GDPR Notice

Privacy Policy

Last updated: April 30, 2026

This notice describes how Athleex processes users' personal data in accordance with Regulation (EU) 2016/679 (GDPR) and with Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.

1. Data controller

The data controller is Athleex, with registered office in Italy. To exercise your rights or for any request relating to the processing of personal data, please write to: info@athleex.com.

2. Categories of data processed

Athleex processes the following categories of personal data, depending on how you interact with the service:

  • Identification and contact data: first name, last name, email, phone, workplace address (for Personal Trainers).
  • Authentication data: bcrypt-hashed password, encrypted JWT session tokens.
  • Health data (Art. 9 GDPR): weight, body-fat percentage, body measurements, training goals and biometric data voluntarily provided by the athlete, strictly subject to separate explicit consent.
  • Uploaded content: progress photos, chat attachments, invoices.
  • Usage data: completed workouts, sets and reps, volume, streaks, unlocked trophies.
  • Payment data: handled exclusively by Stripe. Athleex NEVER stores card numbers, CVV or banking details.
  • Technical logs: IP address, user-agent, access timestamps, retained for security and abuse-prevention purposes.

3. Purposes of processing and legal basis

  • Service provision (Art. 6(1)(b) GDPR, contractual performance): account creation, PT-athlete relationship management, program assignment, chat, billing.
  • Processing of health data (Art. 9(2)(a) GDPR, explicit consent): entry of biometric measurements, progress photos, food diary. Consent is revocable at any time from the profile settings.
  • Predictive analytics (Athlete Twin / Athleex Score) (Art. 6(1)(a) GDPR, explicit consent): statistical projections on performance and recovery. See section 11 for details on the logic used and specific rights.
  • Legal obligations (Art. 6(1)(c) GDPR): retention of billing data under Italian Presidential Decree 633/1972 for 10 years.
  • Legitimate interest (Art. 6(1)(f) GDPR): infrastructure security, fraud and abuse prevention, aggregate non-identifying analytics.
  • Marketing and newsletter (Art. 6(1)(a) GDPR, consent): only upon explicit opt-in. Revocable at any time.

4. Data retention

  • Account data: for the duration of the relationship plus 12 months after termination, unless a deletion request is made.
  • Billing data: 10 years (civil and tax obligation).
  • Security logs: 12 months.
  • Health data: retained while consent is active; if withdrawn, deleted within 30 days.

5. Recipients and transfers

Data may be disclosed to the following parties acting as data processors (Art. 28 GDPR):

  • Hetzner Online GmbH (server infrastructure, Germany — EEA).
  • Stripe Payments Europe Ltd. (payments, Ireland — EEA).
  • Meta Platforms Ireland Ltd. (WhatsApp Business and Instagram integration, only if the PT enables the integration — EEA).
  • Resend, Inc. (transactional email provider for service notifications, USA — transfer based on Standard Contractual Clauses).

Any transfer outside the European Economic Area is carried out subject to the adoption of Standard Contractual Clauses under Articles 44 et seq. GDPR.

6. Your rights

Under Articles 15-22 GDPR, at any time you are entitled to:

  • Access your data and obtain a structured copy (portability) from Settings » Export data (GDPR).
  • Rectification of inaccurate data from your profile.
  • Erasure ("right to be forgotten") from Settings » Delete account.
  • Restriction and objection to processing for marketing purposes.
  • Withdrawal of consent for health data and newsletters, at any time.
  • Complaint to the Italian Data Protection Authority (garanteprivacy.it) if you believe processing infringes the GDPR.

7. Cookies

Athleex uses only technical session cookies (name: athleex_session) strictly necessary for the operation of the service. We do not use profiling or third-party tracking cookies. Under Recital 30 GDPR and the Italian Authority's provision of 10 June 2021, technical cookies do not require prior consent.

8. Security

We implement technical and organisational measures appropriate to the risk: encryption of sensitive data at-rest (AES-256-GCM) and in transit (TLS 1.3), bcrypt password hashing, least-privilege principle, session isolation via signed JWT cookies, rate limiting, administrative audit logs, encrypted backups.

9. Data of minors

The service is not intended for minors under 18 years of age. If it is discovered that an account belongs to a minor without parental or guardian consent, the account will be deleted.

