TRUNK

Privacy Policy

Last updated: January 19, 2026

This privacy notice for TRUNK (operated by Spynu D. N.) (\'Company\', \'we\', \'us\', or \'our\'), describes how and why we might collect, store, use, and/or share (\'process\') your information when you use our services (\'Services\'), such as when you visit our website at trunk.by, or any website of ours that links to this privacy notice, or engage with us in other related ways, including any sales, marketing, or events. Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at info@trunk.by.

SUMMARY OF KEY POINTS

This summary provides key points from our privacy notice. You can find out more details about any of these topics by clicking the link following each key point or by using the table of contents below.

  • What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with TRUNK, the choices you make, and the products and features you use. This includes information you provide directly, information collected automatically, and information obtained from third-party services you connect.
  • Do we process any sensitive personal information? We may process sensitive personal information, such as health and activity data obtained from third-party services you connect (e.g., Garmin, Polar, Suunto, Wahoo), when necessary, with your consent or as otherwise permitted by applicable law, to provide and improve the Services.
  • Do we receive any information from third parties? Currently, all training data is entered manually by users. We plan to add integration with third-party devices (e.g., smartwatches, fitness trackers) and platforms such as Garmin, Polar, Suunto, Wahoo in the future. When such integrations become available, you will be able to connect these devices and platforms to import activity data, health metrics, and related information. Additionally, our AI assistant feature is powered by Mistral AI, and when enabled with read or edit permissions, relevant portions of your data may be transmitted to Mistral AI for processing.
  • How do we process your information? We process your information to provide, improve, and administer our Services, personalize your training plans, communicate with you, ensure security and fraud prevention, and comply with legal obligations.
  • In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties, such as service providers that help us operate our Services. We do not sell your personal information.
  • How do we keep your information safe? We have implemented organizational and technical measures to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure.
  • What are your rights? Depending on your location, you may have rights under applicable privacy laws to access, update, or delete your personal data. You have the right to request deletion of your data, including data imported from connected third-party services.
  • How can you exercise your rights? The easiest way is to contact us using the details provided in this policy. You can also manage some of your data directly within your account settings.

DATA CONTROLLER INFORMATION

For users, the data controller is: Spynu D. N. Registered under the laws of Belarus. UNP: KE9146114. Contact Email: info@trunk.by.

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include: names, email addresses, usernames, passwords, contact preferences, AI assistant permission settings, and any other information you choose to provide.

Information automatically collected

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Information collected from third-party services (e.g., Garmin Connect)

Currently, all training data is entered manually by users. We plan to add integration with third-party services or devices (such as Garmin, Polar, Suunto, Wahoo, etc.) in the future. When such integrations become available, you will be able to connect these services to your TRUNK account to import activity and health data. When you choose to connect such services, we will collect information from these services as authorized by you. This typically includes:
- Activity data: type of activity, duration, distance, speed/pace, elevation, route/GPS data, laps, and other performance metrics.
- Health and physiological data: heart rate, heart rate variability, calories burned, sleep data (if provided and authorized), stress levels, and other related health metrics.
- Device information: type of device used for the activity.
We process this information to provide the core functionalities of our Services, such as creating personalized training plans, analyzing your performance, and offering insights. You can manage or disconnect these third-party services at any time through your account settings or through the respective third-party platform.

AI ASSISTANT DATA PROCESSING

AI Assistant Feature

Our Services include an AI-powered assistant powered by Mistral AI that provides personalized training recommendations and analysis. You control what data the AI assistant can access through three permission levels in your account settings:

Permission Levels


- Disabled: The AI assistant has no access to your data or database schema. Responses will be generic.
- Read Data: The AI assistant has read-only access to your database data (training diary, plans, metabolism). It can analyze this data to provide highly relevant responses.
- Read and Edit Data: The AI assistant has full read and edit access to your database data. It can analyze data, suggest changes, and perform write operations.

