Last Updated: 29 October 2025
Introduction
MyTriPal ("we," "us," "our," or "the Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and otherwise process your personal information in relation to our web-based application ("MyTriPal" or the "Service").
1. Information We Collect
1.1 Information You Provide Directly
Account Registration Information:
- Name
- Email address
- Password (hashed and encrypted)
- Profile information you choose to add
Training Profile Information:
- Training goals (event name, type, date, priority)
- Peak performances (past race results with times and distances)
- Weekly hour budget for training
- Preferred training times
- Injury limitations and notes
- Equipment availability
- Unavailable days/rest days
- Plan adjustment preferences
Fitness and Activity Data:
- Strava account information (with your permission)
- Training history and activity data from Strava
- Workout completion status and timestamps
- Workout notes and completion notes
1.2 Information Collected Automatically
Technical Information:
- Device type and operating system
- Browser type and version
- IP address
- Cookies and similar tracking technologies
- Access logs and usage patterns
Analytics Data (via Google Analytics 4):
- Page view events
- User interaction events (clicks, scrolls, form submissions)
- Device and browser information
- Geographic location (based on IP address)
- Traffic source and referral information
- Session duration and engagement metrics
1.3 Information from Third Parties
Strava Integration: When you connect your Strava account, we receive your profile information, historical activity data, and activity details.
2. Legal Basis for Processing
Under UK data protection law (Data Protection Act 2018 and UK General Data Protection Regulation), we rely on:
- Consent: Where you have explicitly consented to specific processing
- Contract: Processing necessary to provide the Service you've requested
- Legal Obligation: Compliance with UK law and regulation
- Legitimate Interests: Our legitimate business interests, including service improvement and security
3. How We Use Your Information
3.1 Service Delivery
- Creating and maintaining your account
- Providing training plan generation and personalisation
- Processing plan adjustments and modifications
- Storing and displaying your training history
- Enabling workout tracking and completion recording
3.2 Strava Integration
- Fetching and caching your historical activity data
- Using your training history to personalise training plans
- Synchronising fitness data with your training preferences
3.3 AI-Powered Features
- Sending training data to Anthropic's Claude API to generate personalised training plans
- Processing your natural language adjustment requests
- Creating contextual training recommendations
3.4 Service Improvement
- Analysing usage patterns to improve the application via Google Analytics 4
- Identifying and fixing bugs and technical issues
- Understanding user behaviour to enhance features
- Tracking which pages are most visited and how users interact with the service
3.5 Security and Compliance
- Detecting and preventing fraud and misuse
- Protecting against malicious activity
- Enforcing our terms of service
- Bot protection through Cloudflare Turnstile
4. Third-Party Service Providers
We share your information with carefully selected third parties:
4.1 Anthropic (Claude AI)
Purpose: AI-powered training plan generation
Data Shared: Your training goals, peak performances, preferences, and Strava
activity data
4.2 Strava
Purpose: Fetching your fitness activity data
Note: We do not share your data with Strava; we only retrieve data you've
already authorised
4.3 Cloudflare Turnstile
Purpose: Bot protection on authentication pages
4.4 Google Analytics 4
Purpose: Website analytics and user behaviour tracking
Measurement ID: G-PM0YVPSFRH
Data Shared: Page views, user interactions, device information, IP address
Note: Google Analytics does not store your personal information directly; it
tracks general usage patterns and aggregated metrics
Opt-Out: You can opt out using Google's opt-out browser
extension, your browser's Do Not Track settings, or Google advertising
preferences
4.5 Digital Ocean
Purpose: Cloud hosting and infrastructure
5. Data Retention
We retain your personal information for as long as necessary to provide the Service:
- Account information: For the duration of your account + 30 days after deletion
- Training data: For the duration of your account + 30 days after deletion
- Workout history and notes: For the duration of your account + 30 days after deletion
- Training plans (inactive): Indefinitely (for user reference)
- Strava activity cache: 2 hours (refreshed on access)
- LLM usage logs: 24 months (for analytics and compliance)
- Session data: Until logout or 8 hours of inactivity
6. Your Rights Under UK Data Protection Law
Under the Data Protection Act 2018 and UK GDPR, you have the following rights:
6.1 Right of Access
You have the right to request a copy of the personal information we hold about you in a structured, commonly-used, and machine-readable format.
6.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal information.
6.3 Right to Erasure
You have the right to request deletion of your personal information, subject to certain exceptions.
6.4 Right to Restrict Processing
You have the right to request that we limit how we process your information.
6.5 Right to Data Portability
You have the right to request your personal information in a portable format.
6.6 Right to Object
You have the right to object to certain types of processing.
6.7 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time.
6.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: https://www.ico.org.uk
7. Security Measures
We implement comprehensive security measures to protect your personal information:
7.1 Technical Security
- SSL/TLS encryption for data in transit (HTTPS only)
- AES encryption for sensitive data at rest (Strava tokens, password hashes)
- Secure password hashing using industry-standard algorithms
- Regular security audits and vulnerability assessments
7.2 Access Controls
- Role-based access control (admin vs. regular users)
- Strong authentication requirements for account access
- 8-hour session timeout for security
7.3 Infrastructure Security
- Secure cloud hosting on Digital Ocean
- Isolated network architecture
- Regular software updates and patches
8. International Data Transfers
Your information may be transferred to and stored in countries outside the United Kingdom, including the United States (Anthropic, Cloudflare, Digital Ocean). These transfers are made with appropriate safeguards in place.
9. Children's Privacy
MyTriPal is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information immediately.
10. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:
By Email: cameron@vnss.co.uk
Response Time: We aim to respond to all data subject requests within 30 days.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices or legal requirements. We will notify you of any material changes via email and update the "Last Updated" date at the top of this policy.
12. Additional Information
For complete details on our data processing practices, including specific information on automated decision-making, profiling, and data processors, please refer to the full Privacy Policy document available in our repository.