Bodivine Privacy Notice

Last updated: 2024-- (replace with publication date)

This notice explains how Bodivine ("Bodivine", "we", "our", "us") processes personal data when you use our nutrition and workout planning tools, visit our websites, or otherwise interact with us. It covers both (a) individual users who create plans for themselves and (b) professional coaches, personal trainers, and dietitians who manage plans on behalf of their clients. The notice is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR where relevant, and related European privacy and consumer regulations.

Please read this notice together with our Cookie Policy and Terms of Service. If you have any questions, contact us using the details in Section 1.

1. Who is responsible for your data

Data controller: Bodivine (legal entity: insert full legal company name, registered office, company number, VAT).
Contact email: privacy@bodivine.com (replace with monitored inbox).
Postal address: insert mailing address for privacy requests.
Data Protection Officer (DPO): insert DPO name or external service at dpo@bodivine.com.
EU representative (if main establishment outside EU/EEA): insert representative details.
Controller role: Bodivine is the data controller for information about individual account holders and for the platform services provided directly to them.
Processor role for professional accounts: When professional users store information about their clients, Bodivine processes that data strictly on the professional user's documented instructions and under a Data Processing Agreement (DPA). Professional users remain the data controllers for their client data and must ensure they have a valid legal basis and consent where required.
Joint activities: Where we co-design personalised plans with independent coaches or partners for shared programmes, we define responsibilities in a joint controllership arrangement before onboarding you.

2. Personal data we collect

Category	Examples	Source	Mandatory?
Account identifiers	Name, email address, password hash, preferred language	Provided by you	Required to create an account
App usage & preferences	Nutrition plans, workout plans, meal details, exercise notes, saved targets, locale	Provided by you	Required for core service
Special-category health data	Nutrition targets, macro intake, workout intensity, body-related notes you enter	Provided by you	Only stored with your explicit consent
Client data managed by professionals	Client names or identifiers, plan assignments, notes, health or lifestyle information supplied by the client to the professional	Entered by professional account holder	Professional must obtain appropriate consent or other legal basis
Device & security logs	IP address, device/browser metadata, session tokens, login timestamps	Automatically collected via Better Auth	Necessary for security and fraud prevention
Support & marketing	Messages sent to support, survey responses, marketing opt-ins, campaign interaction	Provided by you	Optional
Payment/subscription (if applicable)	Billing name, address, transaction ID, plan purchased	Payment processor	Required for paid plans

We do not intentionally collect data from children under 16. If you believe we hold such data, contact us so we can delete it.

3. Purposes and legal bases

Purpose	Legal basis	Special-category condition (if applicable)
Create and manage user accounts, authenticate you, provide core nutrition/workout functionality	Art. 6(1)(b) GDPR (contract)	Art. 9(2)(a) GDPR (explicit consent)
Personalise plans, track progress, and generate analytics dashboards	Art. 6(1)(b) GDPR (contract)	Art. 9(2)(a) GDPR (explicit consent)
Enable professional users to manage client assignments, collaborate, and export plans	Art. 6(1)(f) GDPR (legitimate interest in providing B2B services) or Art. 6(1)(b) GDPR (contract with professional user)	Art. 9(2)(a) GDPR where client consent is captured by the professional
Service communications (password reset, verification, transactional messages)	Art. 6(1)(b) GDPR (contract)	Not applicable
Customer support and responding to queries	Art. 6(1)(b) GDPR (contract)	Art. 9(2)(a) GDPR when health data is involved
Product analytics and service improvement (aggregated)	Art. 6(1)(f) GDPR (legitimate interest in operating and improving the service)	We aggregate or anonymise health data wherever feasible
Marketing communications (email newsletters, promotions)	Art. 6(1)(a) GDPR (consent)	Not processed unless you voluntarily share health data in responses
Security, fraud prevention, and legal compliance	Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest)	We avoid storing special-category data for this purpose unless indispensable

You may withdraw consent at any time via the in-app privacy centre or by contacting privacy@bodivine.com. Withdrawal does not affect the lawfulness of processing before withdrawal but may limit feature availability.

4. How we handle special-category health data

We request explicit consent at account creation (separate checkbox) before storing nutrition or workout information. Professional users must collect explicit consent from their clients before entering any health data into Bodivine.
Health data is limited to information you enter into meal, macro, and workout planners.
We minimise collection by letting you skip fields, anonymising analytics, and removing identifiers from support screenshots/logs.
Health data is encrypted at rest and in transit. Access is restricted to authorised personnel with role-based access controls and logged activities.
You can delete specific plans or your entire account at any time; deletion cascades through all linked meals, items, and workout entries.
We conduct annual reviews of our Data Protection Impact Assessment (DPIA) and adjust safeguards accordingly.

5. Where we obtain data

Directly from you when you register, update your profile, or enter nutrition/workout details.
From professional users who input their clients' information into the platform (professionals must ensure they have lawful authority to share that data).
Automatically through our application (session cookies, device metadata).
From service providers processing data on our behalf, such as payment processors confirming transactions.

We do not buy personal data from third parties, nor do we source data from public records for consumer profiling.

6. Retention periods

Data set	Retention rule
Account profile and plans	Retained for the lifetime of the account and deleted within 30 days after confirmed deletion request
Health data inside plans	Same as above; health data is purged when plans are deleted or after 24 months of inactivity (with prior notice)
Authentication and security logs	12 months for critical logs (IP, login history); may be stored longer in hashed/anonymised form for security analytics
Support interactions	24 months after resolution unless needed for legal defence
Marketing consents	Until consent is withdrawn; we retain minimal proof of opt-in/out for 5 years
Billing records	10 years to meet accounting and tax requirements (stored by our payment processor)

When retention periods expire, we securely delete or anonymise the data. Wherever possible, we delete health data first and retain only minimal metadata for compliance.

