Privacy Policy
Last updated: February 22, 2026
1. Data Controller
Digital Technologies OÜ
Registry code: 16576446
VAT number: EE102558489
Management board address: Calle Conde de Altea 46, 46005 Valencia, Spain
Contact person: Magrat OÜ (reg. 11730730), Harju maakond, Tallinn, Kesklinna linnaosa, Estonia
Email: [email protected]
2. Data We Collect
We collect the following personal data when you interact with our services:
2.1 Data You Provide Directly
- Registration data: name, email address, gym name
- Interview data: information about your business (services, pricing, target audience) collected via WhatsApp conversation
- Survey data: responses from your gym members (anonymized to build audience profiles)
2.2 Automatically Collected Data
- Usage data: pages visited, time on site, actions taken
- Technical data: IP address (anonymized), browser type, operating system, preferred language
- Ad performance data: campaign metrics (impressions, clicks, conversions) obtained from Meta Ads
2.3 Third-Party Data
- Meta (Facebook/Instagram): when you connect your account, we access public posts, engagement metrics, and ad campaign data
- WhatsApp Business API: conversation messages with our AI agents for onboarding and lead management
3. Legal Basis for Processing
We process your data under the following legal bases (Art. 6 GDPR):
| Purpose | Legal basis |
|---|---|
| Service delivery | Performance of contract (Art. 6.1.b) |
| Managing ad campaigns on Meta | Performance of contract (Art. 6.1.b) |
| Service communications (updates, alerts) | Legitimate interest (Art. 6.1.f) |
| Service improvement and usage analysis | Legitimate interest (Art. 6.1.f) |
| Marketing communications | Consent (Art. 6.1.a) |
| Tax compliance | Legal obligation (Art. 6.1.c) |
4. Purposes of Processing
- Create and manage your platform account
- Generate audience profiles (personas) based on your gym data
- Create ad creatives using artificial intelligence
- Launch, manage, and optimize Meta Ads campaigns
- Qualify leads and manage trial class bookings
- Provide analytics and performance reports
- Send service notifications (new leads, campaign status)
- Improve our algorithms and service quality
5. Data Recipients
We share data with the following third parties, all with adequate GDPR safeguards:
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | EU (Frankfurt) |
| Meta Platforms, Inc. | Ad campaign management | EU/USA (DPF) |
| Anthropic PBC (Claude AI) | Creative generation and analysis | USA (DPF) |
| Hetzner Online GmbH | Server hosting | EU (Germany) |
| Cloudflare, Inc. | CDN and DDoS protection | EU/Global (DPF) |
| Resend Inc. | Transactional email delivery | USA (DPF) |
DPF = EU-U.S. Data Privacy Framework, an adequacy mechanism approved by the European Commission.
6. International Transfers
When we transfer data outside the EEA, we ensure adequate safeguards are in place under Art. 46 GDPR, including:
- European Commission adequacy decisions
- EU-U.S. Data Privacy Framework
- Standard Contractual Clauses (SCC) approved by the European Commission
7. Data Retention
- Account data: while the account is active + 30 days after deletion
- Campaign data: 24 months after campaign completion
- Billing data: 7 years (legal tax obligation)
- Survey data (anonymized): indefinitely (no longer constitutes personal data)
- Server logs: 90 days
8. Your Rights
As an EU resident, you have the following rights under the GDPR:
- Access (Art. 15): Obtain a copy of your personal data
- Rectification (Art. 16): Correct inaccurate data
- Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Restriction (Art. 18): Restrict processing in certain circumstances
- Portability (Art. 20): Receive your data in a structured format
- Objection (Art. 21): Object to processing based on legitimate interest
- Withdraw consent (Art. 7.3): At any time, without retroactive effect
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
9. Cookies and Similar Technologies
Currently, this website does not use tracking cookies or third-party analytics. If we implement non-essential cookies in the future, we will request your prior consent via a cookie banner compliant with the GDPR and ePrivacy Directive.
10. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Restricted access with SSH key authentication
- Regular backups on EU-based servers
- Firewall (UFW) and intrusion protection (fail2ban)
11. Children
Our services are aimed at fitness industry professionals and are not designed for persons under 16 years of age. We do not knowingly collect data from minors.
12. Supervisory Authority
If you believe our processing of your data violates the GDPR, you have the right to lodge a complaint with:
- Andmekaitse Inspektsioon (Estonian Data Protection Authority): www.aki.ee
- The data protection authority of your EU country of residence
13. Changes
We reserve the right to update this policy. We will notify you of significant changes via email or a notice on the platform. The date of the last update appears at the top of this document.