Last updated: May 7, 2026
Privacy Policy
This Privacy Policy explains how Traneos, operated by [LEGAL ENTITY NAME] (“Traneos,” “we,” “us,” or “our”), collects, uses, shares, and protects personal information when you use the Traneos website, applications, and services (the “Service”). It applies to trainers and organization owners who sign up for Traneos, to clients who use the client portal, and to visitors of our website.
1. Roles: who is responsible for what
When a trainer or coaching business (the “Customer”) uses Traneos to manage information about their clients, the Customer is the controller of that client information and Traneos acts as a processor on the Customer’s behalf. The Customer decides what client information to collect, how long to keep it, and the legal basis for processing it. If you are a fitness client and want to access, correct, or delete your data, please contact your trainer or coaching business first.
Traneos is the controller of personal information about Customers themselves (the people who sign up for Traneos accounts) and website visitors.
2. Information we collect
Account information. When you register, we collect your name, email address, password (hashed with bcrypt), profile photo, contact number, business address, tax ID, currency, timezone, and similar profile fields.
Customer Data. Trainers enter or upload information about their clients into Traneos, including names, contact details, goals, body metrics (weight, BMI, body-fat %, muscle mass, etc.), progress photos, workout schedules and attendance, diet plans, payments and invoices, and message logs. The trainer chooses what to enter; we process this Customer Data on the trainer’s behalf to provide the Service.
Client portal data. When a client signs in to the client portal via email OTP, we collect their email address, the OTP codes (with limited TTL), session tokens, and basic device identifiers used for the sign-in.
Payments. Subscription payments are processed by Razorpay. Traneos receives subscription and invoice metadata (e.g. subscription IDs, statuses, amounts, last-four digits where applicable) but does not store full card numbers.
Messaging. When a trainer sends WhatsApp or email reminders through the Service, we store metadata about each send (template, status, timestamps, delivery receipts) and any STOP opt-out responses received via the WhatsApp webhook.
Usage and device data. We collect logs about how the Service is used, including IP address, browser type, pages viewed, actions taken, and error reports, to operate, secure, and improve the Service.
Cookies. We use only strictly necessary cookies for authentication (NextAuth session cookies), CSRF protection, and remembering your light/dark theme preference. We do not use advertising or cross-site tracking cookies. Aggregate marketing-site traffic is measured via Vercel Web Analytics, which is cookieless and does not identify individual visitors.
3. How we use information
We use the information described above to:
- provide, maintain, and improve the Service;
- authenticate users, including via NextAuth credentials and Google OAuth, and authorize access based on role and permissions;
- send transactional emails (verification, password reset, invites, reminders, billing) and, where enabled, WhatsApp messages;
- process subscriptions and invoices, prevent fraud, and comply with tax and accounting obligations;
- generate AI-assisted outputs (e.g. body-metrics scan, diet nutrition estimates) when a trainer triggers them;
- monitor performance and security, debug issues, enforce rate limits, and protect against abuse;
- communicate with you about the Service and respond to support requests; and
- comply with legal obligations and enforce our Terms.
4. Legal bases (for users in the EEA / UK)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Contract — to provide the Service to Customers, including authenticating users and processing subscriptions;
- Legitimate interests — to secure, debug, and improve the Service, prevent abuse, and run our business;
- Consent — for non-essential analytics or marketing communications, where we ask for it; you can withdraw consent at any time;
- Legal obligation — to comply with tax, accounting, and other applicable laws.
For users in India, we process personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act), primarily on the basis of consent (express or deemed) or for legitimate uses recognized under the Act.
5. Service providers (subprocessors)
We rely on the following service providers to operate the Service. Each is bound by appropriate confidentiality and data-processing terms. The list may change as we update our infrastructure; we will keep this section current.
- Vercel — application hosting and Vercel Analytics (United States / global).
- Neon — managed PostgreSQL database hosting (United States; encrypted at rest).
- Cloudflare R2 — object storage for profile photos, business logos, client avatars, and progress photos (global; signed URLs).
- Resend — transactional email delivery (United States).
- Razorpay — subscription billing and invoice processing (India).
- WhatsApp (Meta) Cloud API — outbound template messages and inbound delivery / opt-out webhooks (global).
- OpenAI — AI-assisted body-metrics extraction and diet-nutrition estimates, triggered only on trainer action (United States). We do not use Customer Data submitted via the API to train OpenAI’s models.
- Upstash Redis — sliding-window rate limiting (global).
- Google — OAuth sign-in for Customers who choose “Continue with Google” (United States / global).
6. Sharing and disclosure
We do not sell personal information. We share information only with the service providers listed above, with other users in your organization as required by the Service (e.g. trainers see clients assigned to them; Owners see everything in their organization), and as needed to:
- comply with applicable law, regulation, legal process, or government request;
- enforce our Terms or protect the rights, property, and safety of Traneos, our users, or others;
- in connection with a merger, acquisition, financing, or sale of assets — we will notify you and require any successor to honor this Privacy Policy.
7. International transfers
Traneos operates from India and uses service providers that may process data in the United States, the European Union, India, and other regions. Where required (e.g. for transfers from the EEA / UK), we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms.
8. Data retention
We retain personal information for as long as your account is active and as needed to provide the Service. Some examples:
- Account and Customer Data are retained for the life of the account;
- Email-OTP codes for the client portal expire within minutes and are pruned by a daily cron;
- Verification, password-reset, and invitation tokens have short TTLs (typically 1–24 hours);
- Logs, message-delivery metadata, and security records are retained for a limited period for operational and audit purposes;
- Invoices and billing records are retained as required by tax and accounting law.
When you delete your account, we delete or de-identify Customer Data and associated files (including R2 objects) within a reasonable period, except where we must retain certain records to comply with legal obligations or to resolve disputes.
9. Security
We use technical and organizational measures designed to protect personal information, including TLS in transit, encryption at rest for databases and object storage, hashed passwords, sliding-window rate limiting on sensitive endpoints, signed URLs for file access, role-based access controls within organizations, and signed webhook verification for Razorpay and WhatsApp. No system is perfectly secure; we cannot guarantee absolute security.
10. Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict, or port your personal information, or to object to certain processing. If you are a Customer (account holder), you can exercise many of these rights directly from Settings, including updating your profile, downloading invoices and CSV exports, and deleting your account.
If you are a fitness client whose information was added by a trainer, please contact that trainer to exercise your rights with respect to the data they hold about you. You can also contact us at privacy@traneos.com; we will route your request appropriately.
You have the right to lodge a complaint with a data protection authority. In India, that is the Data Protection Board established under the DPDP Act. In the EEA / UK, it is your local supervisory authority.
11. Children
The Service is not directed to children under 18, and we do not knowingly collect personal information from children. If a Customer chooses to manage records about a minor client, the Customer is responsible for obtaining the consent of a parent or guardian as required by applicable law.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date above and, for material changes, give you reasonable notice (e.g. by email or in-app). Your continued use of the Service after changes take effect means you accept the updated Privacy Policy.
13. Contact us
For questions about this Privacy Policy or your data, email us at privacy@traneos.com. You can also review our Terms of Service.