Privacy Policy
This Privacy Policy describes how PrimeFlow Labs collects, uses and protects the personal data of users of the PrimeFlow Core and PrimeFlow Pearl applications.
PrimeFlow is a personal wellness and fitness training application. The data we process consists of activity and training data, not medical or clinical data.
Summary
- What data do we collect? Registration data, app usage data and training activity data
- How do we use it? To provide the service, personalise the experience and improve the app
- Do we share it? Only with essential providers; we never sell data
- Where is it stored? On secure servers within the EU
- How long do we keep it? While your account is active, plus legal retention periods
- What are your rights? Access, rectification, erasure, portability, objection and restriction
1. CONTROLLER INFORMATION
1.1 Identity of the Controller
| Field | Information |
|---|---|
| Trade name | PrimeFlow Labs |
| Owner | Sole trader (self-employed) |
| Tax ID (NIF) | 39371050H |
| Privacy email | privacy@prime-flow-app.com |
| Website | https://prime-flow-app.com |
1.2 Privacy Contact
For data protection matters, please contact our privacy team: privacy@prime-flow-app.com
2. DATA WE COLLECT
2.1 Data You Provide to Us
2.1.1 Registration Data
- Name: personalisation of the experience
- Email: identification and communications
- Password: access security (stored as a salted bcrypt hash; see 8.1)
- Date of birth: age verification, personalisation
- Country: regional adaptation, legal compliance
2.1.2 Onboarding Data
- Wellness goals: routine and exercise personalisation
- Available time: session duration adaptation
- Notification preferences: sending reminders
2.1.3 Training Activity Data
PrimeFlow collects personal physical activity data solely to provide the training tracking and experience personalisation service. This data consists of fitness and personal activity data, not medical or clinical data:
- Completed sessions: training progress tracking
- Exercises performed: personal activity statistics
- Training time: physical activity habit analysis
- Consecutive day streaks: motivation and gamification
- Level reached: personalised training progression
- Wellness self-assessment results: physical activity level assessment
We request your consent to process this activity data during registration. You may withdraw it at any time from the application settings.
2.1.4 AI System Usage Data (optional)
If you activate the AI System, your training activity data (anonymised) is processed to generate personalised recommendations. This data never includes medical or clinical information. You may disable the AI System at any time from Settings > Artificial Intelligence.
2.2 Automatically Collected Data
2.2.1 Technical Data
- Device type: app optimisation
- Operating system: technical compatibility
- Application version: technical support
- Device language: localisation
- Time zone: accurate reminders
2.2.2 Usage Data
- Screens visited: UX improvement
- Features used: product development
- App errors: bug fixing
- Date and time of access: security and analysis
2.2.3 Identifiers
- Internal user ID: service operation
- Local notification token: sending reminders on the device
We do NOT collect:
- Precise GPS location
- Phone contact data
- SMS or call content
- Data from other applications
- Financial information (payments are processed by Apple/Google)
3. HOW WE USE YOUR DATA
3.1 Primary Purposes
- Providing the service: registration, profile and activity data (contract performance)
- Personalising routines: goals, level and training progress (contract performance)
- Sending reminders: local notifications per time preferences (consent)
- Showing progress: session training data (consent)
- Managing subscription: email and billing data via stores (contract performance)
- Generating AI activity analysis: anonymised training data (consent, only if AI System is active)
3.2 Secondary Purposes
- Improving the application: anonymous usage data (legitimate interest)
- Statistical analysis: aggregated and anonymous data (legitimate interest)
- Fraud prevention: usage patterns (legitimate interest)
- Legal compliance: as required (legal obligation)
3.3 Communications
- Training reminders: with your consent (local notifications, can be disabled in settings)
- Service communications: contract performance (cannot be disabled)
- News and updates: legitimate interest (can be disabled via email link)
- Marketing and promotions: with your consent (can be disabled in settings or via email link)
4. LEGAL BASES FOR PROCESSING
4.1 Contract Performance (Art. 6.1.b GDPR)
We process data necessary to:
- Create and maintain your account
- Provide the application's features
