Privacy Policy — cellTrainer

Effective date: May 3, 2026 Version: 1.0

1. Controller

The data controller within the meaning of Article 4(7) GDPR is:

Michael Skerwiderski Zweigstraße 30a 82178 Puchheim Germany

Email: michael@skerwiderski.de Web: https://celltrainer.skerwiderski.cloud

2. Principle

cellTrainer is built on a privacy-by-design principle. The app processes training, sensor, and profile data exclusively on your iOS device. There is no provider-operated cloud backend: no personal data is transmitted to any server operated by the provider — except via third-party integrations that you explicitly enable (see Section 7).

cellTrainer contains no tracking, no telemetry, no advertising, and no analytics SDKs, and performs no profiling within the meaning of Article 4(4) GDPR.

3. Categories of Data Processed

3.1 Sensor Data (Bluetooth Low Energy)

cellTrainer connects to wireless sensors that you pair yourself. The following raw data fields are read and processed:

• Heart rate (HR) and RR intervals (time between consecutive heartbeats — basis of heart rate variability, HRV)
• Muscle oxygen saturation SmO₂ and hemoglobin concentrations O₂Hb / HHb (with compatible NIRS sensors such as Train.Red FYER)
• Power in watts (power meter)
• Cadence
• Speed, incline, distance, stride length, elapsed time (treadmill / indoor bike, standard FTMS)

3.2 Computed Training Metrics

cellTrainer derives metrics locally on your device from the raw sensor data:

• Detrended Fluctuation Analysis α1 (DFA α1) and quality score
• Training zones (power, pace) based on your FTP / pace threshold
• Ventilatory thresholds VT1 / VT2 (DFA-based, calibratable)

3.3 Profile and Settings

You voluntarily enter the following data in the app:

• First name, last name (optional)
• Date of birth (used for age-based calculations)
• Gender
• Body weight, height
• FTP, pace threshold, individual DFA thresholds
• App configuration (paired sensors, display layout, training modes)

3.4 Training Sessions

For each training session, the following are stored:

• Time series with one row per second — all sensor values from 3.1 and metrics from 3.2
• Summaries (duration, distance, elevation gain, average and peak values)
• Lap breakdowns
• Optionally: environment data (temperature, humidity) from your Home Assistant instance, if connected (see Section 7.4)

cellTrainer does not collect location (GPS) data, audio, video, or contact data. The app is designed for indoor training; distances are integrated from sensor speed, not derived from GPS positions.

4. Purposes and Legal Bases

4.1 Performance of Core Functionality — Article 6(1)(b) GDPR

Processing of sensor, profile, and training data is necessary to provide the app in the scope you adopt by installing and configuring it.

4.2 Health Data — Article 9(2)(a) GDPR

Sensor data such as heart rate, RR intervals, muscle oxygenation, and the metrics derived from them are health data within the meaning of Article 4(15) GDPR. Their processing is based exclusively on your explicit consent, which you give by pairing a sensor and starting a training session. You can withdraw consent at any time by unpairing the sensor or uninstalling the app (see Section 11).

4.3 Local Storage — Section 25(2)(2) TTDSG (German Telecommunications-Telemedia Data Protection Act)

Storing profile, settings, and training data on your device is technically necessary to provide the function you have requested; therefore, no separate consent under Section 25(1) TTDSG is required.

4.4 Third-Party Integrations — Article 6(1)(a) GDPR and Article 49(1)(a) GDPR

Data transmissions to Garmin Connect, Intervals.icu, HiDrive, and Home Assistant occur exclusively based on your explicit consent, which you provide by deliberately enabling and authenticating each integration (details in Section 7). To the extent data is transferred to a third country, the transfer is also based on your explicit consent within the meaning of Article 49(1)(a) GDPR.

cellTrainer does not rely on legitimate interests (Article 6(1)(f) GDPR) for any processing.

5. Local Storage

5.1 Storage Locations on Your Device

• iOS Keychain: OAuth tokens and API keys for the third-party integrations you have enabled (Garmin Connect, HiDrive, Intervals.icu, Home Assistant). The Keychain is hardware-backed encrypted and protected by your device passcode or Face ID / Touch ID.
• App sandbox: Training sessions as files (.ctd.json.gz, FIT, XLSX), profile settings, and app configuration. These files reside exclusively in the app's isolated data container and are protected by iOS device encryption.

5.2 Encryption

• All app data is protected by iOS device encryption, provided you have set a device passcode or Face ID / Touch ID.
• When exporting settings to the .cts format, you may set a passphrase; sensitive content such as third-party tokens is encrypted in this file using AES-256-GCM (PBKDF2-SHA-256, 200,000 iterations).

5.3 Deletion

• Uninstalling the app removes all data stored by cellTrainer.
• You can disconnect any third-party integration at any time in the app settings; the corresponding tokens are removed from the Keychain.
• You can delete your user profile within the app settings.

5.4 iCloud Backup

If you have enabled iCloud Backup on your device, training sessions and settings are — like all app data — backed up to your Apple iCloud account. Tokens stored in the Keychain are subject to your iCloud account's backup rules. The cellTrainer provider has no access to these backups; they are governed exclusively by your contract with Apple.

6. HealthKit

cellTrainer does not use HealthKit. The app does not read data from the Apple Health app and does not write data to it. No HealthKit permission is requested.

