Skip to content
Train Ultra
Get started Download on the App Store

Legal

Privacy Policy

Effective May 26, 2026

This Privacy Policy explains what data Train Ultra collects, how we use it, who we share it with, how long we keep it, and your rights over it. It applies to use of the Train Ultra iOS app and the Train Ultra web dashboard. If you do not agree with this policy, do not use the service.

1. Who we are

Train Ultra is operated by Spare Mile Studio, based in the State of Washington, USA. For the purposes of GDPR and similar laws, Spare Mile Studio is the data controller of the personal data described in this policy. You can reach us at [email protected]. Given our size and the nature of our processing, we have not appointed a Data Protection Officer.

2. What we collect

Train Ultra collects only the data needed to deliver AI-generated activity titles, workout evaluations, coaching conversations, training summaries, and the other features you use.

  • Account data — your email address (used for sign-in via a 6-digit code), your first and last name (where you provide them), and the account-creation timestamp.
  • Strava activity data — when you connect Strava, we read your activity history, including activity metadata (name, type, start time, duration), splits, heart-rate streams, GPS streams, and laps. We do not write data back to Strava except the AI-generated title you have configured Train Ultra to set.
  • Garmin Connect wellness data — if you connect Garmin, we ingest the daily summaries and events made available by the Garmin Health API: daily summaries, sleep, heart-rate variability (HRV), stress, respiration, pulse-oximetry, skin temperature, and the user-metrics events that update them.
  • Oura data — if you connect Oura, we ingest similar daily wellness summaries via the Oura API.
  • User-generated content — goals you create, coach conversation history, and athlete-profile fields you fill in (such as sex, age, training history, optional injury notes, and optional max-heart-rate or threshold-pace values).
  • Device tokens — when you grant push-notification permission on iOS, the APNs device token is stored so we can deliver notifications about your activities and coach prompts.
  • Billing identifiers — if you subscribe to a paid tier, we store the Stripe customer id and subscription metadata returned by Stripe. We do not store full card numbers; Stripe handles card storage and processing.
  • Operational logs — limited request and response metadata for debugging, capacity planning, and abuse prevention. These logs may include IP address, user-agent, timestamps, the route accessed, and error details.
  • Legal acceptance records — when you accept the Terms of Service or this Privacy Policy, we record the version accepted, the timestamp, your IP address, your user-agent string, and the platform (web or iOS) so we can demonstrate consent if asked.
  • Analytics — anonymous web-page metrics via Google Analytics 4 (GA4) on our marketing pages. We do not run analytics inside the authenticated dashboard or the iOS app.

3. How we use it

  • To generate creative AI-written titles for your Strava activities.
  • To generate AI workout evaluations and coaching responses grounded in your training and wellness data.
  • To compute training summaries, weekly stats, year-over-year comparisons, and other derived views.
  • To send transactional emails (sign-in codes, account-deletion confirmations, billing receipts).
  • To send push notifications about your activities, evaluations, and coach prompts.
  • To operate, debug, secure, and improve the service.
  • To prevent fraud and abuse and to enforce our Terms of Service.
  • To comply with legal obligations (for example, tax record-keeping for billing data).

We do not sell your personal information, and we do not share your personal information with third parties for cross-context behavioral advertising. We do not use your training data to train third-party foundation models beyond the per-request inference described below.

4. Who we share it with

We share personal data with the third parties below, only as needed to deliver the features you use. Each is a processor acting on Spare Mile Studio’s behalf under the contractual terms we have in place with them.

