Legal

Privacy Policy

Last updated March 25, 2026 · True Effort / Derrick Blackwell DBA True Effort

This Privacy Notice for Derrick Blackwell (doing business as True Effort) ("we," "us," or "our") describes how and why we might access, collect, store, use, and share your personal information when you use our services, including when you visit trueeffort.co, use the True Effort platform, or engage with us in other related ways.

Questions or concerns? Contact us at [email protected].

Overview

Summary of Key Points

What we collect: Personal info you provide (name, email, wearable health data, heart rate, fitness metrics) plus data automatically collected when you use the platform.

Sensitive data: We process health data and biometric data from your connected wearable devices. This is always handled with your consent and used only to power your effort scores and coaching.

Third parties: We share data with service providers (cloud, AI, email) who help us operate the platform. We never sell your personal information.

Your rights: Depending on where you live, you may access, correct, or delete your data. Contact [email protected] to exercise any right.

Section 01

What Information Do We Collect?

Information you provide directly

We collect personal information you voluntarily provide when you register, participate in activities on the platform, or contact us. This includes:

  • Name and display name
  • Email address
  • Username
  • Contact and communication preferences
  • Date of birth or age
  • Biological sex or gender (for age/gender-group challenges)
  • Fitness level or experience level
  • Primary sport or activity preference
  • Profile photos or avatars
  • Resting heart rate and max heart rate (manual entry or from wearable)
  • Heart rate data, fitness and workout data, wearable device data

Sensitive information

With your consent or as permitted by law, we process the following sensitive categories:

  • Health data — heart rate zones, HRV, VO2 max, effort scores derived from biometric data
  • Biometric data — wearable sensor measurements used to calculate effort
  • Account login credentials — stored securely (bcrypt, 12 rounds; never in plain text)

Information collected automatically

When you use the platform, we automatically collect log and usage data (IP address, device info, browser type, activity timestamps) and device data. We also derive fitness performance metrics from your wearable data — effort scores, HR zone classifications, baselines, and training consistency streaks.

Information from other sources

We receive workout and health data from wearable device providers (such as Garmin) through the Open Wearables API when you connect your device. We notify you of this at the time of connection and obtain your consent.

Section 02

How Do We Process Your Information?

We process your personal information for the following purposes:

  • To deliver the service — calculate effort scores, baselines, streaks, and leaderboards
  • Account management — create and maintain your account
  • User communications — enable community features, leaderboards, and challenges
  • Administrative info — send platform updates, policy changes, and service notifications
  • Coaching notifications — send AI-powered training insights via your preferred channel (email or SMS)
  • Feedback — understand how you use the platform to improve it
  • Security and fraud prevention — protect the platform from gaming or abuse of the scoring system
  • Usage trends — analyze aggregate patterns to improve baseline calculations and platform fairness
  • Community leaderboards and challenges — aggregate effort scores for community competition features

Section 03

Legal Bases for Processing

We rely on the following legal bases:

  • Consent — for processing sensitive health and biometric data, and for AI coaching features. You can withdraw consent at any time.
  • Performance of a contract — to provide the effort scoring service you signed up for
  • Legitimate interests — to improve the platform, prevent scoring abuse, and maintain fair competition
  • Legal obligations — to comply with applicable law

If you are in Canada, we process your information with your express or implied consent. You may withdraw consent at any time by contacting us.

Section 04

When and With Whom Do We Share Your Information?

We disclose your data only to service providers who need it to operate the platform. We never sell your personal information.

Service provider categories

  • Cloud computing services — Railway (backend hosting)
  • Data storage providers — Supabase (database)
  • Website hosting — Netlify (frontend)
  • Communication tools — Resend (transactional email)
  • AI platforms — Anthropic (Claude API, AI coaching)
  • Authentication services — Supabase Auth
  • Wearable data providers — Open Wearables API (data normalization layer)
  • Performance monitoring — future analytics tooling

Other situations

  • Business transfers — if True Effort is acquired or merged, your data may transfer as part of that transaction
  • Other users — your display name, effort score, and streak are visible to community members based on your visibility settings. You can toggle these off at any time in account settings.

Section 05

Do We Offer AI-Based Features?

Yes. True Effort uses AI to power personalized coaching notifications. We use Anthropic (Claude API) as our AI provider.

When you interact with AI coaching, your workout history, current streak, baseline trend, and goal progress are shared with the AI to generate a personalized response. Your HR zone data and raw biometric numbers are not included in AI prompts.

To opt out of AI coaching, update your preferences in account settings or contact [email protected].

Section 06

How Long Do We Keep Your Information?

We keep your personal information for as long as you have an active account with us. After account termination, we retain data for up to 12 months to handle disputes, fraud prevention, and legal obligations, after which it is deleted or anonymized.

Section 07

How Do We Keep Your Information Safe?

We implement technical and organizational security measures including:

  • JWT authentication with role-based access control (RBAC)
  • bcrypt password hashing (12 salt rounds)
  • HMAC-SHA256 webhook signature validation
  • HTTPS on all endpoints
  • Environment variable secret management — no secrets in code
  • Audit logging for sensitive operations

No system is 100% secure. Transmission of personal information is at your own risk. Please use the platform within a secure environment.

Section 08

Do We Collect Information from Minors?

We do not knowingly collect data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18. If we learn that data from a user under 18 has been collected, we will deactivate the account and delete the data. Contact [email protected] if you become aware of any such data.

Section 09

What Are Your Privacy Rights?

Depending on your location, you may have the following rights:

  • Right to access your personal data
  • Right to correct inaccuracies
  • Right to request deletion
  • Right to data portability
  • Right to withdraw consent at any time
  • Right to object to processing
  • Right to opt out of AI coaching
  • Right to opt out of marketing communications (unsubscribe link in emails or reply STOP to SMS)

To exercise any right, contact [email protected]. We will respond in accordance with applicable law.

Account information

You can review or update your account information by logging into account settings. To terminate your account, contact us directly. We will deactivate the account and remove your data from active systems within the retention window above.

Mobile information

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. SMS opt-in data and consent will not be shared with third parties.

Section 10

Controls for Do-Not-Track Features

We do not currently respond to Do-Not-Track browser signals as there is no finalized industry standard. If a standard is adopted that we must follow, we will update this notice accordingly.

Section 11

Do United States Residents Have Specific Privacy Rights?

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have additional rights under your state's privacy law.

Categories of data collected

Category | Examples | Collected
Identifiers | Name, email, username, IP address | No
Protected characteristics | Age, gender, date of birth | No
Biometric information | Heart rate, wearable sensor data | No
Internet activity | Usage logs, page views | No
Inferences from collected data | Effort scores, baselines, streaks, training profiles | Yes
Sensitive personal information | Account login, biometric data, health data | Yes

Note: Categories marked "No" reflect that we currently have no users. This table will be updated as the platform launches.

How to exercise your rights

Email [email protected]. Under certain laws, you may designate an authorized agent to make a request on your behalf.

Appeals

If we decline your request, you may appeal by emailing [email protected]. If your appeal is denied, you may submit a complaint to your state attorney general.

Section 12

Do We Make Updates to This Notice?

Yes. We will update this notice as necessary to stay compliant with relevant laws. Material changes will be communicated via a notice on the platform and via email.

Section 13

How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may contact us at:

Data Controller

Derrick Blackwell DBA True Effort

Harrisburg, NC 28075 · United States