Bodivine

Privacy notice and data protection statement

Italiano

Bodivine Privacy Notice

Last updated: 2024-- (replace with publication date)

This notice explains how Bodivine ("Bodivine", "we", "our", "us") processes personal data when you use our nutrition and workout planning tools, visit our websites, or otherwise interact with us. It covers both (a) individual users who create plans for themselves and (b) professional coaches, personal trainers, and dietitians who manage plans on behalf of their clients. The notice is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR where relevant, and related European privacy and consumer regulations.

Please read this notice together with our Cookie Policy and Terms of Service. If you have any questions, contact us using the details in Section 1.

1. Who is responsible for your data

  • Data controller: Bodivine (legal entity: insert full legal company name, registered office, company number, VAT).

  • Contact email: privacy@bodivine.com (replace with monitored inbox).

  • Postal address: insert mailing address for privacy requests.

  • Data Protection Officer (DPO): insert DPO name or external service at dpo@bodivine.com.

  • EU representative (if main establishment outside EU/EEA): insert representative details.

  • Controller role: Bodivine is the data controller for information about individual account holders and for the platform services provided directly to them.

  • Processor role for professional accounts: When professional users store information about their clients, Bodivine processes that data strictly on the professional user's documented instructions and under a Data Processing Agreement (DPA). Professional users remain the data controllers for their client data and must ensure they have a valid legal basis and consent where required.

  • Joint activities: Where we co-design personalised plans with independent coaches or partners for shared programmes, we define responsibilities in a joint controllership arrangement before onboarding you.

2. Personal data we collect

CategoryExamplesSourceMandatory?
Account identifiersName, email address, password hash, preferred languageProvided by youRequired to create an account
App usage & preferencesNutrition plans, workout plans, meal details, exercise notes, saved targets, localeProvided by youRequired for core service
Special-category health dataNutrition targets, macro intake, workout intensity, body-related notes you enterProvided by youOnly stored with your explicit consent
Client data managed by professionalsClient names or identifiers, plan assignments, notes, health or lifestyle information supplied by the client to the professionalEntered by professional account holderProfessional must obtain appropriate consent or other legal basis
Device & security logsIP address, device/browser metadata, session tokens, login timestampsAutomatically collected via Better AuthNecessary for security and fraud prevention
Support & marketingMessages sent to support, survey responses, marketing opt-ins, campaign interactionProvided by youOptional
Payment/subscription (if applicable)Billing name, address, transaction ID, plan purchasedPayment processorRequired for paid plans

We do not intentionally collect data from children under 16. If you believe we hold such data, contact us so we can delete it.

3. Purposes and legal bases

PurposeLegal basisSpecial-category condition (if applicable)
Create and manage user accounts, authenticate you, provide core nutrition/workout functionalityArt. 6(1)(b) GDPR (contract)Art. 9(2)(a) GDPR (explicit consent)
Personalise plans, track progress, and generate analytics dashboardsArt. 6(1)(b) GDPR (contract)Art. 9(2)(a) GDPR (explicit consent)
Enable professional users to manage client assignments, collaborate, and export plansArt. 6(1)(f) GDPR (legitimate interest in providing B2B services) or Art. 6(1)(b) GDPR (contract with professional user)Art. 9(2)(a) GDPR where client consent is captured by the professional
Service communications (password reset, verification, transactional messages)Art. 6(1)(b) GDPR (contract)Not applicable
Customer support and responding to queriesArt. 6(1)(b) GDPR (contract)Art. 9(2)(a) GDPR when health data is involved
Product analytics and service improvement (aggregated)Art. 6(1)(f) GDPR (legitimate interest in operating and improving the service)We aggregate or anonymise health data wherever feasible
Marketing communications (email newsletters, promotions)Art. 6(1)(a) GDPR (consent)Not processed unless you voluntarily share health data in responses
Security, fraud prevention, and legal complianceArt. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest)We avoid storing special-category data for this purpose unless indispensable

You may withdraw consent at any time via the in-app privacy centre or by contacting privacy@bodivine.com. Withdrawal does not affect the lawfulness of processing before withdrawal but may limit feature availability.

