Privacy Policy
Last updated: 22 March 2025
Effective date: 22 March 2025
1. Who we are
Trivve is operated by Trivve B.V. (registration pending), based in the Netherlands.
- Website: https://trivve.app
- Contact: support@trivve.app
In this policy, “Trivve”, “we”, “us”, and “our” refer to Trivve B.V. “You” and “your” refer to you, the user of our services.
Where we process your personal data as described in this policy, Trivve B.V. acts as the data controller under the EU General Data Protection Regulation (GDPR).
2. What this policy covers
This policy explains how we collect, use, share, and protect your personal data when you:
- Visit our website at trivve.app
- Create an account and use the Trivve application
- Connect third-party integrations (e.g., Strava, Garmin, TrainingPeaks)
- Interact with our AI nutrition coach
- Subscribe to a paid plan
3. Data we collect
3.1 Account & profile data
When you create an account and complete onboarding, we collect:
- Identity data: name, email address
- Body & biometric data: age, sex, height, weight, goal weight, weight change targets
- Sport & preference data: sports practised, experience level, dietary preference (e.g., vegan, keto), allergies, food intolerances, disliked foods
- Race calendar data: race names, dates, and distance categories
3.2 Health & fitness data (special category data)
We collect and process data that may qualify as health data under GDPR Article 9. This includes:
- Body measurements (weight, height, BMI)
- Heart rate data (synced from connected platforms)
- Training activities (duration, distance, elevation, calories burned, sport type)
- Daily nutrition targets (calories, macronutrients, hydration)
- Food log entries (meal descriptions, estimated macronutrient breakdown)
- AI coaching conversations about your nutrition, training, and body composition
We process this data based on your explicit consent, which we obtain during account creation. You may withdraw consent at any time (see Section 9).
3.3 Data from connected platforms
When you connect third-party platforms, we receive data from those services:
| Platform | Data received |
|---|---|
| Strava | Activities (name, sport type, date, duration, distance, elevation, calories, heart rate), OAuth tokens |
| Garmin (planned) | Activities and training data similar to Strava |
| TrainingPeaks (planned) | Planned workouts (date, title, description, duration, TSS) |
You can disconnect these integrations at any time in your account settings. Disconnecting stops future data syncing but does not automatically delete previously synced data. You can request deletion separately (see Section 9).
3.4 Payment data
We use Stripe to process payments. Trivve B.V. is the merchant of record. When you subscribe to a paid plan:
- Stripe collects and stores your payment card details on our behalf
- We store your Stripe customer ID and subscription status
- We never see or store your full credit card number
For details on how Stripe handles your data, see Stripe's Privacy Policy.
3.5 Coaching conversation data
When you interact with the AI nutrition coach, we collect:
- Your messages to the coach
- The coach's responses
- A rolling coaching summary generated from your conversation history
Conversations are processed by Anthropic's Claude API. Anthropic does not use API data for model training and retains API logs for a maximum of 7 days before deletion.
3.6 Automatically collected data
When you visit our website or use the app, we may automatically collect:
- Device & browser data: IP address, browser type, operating system, device type, screen resolution
- Usage data: pages visited, features used, session duration, click patterns
- Cookies & similar technologies: see Section 7
3.7 Analytics data
We use Mixpanel for product analytics to understand how our service is used and to improve it. Mixpanel may collect:
- Anonymised or pseudonymised usage events
- Feature usage patterns and funnel data
- Device and session metadata
4. How we use your data
We use your personal data for the following purposes:
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide AI nutrition coaching | Profile, health & fitness data, conversations, connected platform data | Explicit consent (Art. 9(2)(a)) + contractual necessity (Art. 6(1)(b)) |
| Calculate daily macro & calorie targets | Body data, training data, race calendar | Explicit consent + contractual necessity |
| Process payments and manage subscriptions | Payment data, email, subscription status | Contractual necessity (Art. 6(1)(b)) |
| Sync training data from connected platforms | OAuth tokens, activity data | Explicit consent (Art. 9(2)(a)) |
| Send transactional emails (e.g., magic link sign-in) | Email address | Contractual necessity (Art. 6(1)(b)) |
| Analyse usage and improve the product | Analytics & usage data | Legitimate interest (Art. 6(1)(f)) |
| Ensure security and prevent abuse | IP address, device data, session data | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | As required | Legal obligation (Art. 6(1)(c)) |
| Send marketing communications (only with your consent) | Email address | Consent (Art. 6(1)(a)) |
We will never sell your personal data to third parties.