10. Changes to this notice

Athleex reserves the right to update this notice in case of regulatory or organisational changes. The date of the last update is shown at the top of the document. Material updates will be notified by email to registered users.

11. Profiling and predictive analytics (Athlete Twin / Athleex Score)

Athleex offers athletes an optional feature called Athlete Twin which, based on workout data already in the account (training log, sets, weights, RPE ratings, active goals), computes:

  • an estimated 1-rep max (1RM) projection at 4 weeks for compound lifts;
  • a recovery / overtraining risk index;
  • a goal completion projection;
  • a composite 0-100 score called Athleex Score.

Legal basis: Art. 6(1)(a) GDPR — explicit athlete consent. The feature is disabled by default and can be enabled by the athlete from Settings » Athlete Twin.

Logic used (Art. 13(2)(f) and 22(3) GDPR — right to a meaningful explanation): all projections are computed using classical, deterministic statistical methods, with no opaque machine learning:

  • 1RM estimation via the Epley formula on training data;
  • linear regression (least squares) on weekly best 1RM with 95% confidence interval;
  • exponential weighted moving average (EWMA) on fatigue signals;
  • linear extrapolation for goal projections.

Significance and expected consequences: projections are exclusively informational and motivational. Athleex does NOT use these projections to make decisions with legal effects or significantly impacting the athlete. The feature does not constitute medical or sports advice and does not replace consultation with a doctor or Personal Trainer.

Visibility to the PT: when enabled, projections and the score are visible to the connected Personal Trainer as a coaching management tool only.

Data subject rights: the athlete may at any time (i) revoke consent from Settings — revocation triggers immediate deletion of all stored projections (Art. 17 GDPR); (ii) obtain a detailed explanation of the logic used by writing to info@athleex.com; (iii) object to the processing (Art. 21 GDPR).

Retention: projection history is kept for at most 60 days and then overwritten.

12. Contact

To exercise your rights or for any questions write to info@athleex.com. We reply within 30 days pursuant to Art. 12 GDPR.

13. Sub-processors and international transfers

To deliver the service we rely on the following sub-processors. Each is bound by a Data Processing Agreement (DPA) and an appropriate transfer mechanism for non-EEA recipients (Standard Contractual Clauses or EU-US Data Privacy Framework where applicable).

  • Hetzner Online GmbH (DE) — hosting infrastructure (Postgres, app server). Data location: Germany. Legal basis: Art. 6(1)(b) contract performance.
  • Stripe, Inc. (US) — payment processing. Recipient under EU-US DPF + SCCs. Receives only billing data (card token, billing address, amount). PCI-DSS Level 1 certified.
  • Meta Platforms Ireland Ltd / Meta Platforms, Inc. (IE/US) — advertising effectiveness measurement (Pixel + Conversions API). Recipient under EU-US DPF. Only with marketing consent. Receives hashed identifiers (email, phone, name, country, external ID) plus event metadata. Personal data is never shared in the clear.
  • Apple Inc. (US) — push notification delivery to iOS / Safari devices (APNs gateway). Receives only the encrypted device endpoint; no payload contents. Recipient under EU-US DPF.
  • Resend, Inc. (US) — transactional email delivery + waitlist audience. Recipient under SCCs. Receives email + name + locale.
  • OpenStreetMap Foundation / Nominatim (UK) — geocoding for trainer search. Receives only the address string the user enters (no other identifiers).
  • Google Ireland Limited / Google LLC (IE/US) — Google Analytics 4 (web property G-GRLNNH64JH) for product usage measurement and Google Search Console for SEO indexing. Only with analytics consent (Consent Mode v2 default-denied). Receives anonymised IPs and aggregated event metadata; we enable IP anonymisation, ads_data_redaction and url_passthrough. Recipient under EU-US DPF + SCCs.

The full sub-processor list with DPA links is also published at /legal/sub-processors and updated whenever a new sub-processor is added (with at least 30 days' notice for material changes).