4. How we handle special-category health data

  • We request explicit consent at account creation (separate checkbox) before storing nutrition or workout information. Professional users must collect explicit consent from their clients before entering any health data into Bodivine.
  • Health data is limited to information you enter into meal, macro, and workout planners.
  • We minimise collection by letting you skip fields, anonymising analytics, and removing identifiers from support screenshots/logs.
  • Health data is encrypted at rest and in transit. Access is restricted to authorised personnel with role-based access controls and logged activities.
  • You can delete specific plans or your entire account at any time; deletion cascades through all linked meals, items, and workout entries.
  • We conduct annual reviews of our Data Protection Impact Assessment (DPIA) and adjust safeguards accordingly.

5. Where we obtain data

  • Directly from you when you register, update your profile, or enter nutrition/workout details.
  • From professional users who input their clients' information into the platform (professionals must ensure they have lawful authority to share that data).
  • Automatically through our application (session cookies, device metadata).
  • From service providers processing data on our behalf, such as payment processors confirming transactions.

We do not buy personal data from third parties, nor do we source data from public records for consumer profiling.

6. Retention periods

Data setRetention rule
Account profile and plansRetained for the lifetime of the account and deleted within 30 days after confirmed deletion request
Health data inside plansSame as above; health data is purged when plans are deleted or after 24 months of inactivity (with prior notice)
Authentication and security logs12 months for critical logs (IP, login history); may be stored longer in hashed/anonymised form for security analytics
Support interactions24 months after resolution unless needed for legal defence
Marketing consentsUntil consent is withdrawn; we retain minimal proof of opt-in/out for 5 years
Billing records10 years to meet accounting and tax requirements (stored by our payment processor)

When retention periods expire, we securely delete or anonymise the data. Wherever possible, we delete health data first and retain only minimal metadata for compliance.

7. Sharing and international transfers

We only share personal data with:

  • Infrastructure and hosting providers (e.g. managed PostgreSQL, cloud platforms) that store encrypted data in the EEA or in jurisdictions covered by an EU adequacy decision.
  • Email delivery provider (Resend, Inc.) for transactional email. We rely on Standard Contractual Clauses (SCCs) and conduct transfer impact assessments.
  • Customer support tooling (if used) with appropriate data processing agreements.
  • Analytics providers configured to use pseudonymised or aggregated data.
  • Payment processors for managing subscriptions (no card data is stored on Bodivine systems).
  • Professional advisers (lawyers, accountants) when necessary for legal compliance.
  • Regulators or law enforcement when legally required.

Every processor operates under a GDPR-compliant Data Processing Agreement (DPA). For transfers outside the EEA/UK, we rely on SCCs or other recognised safeguards and assess local laws to ensure adequate protection.

8. Role assignments with professional users

  • Bodivine acts as the primary data controller for personal data relating to individual end users, professional account holders, billing contacts, and platform analytics.
  • For client information that professional users upload or create, Bodivine acts as a data processor. We only process that data to provide the services requested by the professional, and we implement contractual safeguards (DPA, confidentiality, security controls).
  • Professional users are responsible for informing their clients about their use of Bodivine, collecting any required consents, and handling client rights requests. We support them with tooling to export, correct, or delete client data on request.
  • When we jointly offer a programme with another organisation (for example, a co-branded challenge), we will provide a specific joint controller arrangement outlining roles, responsibilities, and contact points before onboarding participants.

9. Data subject rights

Under GDPR you may:

  • Request access to your data and receive a copy in a portable format.
  • Ask for corrections or updates to inaccurate information.
  • Request deletion of your account and associated data.
  • Restrict processing or object to certain uses (e.g. marketing, analytics).
  • Withdraw consent for health data processing.
  • Opt out of automated decision-making (we currently do not make automated decisions that produce legal or similarly significant effects).

