TRAQA Home
Legal

Privacy Policy

Last updated: March 13, 2026

1. Data Controller

The data controller responsible for your personal data is:

Aritz Tellitu
Spain
privacy@traqa.app

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the TRAQA application ("the App"), in accordance with the EU General Data Protection Regulation (GDPR) and the Spanish Organic Law 3/2018 on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

2. Information We Collect

We collect and process the following categories of personal data:

Account data: Email address, display name, and authentication credentials (password stored as a hash — we never store plaintext passwords).

Profile data: Body weight, preferred units, timezone, preferences, and settings.

Workout data: Workout logs, set logs (weight, reps, RPE, rest time), workout duration, volume calculations, personal records, body weight history, training analysis and recommendations, skip reasons, and user comments.

Subscription data: Subscription status, entitlement, product identifier, store (Apple), and billing periods. Processed via RevenueCat — we do not store payment card details.

Device information: Device type, operating system version, and app version, collected for diagnostics and crash resolution.

Onboarding data (optional): If you optionally provide information during onboarding, it may be processed by a third-party AI service to generate a workout plan. This data is not stored after processing.

What we do NOT collect:

  • Apple HealthKit or Health app data
  • Location data or GPS coordinates
  • Contacts or address book information
  • Advertising identifiers (IDFA)
  • Third-party analytics or tracking services
  • Browsing history or data from other apps

3. Legal Basis for Processing

We process your personal data under the following legal bases as defined in Article 6 of the GDPR:

Contract performance (Art. 6(1)(b)): Processing of account data, profile data, workout data, and subscription data is necessary for the performance of the contract between you and TRAQA — i.e., providing the fitness tracking service you subscribed to.

Legitimate interest (Art. 6(1)(f)): Processing of device information for diagnostics and crash resolution, to maintain and improve the stability and security of the App.

Consent (Art. 6(1)(a)): Processing of onboarding data sent to a third-party AI service for workout plan generation is based on your explicit, informed consent, which you can withhold or withdraw at any time without affecting the core service.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Service delivery: Storing and displaying your workout history, tracking progress, detecting personal records, and providing the core fitness tracking functionality
  • Training analysis: Generating progression recommendations based on your training data
  • Subscription processing: Managing your subscription status, verifying entitlements, and coordinating with Apple and RevenueCat for billing
  • Diagnostics: Identifying and resolving crashes, performance issues, and bugs using device information
  • Workout plan generation (optional): If you opt in during onboarding, sending your provided information to a third-party AI service to generate a personalized workout plan

5. Data Sharing and Third Parties

We share your data with the following third-party service providers, solely for the purposes described:

Supabase (database and authentication): Your account data and workout data are stored in Supabase's infrastructure. Supabase acts as a data processor under our instructions.

RevenueCat (subscription management): Your subscription status, Apple transaction identifiers, and entitlement data are processed by RevenueCat to manage subscriptions.

Apple (payment processing and App Store): Apple processes all payments and manages your subscription billing. Apple's privacy practices are governed by their own privacy policy.

Third-party AI provider (optional workout plan generation): If you opt in during onboarding, your provided training information is sent to an AI service for workout plan generation. This data is not used to train AI models and is not retained after processing.

We do NOT sell, rent, or trade your personal data to any third party. We do not share your data with advertisers. We do not monetize your data in any way beyond providing the service you pay for.

We may disclose your information if required by law, in response to valid legal process, or to protect the rights, property, or safety of TRAQA, our users, or the public.

6. International Data Transfers

Your personal data may be transferred to and processed in the United States by our service providers. These transfers are protected by:

  • Standard Contractual Clauses (SCCs): Our US-based processors have executed EU Standard Contractual Clauses approved by the European Commission, providing appropriate safeguards for international data transfers
  • EU-US Data Privacy Framework: Where applicable, our processors participate in the EU-US Data Privacy Framework, which has been granted an adequacy decision by the European Commission

7. Data Retention

We retain your personal data for as long as your account is active and as necessary to provide you with the service.

  • Active account: All your data is retained for the duration of your account to provide the service
  • Account deletion: When you delete your account (Settings > Delete Account), all your data is immediately and permanently deleted. This action cannot be undone.
  • Onboarding data: Any information sent to a third-party AI service during onboarding is discarded after processing and is not stored on our servers
  • Subscription data: RevenueCat may retain transaction records independently in accordance with their own data retention policy and legal obligations

8. Your Rights

Under the GDPR (Articles 15–22) and the LOPDGDD, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data
  • Right to erasure (Art. 17): Request deletion of your personal data (also available directly in the App via Settings > Delete Account)
  • Right to restriction of processing (Art. 18): Request that we limit how we process your data in certain circumstances
  • Right to data portability (Art. 20): Request your data in a structured, commonly used, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)): Withdraw consent for optional processing (e.g., AI plan generation) at any time, without affecting the lawfulness of processing based on consent before its withdrawal

To exercise any of these rights, contact us at privacy@traqa.app. We will respond to your request within 30 days.

Right to lodge a complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD) at www.aepd.es, or with the supervisory authority in your EU member state of residence.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit: All data transmitted between the App and our servers is encrypted using TLS (Transport Layer Security)
  • Access isolation: Database-level security ensures you can only access your own data. No user can view, modify, or delete another user's data
  • Secure token storage: Authentication tokens are stored in encrypted device storage, not in plain text
  • No payment card storage: We never receive or store your payment card information — all payments are processed by Apple
  • Password security: Passwords are hashed and never stored in plaintext

10. Children's Privacy

TRAQA is not intended for users under 14 years of age, in accordance with the LOPDGDD (Art. 7), which sets the age of digital consent at 14 in Spain. We do not knowingly collect personal data from children under 14. If we discover that we have collected data from a child under 14, we will promptly delete that data. If you believe a child under 14 has provided us with personal data, please contact us at privacy@traqa.app.

11. Cookies and Local Storage

Website: The TRAQA website (traqalabs.com) does not use cookies or any tracking technologies.

App: The App uses local device storage to persist workout drafts and preferences locally on your device. This data never leaves your device unless synced as part of the core service. Authentication tokens are stored in encrypted device storage. No cookies or third-party tracking technologies are used in the App.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes through the App. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the App after notification of changes constitutes acceptance of the updated policy.

13. Contact

For privacy-related questions, data requests, or to exercise your rights under the GDPR, contact us at:

privacy@traqa.app

Supervisory authority: Agencia Española de Protección de Datos (AEPD) — www.aepd.es