Privacy Policy
Effective Date: March 1, 2026 | Last Updated: March 1, 2026
QMC Training Intelligence (OPC) Private Limited ("QMC", "we", "our", or "us") is building TrainingSets (qmc-gamma-trainingsets.web.app), a training analytics platform for endurance athletes. platform for endurance athletes. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our services, including data obtained through third-party integrations such as Garmin Connect and Wahoo Cloud.
Summary: We collect your fitness and health data solely to provide you with training analytics. We do not sell your data. You can request deletion of your data at any time.
1. Information We Collect
1.1 Account Information
When you create an account on TrainingSets, we collect:
- Name and email address
- Password (stored in encrypted form)
- Profile information you choose to provide (age, weight, sport preferences)
1.2 Fitness and Health Data from Connected Devices (Garmin, Wahoo)
When you connect your Garmin or Wahoo account to TrainingSets, we access the following data through the Garmin Health API or Wahoo Cloud API with your explicit authorization:
| Data Category | Specific Data |
|---|---|
| Activity Files | .FIT files from Garmin and Wahoo devices containing GPS tracks, heart rate, power, cadence, speed, elevation, temperature, running dynamics, swimming metrics |
| Activity Summaries | Duration, distance, calories, sport type, device information |
| Physiological Metrics | VO2 Max, training load, training effect, HRV data, performance condition |
| Daily Summaries | Steps, sleep data, stress levels, body battery (only if you grant access) |
1.3 Data We Do NOT Collect
- We do not access your Garmin Connect or Wahoo login credentials. Authentication is handled through each provider's secure OAuth process.
- We do not collect financial or payment information through the Garmin integration.
- We do not access data from other Garmin Connect users through your connection.
2. How We Use Your Data
We use the data collected exclusively for the following purposes:
- Training Analysis: Parsing .FIT files to generate performance metrics, power analysis, pace zones, and training load calculations.
- Performance Tracking: Displaying trends, progress, and historical comparisons of your fitness data.
- Personalized Insights: Providing sport-specific analytics for cycling, running, swimming, and triathlon activities.
- Service Improvement: Aggregated, anonymized data may be used to improve our analytics algorithms.
We do NOT: Sell, rent, or trade your personal data or fitness data to any third party. We do not use your data for advertising or marketing purposes.
3. Data from Connected Devices (Garmin, Wahoo) — Specific Provisions
In compliance with Garmin's developer program requirements:
- Purpose Limitation: Data obtained through the Garmin Health API or Wahoo Cloud API is used solely to provide training analytics services to you within the TrainingSets platform.
- No Secondary Use: We do not use Garmin data for purposes unrelated to the services you have requested.
- No Data Resale: Health and fitness data from any connected device is never sold, licensed, or shared with third parties for their independent use.
- User Control: You may disconnect your Garmin or Wahoo account at any time through your TrainingSets account settings or through your device provider's account permissions.
- Data Deletion: Upon disconnection or account deletion, all device-sourced data is permanently deleted from our servers within 30 days.
4. Data Storage and Security
- All data is stored on secure, encrypted servers.
- Data in transit is protected using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256 encryption.
- Access to user data is restricted to authorized personnel only, on a need-to-know basis.
- We conduct regular security reviews and follow industry best practices for data protection.
4.1 Data Retention
We retain your data for as long as your account is active. If you delete your account:
- All personal data and fitness data is permanently deleted within 30 days.
- Anonymized, aggregated analytics data (which cannot identify you) may be retained for service improvement purposes.
5. Data Sharing
We share your data only in the following limited circumstances:
- Service Providers: With trusted infrastructure providers (cloud hosting, database services) who process data on our behalf under strict contractual obligations.
- Legal Requirements: If required by law, regulation, or legal process.
- With Your Consent: If you explicitly choose to share data with a coach, team, or other users within the TrainingSets platform.
6. Your Rights
You have the following rights regarding your data:
- Access: Request a copy of all data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request permanent deletion of your account and all associated data.
- Portability: Request your data in a machine-readable format.