7. Sharing and international transfers

We only share personal data with:

Infrastructure and hosting providers (e.g. managed PostgreSQL, cloud platforms) that store encrypted data in the EEA or in jurisdictions covered by an EU adequacy decision.
Email delivery provider (Resend, Inc.) for transactional email. We rely on Standard Contractual Clauses (SCCs) and conduct transfer impact assessments.
Customer support tooling (if used) with appropriate data processing agreements.
Analytics providers configured to use pseudonymised or aggregated data.
Payment processors for managing subscriptions (no card data is stored on Bodivine systems).
Professional advisers (lawyers, accountants) when necessary for legal compliance.
Regulators or law enforcement when legally required.

Every processor operates under a GDPR-compliant Data Processing Agreement (DPA). For transfers outside the EEA/UK, we rely on SCCs or other recognised safeguards and assess local laws to ensure adequate protection.

8. Role assignments with professional users

Bodivine acts as the primary data controller for personal data relating to individual end users, professional account holders, billing contacts, and platform analytics.
For client information that professional users upload or create, Bodivine acts as a data processor. We only process that data to provide the services requested by the professional, and we implement contractual safeguards (DPA, confidentiality, security controls).
Professional users are responsible for informing their clients about their use of Bodivine, collecting any required consents, and handling client rights requests. We support them with tooling to export, correct, or delete client data on request.
When we jointly offer a programme with another organisation (for example, a co-branded challenge), we will provide a specific joint controller arrangement outlining roles, responsibilities, and contact points before onboarding participants.

9. Data subject rights

Under GDPR you may:

Request access to your data and receive a copy in a portable format.
Ask for corrections or updates to inaccurate information.
Request deletion of your account and associated data.
Restrict processing or object to certain uses (e.g. marketing, analytics).
Withdraw consent for health data processing.
Opt out of automated decision-making (we currently do not make automated decisions that produce legal or similarly significant effects).

How to exercise your rights

Use the in-app privacy dashboard (Settings > Privacy) to download, correct, or delete data.
If your data was added by a professional coach or dietitian, contact them first so they can action the request; we will support them as their processor.
Email privacy@bodivine.com from your registered address (or through your professional contact) with your request.
For identity verification, we may request additional information (e.g. recent login timestamp).
We respond within one month (extendable by two months for complex requests).
If you are unsatisfied, you can lodge a complaint with your local supervisory authority (see https://edpb.europa.eu/about-edpb/board/members_en).

10. Security measures and DPIA

Encryption in transit (HTTPS/TLS) and at rest (managed database encryption).
Least-privilege, role-based access for staff; mandatory MFA and logging of administrative actions.
Automated monitoring for unusual login activity and rate-limiting to reduce brute-force attacks.
Regular dependency patching and penetration testing prior to public release.
Incident response plan covering detection, containment, notification, and remediation, including a 72-hour breach notification workflow.
DPIA completed in Q1 2024, identifying residual risks as "low" after implementing encryption, consent controls, and data minimisation. Reviews scheduled annually and after major product changes.

11. Cookies and similar technologies

We use strictly necessary cookies for authentication and session continuity. Non-essential analytics or marketing cookies are set only after you provide consent via our cookie banner. Detailed information, including partners and retention, is available in our Cookie Policy.

You can withdraw cookie consent at any time through the banner preferences or browser settings. Rejecting non-essential cookies does not affect access to the core service but may impact personalised tips.

12. Children's privacy

The service is not intended for individuals under 16. We do not knowingly collect data from minors. If we discover that a minor has created an account without verified guardian consent, we will deactivate the account and delete associated data promptly.

13. Changes to this notice

We will update this notice when we introduce new features, change processors, or modify our legal basis. Material changes will be announced in-app and via email at least 30 days before they take effect. Continue using the service only if you agree with the updated notice.

14. Summary of records of processing activities (ROPA)

Processing activity	Data categories	Data subjects	Purpose	Legal basis	Retention	Processors
Account registration & authentication	Account identifiers, security logs	App users	Provide secure access	Contract; Legitimate interest (security)	Life of account + 30 days	Better Auth (self-hosted), hosting provider
Nutrition & workout planning	Health data, preferences	App users	Deliver personalised plans	Contract; Explicit consent	Life of account or inactivity purge	Cloud hosting, backup provider
Notifications & transactional emails	Account identifiers	App users	Service communications	Contract	12 months	Resend (email delivery)
Customer support	Account identifiers, support content	App users	Resolve issues	Contract	24 months	Support platform (if enabled)
Marketing communications	Account identifiers, marketing preferences	Subscribers	Send optional updates	Consent	Until withdrawal	Email marketing platform (if enabled)
Billing & subscriptions	Billing details, transaction IDs	Paying customers	Provide paid services & comply with tax law	Contract; Legal obligation	10 years	Payment processor
Professional client management	Client identifiers, health or lifestyle notes supplied by professional	Clients of professional users	Allow professional users to create and share plans for their clients	Contract with professional user; Legitimate interest in providing service; Explicit consent collected by professional	Life of client record or until deletion request from professional/client	Cloud hosting, backup provider

The full ROPA is maintained internally and reviewed annually. Contact the DPO to request a copy.

15. How to contact us or challenge our practices

Email: privacy@bodivine.com
Postal: insert address
DPO: dpo@bodivine.com
EU/EEA supervisory authority: You may contact your local authority or our lead supervisory authority once appointed.

If you are a resident of the EEA or UK, you also have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred.

By continuing to use Bodivine after this notice takes effect, you acknowledge that you have read and understood how we process your personal data. Do not use the services if you cannot agree to this notice or withdraw consent where required.