  • DigitalOcean — hosts our backend, database, object storage, and AI-inference endpoint. Activity, wellness, coach-conversation, and goal data passes through DigitalOcean’s infrastructure and through the inference API for every AI feature.
  • ElevenLabs (via DigitalOcean’s text-to-speech endpoint) — when you use the audio-playback feature on a workout evaluation, the evaluation text is sent for speech synthesis. We do not retain the synthesized audio beyond what is needed to deliver it to you.
  • Strava, Garmin, Oura — OAuth providers from whom we read data with your authorization. We do not share your Train Ultra data back to these providers, except the AI-generated activity title we write to Strava when that feature is enabled.
  • Resend — transactional email delivery (sign-in codes, account-deletion confirmations, billing-related notices).
  • Stripe — payment processing for web subscriptions. Stripe receives the billing details you enter into its checkout form; Spare Mile Studio receives back a customer id and subscription metadata, not card numbers.
  • Apple Push Notification service — delivery of push notifications to your iOS device.
  • Google Analytics (GA4) — anonymized analytics on our public marketing pages only. Not used inside the authenticated dashboard or the iOS app.

We may also disclose personal data when we believe in good faith that disclosure is required to comply with a law, court order, or other valid legal process; to protect the rights, property, or safety of Spare Mile Studio, our users, or the public; or in connection with a corporate transaction such as a merger, acquisition, financing, or sale of assets (in which case we will give you advance notice and the chance to delete your account before the transfer where the law requires it).

5. How long we keep it

We retain personal data only as long as we need to provide the service or to meet a specific legal or operational requirement.

  • Account data (email, name, account-creation timestamp): for the lifetime of your account, plus up to 30 days after deletion to allow backup purges to complete.
  • Strava activity data: lifetime of account + 30 days.
  • Garmin and Oura wellness data: lifetime of account + 30 days.
  • User-generated content (goals, coach conversations, athlete profile): lifetime of account + 30 days.
  • Device tokens: removed when you uninstall the app, when APNs reports the token as invalid, or 30 days after account deletion — whichever happens first.
  • Billing identifiers and invoices: 7 years after the last transaction, to comply with US tax record-keeping requirements. Card numbers are never stored by us.
  • Operational logs: 90 days.
  • Legal acceptance records: kept indefinitely so we can demonstrate consent if disputed; references to the user are removed on account deletion (the audit row survives but is no longer linked to you).
  • Analytics (GA4): retained for the GA4 property’s configured retention window (currently 14 months). Data is anonymized at collection.

Activity titles Train Ultra previously wrote on your Strava activities remain on those Strava activities after you delete your account — deletion does not retroactively re-title past activities on Strava.

6. International data transfers

Train Ultra’s backend infrastructure and most of our processors are located in the United States. If you access Train Ultra from outside the United States — including from the European Economic Area, the United Kingdom, or Switzerland — your personal data will be transferred to and processed in the United States. Where required, we rely on Standard Contractual Clauses (or equivalent transfer safeguards) with our processors to protect personal data on transfer.

7. Your rights and how to exercise them

You have the following rights with respect to your personal data:

  • Access a copy of the personal data we hold about you.
  • Correct personal data that is inaccurate or incomplete.
  • Delete your account and the personal data we hold about you. You can do this directly from the iOS app (Settings → Delete Account) or the web dashboard (Settings → Delete Account), or by emailing us. Deletion permanently removes the data described in Section 5 within the listed retention windows and disconnects Train Ultra from your Strava, Garmin, and Oura authorizations.
  • Object to or restrict certain processing, where the law gives you that right.
  • Withdraw consent for processing that depended on your consent (for example, push notifications or optional provider connections), without affecting the lawfulness of earlier processing.
  • Receive a portable copy of personal data you provided to us, where the law gives you that right.

To exercise any of these rights, email [email protected]. We will respond within the time required by applicable law (no later than 30 days under GDPR, 45 days under CCPA) and may verify your identity before acting on a request. There is no fee for exercising these rights, and we will not discriminate against you for exercising them.

8. EEA, UK, and Switzerland (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the GDPR (or UK GDPR / Swiss FADP). We are the controller of your personal data. We process personal data under the following lawful bases:

  • Contract — processing necessary to deliver the service you signed up for (running AI features, storing goals and activities, processing payments).
  • Legitimate interests — processing necessary to secure the service, prevent fraud, debug operational issues, and maintain audit records of legal-document acceptance. Where we rely on legitimate interests, you may object as described in Section 7.
  • Consent — processing that depends on a permission you grant, including push notifications, optional connected providers (Garmin, Oura), and the use of optional athlete-profile fields. You may withdraw consent at any time.
  • Legal obligation — processing necessary to comply with law (for example, retaining billing records for tax purposes).