- Manage your subscription
- Provide technical support
4.2 Consent (Art. 6.1.a GDPR)
We request your explicit consent to:
- Process training activity data (sessions, exercises, progress)
- Activate the AI System for personalised physical activity analysis
- Send commercial communications
- Activate reminder notifications on the device
- Use non-essential cookies (web)
You may withdraw your consent at any time from the application settings or by contacting privacy@prime-flow-app.com
4.3 Legitimate Interest (Art. 6.1.f GDPR)
We rely on legitimate interest for:
- Improving the application through usage analysis
- Preventing fraud and abuse
- Ensuring system security
- Sending essential service communications
4.4 Legal Obligation (Art. 6.1.c GDPR)
We fulfil legal obligations such as:
- Retention of tax records
- Response to judicial requests
- Compliance with consumer regulations
5. WITH WHOM WE SHARE YOUR DATA
5.1 Service Providers (Data Processors)
We share data with providers who help us operate the service:
| Provider | Service | Location |
|---|---|---|
| Google Firebase | Database and authentication | EU (Belgium) |
| RevenueCat | Subscription management | USA |
| Google Analytics | Anonymous usage analysis | USA |
| Anthropic (Claude API) | AI analysis generation (only if AI System active, anonymised data) | USA |
| Sentry | Technical error monitoring | USA |
Reminder notifications are local and managed exclusively on the user's device. No data is transmitted to external servers for this purpose.
These providers are certified under the EU-US Data Privacy Framework or have Standard Contractual Clauses (SCCs) in place.
5.2 App Stores
Subscription payments are processed directly by Apple (App Store) and Google (Play Store). We do not have access to your full payment data.
5.3 Third Parties with Whom We Do NOT Share Data
We never sell, rent or share your personal data with:
- Marketing or advertising companies
- Data brokers
- Social networks
- Insurance companies or healthcare organisations
- Employers or unauthorised third parties
6. INTERNATIONAL TRANSFERS
6.1 General Principle
Your data is stored primarily on servers located within the European Union.
6.2 Transfers to the USA
Some of our providers are based in the United States. For these transfers, we use the following safeguards:
- EU-US Data Privacy Framework: providers certified under this framework
- Standard Contractual Clauses (SCCs): contracts approved by the European Commission
- Supplementary measures: encryption, pseudonymisation, access controls
You may request further information about specific safeguards by contacting privacy@prime-flow-app.com
7. DATA RETENTION
7.1 General Criteria
| Data type | Retention period |
|---|---|
| Account data | While the account is active |
| Training activity data | While the account is active |
| Session history | 2 years from the session |
| Billing data | 5 years (tax obligation) |
| Security logs | 1 year |
| Anonymous data | Indefinitely |
7.2 After Account Deletion
When you delete your account:
- Immediate deactivation: 24 hours
- Deletion of personal data: 30 days
- Deletion of backups: 90 days
- Retention of tax records: 5 years (as required by law)
7.3 Inactive Accounts
If your account remains inactive for 24 months, we will send an inactivity notice. If there is no response within 30 days, the account may be deleted with prior notification.
8. DATA SECURITY
8.1 Technical Measures
- Encryption in transit: TLS 1.3 for all communications
- Encryption at rest: AES-256 for stored data
- Password hashing: bcrypt with unique salt
- Authentication: JWT tokens with expiry
- Firewall: perimeter server protection
8.2 Organisational Measures
- Restricted access: principle of least privilege
- Audits: periodic security reviews
- Procedures: incident response protocols
- Contracts: confidentiality agreements with providers
8.3 Breach Notification
In the event of a security breach affecting your data:
- We will notify the supervisory authority within 72 hours
- We will inform you without undue delay if there is a high risk
- We will take measures to mitigate the damage
9. YOUR RIGHTS
9.1 Rights under the GDPR
| Right | Description |
|---|---|
| Access | Know what data we process about you |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Delete your data ("right to be forgotten") |
| Portability | Receive your data in a structured format |
| Objection | Object to certain processing activities |
| Restriction | Temporarily restrict processing |
| Withdraw consent | Revoke previously given consents |
9.2 How to Exercise Your Rights
Option 1 — From the application: Go to Settings > Privacy and select the relevant option.
