Athliko Athliko
← Back to home 🇵🇱 Polityka Prywatności w polskiej wersji językowej

Privacy Policy

Version dated 09 May 2026

This Privacy Policy explains what personal data we collect, the purposes for which we process it, with whom we share it, and what rights Users have. It has been prepared in accordance with Regulation (EU) 2016/679 (GDPR) and the Polish Personal Data Protection Act of 10 May 2018. In the event of any discrepancy between the Polish and English versions, the Polish version shall prevail.

I. DATA CONTROLLER

  1. The controller of Users' personal data is Mateusz Zielinski, conducting business under the Athliko brand, with a correspondence address at Kopinska 20/22/26, 02-327 Warsaw, Poland, e-mail: support@athliko.com (hereinafter: the "Controller").
  2. For any matters concerning personal data protection, Users may contact the Controller at: support@athliko.com.

II. DATA COLLECTED AND PURPOSES OF PROCESSING

The scope of data collected and the purposes for which it is processed depend on how the Applications are used:

  1. First and last name, e-mail address, telephone number - account creation and management, communication with the User. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
  2. Health and training data (weight, body fat percentage, measurements, training progress) - provision of training services. Legal basis: Art. 9(2)(a) GDPR (explicit consent).
  3. Payment data (purchase confirmation from App Store / Google Play) - subscription and billing management. Legal basis: Art. 6(1)(b) and (c) GDPR.
  4. Device token (Firebase Cloud Messaging) - sending push notifications. Legal basis: Art. 6(1)(b) GDPR.
  5. Analytics data (Firebase Analytics: in-app events, device information, anonymous identifiers) - analysis and improvement of the Applications. Legal basis: Art. 6(1)(f) GDPR (legitimate interests).

Health data constitutes special category data under Article 9 GDPR. It is processed exclusively on the basis of the User's explicit consent, which may be withdrawn at any time. The Controller does not process payment card or bank account data directly - payments are handled by Apple Inc. and Google LLC.

III. DATA SHARING BETWEEN COACH AND ATHLETE

  1. Within the coach-athlete relationship, a Coach has access to an Athlete's training data (progress, results, training history) to the extent necessary to provide training services.
  2. An Athlete's health data (weight, body fat percentage, body measurements) is shared with a Coach only after the Athlete has granted explicit, voluntary consent within the Application. Consent is granted separately for each Coach and may be withdrawn at any time.
  3. By gaining access to an Athlete's health data, the Coach becomes an independent controller of that data and bears sole responsibility for such processing.

IV. DATA PROCESSORS

The Controller entrusts the processing of personal data to the following third-party providers (under appropriate data processing agreements):

  1. Neon, Inc. (neon.tech) - database storage (account, training, and health data) - location: European Union.
  2. Google LLC - Firebase Cloud Messaging - push notifications - USA / EU (Standard Contractual Clauses).
  3. Google LLC - Firebase Analytics - application analytics - USA / EU (SCC).
  4. Apple Inc. - App Store - payment and subscription processing (iOS) - USA (SCC).
  5. Google LLC - Google Play - payment and subscription processing (Android) - USA / EU (SCC).
  6. Google LLC - Google AdMob - displaying advertisements (free plan) - USA / EU (SCC).

Data stored by Neon, Inc. is located exclusively on Microsoft Azure servers within the EU and is not transferred outside the EEA. Transfers to processors headquartered in the USA are carried out on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission.

V. DATA RETENTION PERIODS

Personal data is retained for the period necessary to fulfil the purposes for which it was collected, and no longer than:

  1. Account and training data - for the duration of the active account, and up to 30 days following account deletion, after which the data is anonymised.
  2. Payment and billing data - for the period required by tax and accounting regulations (generally 5 years from the end of the relevant financial year).
  3. Analytics data (Firebase Analytics) - in accordance with Google's retention policy, by default 14 months.
  4. Data processed on the basis of consent - until the User withdraws their consent.

Upon expiry of the applicable retention period, data is anonymised or permanently deleted.

VI. USERS' RIGHTS

Every User has the following rights with respect to their personal data:

  1. the right of access to their data and to receive a copy thereof (Article 15 GDPR);
  2. the right to rectification of inaccurate or incomplete data (Article 16 GDPR);
  3. the right to erasure (the "right to be forgotten") in the cases set out in Article 17 GDPR;
  4. the right to restriction of processing (Article 18 GDPR);
  5. the right to data portability in respect of data processed on the basis of consent or a contract (Article 20 GDPR);
  6. the right to object to processing based on the Controller's legitimate interests (Article 21 GDPR);
  7. the right to withdraw consent at any time, without affecting the lawfulness of prior processing.

Requests should be directed to support@athliko.com. The Controller will respond no later than 30 days from receipt. Users also have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl.

VII. DATA SECURITY

The Controller applies the following technical and organisational measures to protect personal data:

  1. encryption of data transmitted between the Applications and servers (TLS/HTTPS protocol);
  2. storage of data in the Neon, Inc. database with encryption at rest and access control mechanisms;
  3. restriction of access to personal data to authorised persons only.

In the event of a personal data breach likely to result in a risk to Users' rights and freedoms, the Controller will notify the UODO within 72 hours, and will notify affected Users without undue delay where the risk is high.

VIII. PUSH NOTIFICATIONS AND ANALYTICS

  1. The Applications send push notifications via Firebase Cloud Messaging (Google LLC). A device token is stored on the User's device for this purpose. Users may disable push notifications at any time through their device settings.
  2. The Applications use Firebase Analytics to analyse usage and improve functionality. Firebase Analytics collects anonymised data on in-app events and device information that does not allow direct identification of the User.
  3. Users may opt out of analytics tracking through their device privacy settings (e.g., "Limit Ad Tracking" on iOS or advertising settings on Android).

IX. ADVERTISING (GOOGLE ADMOB)

  1. The free version of the Applications displays advertisements served by Google AdMob (Google LLC). In connection with advertisements, Google may collect and process User data in accordance with its own privacy policy: policies.google.com/privacy.
  2. Users with an active Athliko Coach Subscription are not shown advertisements.
  3. Users may manage advertising preferences through the privacy settings on their device or Google account.

X. COOKIES AND SIMILAR TECHNOLOGIES

  1. The mobile Applications do not use cookies. Local device storage is used to remember User preferences and maintain login sessions.
  2. The website www.athliko.com may use cookies necessary for its proper operation. Detailed information will be provided in a separate cookie notice.

XI. CHANGES TO THIS PRIVACY POLICY

  1. The Controller reserves the right to amend this Privacy Policy in the event of changes in law, technology, or the scope of services provided.
  2. Users will be informed of material changes with at least 14 days' notice via an in-app notification or e-mail. The current version is always available within the Applications and at www.athliko.com.

XII. FINAL PROVISIONS

  1. This Privacy Policy takes effect on 09 May 2026.
  2. Matters not governed by this Privacy Policy are subject to the GDPR, the Polish Personal Data Protection Act of 10 May 2018, and other applicable provisions of Polish law.
  3. This Privacy Policy is available in Polish and English. In the event of any discrepancy, the Polish version shall prevail.