Trainery

Privacy Policy

Last updated: May 14, 2026

This English version is provided for informational purposes. The legally binding version is the Ukrainian-language Політика конфіденційності. In case of any discrepancy, the Ukrainian version prevails.

1. Data Controller

This Privacy Policy describes how personal data is processed when you use the TraineryApp service (the "Service") at trainery.app and its subdomains.

Data Controller: Individual entrepreneur (ФОП) [[Last Name First Name Patronymic]], Tax ID (РНОКПП) [[XXXXXXXXXX]], registered address [[postal code, region, city, street, building]] (the "Controller", "we").

Privacy contact: privacy@trainery.app.

Personal data is processed in accordance with the Law of Ukraine "On Personal Data Protection" of 01.06.2010 No. 2297-VI, and — for data subjects in the EU/EEA — the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR).

2. Roles: Controller and Processor

  • Customer (organization admin) data: name, contact, billing details. We act as controller.
  • User data within an organization (members, trainers): name, contact, booking history, passes, attendance. The Customer is the controller and TraineryApp is the processor, processing data on the Customer's instructions. Additional terms are set out in the Data Processing Agreement.

3. Data We Collect

3.1. Data you provide directly

  • Account data: first/last name, email, password (stored as a hash).
  • Profile data: phone number, profile photo, language preferences.
  • Organization data: studio name, address, logo, theme.
  • Booking data: classes, passes, attendance, trainer notes.
  • Payment data: amount, date, purpose. Card details are handled solely by the payment provider and are not stored by us.
  • Support requests: content of messages you send to support.

3.2. Data collected automatically

  • Technical data: IP address, browser type, OS, session ID.
  • Activity logs: access times, pages viewed, operations performed.
  • Usage data: features used, aggregated performance metrics.

3.3. Data from third parties

  • Google OAuth: if you sign in via Google, we receive name, email and profile photo per the permissions you grant.
  • Telegram: if you connect Telegram notifications, we receive your Telegram ID and (optionally) name to set up the notification channel.

4. Purposes and Legal Bases

Purpose | Legal basis (GDPR Art. 6 / UA DPL)
Providing the Service, performing the contract | Contract performance (Art. 6(1)(b) GDPR; Art. 11 UA DPL)
Invoicing and accounting | Legal obligation (Art. 6(1)(c) GDPR)
Service security, fraud prevention | Legitimate interest (Art. 6(1)(f) GDPR)
Notifications (email, Telegram, push) | Contract or consent (Art. 6(1)(a)/(b) GDPR)
Analytics and product improvement | Legitimate interest (Art. 6(1)(f) GDPR)
Marketing emails | Consent (Art. 6(1)(a) GDPR)

5. Disclosure of Personal Data

We do not sell personal data. We disclose data only:

  • Within the organization: as needed for operations (e.g. a trainer sees their class roster).
  • Sub-processors: infrastructure providers under data processing agreements (see Section 6).
  • Legal compliance: at the request of authorized state bodies as required by law.
  • Business transfers: in case of reorganization, sale or merger, with notice to data subjects.

6. Sub-processors

We engage a limited list of vetted service providers under data processing agreements:

Sub-processor | Purpose | Processing location
Hetzner Online GmbH | Application and database hosting | Germany (EU)
[[SMTP email provider]] | Transactional email delivery | [[EU / US (with appropriate transfer mechanism)]]
Telegram FZ-LLC | Messenger notifications (with user consent) | UAE / global infrastructure
Google LLC (Google OAuth) | Authentication via Google account | USA (EU Standard Contractual Clauses)

The list may be updated; the current version is always on this page. New sub-processors are announced at least 30 days in advance.

7. International Data Transfers

TraineryApp's primary systems are located in the EU (Hetzner, Germany). Where data is transferred to sub-processors outside the EU/EEA or Ukraine, we ensure adequate protection by entering into EU Standard Contractual Clauses (SCC) or other GDPR-/Ukrainian-law-compliant transfer mechanisms.

8. Retention Periods

  • Account data: for the lifetime of the account and 30 days after deletion (for possible restoration).
  • Backups: 30 days after data is deleted from production systems.
  • Booking and attendance data: while membership in the organization is active; after departure, per the Customer-controller's decision but no longer than 3 years.
  • Payment records: 1095 days (3 years) per the Tax Code of Ukraine.
  • Security logs: 90 days.
  • Support tickets: 2 years from ticket closure.

9. Your Rights

As a data subject, you have the right to:

  • Be informed about the sources, purposes and retention of your data (Art. 8 UA DPL; Arts. 13–14 GDPR).
  • Access a copy of your data (Art. 15 GDPR).
  • Rectification of inaccurate data (Art. 16 GDPR).
  • Erasure ("right to be forgotten") (Art. 17 GDPR), except where retention is required by law.
  • Restriction of processing (Art. 18 GDPR).
  • Data portability in a structured, machine-readable format (Art. 20 GDPR).
  • Object to processing based on legitimate interest or for marketing (Art. 21 GDPR).
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with a supervisory authority:
    • in Ukraine — the Ukrainian Parliament Commissioner for Human Rights (ombudsman.gov.ua);
    • in the EU/EEA — your national data protection authority.

To exercise your rights, write to privacy@trainery.app. We respond within 30 days. For data where the Customer (your organization) is controller, please address your request to them first.

10. Security Measures

  • TLS 1.2+ traffic encryption;
  • Modern password hashing (Argon2/bcrypt);
  • Physical database isolation between organizations (database-per-tenant);
  • Role-based access control under the least-privilege principle;
  • Regular backups and security monitoring;
  • Need-to-know access for personnel.

In case of a personal data breach posing a risk to data subjects, we notify the Ukrainian Parliament Commissioner for Human Rights within 72 hours, and EU supervisory authorities within the timelines of Art. 33 GDPR.

11. Cookies and Similar Technologies

  • Strictly necessary: session tokens, tenant identifier, CSRF settings — required for the Service to function.
  • Functional: language, theme (light/dark), widget sizing.
  • Analytics: [[name your analytics tool here, e.g. Plausible (cookieless), or Google Analytics 4]] — anonymized usage statistics.

Cookie preferences can be managed through your browser settings. Disabling strictly necessary cookies may break the Service.

12. Changes to This Policy

We may update this Policy. Material changes are announced at least 30 days in advance via email or in-app notice. The "Last updated" date at the top reflects the current version.

13. Contact

Data Controller: ФОП [[Last Name First Name Patronymic]]

Tax ID (РНОКПП): [[XXXXXXXXXX]]

Registered address: [[address]]

Privacy email: privacy@trainery.app

General support: support@trainery.app