes special category data under UK GDPR Article 9 because it relates to your health. We only process this data with your explicit consent, obtained at the point of collection.

Body Weight, Height, and Profile Health Data

Trinity collects your body weight, height, biological sex, and date of birth so it can calculate training metrics (e.g. estimated 1-rep max, energy expenditure, and recovery thresholds). Because this can reflect physical condition, it is treated as health data under UK GDPR Article 9.

Legal basis: Article 9(2)(a), explicit consent. You provide this information voluntarily during onboarding and may update or remove it at any time in your profile settings.

Sleep Data

Trinity collects your self-reported nightly sleep duration and quality. Where you have connected Apple HealthKit or Google Health Connect, Trinity may also read objective sleep metrics (duration and sleep stages) from those sources. Sleep data is used solely to adapt your training load and recovery guidance — for example, automatically reducing prescribed volume after a poor night's sleep.

Legal basis: Article 9(2)(a) — explicit consent (for HealthKit / Health Connect sleep data, via the OS-level permission prompt). Self-reported sleep hours entered in the app are processed on the basis of contract performance (Article 6(1)(b)) as they are integral to the training service, with Article 9(2)(a) explicit consent obtained during onboarding.

Heart Rate, HRV, Steps, and Active Energy

Where you have connected Apple HealthKit or Google Health Connect, Trinity may read resting heart rate, heart rate variability (HRV), step count, and active energy expenditure to provide a more accurate picture of your training load and recovery. These metrics are read on demand and are not transmitted to any third party.

Legal basis: Article 9(2)(a), explicit consent given through the OS-level Health permission prompt. You can revoke individual data-type permissions at any time in iOS Settings > Privacy & Security > Health > Trinity, or in Android Settings > Apps > Health Connect > Trinity.

Withdrawal of Consent

You can withdraw consent for health data processing at any time by contacting us at hello.trinityapp@gmail.com, by revoking individual permissions in your device settings, or by deleting your account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Connected Services

Trinity offers optional integrations with three external services. Each is opt-in, requires your explicit authorisation, and can be revoked at any time. Trinity is the data controller for all data imported from these services into the app — we determine how that data is used to power your training programme.

Apple HealthKit (iOS only)

If you grant permission, Trinity reads the following data types from Apple HealthKit on your device:

  • Sleep analysis (duration and stage breakdown)
  • Resting heart rate
  • Heart rate variability (HRV)
  • Steps
  • Active energy burned
  • Body weight (read-only)
  • Workouts (running and other recorded sport sessions)

HealthKit data is read on demand and stored only when you log a session that incorporates it (for example, an auto-imported run). Trinity does not write to Apple Health. You can revoke individual permissions at any time in iOS Settings > Privacy & Security > Health > Trinity.

Legal basis: Article 9(2)(a), explicit consent via the iOS Health permission sheet.

Google Health Connect (Android only)

Google Health Connect is the Android equivalent of HealthKit. Trinity reads the same data types for the same purposes. You can revoke permissions at any time in Health Connect > Apps > Trinity.

Legal basis: Article 9(2)(a), explicit consent via the Health Connect permission flow.

Strava

If you connect your Strava account, Trinity will automatically import your run, ride, and other endurance activities so you don't have to log them manually. You authorise this connection directly through Strava's OAuth flow; we never see or store your Strava username or password.

Imported Strava data includes:

  • Activity summaries (sport type, distance, duration, pace, elevation, calories, average and max heart rate, perceived effort)
  • Activity dates and times

Imported activities are stored in your Trinity training history and used to compute weekly training load and volume. We do not share Strava data with advertisers, data brokers, or any party other than the infrastructure sub-processors listed below.

You can disconnect Strava at any time in Settings > Strava > Disconnect inside Trinity, or by revoking access in your Strava settings > My Apps. Upon disconnection, we stop fetching new activities. You may also request deletion of all previously imported Strava data — see Your Rights.

Legal basis: Article 9(2)(a), explicit consent via the Strava OAuth flow.

Disclosure of connected-service data

We do not sell, rent, or trade your activity or health data. It may be disclosed only in the following limited circumstances:

  • Infrastructure sub-processors: Supabase Inc. (database and authentication, hosted in the EU) stores imported records on our behalf under a data-processing agreement. Supabase may not use your data for its own purposes.
  • Legal requirements: Where required by law, court order, or governmental authority.
  • Business transfer: In the event of a merger, acquisition, or sale of assets, this data would transfer to the acquiring entity subject to the same privacy commitments described here. You will be notified of any such change before it takes effect.

