TriathleteAI Privacy Policy
TriathleteAI (“we”, “us” or “our”) is committed to protecting your personal data and using it responsibly. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your data. Our website and service are hosted on TriathleteAI.com, and our contact email is contact@TriathleteAI.com. All aspects of data collection and use follow applicable laws, including the GDPR as adopted in Norway.
Information We Collect
- Account Information: We collect your email address and a hashed password (not readable text) when you sign up. You may also be asked to verify your account using security codes (e.g. via email). This information is used only for account authentication and contacting you about your account.
- Health and Activity Data: With your explicit consent, we connect to Garmin Connect via their API to retrieve your personal health metrics (such as heart rate, distance, time, and workouts). This data is collected only after you authorize us, and is linked internally to a unique user ID. We do not collect names or other unnecessary identifiers – only the user ID, email, and the health metrics you authorize. All such data is treated as personal (and sensitive) data.
- Usage Data & Cookies: We may collect minimal usage data (like page visits) to maintain the service. We use standard secure cookies or session tokens only as needed for login/security. We do not use tracking or marketing cookies. No user activity or personal data is logged beyond the scope described here.
How We Use Your Data
- Personalized Training Plans: The primary use of your health data is to generate custom triathlon training programs. We feed your anonymized health metrics into our AI engine (hosted on Azure AI Foundry) to create workout plans tailored to your needs. Your email address is used to manage your account and optionally send you your training plans and notifications.
- Transparency and Consent: We use your data only for the purposes you have consented to. We will never use your data for marketing, sell it to third parties, or share it beyond what is necessary for the service. You can always review or withdraw your consent in your account settings.
- Anonymization: Internally, we treat your Garmin data as pseudonymized. Your real identity is not stored with health metrics; we only maintain a user ID. This means we cannot identify you beyond your account without the link between email and user ID, which we keep confidential.
Data Encryption and Security
- Encryption In Transit: All communication between your device, TriathleteAI.com, Garmin’s API, and Azure is secured using industry-standard encryption (HTTPS/TLS). This ensures your data cannot be intercepted during transfer.
- Encryption At Rest: Any data stored by TriathleteAI or on Azure servers is encrypted at rest. Microsoft Azure encrypts stored data with AES-256 by default. In practice, this means your health metrics and personal data are kept encrypted on disk. According to Microsoft, stored data in Azure AI Foundry “is always encrypted at rest with Microsoft’s AES-256-encryption”.
- Strong Authentication: We store only hashed passwords, not plaintext. Our login system may use email or SMS security codes as a second factor for added security. We follow best practices to protect your credentials and personal information.
- Data Isolation: Your data is stored within our secure Azure tenant and region. Azure ensures that your inputs (prompts) and outputs (AI-generated recommendations) are not shared with others or used to train other AI models. In fact, Microsoft explicitly states that data you submit “are NOT used by Azure Direct Model providers to improve their models or services”. This means your training data and AI outputs remain private to our application.
Third-Party Services
- Garmin Connect API: We only access Garmin data with your permission. Garmin’s system ensures you authorize any data sharing. Once obtained, we use that data solely for generating your training plan. We do not send any of your Garmin data back to Garmin or other companies.
- Microsoft Azure AI Foundry: Our app uses Azure AI Foundry for processing. Microsoft’s Foundry service is designed for privacy – data processed there “are NOT available to other customers” and are kept within our Azure environment. We do not use any other third-party analytics, and we never sell or distribute your data.
- No Data Sales: We will never sell your personal or health data. We also do not share your data with advertisers or other unrelated third parties. Only the above services (Garmin and Azure) see your data, and only as needed to run the app.
Data Retention and Deletion
- Retention Period: We retain your data only as long as needed to provide the service. Training plans are generated on-demand; once generated, the raw input data (health metrics) is not stored permanently beyond active session use. Where we do store data (e.g. for enabling you to revisit past plans), we keep it only as long as your account is active. We implement the GDPR’s storage limitation principle by deleting unnecessary data promptly.
- User Deletion: You have the right to delete your data at any time. If you choose to delete your account or data, all personal data and health data will be erased from our systems. This is irreversible: once deleted, we cannot recover it. This aligns with your “right to erasure” under GDPR. According to GDPR rules (applicable in Norway), you can ask us to erase your personal data without undue delay, and we will comply.
- Data Backups: For system stability, we may keep encrypted backups for a short period (in line with security best practices), but these are also purged regularly. Ultimately, we have no logs or hidden records of your personal data beyond what is necessary for operation.
Your Rights
Under GDPR and Norwegian data protection law, you have rights regarding your personal data. These include (but are not limited to):
- Access & Portability: You can request a copy of the personal data we hold about you (e.g. your account info and authorized health data). We will provide it in a standard format.
- Correction: If any information is incorrect or outdated, you may request that we correct it.
- Deletion: As noted, you can request that we erase all your personal data and health data, and we will do so promptly (subject to any legal obligations).
- Consent Withdrawal: If you withdraw your consent to data processing, we will stop processing your data and delete it if requested, unless we have another legal basis to retain it (e.g. compliance with law).
- Complaint: You also have the right to lodge a complaint with a data protection authority (in Norway, Datatilsynet) if you believe your data has been mishandled.
To exercise any of these rights or for any privacy concerns, please contact us at contact@TriathleteAI.com.
Children’s Privacy
TriathleteAI is intended for adult athletes. We do not knowingly collect information from children under 16. If we learn we have inadvertently collected a child’s personal data, we will delete it.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time (for example, if we add new features or legal requirements change). The date at the top reflects the latest revision. Any material changes will be posted on our homepage (TriathleteAI.com), and we may notify active users by email. Please review this policy periodically.
By using TriathleteAI and our services, you agree to the terms of this Privacy Policy. We take your trust seriously and are dedicated to protecting your personal and health data. If you have any questions or need further information, contact us at contact@TriathleteAI.com.
TriathleteAI
Operated by Andreas Sandsmark Bakke
Norway
Email: contact@TriathleteAI.com
Website: https://TriathleteAI.com