Privacy Policy

Last updated: February 22, 2026

1. Data Controller

Digital Technologies OÜ (hereinafter, “Pilotium”, “we” or “our”)
Registration code: 16576446
VAT ID: EE102558489
Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Estonia
Management address: Calle Conde de Altea 46, 46005 Valencia, Spain
Contact person: Magrat OÜ (reg. 11730730)
Email: [email protected]

Dual role of Pilotium: With respect to the data of platform users (gym owners, authorised staff), Pilotium acts as data controller. With respect to the personal data of leads and third parties processed through the Service on behalf of clients (gyms), Pilotium acts as data processor, pursuant to GDPR Art. 28 and the Data Processing Agreement (DPA). The specific conditions of such processing are governed by the DPA entered into between Pilotium and each client.

2. Data We Collect

We collect the following personal data when you interact with our services:

2.1 Data provided directly

  • Registration data: name, email address, gym name, telephone number
  • Interview data: information about your business (services, pricing, target audience) collected through WhatsApp conversation
  • Survey data: responses from your gym members (anonymised to build audience profiles)
  • Billing data: payment information for the Subscription Fee and the Wallet (processed securely by PCI-certified payment providers)
  • Client Content: photographs, videos, logos and texts provided for the creation of advertising campaigns

2.2 Data collected automatically

  • Usage data: pages visited, time on site, actions performed on the platform
  • Technical data: IP address, browser type, operating system, preferred language, time zone
  • Cookie data: information collected through cookies and similar technologies, as detailed in our Cookie Policy
  • Advertising performance data: campaign metrics (impressions, clicks, conversions, cost) obtained from the Advertising Platforms (Meta, Google, TikTok, Snapchat)

2.3 Data from third parties

  • Meta (Facebook/Instagram): when we connect your business, we access public posts, engagement metrics and advertising campaign data
  • Google Ads: campaign metrics, audience data and advertising performance
  • TikTok Ads and Snapchat Ads: campaign metrics and performance data
  • WhatsApp Business API: conversation messages with our AI agents for onboarding and lead management

3. Legal Basis for Processing

We process your data on the following legal bases (Art. 6 GDPR):

Purpose | Legal basis
Provision of the contracted service | Performance of a contract (Art. 6(1)(b))
Advertising campaign management | Performance of a contract (Art. 6(1)(b))
Wallet and billing management | Performance of a contract (Art. 6(1)(b))
Service communications (updates, alerts) | Legitimate interest (Art. 6(1)(f))
Service improvement and usage analysis | Legitimate interest (Art. 6(1)(f))
Marketing communications | Consent (Art. 6(1)(a))
Non-essential cookies and tracking | Consent (Art. 6(1)(a))
Compliance with tax obligations | Legal obligation (Art. 6(1)(c))
Fraud prevention and security | Legitimate interest (Art. 6(1)(f))

4. Purposes of Processing

  • Create and manage your account on the platform
  • Generate audience profiles (personas) based on your gym’s data
  • Create advertising creatives using artificial intelligence
  • Launch, manage and optimise campaigns on Meta Ads, Google Ads, TikTok Ads and Snapchat Ads
  • Qualify leads and manage trial class bookings
  • Provide analytics and performance reports
  • Manage the Wallet and the Advertising Budget
  • Process payments and billing
  • Send service notifications (new leads, campaign status, balance alerts)
  • Improve our algorithms and service quality
  • Prevent fraud and ensure platform security
  • Comply with our legal and regulatory obligations

5. Data Recipients

We share data with the following third parties, all with appropriate data protection safeguards:

Provider | Purpose | Location
Meta Platforms, Inc. | Advertising campaign management | EU/US (DPF)
Google LLC | Advertising campaign management | EU/US (DPF)
TikTok Inc. | Advertising campaign management | US/Singapore (SCC)
Snap Inc. (planned) | Advertising campaign management (planned integration) | US (DPF)
Anthropic PBC (Claude AI) | Creative generation, AI conversational agent | US (DPF)
Hetzner Online GmbH | Server and database hosting | EU (Germany)
Cloudflare, Inc. | DNS, CDN and DDoS protection | EU/Global (DPF)
Brevo (Sendinblue) SAS | Transactional email delivery | EU (France)
Resend Inc. | Transactional email delivery | US (DPF)
Stripe, Inc. | Payment processing | EU/US (DPF)

DPF = EU-U.S. Data Privacy Framework, an adequacy mechanism approved by the European Commission. For providers not covered by the DPF, Standard Contractual Clauses (SCCs) approved by the European Commission apply.

