Privacy Policy

Effective 2026-07-06

Draft — pending legal review. This document is a working draft and not yet legal advice or a final policy. Some details are placeholders shown in [brackets].

This Privacy Policy explains what personal data TriHonu (“we”, “us”, “our”) collects, why we collect it, who we share it with, and the rights you have over it. TriHonu is an invite-only, AI-assisted triathlon-coaching app. Because it works with your health and training data, we treat your privacy seriously.

1. Who we are

The controller responsible for your data is [LEGAL ENTITY NAME], [ADDRESS], reachable at [privacy@trihonu.com]. TriHonu operates at trihonu.com and trihonu.ai.

2. What we collect

  • Account — your email address and, if you set one, a password (stored only as a salted hash by our authentication provider; we never see it in plain text).
  • Profile — name, sex, date of birth, height, weight, home location, language, your chosen AI coach, and your goals and races.
  • Health & training data — activities and their metrics (heart rate, power, pace, distance, duration), recovery and wellness signals (HRV, sleep, resting HR, body battery), daily check-ins, injuries and niggles, performance thresholds, and nutrition information (dietary preferences, targets, and any food you log). Some of this is health data, treated as a special category under EU/Swiss law (see “Legal bases”).
  • Connected services — if you connect Garmin or TrainingPeaks, we import the activity, workout, and wellness data you authorize, and store the access tokens needed to keep syncing.
  • AI coaching — your conversations with the AI coach, and the training and health context we send to the AI model so it can generate your coaching.
  • Media — photos or videos you choose to upload (e.g. meals, gear, or technique clips).
  • Technical — sign-in cookies and minimal usage records (including AI-usage counts we keep to manage costs). We do not use third-party advertising or cross-site tracking.

3. Legal bases (GDPR / Swiss FADP)

Where the EU GDPR or the Swiss FADP applies, we rely on:

  • Performance of a contract — to provide the coaching service you signed up for.
  • Your explicit consent — for health / special-category data (Art. 9(2)(a) GDPR), given when you accept the in-app disclaimer and this policy. You can withdraw consent at any time by deleting the relevant data or your account.
  • Legitimate interests — to keep the service secure and within cost and fair-use limits, balanced against your rights.

4. How we use your data

  • Generate your plan, morning briefings, weekly reviews, and coaching replies.
  • Adapt your training to your recovery, goals, and how you’re responding.
  • Sync with your connected devices and provide nutrition guidance.
  • Keep your account secure and within fair-use limits.

We do not sell your personal data.

5. AI processing & service providers

To run the service we share data with a small set of processors, each only to the extent needed:

  • Anthropic (Claude) — receives the relevant training/health context and your chat messages to generate coaching. [Confirm retention terms / use zero-retention where available.]
  • Garmin, TrainingPeaks — you connect these; data flows to and from them per your authorization and their own terms.
  • Supabase — hosts the database, authentication, and file storage.
  • Vercel — hosts the application.
  • [Email provider, e.g. Resend] — sends sign-in emails. [Complete if used.]

6. Where your data is stored & international transfers

Your data is stored in our hosting providers’ infrastructure in [REGION — confirm]. Some providers (e.g. Anthropic, Vercel) may process data in the United States; where they do, transfers are covered by appropriate safeguards such as Standard Contractual Clauses. [Confirm mechanisms before launch.]

7. How long we keep it

We keep your data while your account is active. When you delete your account (self-service in the app), your data is deleted, subject to short-lived rolling backups (currently up to [7] days) and any records we must retain by law. [Confirm.]

8. Your rights

Subject to applicable law, you can request access to, correction of, deletion of, a portable copy of, restriction of, and objection to the processing of your data, and you can withdraw consent.

  • Export — download your data yourself in-app under Profile → Your data.
  • Delete — delete your account and its data in-app under Profile → Your data, or contact us.
  • Other requests / complaints — contact [privacy@trihonu.com]. You also have the right to lodge a complaint with a supervisory authority (in Switzerland, the FDPIC; in the EU, your local data-protection authority).

9. Security

We isolate every user’s data at the database level (row-level security keyed to your account), encrypt data in transit, store passwords only as salted hashes, and never expose your device tokens to other users. No system is perfectly secure, but we work to protect your data.

10. Children

TriHonu is not intended for anyone under [16], and we do not knowingly collect data from children.

11. Changes to this policy

We may update this policy; material changes will be surfaced in-app. The “Effective” date above shows the current version.

12. Contact

Questions or requests: [privacy@trihonu.com].