Last updated: 30 May 2026 — added phone number verification (Twilio)
1. Data controller
TriMates, accessible at trimates.fr, is the controller of personal data collected through the Platform.
2. Data collected
Sign-up data
Username, first name, last name
Email address
Date of birth (used only to verify legal age)
Gender (optional)
Profile picture (optional)
Sports profile data
Favourite sports and sub-types
Performance levels
Geographic outing area (GPS coordinates of the area centre)
Weekly availability
Usage data
Outings created and joined (location, date, participants)
Messages sent in outing and group chats
Uploaded GPX files (sports route tracks)
Subscriptions between users (follows)
Membership in training groups
Technical data
Browser geolocation data (only if explicitly authorised)
Connection data (IP address, browser)
Account verification data
Mobile phone number (international format, e.g. +33…) — collected when you verify your account to create or join an outing
Date and time the number was verified
3. Location data
TriMates processes location data that reveal where and when you practise sport. This data is considered sensitive and is subject to enhanced protection measures:
Outing area: GPS coordinates of the centre of your search area, not visible to other users
Meeting points: GPS coordinates of the meeting points of outings you create, visible on the map to logged-in users
GPX files: GPS tracks of sports routes, stored securely and accessible only to logged-in users
Geocoding: when you search for an address or click on the map, the coordinates are sent to the Nominatim service (OpenStreetMap) to retrieve the place name. Nominatim does not store these requests for tracking purposes
You can block a user to prevent them from seeing your outings, your profile and your activity.
4. Purposes of processing
Service operation: account management, outings display, connecting athletes
Smart Notifications: sending emails when an outing matches your profile (sport, level, area, availability). This automated processing can be disabled in your email preferences
Security: verification of the minimum age (18 years) on the client and server side, blocking between users
Account verification: validating your phone number with a code received by SMS, to limit fake and duplicate accounts and strengthen trust within the community, in particular for in-person meetings between members. The SMS is sent via our sub-processor Twilio
Service improvement: anonymised statistics
5. Legal basis
Consent: acceptance of the Terms of Service and the Privacy Policy at sign-up (logged with timestamp and version)
Performance of a contract: provision of the sports connection service
Legitimate interest: security, abuse prevention, moderation, and phone number verification to fight fake accounts and make member meetings more trustworthy
6. Data sharing
Your personal data is never sold. It may be shared with:
Other users: username, picture, level, sports (public profile and outings). You can block a user to hide this information
Our technical sub-processors:
Supabase (database, authentication, file storage) — hosted on AWS EU (Ireland)
Vercel (application hosting) — serverless functions running in Paris (CDG), global Edge network
Brevo (sending notification emails) — French company, data hosted in the EU — receives your email and the content of notifications
Twilio (sending the SMS to verify your phone number) — US company — receives your phone number only for the time needed to send and validate the code. Covered by standard contractual clauses and the EU–US Data Privacy Framework
Sentry (technical error monitoring, optional) — EU region (Frankfurt) — collected only with your explicit consent via the cookie banner
Vercel Speed Insights / Analytics (performance measurement, optional) — collected only with your explicit consent via the cookie banner
Google Analytics 4 (audience measurement, optional) — collected only with your explicit consent via the cookie banner. IP anonymised by Google
Nominatim / OpenStreetMap (geocoding) — receives GPS coordinates to convert them into readable addresses
Google (OAuth authentication, optional) — provides name and picture if you sign in with Google
Strava (activity import, optional) — only if you connect your Strava account
First name, last name, email, date of birth and gender are never visible to other users.
7. Retention period
In accordance with Article 5(1)(e) of the GDPR (storage limitation), the following retention periods apply:
Account data (profile, sports, levels, area): kept as long as the account is active
Phone number: kept as long as the account is active, deleted upon final account deletion. The number is not retained by Twilio beyond the validation of the code
Inactive accounts: a notice email is sent after 22 months without any login. Without a response, the deletion process starts at 24 months of inactivity (with a further 30-day grace period to cancel by logging back in)
Deletion at your initiative: your account enters a 30-day suspension period (you remain hidden from other users and stop receiving notifications, but you can cancel at any time). After this period, the deletion is permanent and irreversible
Outings created: deleted upon final account deletion
Chat messages: kept as long as the outing or group exists
GPX files: deleted with the related outing or upon final account deletion
Connection logs: 12 months maximum
Error logs (Sentry, if consented): 90 days
8. Your rights (GDPR)
In accordance with Articles 15 to 22 of the GDPR, you have the following rights, which you can exercise directly from your profile or by email at contact@trimates.fr. Response time: 1 month maximum (Article 12).
Access and portability (Art. 15 and 20): export all your data in JSON format from your profile (Settings tab → "Export my data" button). Open and structured format, reusable
Rectification (Art. 16): freely update your data via the Profile and Sports tabs
Erasure (Art. 17): delete your account from the Settings tab → "Delete my account". 30-day reflection period before final deletion, during which your profile is immediately hidden from others and notifications are turned off. You can cancel at any time via the banner that appears at the top of the app
Objection (Art. 21): turn off email notifications from the Settings tab, block a user from their profile, hide your participations
Restriction of processing (Art. 18): pause your account using visibility toggles (hide participations, require approval of follows)
Withdrawal of consent: at any time, without justification, without affecting the lawfulness of prior processing
9. Security
Encryption of data in transit (HTTPS/TLS)
Secure authentication via Supabase Auth (passwords hashed with bcrypt)
Access control via Row Level Security (RLS) on all tables
GPX files stored privately, served via an authenticated endpoint
Server-side age verification (database trigger)
Phone number verification via a one-time code received by SMS (Twilio Verify through Supabase Auth); the number is stored in the protected authentication database
User blocking system
Certified hosting (Vercel SOC 2, Supabase SOC 2 Type II)
10. Cookies and trackers
TriMates uses two categories of trackers, distinguished by their purpose:
Essential cookies (always active): required for the platform to operate — authentication, session, UI preferences (map filters, in-app geolocation). No consent required (legitimate interest, CNIL exemption)
Audience and performance measurement (consent required): Vercel Speed Insights (load times), Sentry (technical error monitoring) and Google Analytics 4 (audience). Anonymised data, never used for advertising. Disabled until you give explicit consent via the banner
No advertising cookies, no commercial profiling cookies, no resale of data.
You can change your choice at any time.
11. Transfers outside the EU
Most of your data is processed within the European Union: Supabase (Ireland), Vercel serverless functions (Paris), Brevo (France), Sentry (Frankfurt). Twilio (sending the verification SMS), Google (OAuth authentication, optional) and Strava (activity import, optional) may process data outside the EU (United States) under the standard contractual clauses approved by the European Commission and the EU–US Data Privacy Framework. For Twilio, only your phone number is transmitted, and only for the time needed to send and validate the code. Vercel, as a US company, remains subject to the Cloud Act despite the European hosting of its serverless functions — a risk mitigated by TLS encryption and the absence of sensitive data in edge functions.
12. Data Protection Impact Assessment (DPIA)
In accordance with Article 35 of the GDPR, a Data Protection Impact Assessment has been carried out due to the processing of location data. This assessment identifies the risks linked to behavioural profiling and location tracking, and documents the protection measures in place.
13. Changes
This policy may be updated. Users will be informed of any significant change.
14. Contact and complaint
For any question relating to the processing of your data or to exercise your rights:
Email: contact@trimates.fr
Response time: 1 month maximum (Article 12 GDPR), extendable by 2 months for complex requests (with prior notice)
If you consider that your rights are not being respected, you can lodge a complaint with the CNIL (the French Data Protection Authority):