6. International Transfers

When we transfer data outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place pursuant to Art. 46 GDPR, including:

  • Adequacy decisions of the European Commission (Art. 45 GDPR)
  • EU-U.S. Data Privacy Framework (DPF)
  • Standard Contractual Clauses (SCCs) approved by the European Commission

Should any transfer mechanism be invalidated at any time, Pilotium shall adopt alternative measures in compliance with applicable legislation.

7. Data Retention

  • Account data: for as long as the account remains active + 30 days following cancellation
  • Campaign and lead data: for as long as the account remains active + 30 days following cancellation
  • Billing data: 7 years (legal tax obligation)
  • Survey data (anonymised): indefinitely (does not constitute personal data)
  • Server logs: 90 days
  • Cookie data: in accordance with the periods set out in our Cookie Policy
  • Restricted accounts register: 5 years from the date of account termination, or until the outstanding debt is settled in full, whichever occurs first. Legal basis: legitimate interest (GDPR Art. 6.1.f). The right of erasure (Art. 17 GDPR) may be deferred while an outstanding debt remains unsettled

Once the stated periods have elapsed, data shall be deleted or irreversibly anonymised, unless the law requires its retention for an additional period (in which case the data shall be kept blocked and accessible solely for the purpose of fulfilling that legal obligation).

8. Your Rights

8.1 Rights under the GDPR (European Union)

If you are located in the European Economic Area, you have the following rights:

  • Access (Art. 15): Obtain a copy of your personal data
  • Rectification (Art. 16): Correct inaccurate or incomplete data
  • Erasure (Art. 17): Request the deletion of your data (“right to be forgotten”)
  • Restriction (Art. 18): Restrict processing in certain circumstances
  • Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Objection (Art. 21): Object to processing based on legitimate interest
  • Withdraw consent (Art. 7(3)): At any time, without retroactive effect
  • Not to be subject to automated decision-making (Art. 22): Right to human intervention in decisions that significantly affect you

8.2 Rights under the CCPA/CPRA (United States)

If you are a resident of California or another US state with applicable privacy legislation, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know: Request information about what personal data we have collected in the past 12 months, the sources, the purposes, and the categories of third parties with whom it is shared
  • Right to delete: Request the deletion of your personal data, subject to legal exceptions
  • Right to correct: Request the correction of inaccurate personal data
  • Right to opt out (“Do Not Sell or Share”): Pilotium does not sell or share personal data as defined by the CCPA/CPRA. We use remarketing cookies (such as the Meta Pixel) exclusively with your prior consent. If you wish to opt out of targeted advertising, you may do so by rejecting non-essential cookies in our cookie banner or by sending an email to [email protected] with the subject line “CCPA Opt-Out”
  • Right to limit the use of sensitive personal information: We do not collect sensitive personal information as defined by the CPRA
  • Non-discrimination: You will not be discriminated against for exercising your rights under the CCPA/CPRA

Categories of personal information collected: Identifiers (name, email, telephone, IP address); commercial information (subscription history, transactions); Internet activity (pages visited, interactions with the service); geolocation data (approximate, derived from IP); professional information (business name, job title).

To exercise your CCPA rights, send an email to [email protected] with the subject line “CCPA Request”. We shall respond within a maximum of 45 days. You may designate an authorised agent to make requests on your behalf by providing written authorisation.

8.3 Rights under the LGPD (Brazil)

If you are a resident of Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD, Lei 13.709/2018):

  • Confirmation and access (Art. 18.I-II): Confirm the existence of processing and access your data
  • Correction (Art. 18.III): Correct incomplete, inaccurate or outdated data
  • Anonymisation, blocking or deletion (Art. 18.IV): Of unnecessary or excessive data, or data processed in breach of the LGPD
  • Portability (Art. 18.V): Request the portability of your data to another service provider
  • Deletion (Art. 18.VI): Request the deletion of data processed with your consent
  • Information about sharing (Art. 18.VII): Know the public and private entities with which your data has been shared
  • Revocation of consent (Art. 18.IX): Revoke your consent at any time
  • Objection (Art. 18.§2): Object to processing carried out without your consent if you consider it to be in breach of the LGPD

Legal basis for processing under the LGPD (Art. 7): We process your data on the basis of: performance of a contract (Art. 7.V), legitimate interest (Art. 7.IX), and consent (Art. 7.I) for marketing communications and non-essential cookies.