When you enable AI assistant features with 'Read Data' or 'Read and Edit Data' permissions, relevant portions of your training data may be transmitted to Mistral AI for processing to generate personalized responses. This also includes the vector search feature, which transmits your search queries to Mistral AI for generating embeddings necessary for semantic search across your data. This data transmission is necessary for the AI assistant feature and vector search to function. You can change or disable these permissions at any time in your account settings.

Data transmitted to Mistral AI is subject to Mistral AI's privacy policy and terms of service. We have configured Mistral AI to not use your data for training their models, ensuring your privacy is protected. We encourage you to review Mistral AI's privacy policy at https://mistral.ai/legal/privacy-policy/. By using the AI assistant feature with any permission level other than 'Disabled', you consent to the transmission and processing of your data by Mistral AI for the purpose of providing the AI assistant functionality.

We collect anonymized conversation data for the purpose of improving our AI assistant service through fine-tuning and quality improvements. All personal information (names, dates, locations, email addresses, IP addresses) is automatically anonymized before storage. This data is used exclusively for improving the quality and accuracy of our AI assistant responses and will not be used for any other purpose. You can opt out of data collection for training purposes by contacting us.

AI Interaction Logging

We maintain logs of AI assistant interactions, including input queries and generated responses, for the following purposes: (a) quality assurance and service improvement; (b) investigation of complaints or disputes regarding AI-generated content; (c) compliance with legal obligations and regulatory requirements; and (d) security and fraud prevention. These logs are stored in an immutable format with cryptographic hashes to ensure integrity and auditability. Logs are retained for a period of 12 months from the date of the interaction, unless a longer retention period is required by law or for ongoing legal proceedings. After the retention period, logs are securely deleted or anonymized beyond recovery.

PAYMENT INFORMATION PROCESSING

General Provisions

All payment card operations on our website/application are performed through a third-party payment provider (e.g., Webpay) and Acquiring Bank (e.g., BSB Bank). During the payment process, your bank card details (PAN, expiration date, CVV/CVC) are entered directly into the secure interface of the Payment Provider/bank and transmitted to them for processing. We do not transmit, process, or store unencrypted bank card details on our servers.

What We Receive and Store

Our system may store only the following data related to payment operations: (a) transaction identifier (payment_id); (b) amount, currency, and date of operation; (c) last-4 (last 4 digits of card) and card brand (Visa/Mastercard) — if provided by the payment provider; (d) token or payment method identifier issued by the payment provider (in secure form); (e) operation status and webhook notifications from the payment provider; (f) proof of consent (consent_id, checkbox text, timestamp, IP, version of terms).

This data is used exclusively for managing subscriptions, issuing receipts, servicing transactions, processing refunds, and investigating disputes. PAN and CVV/CVC are not stored and are not accessible to our team.

Tokenization, Encryption, and Payment Processor

We do not collect and do not store unencrypted bank card details (PAN, CVV/CVC) on our infrastructure and do not have access to unencrypted card data. Any processing, storage, or tokenization of card details is performed exclusively by the payment provider and/or acquiring bank. Card details are processed and stored by the payment provider/bank in encrypted or tokenized form in accordance with their security policies and legal requirements. We work with providers that implement encryption and/or tokenization on the provider side; if necessary, we will provide the bank with copies of agreements and technical integration documentation. (See Webpay Personal Data Processing Policy: https://docs.webpay.by/webpay/Personal_Data_Processing_Policy_WEBPAY_17.03.2025.pdf)

Storage and Retention Periods

Payment metadata, consent logs, and related records are stored for 7 (seven) years or such other period as required by applicable law or tax rules. If necessary (e.g., during investigations or legal proceedings), such records may be retained longer in accordance with government authority requirements. Usage logs used to determine 'substantial use' are retained for at least 12 months.

Rights and Procedures

You have the right to request a copy of the payment record, operation status, and proof of consent. To request, write to: info@trunk.by. In case of questions regarding the security of payment information, we will redirect the request to the payment provider and acquiring bank and provide assistance within the framework of our contractual obligations.