You also have the right to lodge a complaint with a supervisory authority — for example, your national data-protection authority in the EU, the UK Information Commissioner’s Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC). We encourage you to contact us first so we can try to resolve the issue.

Your data is transferred to the United States and processed there. See Section 6 (International data transfers) for the safeguards we rely on.

9. California residents (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

Categories of personal information we collect. In the 12 months preceding this policy’s effective date, we collected the following categories: identifiers (email, name, IP address, device token), commercial information (billing identifiers and subscription history), internet or other electronic-network activity (operational request logs), geolocation derived from activity data (GPS points within Strava activities you connect), and inferences drawn from the above to provide the service. We collect these directly from you, from Strava / Garmin / Oura when you authorize them, and from your device.

How we use it. See Section 3 (How we use it).

How we share it. See Section 4 (Who we share it with). Each recipient is a service provider acting on our behalf under contractual terms that restrict their use of the data to delivering the service.

Do not sell or share my personal information. We do not sell your personal information and we do not share your personal information for cross-context behavioral advertising. We do not knowingly process the personal information of minors under 16 for sale or sharing.

Sensitive personal information. Health-related fields (heart rate, HRV, sleep, athlete-profile injury notes) may qualify as sensitive personal information under California law. We use them only as needed to deliver the AI features you use, and we do not use them to infer characteristics about you for any purpose unrelated to the service.

Your California rights. You may request to know what personal information we have collected about you, to delete it, to correct it, and to limit our use of sensitive personal information. To exercise these rights, email [email protected]. We will respond within 45 days (extendable by an additional 45 days where reasonably necessary, with notice). There is no fee, and we will not discriminate against you for exercising your rights.

10. Children

Train Ultra is not directed at children. We do not knowingly collect personal data from anyone under 13 in the United States, or under 16 in the European Economic Area, the United Kingdom, or Switzerland (unless local law sets a different age and a parent or guardian has consented).

If you believe a child under the applicable age has provided personal data to Train Ultra, please contact [email protected]. We will delete the account and the personal data we hold about that child promptly upon verification.

11. Apple App Privacy disclosures

To help users on the iOS App Store understand how Train Ultra uses data, here is how the data described in this policy maps to Apple’s “App Privacy” categories. This summary is provided for transparency; the canonical declaration is the one we file with Apple.

  • Data linked to you: contact info (email, name); user content (goals, coach conversations, athlete-profile fields); health and fitness data (Strava activities, Garmin and Oura wellness data); identifiers (account id, device token); usage data (operational request logs); financial info (Stripe customer id and subscription metadata, not card numbers); diagnostics (debugging logs).
  • Data not linked to you: anonymized web analytics on our marketing pages via GA4.
  • Data used to track you: none. Train Ultra does not track you across apps or websites owned by other companies.

12. Cookies and similar technologies

We use a session cookie (HTTP-only, secure) on the web dashboard to keep you signed in. We use Google Analytics 4 cookies on our public marketing pages for anonymous traffic measurement. We do not use third-party advertising or cross-site tracking cookies. You can disable cookies in your browser, but doing so may break sign-in.

13. Security

We protect personal data using a combination of TLS-encrypted transport, encryption at rest in our managed database and object storage, least-privilege access controls, and routine review of operational logs for anomalous behavior. No service is perfectly secure, and we cannot guarantee absolute security; we will notify affected users of a personal-data breach as required by applicable law.

14. Changes to this Policy

We may update this Privacy Policy as the product evolves. Where we make material changes, we will announce them in the in-app changelog and bump the Effective date at the top of this page. For material changes, you will be asked to re-accept this Policy before continuing to use Train Ultra; we will tell you, in summary, what has changed. If you do not accept the updated Policy, you may stop using the service and delete your account at any time.

15. Contact

For any privacy-related question or request, email [email protected].