How We Use Your Data

We process your personal data on the following legal bases under UK GDPR:

  • Contract performance (Article 6(1)(b)) — to create and maintain your account, deliver personalised training suggestions, adapt recommendations based on logged activity, and provide customer support.
  • Explicit consent (Article 9(2)(a) for health data; Article 6(1)(a) for other consent-based processing) — to process body weight, sleep, and any HealthKit / Health Connect metrics; to connect to Strava and other third-party services; to send you optional marketing communications. You can withdraw consent at any time without affecting prior lawful processing.
  • Legitimate interests (Article 6(1)(f)) — to improve our app, prevent fraud, and ensure platform security, where this does not override your rights and freedoms.
  • Legal obligation (Article 6(1)(c)) — where required to comply with applicable law.

We use your data to:

  • Generate personalised training suggestions based on your workout history
  • Adjust suggestions based on your sleep and recovery data
  • Provide progress tracking, strength trends, and pace analysis
  • Display your progress over time (body weight trends, strength estimates, running improvements)
  • Send you in-app and push notifications about your programme (see Notifications)
  • Conduct pseudonymous aggregate analysis to improve our algorithms
  • Comply with legal and regulatory obligations

We do not use your personal data for automated decision-making that produces significant legal or similarly significant effects without human oversight.

Sharing & Sub-Processors

We do not sell your personal data. We share data only with the following named sub-processors, each operating under a data-processing agreement with contractual data-protection obligations:

| Sub-Processor | Location | Purpose | Data Shared |
| --- | --- | --- | --- |
| Supabase Inc. | USA (data hosted in EU — London, AWS eu-west-2) | Database, authentication, and file storage | All account, profile, training, and sleep data |
| PostHog Inc. | USA (EU-hosted instance) | Product analytics — understanding how the app is used to improve it | Pseudonymous user identifier, screen views, feature interactions, session duration. No name, email, or health data. |
| Apple Inc. / Google LLC | USA | App distribution, push notification delivery, in-app payment processing | Device push token for notifications; payment data handled directly by Apple/Google under their own privacy policies |
| RevenueCat, Inc. | USA | Subscription management — receipt validation, entitlement state, renewal tracking for Trinity Pro | Pseudonymous user identifier (your Trinity user ID), App Store / Play Store transaction identifiers, subscription status. No name, email, or health data. |
| Strava, Inc. | USA | Optional activity import (only if you connect your Strava account) | OAuth tokens (stored encrypted) and the activity data described in Connected Services. |

Legal & Regulatory Disclosure

We may disclose your data if required by law, regulation, or a valid legal process (such as a court order), or to protect the rights, property, or safety of Trinity, our users, or the public.

Business Transfer

In the event of a merger, acquisition, or sale of assets, your personal data may transfer to the acquiring entity. You will be notified at least 30 days before any such transfer takes effect and given the opportunity to delete your account and data if you do not wish to continue.

Subscriptions & Payments

Trinity Pro is available as a monthly or annual auto-renewing subscription, purchased through Apple's App Store (iOS) or Google Play (Android). All payment information — card details, billing address, transaction processing — is handled by Apple or Google under their own privacy policies. Trinity never sees, stores, or processes your payment card information.

We use RevenueCat, Inc. as our subscription-management sub-processor to validate App Store / Play receipts and track entitlement state across devices. RevenueCat receives a pseudonymous identifier (your Trinity user ID), the platform transaction identifier, and your subscription status (active, expired, in trial, refunded). It does not receive your name, email, or any health or training data. RevenueCat's privacy policy is available at revenuecat.com/privacy.

Trial periods, renewals, refunds, and cancellations are governed by the rules of the App Store or Play Store you purchased through. To manage your subscription, open Settings on your device:

  • iOS: Settings > [your name] > Subscriptions > Trinity
  • Android: Google Play app > Profile > Payments & subscriptions > Subscriptions > Trinity

Legal basis: Article 6(1)(b), contract performance — processing your subscription payment is necessary to provide the Trinity Pro service you have purchased.

International Data Transfers

Some of our sub-processors are based in the United States. Transferring your personal data outside the UK requires appropriate safeguards under UK GDPR.

Supabase Inc. (USA, EU-hosted)

While Supabase Inc. is a US-incorporated company, your data is stored exclusively on servers located in the United Kingdom (AWS eu-west-2, London). The Supabase corporate entity is covered by Standard Contractual Clauses in our data-processing agreement.

PostHog Inc. (USA, EU-hosted)

Analytics data is routed to PostHog's EU-hosted infrastructure. PostHog Inc. as a US entity is covered by Standard Contractual Clauses. Only pseudonymous usage data (no name, email, or health data) is transmitted.

