Privacy Policy

Last updated: 20 April 2026

English  ·  Deutsch

1. Overview

Triple Peaks ("we", "us") respects your privacy. This policy explains what personal data we process, why we process it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR), the revised Swiss Federal Act on Data Protection (revFADP), and the UK GDPR where applicable. It covers triplepeaks.coach, app.triplepeaks.coach, and our iOS and Android apps.

2. Who We Are

Lukas Carullo
Basel
Switzerland
Email: triplepeaks@online.de

For any privacy-related request, contact us at the email above.

3. What We Collect

  • Account data: email address, first name (optional), and authentication identifiers from Strava OAuth. We never see or store your Strava password.
  • Training data: activities and profile fields received from Strava after you connect it — duration, distance, pace, heart rate, GPS, power, cadence, and training history. This is health-adjacent data and is processed based on your explicit consent.
  • Content you provide: training goals, availability, workout and race feedback, and messages to the AI coach.
  • AI-generated data: training plans, workout analyses, race analyses, and coach chat responses.
  • Subscription data: subscription status and purchase confirmations from the app store. We never receive your payment card details.
  • Technical data: device type, operating system, app version, IP address (shortened where feasible), and crash reports.

4. Why We Use It & Legal Basis

  • Contract (GDPR Art. 6(1)(b); revFADP Art. 31(2)(a)) — operating the service you signed up for: generating training plans, analyzing workouts and races, adapting plans, and answering coaching questions.
  • Explicit consent (GDPR Art. 9(2)(a); revFADP Art. 6(7)) — processing of training data relating to your health, including transmission to our AI provider.
  • Consent (GDPR Art. 6(1)(a)) — optional coaching and notification emails.
  • Legitimate interest (GDPR Art. 6(1)(f); revFADP Art. 31(1)) — security, abuse prevention, and operating essential technical functions.
  • Legal obligation (GDPR Art. 6(1)(c); revFADP Art. 31(1)) — retention for Swiss tax and commercial law.

You can withdraw consent at any time with effect for the future, for example by disconnecting Strava, disabling a feature, or deleting your account. We do not use your data to train third-party AI models, we do not sell personal data, and we do not run behavioral advertising.

5. AI-Powered Coaching

We use a third-party large language model (LLM) provider to generate training plans, analyze workouts and races, adapt plans, and power the AI coach chat. On your behalf, we send this provider your training profile, summarized workout metrics (not the raw GPS track), race results and feedback, and the content of your messages to the coach. We do not send your Strava access tokens, your password, or your subscription data.

Our LLM provider acts as our processor under a signed Data Processing Addendum. It does not use our data to train its models. API content is retained by the provider for up to 30 days and then deleted, unless a longer period is required by applicable law.

Training plans and adaptations are produced by a large language model and are advisory only. They are not medical advice and do not replace professional judgment. You are free to ignore or modify any suggestion, and you can disable AI features or delete your account at any time.

6. Who Else Processes Your Data

We engage a small number of service providers to operate Triple Peaks. We disclose them by category below. We will notify registered users before making material changes.

CategoryPurposeLocationTransfer mechanism
LLM provider AI coach chat, plan generation, workout & race analysis, plan adaptation EU entity; processing may occur in the United States DPA; EU SCCs Module 2; FDPIC-recognized amendments for Swiss data
Cloud hosting provider Application hosting, database, backups Germany (EU) DPA; no third-country transfer
Email delivery provider Transactional and notification emails EU / United States DPA; EU SCCs Module 2 where applicable
Activity data source (Strava) OAuth sign-in and activity import, which you authorize United States Your direct authorization; Strava's own terms and privacy policy apply
App store operator App distribution and subscription billing (App Store / Google Play) EU / United States The store operator acts as an independent controller for its own processing

You can request the specific identity of any provider in the list above by emailing us.

7. International Data Transfers

Some of the providers above process data in the United States. Those transfers are safeguarded by the EU Standard Contractual Clauses (Module Two, Controller-to-Processor), together with the Swiss-specific amendments recognized by the Federal Data Protection and Information Commissioner (FDPIC) where Swiss data subjects are concerned. Where a provider self-certifies under the EU-US Data Privacy Framework, we may rely on that framework as an additional safeguard.

8. Retention

  • Account and training data are retained while your account is active.
  • On account deletion, personal data is deleted from our systems within 30 days, and from backups within 90 days.
  • Content sent to our LLM provider is retained by the provider for up to 30 days and then deleted.
  • Records required by Swiss tax and commercial law (Art. 958f CO) are retained for 10 years.

9. Your Rights

Under GDPR and revFADP you have the right to access, rectify, erase, or port your personal data; to restrict or object to processing; and to withdraw consent at any time. To exercise any of these rights, email triplepeaks@online.de. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority — for Swiss residents the Federal Data Protection and Information Commissioner (FDPIC), for EU residents the authority in your country of residence, for UK residents the Information Commissioner's Office (ICO).

10. Security, Cookies, Children & Changes

Security: we use TLS for all network connections, encryption at rest for sensitive data, least-privilege access, and regular encrypted backups. If we become aware of a data breach likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours where required and inform affected users without undue delay.

Cookies: this marketing website sets no cookies and uses no analytics or advertising trackers. The app uses only strictly necessary cookies for authentication and session management.

Children: Triple Peaks is not intended for users under 16. We do not knowingly collect data from children under 16.

Changes: we may update this policy. For material changes we will notify registered users at least 14 days in advance. The "Last updated" date above reflects the current version.