- Revoke Consent: Disconnect third-party integrations (such as Garmin Connect) at any time.
- Restrict Processing: Request that we limit how we use your data.
To exercise any of these rights, contact us at [contact].
7. Children's Privacy
Our services are not intended for use by individuals under the age of 16. We do not knowingly collect data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
8. International Data Transfers
Your data may be processed in countries other than your country of residence. We ensure that appropriate safeguards are in place to protect your data in compliance with applicable data protection laws.
9. GDPR Compliance (European Economic Area)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following provisions apply under the General Data Protection Regulation (GDPR):
9.1 Legal Basis for Processing
We process your personal data under the following legal bases:
- Consent: When you connect your device account (Garmin, Wahoo) and authorize data access, you provide explicit consent for us to process your fitness and health data.
- Contract Performance: Processing necessary to provide you with the TrainingSets analytics service you have requested.
- Legitimate Interest: For service improvement using aggregated, anonymized data that does not identify you.
9.2 Your GDPR Rights
In addition to the rights listed in Section 6, EEA residents have the right to:
- Withdraw Consent: Withdraw your consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
- Object to Processing: Object to processing based on legitimate interests.
- Lodge a Complaint: File a complaint with your local Data Protection Authority (DPA) if you believe your rights have been violated.
- Data Portability: Receive your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV).
9.3 Data Transfers Outside the EEA
When we transfer personal data outside the EEA, we ensure adequate protection through Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.
9.4 Data Protection Officer
For GDPR-related inquiries, contact our Data Protection Officer at [contact].
10. CCPA Compliance (California, USA)
If you are a California resident, the following provisions apply under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
10.1 Your CCPA Rights
- Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale: We do not sell your personal information. We never have and never will.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
10.2 Categories of Information Collected
| Category (per CCPA) | Examples | Sold? |
|---|---|---|
| Identifiers | Name, email address | No |
| Biometric Information | Heart rate, HRV data | No |
| Geolocation Data | GPS tracks from activities | No |
| Health & Fitness Data | Power, cadence, VO2 Max, training load | No |
| Internet Activity | Usage logs within TrainingSets | No |
10.3 How to Submit a Request
California residents can submit requests by emailing [contact] with the subject line "CCPA Request". We will verify your identity and respond within 45 days.
11. DPDPA Compliance (India)
If you are located in India, the following provisions apply under the Digital Personal Data Protection Act, 2023 (DPDPA):
11.1 Consent and Purpose
- We obtain your free, specific, informed, and unambiguous consent before processing your personal data.
- Data is processed only for the lawful purposes stated in this Privacy Policy (training analytics and performance tracking).
- You have the right to withdraw consent at any time by disconnecting your Garmin account or deleting your TrainingSets account.
11.2 Your Rights Under DPDPA
- Right to Access: Obtain a summary of your personal data being processed and the processing activities.
- Right to Correction and Erasure: Request correction of inaccurate data or complete erasure of your personal data.
- Right to Grievance Redressal: You may raise a grievance with us. If unsatisfied, you may approach the Data Protection Board of India.
- Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.
11.3 Data Fiduciary Obligations
As a Data Fiduciary under DPDPA, QMC Training Intelligence:
- Implements reasonable security safeguards to protect personal data.
- Retains personal data only for the duration necessary for the stated purpose.
- Erases personal data upon withdrawal of consent or when the purpose has been fulfilled, unless retention is required by law.
- Will notify the Data Protection Board of India and affected users in the event of a personal data breach.
11.4 Grievance Officer
For DPDPA-related inquiries or grievances, contact our Grievance Officer at [contact]. We will acknowledge your grievance within 48 hours and resolve it within 30 days.
Regulatory Compliance: TrainingSets is committed to complying with GDPR (EU), CCPA/CPRA (California), and DPDPA (India). If you have questions about how these regulations apply to your use of our platform, contact us at [contact].
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date above. Your continued use of our services after such changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
QMC Training Intelligence (OPC) Private Limited
Product: TrainingSets
Email: [contact]
Website: qmc-gamma-trainingsets.web.app