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your information for purposes based on legitimate business interests, the fulfillment of our contract with you, compliance with our legal obligations, and/or your consent. We use the information we collect or receive:
- To facilitate account creation and logon process.
- To provide and manage your training plans and analyses. This is the core purpose of our Service.
- To power the AI assistant feature, which analyzes your training data according to your configured permission levels to provide personalized recommendations and insights.
- To send administrative information to you.
- To protect our Services (e.g., for fraud monitoring and prevention).
- To respond to user inquiries/offer support to users.
- For other business purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns, and to evaluate and improve our Services, products, marketing, and your experience.

3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

We may share your information with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. Examples include: payment processing, data analysis, email delivery, hosting services, customer service, and marketing efforts. \n\nSpecifically, when you enable AI assistant features with 'Read Data' or 'Read and Edit Data' permissions, relevant portions of your training data are transmitted to Mistral AI for processing. This also includes the vector search feature, which transmits your search queries to Mistral AI for generating embeddings necessary for semantic search. This data sharing is necessary for the AI assistant feature and vector search to provide personalized recommendations and insights. Mistral AI processes this data according to their privacy policy and terms of service. We have configured Mistral AI to not use your data for training their models, ensuring your privacy is protected. This means Mistral AI will not use your interactions or data to improve their AI models. We may also share your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company, or if we are legally required to do so.

4. HOW LONG DO WE KEEP YOUR INFORMATION (DATA RETENTION)?

We will only keep your personal information, including data imported from connected third-party services (e.g., Garmin Connect), for as long as it is necessary for the purposes set out in this privacy notice, which includes providing you with the features and services of our application, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us keeping your personal information for longer than the period of time in which users have an account with us.
When we have no ongoing legitimate business need to process your personal information, or upon your request for deletion, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If you delete your account, all your personal data stored in our systems, including data imported from connected services (when such integrations become available), will be deleted in accordance with these principles.

**AI Interaction Logs:** We retain logs of AI assistant interactions (input queries and generated responses) for 12 months from the date of interaction for quality assurance, complaint investigation, legal compliance, and security purposes. These logs are stored in an immutable format with cryptographic hashes. After the retention period, logs are securely deleted or anonymized beyond recovery, unless a longer retention period is required by law or for ongoing legal proceedings.

Please note: Any data that has been transmitted to Mistral AI in connection with AI assistant features is subject to Mistral AI's data retention policies and may not be immediately deleted upon your account termination. However, we have configured Mistral AI to not use your data for training their models, ensuring your privacy is protected. You can review Mistral AI's privacy policy (https://mistral.ai/terms#privacy-policy) for more information about their data retention practices.

5. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

6. WHAT ARE YOUR PRIVACY RIGHTS?

Depending on your geographic location, you may have certain rights regarding your personal information under applicable data protection laws. These may include the right to:
(a) request access and obtain a copy of your personal information,
(b) request rectification or erasure (deletion);
(c) to restrict the processing of your personal information; and
(d) if applicable, to data portability.
In certain circumstances, you may also have the right to object to the processing of your personal information. To make such a request, please use the contact details provided below. We will consider and act upon any request in accordance with applicable data protection laws.
**Right to Deletion:** You have the right to request the deletion of your personal data. Upon such a request, or if you choose to delete your account, we will take steps to delete your information as outlined in our Data Retention section.

**AI Assistant Permissions:** You have full control over AI assistant permissions through your account settings. You can change your permission level at any time, including disabling the AI assistant feature completely. When you change your permission level, the amount of data transmitted to Mistral AI will change accordingly. If you set permissions to 'Disabled', no data will be transmitted to Mistral AI for AI assistant features. We have configured Mistral AI to not use your data for training their models, ensuring your privacy is protected.

7. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it in some circumstances. To request to review, update, or delete your personal information, please contact us at info@trunk.by. You can manage your connected third-party services (when such integrations become available) directly through your account settings within our application or via the respective third-party platforms.

8. UPDATES TO THIS NOTICE

We may update this privacy notice from time to time. The updated version will be indicated by an updated \'Revised\' date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.

9. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may contact us at info@trunk.by.
Back to Home