Privacy Policy
TrainSync is committed to protecting your personal data. This policy explains what we collect, why we collect it, how we use it, and your rights as a data subject under the General Data Protection Regulation (GDPR) (EU 2016/679) and Belgian data protection law.
1. Who we are โ Data controller
TrainSync is operated by Louis Vangroenweghe, operating as a sole trader (eenmanszaak) registered in Belgium.
| Detail | Information |
|---|---|
| Company name | TrainSync |
| Operator | Louis Vangroenweghe |
| Country | Belgium |
| louis@trainsync.io | |
| Role under GDPR | Data Controller (for your account data) and Data Processor (for your organisation's training data) |
| Supervisory authority | Gegevensbeschermingsautoriteit (GBA) / Data Protection Authority Belgium โ www.gegevensbeschermingsautoriteit.be |
2. What personal data we collect
| Category | Data collected | Legal basis |
|---|---|---|
| Account data | Name, email address, organisation name, job title | Contract (Art. 6(1)(b) GDPR) |
| Training records | Training completion records, skill levels, electronic signatures, dates, company initials | Legitimate interests / Contract (Art. 6(1)(b)(f)) |
| Usage data | Login timestamps, IP address, browser type, pages visited | Legitimate interests (Art. 6(1)(f)) |
| Communication | Email correspondence, support requests | Legitimate interests (Art. 6(1)(f)) |
| Payment data | Billing name, company VAT number (payment handled by Paddle โ we do not store card details) | Contract (Art. 6(1)(b)) |
| Electronic signatures | Drawn signature image, timestamp, IP, user identity | Legal obligation / Contract (Art. 6(1)(b)(c)) โ required for GxP compliance |
3. Your rights as a data subject
- Right of access (Art. 15) โ request a copy of all personal data we hold about you
- Right to rectification (Art. 16) โ request correction of inaccurate personal data
- Right to erasure (Art. 17) โ request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
- Right to restriction (Art. 18) โ request that we restrict processing of your data
- Right to data portability (Art. 20) โ receive your data in a machine-readable format
- Right to object (Art. 21) โ object to processing based on legitimate interests
- Right to withdraw consent โ where processing is based on consent, withdraw at any time
- Right to lodge a complaint โ with the Belgian Data Protection Authority (GBA)
4. How long we keep your data
| Data type | Retention period | Reason |
|---|---|---|
| Account data | Duration of contract + 2 years | Contractual and tax obligations |
| GxP training records & signatures | Minimum 5 years (or as required by applicable GMP/GxP regulation) | 21 CFR Part 11, EU Annex 11, GxP compliance |
| Usage / access logs | 12 months | Security and fraud prevention |
| Payment records | 7 years | Belgian tax law (Wetboek van inkomstenbelastingen) |
| Support emails | 3 years | Legitimate business interests |
5. Data sharing and third parties
We do not sell your personal data. We share data only with the following categories of processor, under GDPR-compliant data processing agreements:
- Microsoft Azure โ cloud hosting infrastructure (EU West Europe region)
- Paddle โ payment processing and Merchant of Record for billing
- Resend / email provider โ transactional email delivery
All processors are contractually bound to process data only on our instructions and to implement appropriate technical and organisational security measures.
6. International data transfers
Your data is processed within the European Economic Area (EEA). Where any processor operates outside the EEA, we ensure adequate safeguards are in place (Standard Contractual Clauses or adequacy decisions per Art. 46 GDPR).
7. Security
We implement appropriate technical and organisational measures including TLS encryption in transit, encryption at rest, access controls, audit logging, and regular security reviews. Electronic signatures are cryptographically timestamped per 21 CFR Part 11 and EU Annex 11 requirements.
8. Automated decision-making
TrainSync does not use automated decision-making or profiling that produces legal or significant effects on individuals.
9. Children
TrainSync is a B2B professional tool. We do not knowingly collect personal data from anyone under 18 years of age. If you believe a minor has submitted personal data, contact us immediately.
10. Contact our Data Protection Officer
Terms of Service
These Terms of Service govern your access to and use of the TrainSync platform. By creating an account or accessing the service, you agree to be bound by these terms.
1. Definitions
- "Service" โ the TrainSync web application and all associated features accessible at trainsync.io
- "User" โ any individual accessing the Service under an organisational subscription
- "Customer" โ the organisation or individual that has entered into a subscription agreement
- "GxP data" โ training records, signatures and compliance data managed within the Service
2. Subscription and access
Access to TrainSync is provided on a subscription basis. Subscription plans, pricing and included features are as described on the TrainSync pricing page at the time of purchase. During the beta period, access is provided free of charge under the terms of any applicable beta agreement.