Option 2 — By email: Write to privacy@prime-flow-app.com stating your request and attaching a copy of your ID/Passport. You will receive a response within a maximum of 30 days.
9.3 Right to Lodge a Complaint
If you believe that the processing of your data infringes the GDPR, you may lodge a complaint with:
Spanish Data Protection Agency (AEPD)
Website: www.aepd.es
C/ Jorge Juan, 6, 28001 Madrid, Spain
We recommend contacting us first to try to resolve any issue.
10. MINORS
10.1 Minimum Age
PrimeFlow is intended exclusively for users aged 18 and over. We do not intentionally collect data from minors.
10.2 Age Verification
During registration, we request the date of birth and verify that the user is at least 18 years old. Minors are not permitted to complete registration.
10.3 Detection and Deletion
If we detect that a minor has provided personal data, we will immediately delete the data and cancel the account. If you are aware of a minor using the application, please contact privacy@prime-flow-app.com
11. ACCOUNT AND DATA DELETION
11.1 How to Delete Your Account
You can delete your account and all associated data from: Profile > Settings > Delete account
11.2 Effects of Deletion
When you delete your account:
- All your personal data will be permanently deleted
- Your training history and progress will be removed
- Any active subscription will be cancelled
- This action is irreversible
12. LOCAL STORAGE TECHNOLOGIES
12.1 In the Mobile Application
The mobile application does NOT use traditional cookies, but employs local storage technologies:
- Device local storage: preferences and training data (persistent)
- Session tokens: authentication (until logout)
- Local notification tokens: device reminders (until revoked)
Notifications are local: managed entirely on the user's device without transmitting data to external servers.
12.2 On the Website (prime-flow-app.com)
Our website uses cookies. For detailed information, please consult our Cookie Policy.
13. CHANGES TO THIS POLICY
13.1 Updates
We may update this Privacy Policy periodically to reflect changes in our data practices, new features or updated legal requirements.
13.2 Notification of Changes
Material changes will be communicated via notification in the application, email to the registered address and a prominent notice on the website.
14. CONTACT
| Channel | Contact |
|---|---|
| Privacy email | privacy@prime-flow-app.com |
| General email | info@prime-flow-app.com |
| Web form | prime-flow-app.com/contacto |
Response times: Rights requests: maximum 30 days. General enquiries: 5-10 working days.
15. ADDITIONAL INFORMATION
15.1 Automated Analysis and AI System
PrimeFlow uses an optional artificial intelligence system (AI System) that generates personalised training recommendations based on your physical activity data. This system:
- Analyses exclusively training activity data (sessions, levels, progression)
- Does not process or interpret medical or clinical data of any kind
- Operates on anonymised fitness data
- Generates advisory, non-binding recommendations
- Does not produce legal effects or significantly affect the user beyond training personalisation
The AI System does not constitute automated decision-making with legal effects within the meaning of Art. 22 GDPR. You may ignore or disable its recommendations at any time.
15.2 Activity Profiling
We use usage data to create training activity profiles solely to personalise exercise routines, display progress statistics and suggest content tailored to the user's level.
This profiling is NOT used for credit decisions, employment assessments, discrimination of any kind or external advertising or marketing purposes.
16. VERSION HISTORY
| Version | Date | Main changes |
|---|---|---|
| 1.0 | January 2026 | Initial version |
| 1.1 | February 2026 | Contact email update, section expansion |
| 1.2 | April 2026 | Wellness/fitness positioning, AI System clause, local notifications architecture, sole trader legal form |