Last modified 1st June 2018
This policy describes Train Xhale Limited's commitment to protecting your privacy while using the Xhale software and interacting with our company. It describes what data we may store about you, who has access to it, what we do with that data and how we look after it.
1. Data we may hold about you and reasons for storing it
1.1 Data provided by you or your coach
Most data we hold will have been provided directly by you or your coach (if you have one) in order to make the software useful. For example, you have opportunities to enter personal details in your profile, add schedule and training plans to your diary, and upload files with training data. This means we may know information such as your name, gender, date-of-birth and where you train. You can see all of the data that you or your coach have provided via your account when you sign into the Xhale website.
We advise you not to include particularly private information such as more sensitive information about your health or any other data that you would not want a future coach or a member of our staff to be able to see.
Outside of the software itself, if you have contacted us via means such as our customer support email, we hold an archive of those queries and our responses. This helps us give you better customer support.
1.2 Location data
When you upload training data this will likely contain GPS data detailing the exact location and times that you train. This includes where you start and end your journey and in some cases may indicate the location of your home. This data is stored for your benefit to help you (or your coach) analyse your training.
1.2 Payment details
Should you provide us with payment details for any of our paid services we use a payment company to store your card details and process financial transactions. Once submitted we do not have further access to your payment card number (except for the last 4 digits). Additionally your card number never touches our servers but is instead sent directly to our payment processor. You can read more about the security of our payment processor at https://stripe.com/help/security.
In order to judge what tax is applicable to your payments we may need to collect your home or business address to confirm your country of residence. This is also held by the same secure company as your payment card details. We only use this address for billing purposes.
1.3 Other data
Our server logs other data such as what web browser was used to access our website (trainxhale.com), the address of the website that referred you to trainxhale.com, the name of your operating system and your IP address. This data is not normally associated with your account, but we may occasionally attempt to make the connection in order to fix issues you may be experiencing.
Additionally we log when certain activities occur, such as when a training session is deleted or when a coach looks at your training data. These help us solve issues as well as understand how the service is being used.
1.4 Tracking data and cookies
We use 'cookies' to recognise you as you interact with Xhale. When you log in we place a 'session cookie' in your browser which allows us to recognise you and provide your customised experience on Xhale. When you log out we disassociate your account from the cookie and won't be able to recognise you again until you log back in. If you access the website via more than one web browser (for example on your laptop and on your phone), logging out of one does not mean you are logged out of the other.
2. Access to your data
All your uploaded data is private except for the following conditions:
- you opt in to sharing a session publicly
- you give a coach access to your account (see below)
- you have agreed to be part of Xhale promotional activities
2.1 Your access
The vast majority of your data is available to see directly from the Xhale website when you log into your account. For security reasons, your payment card details are not visible except for the last 4 digits and certain server logs are not available (though you have the right to request them).
2.2 Train Xhale's access
Staff at Train Xhale may access your data in order to provide support, fix technical issues and find ways to improve the software. Access is limited to authorised staff only, access by staff to diary content is logged, and data is treated confidentially unless it has otherwise been agreed between you and Xhale that we can use your training data for promotional purposes.
2.3 Access by your coach
By giving a coach access to your account, you are volunteering to share certain data about yourself with that person or company. Your full training diary including all its history, any training data (potentially containing personal GPS location data) and profile information you have filled out will be made available to them so that they can effectively provide their coaching services.
If you are not expecting a request to be coached via Xhale, we advise you to check the identity of the person requesting access by asking your coach directly via some means not involving Xhale (such as with a phone call).
If you decide to, you may later revoke the coach's access to your account. The coach's use of your data is subject to an agreement you have made between yourself and your coach. Their legal obligations to protect your privacy will depend on your country of residence and that of your coach.
2.4 Other access to your data
We will not sell your data to third parties.
You may opt into sharing specific training sessions publicly. If your training session file has been marked as public by another service we still default to keeping the data private on Xhale.
We use the services of a few companies to provide some of the functionality of Xhale. In those cases we share specific data to make that possible. For example we use a company that helps us send emails and to use this we must provide the content of the message as well as your email address. Another example is our payment processor which stores data related to making a payment. In these cases we share the minimum data required and provide this data with the understanding that the data will be used strictly for the service they are providing us.
2.5 Exporting your data
If you would like access to your data, please contact Xhale support. Exported data includes original training files and CSV exported data of your training data.
3. Security of your Data
Data is stored in secure servers in the United Kingdom. Passwords are encrypted, and payment information is stored by a company with Level 1 PCI compliance (which is the highest credential for securing financial data). All connections to the site are made using a secure SSL connection. We regularly perform updates to our server software, as well as review and improve our security and backup procedures.
Your data is backed up on a regular basis using multiple methods to ensure a balance between frequency of the backup and long term security of the data. When you delete any data on your Xhale account, that data may remain in a backup for a period of time in case we run into issues and we have to go back to an earlier state. We currently keep backed up data for a maximum of one year.
Some security of your individual account is your responsibility. In particular we advise you not to share your account password with any other individual or organisation. Passwords can be reset by anyone with access to your email account so it is important to keep your email account private and secure. We also suggest you use a strong password (a mixture of letters and numbers and other characters and at least 8 characters in length) that is unique to this website.
4. Deleting your data
You may delete diary entries and any information in your profile whenever you wish.
You can delete your entire account by visiting your account's settings page and requesting deletion of your account. Access to your account is removed immediately; however, there will be a delay before your data is completely removed. This is to guard against accidental or malicious deletion requests, giving you a chance to contact support and request that your account be restored.
It is not possible to delete back-up data without compromising the integrity of that backup as a whole (including many other customers' account details). However, we do delete backups after a maximum of one year.
5. Email and marketing
Sending you some email is required in order to operate your account. For example, when you create an Xhale account we will send you an email in order to verify your email address. This is required so that you have a means of resetting your password.
We may also occasionally send you reminders of the existence of your account if you have not been using it so that you are aware that we may still hold personal data and to make you aware of updates.
We also may send you marketing messages and updates on the software. You can opt out of receiving these messages.
6. Acceptance of this Policy
We view creating an account and continuing to use our site as acceptance of this Policy. However, we encourage you to contact us if you have any suggestions on how we should improve our privacy policies.
7. Changes to this Policy
We reserve the right to update or modify this policy at any time. Changes to this policy will be effective 30 days after posting it online.
8. Queries about this Policy
If you have any questions regarding this Policy or would like to make suggestions please contact us on firstname.lastname@example.org
Train Xhale Limited is a company registered in England and Wales with company #8891346