TrainOS

Privacy Notice

Last updated: 11 July 2026

This notice explains how TrainOS ("we", "us", "our") processes personal data of trainers who list on the directory and companies who buy a pass to access it. It is written to meet the transparency requirements of the EU/UK General Data Protection Regulation (GDPR) and the Saudi Personal Data Protection Law (PDPL). It is not a substitute for legal advice.

1. Who is the controller

TrainOS is the controller of the personal data described below. For questions or to exercise your rights, contact hello@thetrainos.com. A postal address will be published on the Contact page before commercial launch.

2. What we collect and why

  • Account data — email address and hashed password (via our authentication provider). Purpose: create and secure your account. Legal basis: performance of contract.
  • Trainer profile data — name, title, bio, photo, specialties, countries, languages, delivery modes, availability, day-rate, certifications, contact details (email, phones, LinkedIn), uploaded certificate files. Purpose: publish your profile to companies with an active pass. Legal basis: performance of contract; you actively submit this data.
  • Company data — company name, purchased pass, expiration date. Purpose: grant directory access. Legal basis: performance of contract.
  • Usage data — anonymous view and contact-open counts on trainer profiles, plus the ID of the pass-holder that opened a profile (so trainers can see "how many companies viewed me this month"). Legal basis: legitimate interest (basic analytics needed to run the directory).
  • Reports — the free-text you submit if you flag a profile. Purpose: moderation. Legal basis: legitimate interest.
  • Technical data — IP address, browser user-agent and time of request, handled by our infrastructure and edge providers for security, abuse prevention and DDoS protection. Legal basis: legitimate interest.

We do not knowingly collect special-category data (health, religion, political opinions, etc.). Do not upload documents that contain that kind of data or personal data of third parties.

3. Who can see what

Trainer contact details (email, phone numbers, LinkedIn URL, uploaded certificate files) are only visible to signed-in users with an active company pass, to administrators, and to the trainer themselves. Non-contact fields (name, bio, specialties, countries, languages, day-rate) may appear in previews. Access is enforced by database-level policies as well as UI checks.

4. Sharing and subprocessors

We share personal data only with the service providers we need to run the app (hosting, database, authentication, storage, AI features, and — once enabled — payments and email). A full list is at /privacy/subprocessors. We do not sell personal data and we do not use it for advertising.

5. International transfers

Our infrastructure is global. Personal data may be transferred to and processed in countries outside your own, including the EU, UK, US and Saudi Arabia. Where required, we rely on the European Commission Standard Contractual Clauses, the UK IDTA/Addendum, or PDPL-equivalent transfer mechanisms.

6. Retention

  • Trainer profiles: kept while your account is active. If you pause or close your profile it is hidden immediately. If you delete your account, profile data is deleted within 30 days.
  • Company records and pass history: kept for 7 years after the last pass expires, to meet tax and accounting requirements.
  • Usage events: kept for up to 24 months in identifiable form, then aggregated.
  • Support and moderation records: kept for 24 months.

7. Your rights

Under GDPR and PDPL you have the right to access, correct, delete, restrict, port and object to processing of your personal data, and to withdraw consent where processing is based on consent. You can exercise most of these directly from your dashboard: "Export my data" and "Delete my account" are available under Account & privacy. For everything else, email hello@thetrainos.com. You also have the right to complain to your local supervisory authority (in the EU/UK) or to the Saudi Data & AI Authority (SDAIA) in Saudi Arabia.

8. Cookies and similar technologies

We use only strictly-necessary cookies and local-storage entries required to keep you signed in, remember your language, and remember whether you have accepted this notice. We do not use advertising or third-party analytics cookies. Because these are strictly necessary, no prior consent is required under ePrivacy rules, but we still show a banner so you know they exist.

9. Security

Passwords are stored hashed by our authentication provider and checked against known-breached password lists. Access to trainer contact details and files is enforced at the database level. Uploaded certificate files are stored in a private bucket accessible only through short-lived signed URLs. More details: /security.

10. Children

TrainOS is not intended for anyone under 18. Do not create an account if you are under 18. We will delete any account we discover belongs to a minor.

11. Changes

We may update this notice. Material changes will be signalled at sign-in and by updating the date at the top of this page. Continued use after a change means you accept the updated notice.

12. Contact

For privacy requests, support, security reports or any other question, email hello@thetrainos.com.