16. United States — CCPA / CPRA & state privacy laws

For California residents, Athleex complies with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). You have the right to: (a) know what personal information we collect, use and disclose; (b) delete personal information; (c) correct inaccurate personal information; (d) opt out of "sale" or "sharing" (Athleex does NOT sell personal information; cross-context behavioural advertising is governed by the cookie banner and may be disabled at /legal/do-not-sell); (e) limit use of "sensitive personal information" (which we do not use beyond strictly necessary purposes); (f) non-discrimination. Equivalent rights apply to residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Tennessee, Indiana, Iowa, Montana, Florida, Delaware, New Hampshire, New Jersey, Maryland and Minnesota under their respective state privacy laws. To exercise rights write to info@athleex.com. We respond within 45 days (CCPA) — extendable once by another 45 days. Athleex is NOT a HIPAA Covered Entity or Business Associate; the service is wellness tracking and not medical care.

Washington — My Health My Data Act (MHMDA, RCW 19.373): workout logs, biometrics (with consent), wellness scores and any data that identifies a consumer's past, present, or future physical or mental health constitute "consumer health data" under MHMDA. By creating an Athleex account, Washington residents provide explicit consent (RCW 19.373.020) for Athleex to collect and process such data exclusively for the wellness-coaching purposes described in §3 above. Athleex does NOT sell consumer health data. Athleex does NOT share consumer health data with third parties for advertising. Sub-processors listed in §13 receive consumer health data solely as service providers under written DPAs forbidding any independent use. Washington residents may at any time withdraw consent and request deletion of consumer health data via info@athleex.com; deletion is propagated to all sub-processors within 30 days (RCW 19.373.040). Geofencing of consumer health data is prohibited and Athleex does not engage in such practices. See /legal/wa-consumer-health for the full standalone notice required by RCW 19.373.020(1).

17. Canada — PIPEDA & Quebec Law 25

For Canadian users, Athleex complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level and with Quebec's Law 25 (formerly Bill 64) for Quebec residents. Quebec Law 25 introduces requirements stricter than GDPR for sensitive data and automated decisions; Athleex's Art. 22 protections (Athlete Twin / Athleex Score) extend to Quebec users by default. The competent authority is the Office of the Privacy Commissioner of Canada (OPC, priv.gc.ca) and, for Quebec residents, the Commission d'accès à l'information du Québec (CAI). To exercise PIPEDA / Law 25 rights write to info@athleex.com.

18. Mexico — Privacy Notice (LFPDPPP)

For users resident in Mexico, Athleex acts in accordance with the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP). You have the right to exercise your ARCO rights (Access, Rectification, Cancellation, Objection), as well as to revoke your consent and to limit the use or disclosure of your data. To do so, write to info@athleex.com. The competent authority is the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), whose functions are now exercised by the Secretaría Anticorrupción y Buen Gobierno (SABG, successor to INAI as of March 2025), gob.mx/sabg. Transfers of data to recipients outside Mexico are made exclusively to perform the contract with the user and to provide the service.

21. Other countries — Western Balkans, Eastern Europe, EEA microstates

Athleex is operated from Italy and processes personal data primarily under the EU GDPR. For users resident in Norway, Iceland, Liechtenstein, Andorra, Monaco or San Marino, the GDPR or a regime declared adequate by the European Commission applies. For users resident in countries with national data-protection laws aligned to the GDPR template — including Serbia, Bosnia and Herzegovina, Montenegro, North Macedonia, Albania, Kosovo, Ukraine, Moldova, Georgia, Armenia and Azerbaijan — Athleex applies GDPR-equivalent technical, organisational and contractual safeguards and recognises the rights granted by your local law. The competent supervisory authorities of those countries can be contacted directly; we cooperate with any lawful request. Where consent is required by your local law (e.g. Ukraine's 2024 amended Law on Personal Data Protection), the cookie banner and account-creation flows operate as the consent-collection mechanism. To exercise rights write to info@athleex.com.

22. Sanctioned territories

Athleex does not knowingly accept registrations from territories subject to comprehensive EU, UK, US or UN sanctions, including (without limitation) Belarus, North Korea, Iran, Syria, Cuba, and the Crimea, Donetsk and Luhansk regions of Ukraine. Should an account be created from such a territory, we reserve the right to suspend it without prior notice and to comply with applicable sanctions law.

See also our Terms of Service.