This Privacy Policy explains how Activeo ("we", "our", or "us") collects, uses, and protects information when you use activeo.app and related services (collectively, the "Service"). By using the Service, you agree to this policy.

1. Data We Collect

Account Data

When you register or sign in, your identity is managed by our authentication provider. We receive and store:

User ID (subject identifier)
Email address
First and last name (if provided at registration)
Preferred language / locale

Business Data

Data you provide to build and manage your gym's website, including:

Company name, description, logo, and branding assets
Branch locations and details
Coach profiles and achievements
Packages, pricing, and equipment listings
Media uploads (photos, gallery images)

Billing Data

We do not store full card numbers. Payment processing is handled by Stripe (see Sub-processors). We store:

Billing contact name and address
Payment method type and last four digits
Subscription plan and status

Usage & Technical Data

IP address and browser / device type (security and diagnostics)
Error logs and crash reports via error monitoring
Aggregated analytics (page views, session counts) via Google Analytics 4

Live Chat Data

The landing page uses Tawk.to live chat. If a visitor initiates a chat, Tawk.to may collect: name, email address, chat transcript, IP address, and browser or device information. This data is processed by Tawk.to in accordance with their privacy policy and is used solely for support purposes.

Gym Visitor Data (Contact Forms)

When a visitor submits a contact form on a gym's public website, the name, email, and message provided are collected. This is delivered to the gym owner's email and not retained in Activeo's systems beyond delivery.

2. How We Use Your Data

To provide and operate the Service
To process subscriptions and payments
To send transactional emails (verification, password reset, billing)
To enforce usage limits and terms
To diagnose errors and improve reliability
To analyse usage patterns and improve the product (with consent)
To comply with legal obligations

We do not sell your data or use it for advertising targeting.

3. Legal Basis (GDPR)

Contract performance — processing necessary to deliver the Service
Legitimate interests — security monitoring and fraud prevention
Legal obligation — compliance with applicable laws (tax, financial regulations)
Consent — analytics cookies (Google Analytics), requested via our cookie banner

4. Sub-Processors

We share data with the following third-party sub-processors to operate the Service:

Provider	Purpose	Location
Stripe	Payment processing and subscription management	USA / EU
Keycloak (self-hosted)	User authentication and identity management	Self-hosted on AWS
Amazon Web Services (AWS)	Cloud hosting — EC2, S3, CloudFront, RDS	EU / USA
Google Analytics 4	Aggregated usage analytics (landing page, with consent only)	USA
Sentry	Error monitoring and crash reporting	USA / EU
Tawk.to	Live chat support widget (landing page)	USA / EU

Each sub-processor is bound by data processing agreements and complies with applicable privacy regulations.

5. Data Retention

Account data is retained for the duration of your subscription plus 90 days after cancellation.
Billing records are retained as required by financial regulations (typically 7 years).
Error logs are retained for up to 30 days.
After account deletion, data is purged within 30 days from all systems.

6. Your Rights (GDPR)

If you are in the EEA, you have the right to:

Access — request a copy of personal data we hold about you
Rectification — correct inaccurate data
Erasure — request deletion of your account and associated data
Portability — receive your data in a machine-readable format
Object — object to processing based on legitimate interests
Withdraw consent — opt out of analytics at any time by clearing your browser's localStorage

To exercise these rights, contact us via the official channels at activeo.app. We respond within 30 days.

7. Cookies

Session cookies — required for authentication (set by Keycloak)
Preference cookies — language and consent choices (localStorage)
Analytics cookies — Google Analytics 4, loaded only after you click "Okay" on the consent banner
Live chat cookies — set by Tawk.to when the live chat widget is loaded; used to maintain chat session state

Activeo does not use advertising or cross-site tracking cookies.

8. Data Security

TLS / HTTPS encryption in transit on all endpoints
Access controls and role-based permissions
Regular security audits and dependency scanning
Error monitoring with PII scrubbing where applicable

9. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by updating the date above. Continued use of the Service after changes constitutes acceptance.

10. Contact

For privacy inquiries, data deletion requests, or to exercise GDPR rights, contact us via the official channels at activeo.app.