3. Acceptable use
You agree to use the Service only for its intended purpose of managing GxP training compliance. You must not:
- Share login credentials with unauthorised persons
- Use the Service to store data unrelated to training compliance
- Attempt to reverse-engineer, copy, or distribute any part of the Service
- Falsify, alter or tamper with GxP training records or electronic signatures
- Use the Service for any unlawful purpose
4. GxP and regulatory use
TrainSync is designed to support compliance with 21 CFR Part 11 (FDA), EU Annex 11, and applicable GMP/GxP regulations. However, the Customer is solely responsible for:
- Validating the system for use in their regulated environment per applicable regulations
- Establishing and maintaining internal SOPs governing the use of electronic signatures
- Ensuring that the use of TrainSync electronic signatures meets their site-specific regulatory requirements
- Training their personnel on the appropriate use of the system
5. Data ownership
All training data, records, and signatures you enter into TrainSync remain your property. TrainSync processes this data on your behalf as a Data Processor. We will never use your GxP data for any purpose other than providing the Service.
6. Service availability
We aim to provide 99.5% uptime for paid plans. Planned maintenance will be announced with at least 24 hours notice where possible. We are not liable for downtime caused by circumstances outside our reasonable control.
7. Limitation of liability
To the fullest extent permitted by applicable law, TrainSync's total liability shall not exceed the amount paid by the Customer in the 12 months preceding the claim. We are not liable for indirect, incidental or consequential damages. Nothing in these terms limits liability for fraud, death, or personal injury caused by negligence.
8. Governing law
These terms are governed by Belgian law. Any disputes shall be subject to the exclusive jurisdiction of the courts of Belgium. Nothing in these terms affects your rights as a consumer under applicable law.
9. Changes to these terms
We may update these terms from time to time. We will notify Customers of material changes by email at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
Cookie Policy
This policy explains how TrainSync uses cookies and similar technologies. We comply with the EU ePrivacy Directive and GDPR requirements for consent.
What are cookies?
Cookies are small text files stored on your device when you visit a website. They help websites function correctly, remember your preferences, and (where you consent) provide analytics.
Cookies we use
| Cookie name | Type | Purpose | Duration | Consent needed |
|---|---|---|---|---|
| ts_session | Essential | Maintains your login session | Session | No โ strictly necessary |
| ts_csrf | Essential | CSRF protection token | Session | No โ strictly necessary |
| ts_consent | Essential | Stores your cookie consent preference | 12 months | No โ strictly necessary |
| ts_prefs | Functional | Remembers your UI preferences (language, view settings) | 12 months | Yes |
| ts_analytics | Analytics | Anonymous usage analytics (page views, feature usage) | 12 months | Yes |
Managing your cookie preferences
You can manage or withdraw your consent at any time using the cookie settings panel below, or by clearing your browser cookies and revisiting the site.
Data Processing Agreement (DPA)
This Data Processing Agreement supplements the Terms of Service and governs the processing of personal data by TrainSync on behalf of Customer organisations. It complies with GDPR Article 28 requirements.
1. Subject matter and duration
TrainSync (Processor) processes personal data on behalf of the Customer (Controller) for the purpose of providing the TrainSync training management service. Processing continues for the duration of the subscription.
2. Nature and purpose of processing
TrainSync processes the following categories of data on behalf of the Customer:
- Employee names, initials, and contact details for training management
- Training completion records, assessment results, and competency levels
- Electronic signatures and associated timestamps for GxP compliance
- User authentication and access control data
3. Processor obligations (TrainSync)
TrainSync agrees to:
- Process personal data only on documented instructions from the Customer
- Ensure persons authorised to process data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures per Art. 32 GDPR
- Assist the Customer in responding to data subject rights requests
- Delete or return all personal data upon termination of the agreement
- Make available to the Customer all information necessary to demonstrate compliance
- Notify the Customer without undue delay of any personal data breach
4. Sub-processors
TrainSync uses the following sub-processors. The Customer authorises their use subject to the same data protection obligations:
| Sub-processor | Location | Purpose |
|---|---|---|
| Microsoft Azure | EU West Europe (Netherlands) | Cloud infrastructure and data hosting |
| Paddle | UK (adequacy decision applies) | Payment processing and billing |
We will notify Customers of any changes to sub-processors with at least 30 days notice.
5. Security measures
TrainSync implements the following measures per Art. 32 GDPR:
- TLS 1.2+ encryption for all data in transit
- Encryption at rest for all stored data
- Role-based access controls and principle of least privilege
- Full audit trail for all data access and modifications
- Regular security reviews and vulnerability assessments
- Cryptographic timestamping of electronic signatures per 21 CFR Part 11
6. Data breach notification
In the event of a personal data breach, TrainSync will notify the affected Customer within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.
7. Return and deletion of data
Upon termination of the subscription, TrainSync will provide a full data export in machine-readable format within 30 days. Data will be securely deleted within 90 days of termination, except where retention is required by applicable law or GxP regulation.