Privacy Policy
Last updated: March 2026
1. Data controller and contacts
Data controller: SUPALABS SRL, VAT IT04596950248, Italy.
To exercise the rights listed in Article 9 below or for questions about this policy: [email protected].
2. Types of data processed
Depending on the features you use, we process categories of data including:
• registration and account data: first name, last name, email address, access credentials or identifiers provided by third-party authentication providers (e.g. social login), phone number if provided;
• professional and content data: exercises, templates, questionnaires, notes, metrics, branding materials and any other content you enter into the Platform;
• data about your end clients that you enter or manage as a professional (e.g. basic profile information, questionnaire answers, measurements): such data is processed on behalf of the Coach's activity and according to the instructions you give us through use of the Service;
• technical and usage data: IP address, system logs, browser type, date and time of access, diagnostics for security and service improvement.
3. Purposes and legal bases
Data is processed for the following purposes, based on the indicated legal bases:
• provision of the Service, account management, support and IT security (Art. 6(1)(b) GDPR – performance of contract; Art. 6(1)(f) GDPR – legitimate interest in security and abuse prevention);
• legal compliance, disputes and protection of rights (Art. 6(1)(c) and (f) GDPR);
• product improvement and aggregate usage analysis, where technically possible in non-identifiable form or based on legitimate interest, respecting your rights and preferences (Art. 6(1)(f) GDPR);
• communications strictly related to the Service (e.g. technical notifications, relevant updates) (Art. 6(1)(b) GDPR).
4. Nature of data provision
Providing the data necessary for registration and use of the Service is mandatory to open and maintain an account; refusal means you will not be able to use the related features. Other data may be optional depending on the features you activate.
5. Processing methods
Processing is carried out using IT and electronic tools, following logic strictly related to the stated purposes and in accordance with the principle of data minimisation. Appropriate technical and organisational measures are in place to ensure a level of security appropriate to the risk.
6. Recipients and processors
Data may be processed by authorised Owner personnel and by service providers acting as data processors (e.g. hosting, cloud infrastructure, transactional email services, error monitoring tools), to the extent necessary to provide the Service. An up-to-date list of processors can be requested by contacting [email protected].
7. Transfers to third countries
Where the Owner's or suppliers' tools or infrastructure involve the transfer of data to non-EU countries, the transfer is based on European Commission adequacy decisions, standard contractual clauses approved by the European Commission, or other safeguards under Articles 44–49 GDPR, in line with evolving case law and supervisory authority guidelines.
8. Retention period
Data is retained for the time necessary for the purposes for which it was collected and subsequently for the time required by legal obligations or to assert or defend a right in legal proceedings. Upon termination of the contractual relationship, data may be retained within the limits permitted by law and deleted or anonymised when no longer necessary.
9. Data subject rights
Under Articles 15–22 GDPR, within the limits and conditions provided by law, you have the right to access, rectification, erasure and restriction; to portability of the data you provide, in a structured and commonly used format; to object to processing based on legitimate interest; and to withdraw consent where given, without affecting the lawfulness of processing based on consent prior to its withdrawal.
You also have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or the supervisory authority of the Member State where you reside or work.
10. Cookies and similar technologies
The Platform may use cookies and similar technologies strictly necessary for the operation and security of the Service (e.g. session management). Any analytical or profiling cookies, if introduced in future, will be activated in compliance with notice and, where required, consent obligations, through a dedicated preference management tool.
11. Minors
The Service is intended for professionals and is not directed at persons under 16 years of age (unless a different age is set by applicable law). We do not knowingly collect data from minors; if we become aware of a non-compliant registration, we will proceed with deletion.
12. Changes to this policy
The Owner may update this policy for regulatory or organisational reasons. We invite you to check this page periodically; for significant changes we may provide notice through the Platform or by email where appropriate.
Last updated: April 2026
1. Data controller and processor
The data controller for your personal data related to your fitness journey is your coach (or the business/professional who invited you to the platform). SUPALABS SRL (VAT IT04596950248, email: [email protected]) acts as data processor, providing the technology infrastructure through which your coach delivers their services.
2. Data we collect
When you use FitSuite, the following data is collected: identification data (name, email, phone number — optional); demographic data (date of birth, gender); body data (body weight, body measurements, progress photos); questionnaire answers (initial anamnesis and periodic check-ins); usage data (language preference, last active date, plan/workout viewing history). Progress photos are classified as health-related data under GDPR and are processed with appropriate protective measures.
3. Legal basis for processing
Your data is processed on the basis of: consent — given at registration by accepting the Terms of Use and this Privacy Policy; contract execution — necessary to deliver the service (displaying plans, tracking progress, communicating with your coach); legitimate interest — for platform security, abuse prevention, and service improvement.
4. Who accesses your data
Your personal data is accessible to: your coach — through the web dashboard, to manage your training and nutrition journey; FitSuite staff — exclusively for technical support and platform maintenance; sub-processors: MongoDB Atlas (database, EU servers), Cloudinary (image hosting), Resend (transactional email delivery). Your data is never sold to third parties or used for advertising purposes.
5. Data retention
Your data is retained for the duration of your active membership. Upon account deletion request (by you or your coach), data is deleted within 30 days, except where the law requires retention for longer periods. Security logs may be retained for up to 12 months for fraud prevention purposes.
6. International transfers
Some of our sub-processors may process data outside the European Economic Area (EEA). In such cases, transfers are covered by EU Standard Contractual Clauses (SCCs) or other adequate safeguards as required by GDPR.
7. Your rights (GDPR arts. 15-22)
Under the European General Data Protection Regulation (GDPR), you have the right to: access your personal data; rectify inaccurate or incomplete data; obtain erasure of your data (right to be forgotten); restrict processing of your data; obtain data portability in a structured format; object to processing; withdraw consent at any time. To exercise these rights, write to: [email protected]. We will respond within 30 days of your request.
8. Security
We adopt technical and organizational security measures to protect your data: TLS encryption for data in transit; encryption of data at rest; role-based access controls; continuous infrastructure monitoring.
9. Cookies and tracking
The FitSuite mobile app does not use cookies. There are no third-party analytics trackers or advertising systems. We do not perform profiling for advertising purposes.
10. Minors
The FitSuite service is restricted to individuals aged 18 and over. We do not knowingly collect data from minors. If we become aware that we have collected data from a minor, we will proceed with immediate deletion.
11. Changes to this policy
This Privacy Policy may be updated periodically. Changes will be published in the app and on the website. Continued use of the service after publication of changes constitutes acceptance of the new policy.
12. Contact and complaints
For any questions about this Privacy Policy or to exercise your rights, contact us at: [email protected]. You also have the right to lodge a complaint with the Italian Data Protection Authority: Garante per la protezione dei dati personali (www.garanteprivacy.it).