5. Who we share your data with
We share personal data only with the following categories of processors and partners, all of whom are contractually bound by Data Processing Agreements (DPAs):
| Service provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Cloudflare (Workers, D1, Queues, R2) | Application hosting, database, background jobs | Global edge / US | EU-US Data Privacy Framework / DPA |
| Vercel | Frontend hosting (Next.js) | US | EU-US Data Privacy Framework / DPA |
| Anthropic (Claude API) | AI coaching responses | US | DPA; data not used for model training |
| Stripe | Payment processing | US | EU-US Data Privacy Framework / DPA |
| Google Firebase | Authentication (magic link sign-in) | US | EU-US Data Privacy Framework / DPA |
| Strava | Training data sync (OAuth) | US | EU-US Data Privacy Framework / DPA |
| Garmin (planned) | Training data sync (OAuth) | US | DPA |
| TrainingPeaks (planned) | Training plan sync (OAuth) | US | DPA |
| Nutritionix | Food search and macro lookup | US | DPA |
| Mixpanel | Product analytics | US | EU-US Data Privacy Framework / DPA |
We may also disclose data:
- When required by law, regulation, or legal process
- To protect the rights, safety, or property of Trivve, our users, or the public
- In connection with a merger, acquisition, or sale of assets (you will be notified)
6. International data transfers
Trivve B.V. is based in the Netherlands (EU). Some of our service providers are based in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure it is protected by:
- The EU-US Data Privacy Framework (for certified providers)
- Standard Contractual Clauses (SCCs) approved by the European Commission (for non-DPF-certified providers)
- Data Processing Agreements (DPAs) with all processors
7. Cookies and tracking technologies
Cookies we use
| Cookie type | Purpose | Legal basis |
|---|---|---|
| Strictly necessary | Authentication, session management, security | Legitimate interest (no consent required) |
| Analytics | Product usage measurement (Mixpanel) | Consent |
| Functional | User preferences (e.g., theme) | Consent |
We do not use advertising or third-party tracking cookies.
Managing cookies
You can manage your cookie preferences at any time through:
- Our cookie consent banner (shown on first visit)
- Your browser settings
8. Data retention
We retain your data for as long as necessary to provide the service and comply with legal obligations:
| Data type | Retention period |
|---|---|
| Account & profile data | Until you delete your account |
| Health & fitness data | Until you delete your account or request deletion |
| Training activities (synced) | Until you delete your account or disconnect the integration and request deletion |
| Coaching conversations | Active conversations retained during account lifetime; older conversations summarised and original messages deleted after 90 days |
| Food log entries | Until you delete your account |
| Payment records | As required by Dutch tax law (7 years from transaction date) |
| Analytics data | Anonymised/pseudonymised; retained per Mixpanel’s retention settings |
When you delete your account, we delete or anonymise all personal data within 30 days, except where retention is required by law.
9. Your rights
9.1 Rights under GDPR (EU/EEA users)
You have the following rights under the GDPR:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate or incomplete data
- Erasure (“right to be forgotten”) — Request deletion of your data
- Restriction — Request we limit processing of your data
- Portability — Receive your data in a structured, machine-readable format
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Withdraw consent for health data processing at any time (this does not affect the lawfulness of processing before withdrawal)
- Automated decision-making — You have the right not to be subject to decisions based solely on automated processing. Trivve's AI coach provides nutritional suggestions, not binding decisions. You are always free to disregard any suggestion.
To exercise any of these rights, email support@trivve.app. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
- Website: https://autoriteitpersoonsgegevens.nl
- Phone: +31 (0)70 888 85 00
9.2 Rights under US state privacy laws
If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), or other US states with comprehensive privacy laws, you have the right to:
- Know what personal data we collect, use, and share
- Access your personal data
- Delete your personal data
- Correct inaccurate personal data
- Opt out of the sale or sharing of personal data — Trivve does not sell or share your personal data for advertising purposes
- Limit the use of sensitive personal data — We only use sensitive data (health/fitness) to provide the coaching service
- Non-discrimination — We will not discriminate against you for exercising your privacy rights
To exercise these rights, email support@trivve.app.
9.3 Do Not Sell or Share My Personal Information
Trivve does not sell your personal information. We do not share your personal information for cross-context behavioural advertising. No opt-out is necessary, but you may contact us at any time to confirm.
10. Children’s privacy
Trivve is not intended for anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal data, please contact us at support@trivve.app.
11. AI-specific disclosures
Trivve uses artificial intelligence to provide nutrition coaching. Here is how AI processes your data:
- AI provider: Anthropic (Claude API)
- What is sent to the AI: Your athlete profile, training context, conversation history, and your messages
- Data retention by AI provider: Anthropic retains API logs for a maximum of 7 days, then deletes them
- Model training: Anthropic does not use API data to train its models
- Human review: Conversations may be flagged and reviewed by Trivve staff for safety purposes (e.g., detecting harmful content). Flagged conversations are handled confidentially.
- Not medical advice: AI coaching responses are nutritional suggestions only. They are not medical advice and should not replace consultation with a qualified healthcare professional.
12. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Access controls and authentication (JWT + OAuth 2.0)
- Input sanitisation and output validation on AI interactions
- Regular review of security practices
- Use of reputable, security-certified infrastructure providers
No system is 100% secure. If you become aware of a potential security issue, please contact us immediately at support@trivve.app.
13. Changes to this policy
We may update this privacy policy from time to time. When we make material changes, we will:
- Update the “Last updated” date at the top of this page
- Notify you via email or in-app notification for significant changes
- Where required by law, obtain your consent before applying changes to how we process your data
We encourage you to review this policy periodically.
14. Contact us
If you have questions about this privacy policy or how we handle your personal data:
- Email: support@trivve.app
- Entity: Trivve B.V., the Netherlands