7. Optional Third-Party Integrations

The following integrations are optional. They are active only if you deliberately set them up and authenticate against the respective provider with your own account. You can disconnect any integration at any time in the app settings; the associated tokens are removed from the Keychain.

cellTrainer is not the operator of these services. Processing of your data by each third-party provider is governed exclusively by that provider's privacy policy.

7.1 Garmin Connect

• Provider: Garmin International, Inc., 1200 East 151st Street, Olathe, Kansas 66062, USA
• Authentication: OAuth 1.0a + OAuth 2.0 (you sign in with your Garmin account)
• Data flow:
• Upload (initiated by you or automatically after a session, if enabled): the full training file in FIT format, including all data from Section 3.4
• Download: athlete profile, training plans, training calendar, biometric thresholds (lactate threshold, FTP) — if available in Garmin Connect
• Third-country transfer: Garmin processes data in the United States. The transfer is based on your explicit consent under Article 49(1)(a) GDPR and — to the extent valid at the time of transfer — Garmin's EU-US Data Privacy Framework certification.
• Garmin's privacy policy: https://www.garmin.com/en-US/privacy/connect/

7.2 Intervals.icu

• Provider: David Federlein (Intervals.icu), Australia
• Authentication: API key (which you generate at https://intervals.icu/settings and enter into cellTrainer)
• Data flow:
• Upload: training data as FIT files (content as in Section 7.1)
• Download: training plan, athlete profile, training zones
• Third-country transfer: Intervals.icu is operated in Australia. There is no European Commission adequacy decision for Australia. The transfer is based exclusively on your explicit consent under Article 49(1)(a) GDPR.
• Intervals.icu privacy policy: https://intervals.icu/privacy

7.3 HiDrive (Strato)

• Provider: STRATO GmbH, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany
• Authentication: OAuth 2.0 (you sign in with your HiDrive account)
• Data flow:
• Upload: training exports (FIT, XLSX, CTD) into a folder of your choice
• Download: ZWO workout files from a folder of your choice
• Third-country transfer: None; HiDrive is operated in Germany.
• HiDrive privacy policy: https://www.strato.de/en/data-protection/

7.4 Home Assistant

• Provider: You operate the Home Assistant server yourself (local home network or self-hosted). The cellTrainer provider has no contract with any Home Assistant operator.
• Authentication: long-lived access token (which you generate in Home Assistant and enter into cellTrainer)
• Data flow:
• cellTrainer connects via WebSocket to the URL you specify
• Receive: live values of selected sensors (temperature, humidity)
• cellTrainer does not send any training data to your Home Assistant server
• Third-country transfer: depends entirely on where you operate your Home Assistant server. cellTrainer has no influence on this.

8. What Does Not Happen

In particular, cellTrainer does not:

• transmit data to any provider-operated server (no such server exists)
• engage in advertising tracking, advertising, or use the IDFA / advertising identifier
• collect analytics, telemetry, or usage statistics for the provider
• embed any tracking, analytics, or crash-reporter SDKs (Sentry, Firebase, Crashlytics, Mixpanel, Amplitude, Adjust, Branch, AppsFlyer, etc.)
• engage in profiling within the meaning of Article 4(4) GDPR
• share your data with third parties without your explicit action (you enable third-party integrations yourself; see Section 7)

9. App Store / Apple

cellTrainer is distributed via the Apple App Store. Your relationship with Apple when obtaining the app is subject to Apple's Privacy Policy (https://www.apple.com/legal/privacy/en-ww/).

If you have enabled "Share With App Developers" under iOS Settings → Privacy & Security → Analytics & Improvements, Apple transmits anonymized crash and performance reports to cellTrainer. These reports contain no personal data and no training data. You can disable this at any time in iOS Settings.

10. Your Rights

You have the following rights under the GDPR vis-à-vis the controller:

• Access to data processed about you (Article 15)
• Rectification of inaccurate data (Article 16)
• Erasure of your data (Article 17)
• Restriction of processing (Article 18)
• Data portability of data you provided (Article 20)
• Objection to processing (Article 21)
• The right not to be subject to a decision based solely on automated processing (Article 22)

Because cellTrainer transmits no personal data to any provider-operated server and the provider holds none of your data, your rights under Articles 15, 17, 18, and 20 GDPR can practically be exercised only through the app itself (delete profile, disconnect third-party integration, uninstall the app). For inquiries, please contact the controller listed in Section 1.

Right to lodge a complaint: You have the right to lodge a complaint with a data-protection supervisory authority. The competent authority for the controller is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) Promenade 18, 91522 Ansbach, Germany https://www.lda.bayern.de/

11. Withdrawal of Consent

You can withdraw any consent you have given at any time with effect for the future:

• Bluetooth permission: iOS Settings → Privacy & Security → Bluetooth → disable cellTrainer. Without this permission, the app cannot read sensors.
• Photos permission: iOS Settings → Privacy & Security → Photos → disable or restrict cellTrainer. Without this permission, the app cannot save screenshots to your photo library.
• Third-party connections: disconnect each integration in the app settings; the tokens stored in the Keychain are removed.
• Complete removal of all data stored by cellTrainer: uninstall the app.

Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

12. Changes to This Privacy Policy

This privacy policy may be amended when app functionality changes or when required by law. The current version is available at https://celltrainer.skerwiderski.cloud. You will be notified in the app of any material changes before they take effect.

13. Date

Effective: May 3, 2026 Version: 1.0

Changelog

• 1.0 (2026-05-03): Initial version.