How to exercise your rights

  1. Use the in-app privacy dashboard (Settings > Privacy) to download, correct, or delete data.
  2. If your data was added by a professional coach or dietitian, contact them first so they can action the request; we will support them as their processor.
  3. Email privacy@bodivine.com from your registered address (or through your professional contact) with your request.
  4. For identity verification, we may request additional information (e.g. recent login timestamp).
  5. We respond within one month (extendable by two months for complex requests).
  6. If you are unsatisfied, you can lodge a complaint with your local supervisory authority (see https://edpb.europa.eu/about-edpb/board/members_en).

10. Security measures and DPIA

  • Encryption in transit (HTTPS/TLS) and at rest (managed database encryption).
  • Least-privilege, role-based access for staff; mandatory MFA and logging of administrative actions.
  • Automated monitoring for unusual login activity and rate-limiting to reduce brute-force attacks.
  • Regular dependency patching and penetration testing prior to public release.
  • Incident response plan covering detection, containment, notification, and remediation, including a 72-hour breach notification workflow.
  • DPIA completed in Q1 2024, identifying residual risks as "low" after implementing encryption, consent controls, and data minimisation. Reviews scheduled annually and after major product changes.

11. Cookies and similar technologies

We use strictly necessary cookies for authentication and session continuity. Non-essential analytics or marketing cookies are set only after you provide consent via our cookie banner. Detailed information, including partners and retention, is available in our Cookie Policy.

You can withdraw cookie consent at any time through the banner preferences or browser settings. Rejecting non-essential cookies does not affect access to the core service but may impact personalised tips.

12. Children's privacy

The service is not intended for individuals under 16. We do not knowingly collect data from minors. If we discover that a minor has created an account without verified guardian consent, we will deactivate the account and delete associated data promptly.

13. Changes to this notice

We will update this notice when we introduce new features, change processors, or modify our legal basis. Material changes will be announced in-app and via email at least 30 days before they take effect. Continue using the service only if you agree with the updated notice.

14. Summary of records of processing activities (ROPA)

Processing activityData categoriesData subjectsPurposeLegal basisRetentionProcessors
Account registration & authenticationAccount identifiers, security logsApp usersProvide secure accessContract; Legitimate interest (security)Life of account + 30 daysBetter Auth (self-hosted), hosting provider
Nutrition & workout planningHealth data, preferencesApp usersDeliver personalised plansContract; Explicit consentLife of account or inactivity purgeCloud hosting, backup provider
Notifications & transactional emailsAccount identifiersApp usersService communicationsContract12 monthsResend (email delivery)
Customer supportAccount identifiers, support contentApp usersResolve issuesContract24 monthsSupport platform (if enabled)
Marketing communicationsAccount identifiers, marketing preferencesSubscribersSend optional updatesConsentUntil withdrawalEmail marketing platform (if enabled)
Billing & subscriptionsBilling details, transaction IDsPaying customersProvide paid services & comply with tax lawContract; Legal obligation10 yearsPayment processor
Professional client managementClient identifiers, health or lifestyle notes supplied by professionalClients of professional usersAllow professional users to create and share plans for their clientsContract with professional user; Legitimate interest in providing service; Explicit consent collected by professionalLife of client record or until deletion request from professional/clientCloud hosting, backup provider

The full ROPA is maintained internally and reviewed annually. Contact the DPO to request a copy.

15. How to contact us or challenge our practices

  • Email: privacy@bodivine.com
  • Postal: insert address
  • DPO: dpo@bodivine.com
  • EU/EEA supervisory authority: You may contact your local authority or our lead supervisory authority once appointed.

If you are a resident of the EEA or UK, you also have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred.

By continuing to use Bodivine after this notice takes effect, you acknowledge that you have read and understood how we process your personal data. Do not use the services if you cannot agree to this notice or withdraw consent where required.