RevenueCat, Inc. (USA)

Subscription receipt validation routes through RevenueCat's US infrastructure. Coverage by Standard Contractual Clauses is part of our agreement with RevenueCat. Only a pseudonymous user identifier and platform transaction identifier are transmitted — no name, email, or health/training data.

Strava, Inc. (USA)

If you connect Strava, your authorisation tokens are exchanged with Strava's US-hosted servers and your activity data is fetched on demand. Standard Contractual Clauses apply. Trinity is the controller of imported activity records once they reach our infrastructure.

You have the right to request details of the specific safeguards in place for any international transfer. Contact us at hello.trinityapp@gmail.com.

Push Notifications

With your permission, Trinity sends push notifications to your device to support your training programme. We request notification permission explicitly within the app; you may grant or deny it at any time through your device settings.

Notifications we send include:

  • Training reminder — sent at 7:30am on your scheduled training days
  • Sleep reminder — sent at 9:30pm to prompt your nightly wind-down
  • Weekly overview — sent Monday mornings with your upcoming week's plan
  • Event-triggered notifications — for example, a personal record notification when you set a new strength or pace best

Notifications are delivered via Apple Push Notification Service (APNs) or Google Firebase Cloud Messaging (FCM), which receive a pseudonymous device token but not your name or email. You can disable all notifications at any time in Settings > Notifications within the app, or through your device's notification settings.

We do not send marketing push notifications without separate opt-in consent.

Retention

We retain your personal data for as long as your account is active or as needed to provide services to you. If you delete your account, we will delete or irreversibly anonymise your personal data within 30 days, except where we are required to retain it for legal, tax, or regulatory purposes (typically up to 6 years for financial records under UK law).

Health data (body weight, sleep data, and any HealthKit / Health Connect metrics imported on your behalf) is deleted within 30 days of account deletion or upon receipt of a valid erasure request, whichever is sooner. There is no legal retention requirement that overrides your right to erasure for health data.

Strava-imported activities are retained for the same period as your account. Upon account deletion, disconnection of Strava, or explicit erasure request, we will erase all Strava-sourced records within 30 days.

Pseudonymous analytics data (PostHog) and subscription transaction records (RevenueCat, Apple, Google) may be retained in aggregate or for legally required retention periods (typically up to 6 years for financial records under UK law) beyond account deletion.

Security

We implement technical and organisational measures appropriate to the sensitivity of your data, including:

  • Encryption of all data in transit (TLS 1.2+) and at rest
  • Row-level security policies on our database — each user can only access their own records
  • Authentication via Supabase Auth with support for Apple Sign-In, Google Sign-In, and email/password (with secure token management and HaveIBeenPwned-based leaked-password rejection)
  • OAuth-based integration with Strava — we never see or store your Strava credentials
  • OS-level permission gates for HealthKit / Health Connect — Trinity only sees the data types you've explicitly granted
  • Set-log writes are mirrored to encrypted on-device storage before reaching the server, so a network drop in a basement gym doesn't lose your training data
  • Access controls ensuring staff access to production data is restricted and auditable
  • Regular review of security practices and third-party sub-processor security posture

No method of transmission over the internet is 100% secure. If you become aware of any security concern relating to your Trinity account, please contact us immediately at hello.trinityapp@gmail.com.

Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Restriction — ask us to restrict processing of your data in certain circumstances
  • Portability — receive your data in a structured, machine-readable format (JSON)
  • Objection — object to processing based on legitimate interests or for direct marketing
  • Withdraw consent — where processing is based on consent (including for health data, HealthKit / Health Connect access, and Strava connection), withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Automated decision-making - the right not to be subject to solely automated decisions that produce significant legal or similarly significant effects. Trinity generates training suggestions for your review and choice. No automated decision removes any right or opportunity from you.

To exercise any of these rights, contact us at hello.trinityapp@gmail.com. We will acknowledge your request within 72 hours and respond substantively within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data lawfully.

Children

Trinity is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at hello.trinityapp@gmail.com and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make material changes, we will notify you via the app and by email at least 14 days before the changes take effect, and will clearly describe what has changed and why.

Where a material change affects the legal basis on which we process your data (for example, adding a new category of health data or a new sub-processor), we will seek fresh consent where required rather than relying on your continued use of the app as acceptance. The "Last updated" date at the top of this page reflects the most recent revision.

Contact

If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your data, please contact us:

Trinity — Privacy Enquiries
Email: hello.trinityapp@gmail.com
Website: trainwithtrinity.co.uk
Jurisdiction: England & Wales, United Kingdom
ICO Registration: Pending (will be confirmed prior to public launch)

We aim to acknowledge all privacy enquiries within 72 hours. If you are not satisfied with our response, you have the right to complain directly to the Information Commissioner's Office.