Privacy Policy

TrainState (“TrainState”, “we”, “us”, “our”) is operated by Nick van de Pas, based in Wellington, New Zealand. This Privacy Policy explains how we collect, use, store, disclose, and protect personal information in connection with the TrainState application and website at trainstate.fit.

This policy complies with the New Zealand Privacy Act 2020 and the Information Privacy Principles contained within it. It also addresses our obligations under the Garmin Connect API terms regarding user data.

By using TrainState, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the service.

We use your personal information and Garmin data exclusively for the following purposes:

• To calculate your daily readiness score and recovery status.
• To generate personalised AI coaching insights and workout recommendations.
• To track training load trends over time and identify patterns relevant to your performance.
• To deliver workouts to your Garmin device where you have requested this feature.
• To maintain and improve the TrainState service.
• To communicate with you about your account or the service (transactional communications only).

We do not use your health data for advertising, marketing profiling, or any purpose beyond delivering the coaching service described above. We do not sell, rent, or trade your personal information.

TrainState uses artificial intelligence to analyse your Garmin data and generate coaching insights. Your health and activity data is processed by an AI service provider to produce these outputs.

When data is sent to our AI service provider for processing, it is transmitted securely and subject to that provider's data processing agreement. Your data is used only for the purpose of generating your coaching insight — it is not used to train AI models or shared with third parties by the AI provider.

AI-generated coaching insights are recommendations only. They are not medical advice and should not be used as a substitute for professional medical or clinical guidance. See our Terms of Service for the full health disclaimer.

We share your personal information only in the following limited circumstances:

• Garmin Connect: Data is retrieved from Garmin Connect using your authorised OAuth connection. Your Garmin credentials are never stored by TrainState — only the access token required to retrieve data on your behalf.
• AI service provider: Relevant Garmin health data is sent to our AI service provider to generate coaching insights. This provider is contractually bound not to use your data for purposes other than generating your coaching output.
• Hosting and infrastructure: TrainState is hosted on Vercel. Standard infrastructure data (logs, usage metrics) may be processed by Vercel in accordance with their privacy policy.
• Legal obligations: We may disclose personal information if required to do so by law, court order, or to protect the rights, property, or safety of TrainState, its users, or the public.

We do not sell, license, or share your personal information with any other third parties.

Your data is stored on servers operated by Vercel and its infrastructure partners. Vercel operates data centres in the United States and European Union. By using TrainState, you consent to your data being stored and processed in these jurisdictions.

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction. These measures include encrypted data transmission (TLS/SSL), secure token handling for Garmin API access, and access controls limiting who can access your data.

Despite these measures, no internet transmission or electronic storage is completely secure. We cannot guarantee absolute security of your data.

We retain your personal information and health data for as long as your account is active and as necessary to provide the service. Historical Garmin data and AI-generated insights are retained to enable trend analysis and performance tracking over time.

If you close your account or request deletion of your data, we will delete your personal information and associated Garmin health data within 30 days, except where we are required to retain it by law.

Garmin OAuth access tokens are retained only for as long as you maintain an active connection. You may revoke TrainState's access to your Garmin data at any time through your Garmin Connect account settings, which will immediately prevent any further data retrieval.

Under the New Zealand Privacy Act 2020, you have the following rights regarding your personal information:

• Right of access: You may request a copy of the personal information we hold about you.
• Right of correction: You may request that we correct personal information that is inaccurate or out of date.
• Right to deletion: You may request deletion of your personal information, subject to any legal retention obligations.
• Right to object: You may object to the collection or use of your personal information for specified purposes.
• Right to withdraw consent: Where processing is based on your consent (including your Garmin Connect authorisation), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, contact us at hello@trainstate.fit. We will respond within 20 working days as required by the Privacy Act 2020.

If you believe we have interfered with your privacy, you may complain to the New Zealand Office of the Privacy Commissioner at privacy.org.nz.

TrainState is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

TrainState uses session cookies to maintain your authenticated session. These are strictly necessary for the service to function and do not track you across other websites. We do not use advertising cookies or third-party tracking cookies.

We may update this Privacy Policy from time to time to reflect changes in our practices, the service, or applicable law. We will notify users of material changes by email and by updating the “last updated” date at the top of this page. Continued use of TrainState after changes take effect constitutes acceptance of the updated policy.

For privacy enquiries, data access requests, or any concerns about how we handle your personal information, contact us at: