Privacy Policy
1. Who we are (Data Controller)
Digilab Sports Ltd (“we”, “us”, “our”) operates AthlioConnect and is the data controller for personal data processed under this Privacy Policy.
Data protection contact: ted@digilabsports.com
You can also contact us at: ted@digilabsports.com
If you are a practitioner or organisation using AthlioConnect to share exercises, videos or programmes with your clients/patients, you may be an independent controller for the information you upload or share. See section 7.
2. What this policy covers
This policy explains what personal data we collect, why we collect it, how we use it, how we keep it secure, and your rights. It applies to visitors to our websites and users of our apps and services.
3. What data we collect
3.1 Data you provide
- Account data: name (optional), email address, authentication identifiers (e.g., Auth0 user ID).
- Support communications: messages you send us (e.g., emails) and any information you choose to include.
- Practitioner assignment data: where applicable, identifiers needed to link an athlete/patient to an assigned practitioner (e.g., invite code, assignment ID).
3.2 Data we collect automatically (website)
- Technical data: IP address, browser type, device information, and basic logs for security and performance.
- Cookie preferences: your consent choices for non-essential cookies (where used on the website).
3.3 Data we do not collect as a service feature (health data)
AthlioConnect is designed not to operate as a medical record system and does not require you to provide clinical notes, diagnoses, medical history, or other special category health information to use the core service.
If the app includes “set logging” or training/rehab logging features, the current implementation stores that information locally on your device (it is not uploaded to our servers) unless and until you choose to share it with an assigned practitioner via a specific sharing feature.
If a practitioner or organisation uploads health-related content into AthlioConnect despite this design, they are responsible for ensuring they have a lawful basis to do so and that their use complies with applicable law.
4. How we use your data (purposes, legal bases, retention)
Under UK GDPR and EU GDPR we must have a lawful basis to process personal data. In most cases our processing is necessary to provide the service you request (a contract) or for our legitimate interests (e.g., preventing fraud), balanced against your rights.
| Data category | Purpose | Lawful basis | Typical retention |
|---|---|---|---|
| Account data (email, auth identifiers, optional name) | Create and manage your account; provide core service functionality; security | Contract (performance of a contract); Legitimate interests (security) | While your account is active; deleted on request, or after a period of inactivity plus a reasonable grace period (typically 24 months), unless we are legally required to retain it longer |
| Support communications | Respond to queries, troubleshoot, improve support quality | Legitimate interests; Contract (where related to service delivery) | Typically up to 24 months after ticket closure, unless longer is needed for legal claims |
| Website technical logs | Maintain website security, detect abuse, debug issues, performance monitoring | Legitimate interests | Typically 30–180 days (may vary by infrastructure logs) |
| Cookie preferences (website) | Store your cookie consent choices | Consent (for non-essential cookies); Legitimate interests (essential cookies) | Typically 6–12 months (or until you change your preferences) |
| Payments / billing data (via Stripe) | Process payments, manage subscriptions, handle refunds/chargebacks, prevent fraud | Contract; Legitimate interests; Legal obligation (accounting/tax) | As required by Stripe and applicable law; typically 6 years for certain financial records (UK) |
5. Cookies and analytics
Website: We use a cookie banner to request consent for non-essential cookies (if any). Essential cookies may be used to make the site function and to remember your preferences.
App: We do not use cookies in the mobile app. We do not run third-party analytics in the app (as of the effective date above).
6. Who we share data with (processors)
We share personal data only with trusted service providers (“processors”) needed to operate AthlioConnect, such as:
- Authentication: Auth0 (account login and identity management)
- Payments: Stripe (billing and subscription management)
- Hosting and infrastructure: AWS and related cloud infrastructure providers
- Database and storage (where used): Supabase and related services
We maintain appropriate contractual protections with these providers (including data processing terms available through their management portals).
7. Sharing with assigned practitioners
AthlioConnect may enable an athlete/patient to be assigned to a practitioner (or organisation) so that the practitioner can share programmes and related content with them. Where a feature allows you to share information with an assigned practitioner, you acknowledge that:
- the practitioner may process that information for their own purposes (typically as an independent controller), and
- you should review any privacy information the practitioner provides to you.
8. International data transfers
We are based in the UK. Some of our service providers may process data outside the UK/EEA. Where this occurs, we rely on appropriate safeguards such as adequacy decisions and/or standard contractual clauses and equivalent mechanisms (e.g., UK IDTA/UK Addendum where applicable).
9. Security
We implement reasonable technical and organisational measures to protect your data, such as access controls, encryption in transit where supported, and least-privilege practices. No system is 100% secure; you use the service at your own risk.
10. Your rights
Depending on your location, you may have the right to:
- request access to your personal data
- request correction or deletion
- object to, or request restriction of, processing
- request data portability (where applicable)
- withdraw consent (where processing relies on consent)
To exercise your rights, contact ted@digilabsports.com. We may need to verify your identity before fulfilling a request.
11. Complaints
If you are in the UK, you can complain to the Information Commissioner’s Office (ICO). If you are in the EEA, you can complain to your local supervisory authority. We encourage you to contact us first so we can try to resolve your concern.
12. Children
AthlioConnect is not intended for children under 13. If you believe a child has provided personal data, contact us and we will take appropriate steps to delete it.
13. Changes to this policy
We may update this policy from time to time. We will post the updated version on our website and update the effective date above.