To exercise your rights, contact us at [email protected]. You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD): www.gov.br/anpd.

8.4 Rights under the LFPDPPP (Mexico)

If you are a resident of Mexico, you have the following ARCO rights under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP):

  • Access: Know what personal data we hold about you and the conditions of its processing
  • Rectification: Request the correction of inaccurate or incomplete personal data
  • Cancellation: Request the deletion of your data when you consider that it is not being processed in accordance with the law
  • Objection: Object to the processing of your data for specific purposes
  • Revocation of consent: Revoke your consent for the processing of your data at any time
  • Limitation of use or disclosure: Request that we limit the use or disclosure of your data

Primary purposes of processing: Provision of the contracted service, advertising campaign management, payment processing and billing. Secondary purposes: Marketing communications, service improvement, statistical analysis. You may object to the secondary purposes at any time.

Transfers: Your data may be transferred to the providers listed in section 5 of this Policy. Transfers necessary for the provision of the contracted service do not require your consent (Art. 37.II LFPDPPP).

To exercise your ARCO rights or revoke your consent, send an email to [email protected] with the subject line “ARCO Request”, including: your full name, a copy of your official identification, a clear description of the data and rights you wish to exercise, and any document that may facilitate the location of your data. We shall respond within a maximum of 20 business days. You may also lodge a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI): home.inai.org.mx.

8.5 How to exercise your rights

To exercise any of these rights, please write to us at [email protected] with “Privacy request” in the email subject line. Response times: 30 days (GDPR), 45 days (CCPA), 20 business days (LFPDPPP Mexico), 15 days (LGPD Brazil). We may request a copy of your identity document to verify your identity.

9. Cookies and Similar Technologies

We use cookies and similar technologies to enhance your experience, personalise content and analyse performance. For detailed information about the cookies we use, their purposes, providers and expiry periods, please refer to our Cookie Policy.

When you first visit our website, we shall request your consent for the installation of non-essential cookies by means of a consent banner in compliance with the GDPR and the ePrivacy Directive (2002/58/EC). You may modify your cookie preferences at any time.

10. Automated Decision-Making and Profiling

Pilotium uses artificial intelligence and automated algorithms to:

  • Generate advertising creatives
  • Optimise advertising campaigns
  • Qualify leads
  • Build audience profiles

These operations are carried out exclusively in the context of providing the contracted service and neither produce legal effects nor significantly affect data subjects on an individual basis. The data used for audience profiling is anonymised and aggregated. Under no circumstances are solely automated decisions taken that produce legal effects on identified natural persons.

At any time you may request human intervention, express your point of view or obtain an explanation of any automated process by contacting us at [email protected].

11. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256-CBC)
  • Role-based access control (principle of least privilege) with SSH key authentication
  • Regular backups on servers within the EU
  • Firewall (UFW) and intrusion protection (fail2ban)
  • Continuous system monitoring and security alerts
  • Payment data handled by PCI-DSS certified processors (card data is not stored on our servers)

12. Security Breach Notification

In the event of a security breach affecting your personal data, Pilotium shall:

  • Notify the competent supervisory authority within a maximum of 72 hours from becoming aware of the breach (Art. 33 GDPR)
  • Inform you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Art. 34 GDPR)
  • Document all security breaches and the remedial measures taken

13. Minors

Our services are aimed at fitness industry professionals and are not designed for individuals under 16 years of age (or the equivalent age under the legislation of your jurisdiction). We do not knowingly collect data from minors. If you become aware that a minor has provided us with personal data, please contact us at [email protected] and we shall proceed with its immediate deletion.

14. Supervisory Authority

If you consider that the processing of your data infringes your rights, you have the right to lodge a complaint with:

  • Andmekaitse Inspektsioon (Estonian Data Protection Authority): www.aki.ee
  • The data protection authority of your country of residence within the EU
  • For US residents: the Federal Trade Commission (FTC) or your state Attorney General’s office
  • For residents of Brazil: the Autoridade Nacional de Proteção de Dados (ANPD)
  • For residents of Mexico: the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI)

15. Amendments

We reserve the right to update this Privacy Policy. We shall notify you of significant changes by email or by notice on the platform with a minimum of 30 days’ prior notice. The date of the last update appears at the beginning of this document. Continued use of the Service following the amendments shall constitute acceptance of the new policy.

16. Contact

For any enquiries regarding the processing of your personal data, to exercise your rights or for any other privacy matter, please write to us at [email protected].