Privacy Policy

1. Who We Are

The data controller is:

• UnitLift, obrt za digitalne usluge, vl. Leon Lišinski
• Tax ID (OIB): 61111415884
• Business Registration Number: 99113821
• Email: support@unitlift.com

2. Data We Collect

2.1 Data You Provide Directly

• Full name
• Email address
• Profile photo (avatar) - optional
• Training and nutrition data (plans, meals, recipes, foods)
• Check-in data defined by your trainer - such as steps, sleep hours, mood, etc.
• Check-in photos submitted by the client as part of progress tracking
• Messages exchanged between trainer and client within the app

2.2 Data Collected Automatically

• Technical device information (device type, operating system, app version)
• Service usage data (login date and time, pages viewed)
• IP address

2.3 Payment Data

Payments are processed through Stripe. We do not store card data. Stripe processes data in compliance with the PCI DSS standard. Details at https://stripe.com/privacy.

2.4 Push Notifications

If you consent to receive push notifications, we collect the device token required to send them. You can opt out in your device settings at any time.

3. Purpose and Legal Basis for Processing

We process your data for the following purposes:

• Providing the service - performance of contract (Art. 6(1)(b) GDPR)
• Trainer-client communication - performance of contract
• Sending push notifications - your consent (Art. 6(1)(a) GDPR)
• Security and fraud prevention - legitimate interest (Art. 6(1)(f) GDPR)
• Compliance with legal obligations - legal obligation (Art. 6(1)(c) GDPR)

4. Sharing Data with Third Parties

We do not sell your data to third parties. We may share data with:

• Supabase Inc. - data storage and authentication (USA; protected via standard contractual clauses)
• Vercel Inc. - web application hosting
• Stripe Inc. - payment processing
• Resend Inc. - transactional email delivery (contact form)
• Push notification providers - Apple (APNs) and Google (FCM)

All recipients process data solely according to our instructions and are bound by appropriate data processing agreements.

5. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), such as in the USA. In such cases, appropriate safeguards are applied in accordance with GDPR, including Standard Contractual Clauses issued by the European Commission.

6. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law.

After account deletion, personal data is erased within 30 days, except data we are required to retain under applicable law.

7. Your Rights

As a data subject under GDPR, you have the following rights:

• Right of access - you may request a copy of your personal data
• Right to rectification - you may request correction of inaccurate data
• Right to erasure ("right to be forgotten") - you may request deletion of your data
• Right to restriction of processing - you may request temporary suspension of processing
• Right to data portability - you may request your data in a machine-readable format
• Right to object - you may object to processing based on legitimate interest
• Right to withdraw consent - if processing is based on consent, you may withdraw it at any time

Submit requests to: support@unitlift.com

You also have the right to lodge a complaint with a supervisory authority. In Croatia, the competent authority is the Croatian Personal Data Protection Agency (AZOP), www.azop.hr.

8. Account Deletion

You may request deletion of your account and all associated data:

• Within the app: Settings → My Account → Delete Account
• By email: support@unitlift.com

After the request is confirmed, your account and personal data will be deleted within 30 days.

9. Data Security

We implement technical and organizational security measures to protect your data from unauthorized access, loss, or destruction.

• All connections are protected with TLS encryption
• Access to data is restricted to authorized personnel only

As a platform operator, we may technically access stored files exclusively for the purpose of technical support, security, and troubleshooting. Access is restricted and documented.

10. Cookies and Similar Technologies

The web application may use essential cookies for service functionality (authentication, session management). We do not use cookies for tracking or advertising.

11. Minors

The service is not intended for persons under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it immediately.

12. Changes to This Privacy Policy

We reserve the right to modify this Policy. We will notify you of significant changes via email or in-app notification. Continued use of the service after changes are published constitutes acceptance of the updated terms.

13. Contact

For any privacy-related questions, contact us:

• UnitLift, obrt za digitalne usluge, vl. Leon Lišinski
• Email: support@unitlift.com