Privacy Policy — MoovX

Last updated: 17 May 2026

Version: 1.0

Preamble

This Privacy Policy (hereinafter "the Policy") aims to inform users of the MoovX Platform about how their personal data is collected, processed, stored, and protected.

This Policy complies with:

The Swiss Federal Act on Data Protection (revFADP) in force since 1 September 2023;
The General Data Protection Regulation (GDPR) of the European Union (Regulation EU 2016/679);
The Swiss Data Protection Ordinance (DPO).

The revFADP considers data relating to health as sensitive data subject to enhanced protections. MoovX processes this type of data within the framework of its fitness and nutrition coaching activity. This Policy details the protection measures in place.

1. Identity of the data controller

The data controller of personal data is:

Marco Ferreira

Trading under the commercial name MoovX

Chemin Clair Val 2

1226 Thônex, Canton of Geneva, Switzerland

Contact email for data protection matters: contact@moovx.ch

Note: The Provider is not required to appoint a Data Protection Officer (DPO) within the meaning of Article 10 revFADP or Article 37 GDPR, as its activity does not meet the cumulative conditions required (large-scale processing of sensitive data). For any data protection question, the Provider responds personally to requests sent to contact@moovx.ch.

2. Fundamental principles

The processing of personal data is based on the following principles:

Lawfulness, fairness, and transparency: data is processed lawfully, fairly, and transparently.
Purpose limitation: data is collected for specified, explicit, and legitimate purposes.
Data minimization: only data necessary for the intended purpose is collected.
Accuracy: measures are taken to ensure data accuracy.
Storage limitation: data is not kept longer than necessary.
Integrity and confidentiality: data is protected by appropriate technical and organizational measures.
Privacy by Design and Privacy by Default: data protection is integrated from service design, and default settings are the most privacy-respectful possible.

3. Personal data collected

3.1 Data categories

a) Identification and account data

Last name, first name
Email address
Password (stored as secure hash, never in plain text)
Registration date, last login

b) Profile data

Age / date of birth
Sex / gender
Height, weight
Physical activity level
Sports objectives (weight loss, muscle gain, performance, etc.)
Food preferences, allergies, restrictions (vegetarian, etc.)

c) Sensitive data relating to health and fitness (processing with enhanced protections)

Body measurements (weight, height, waist circumference, etc.)
Progress photos (only if voluntarily uploaded by the User)
Sports performance (sessions, loads, times, repetitions)
Nutritional data (caloric intake, macronutrients)
Training and nutrition history

d) Payment data

This data is collected and processed exclusively by our service provider Stripe Payments Europe Ltd.
The MoovX Provider does not store any banking data.
Stored internally only: amount paid, payment date, Stripe transaction ID, subscription type.

e) Interaction data with Athena

Content of conversations with the AI assistant Athena
Generated responses (used to improve service quality)

f) Technical data

IP address (anonymized for analytics)
Device type, operating system, browser
Pages visited, session duration
Cookies (see Cookie Policy)

g) Communication data

Emails exchanged with support
Notification preferences

3.2 Data sources

All data is collected:

Directly from the User (during registration, profile filling, Platform use);
Automatically through Platform use (logs, analytics cookies after consent).

No data is obtained from third parties or data brokers.

4. Purposes and legal bases for processing

| Purpose | Data categories | Legal basis (GDPR / revFADP) |

|---------|-----------------|-------------------------------|

| User account creation and management | Identification, profile | Performance of contract (Art. 6.1.b GDPR) |

| Service provision (programs, tracking, Athena) | Profile, health, fitness | Performance of contract (Art. 6.1.b GDPR) + explicit consent for sensitive data (Art. 9.2.a GDPR / Art. 6 para. 7 revFADP) |

| Payment processing | Payment data | Performance of contract (Art. 6.1.b GDPR) |

| Transactional communication (confirmation, invoices, support) | Email | Performance of contract |

| Service improvement | Anonymized technical data, anonymized Athena conversations | Legitimate interest (Art. 6.1.f GDPR) |

| Anonymized statistics (analytics) | Technical data | Consent (Art. 6.1.a GDPR) |

| Commercial communication (newsletter) | Email | Explicit opt-in consent (Art. 6.1.a GDPR) |

| Compliance with legal obligations (accounting, anti-fraud) | All concerned data | Legal obligation (Art. 6.1.c GDPR) |

5. Subprocessors and data recipients

MoovX uses several technical service providers acting as processors within the meaning of Article 28 GDPR and Article 9 revFADP. Each is bound by a processing contract imposing strict obligations of confidentiality and security.

5.1 List of subprocessors

|--------------|------------------|---------------|----------------|

5.2 Transfers outside Switzerland / EU

Some subprocessors are established in the United States. These transfers are governed by:

Subprocessors' adherence to the EU-US Data Privacy Framework (DPF), a mechanism recognized by the European Commission (adequacy decision of 10 July 2023);
Supplementation, where applicable, by Standard Contractual Clauses (SCCs) approved by the European Commission.

For Swiss users, Switzerland published its own adequacy decision for the DPF in September 2024, enabling data transfers from Switzerland to certified US companies.

5.3 Special case of Athena (Anthropic)

Conversations with Athena are transmitted to Anthropic PBC's API for AI processing. Anthropic contractually commits not to use data received via the API to train its models (zero data retention policy available on Anthropic's website).

Users are advised not to communicate sensitive medical data in their exchanges with Athena (e.g., medical diagnosis, treatment, health identifiers).

5.4 No data sale

The Provider does not sell, rent, or transfer Users' personal data to third parties for commercial or advertising purposes.

6. Data retention periods

| Data type | Retention period |

|-----------|------------------|

| Account data (identification, profile) | As long as the account is active + 30 days after deletion |

| Sensitive data (health, photos, measurements) | As long as the account is active + immediate deletion upon account closure |

| Payment data (invoices, transactions) | 10 years (Swiss accounting legal obligation — Art. 958f CO) |

| Technical logs, IPs | 12 months maximum |

| Athena conversations | 90 days (for support and debugging purposes) then deletion / anonymization |

| Cookies | See Cookie Policy (variable duration by type) |

| Support emails | 3 years after last interaction |

Upon expiration of these periods, data is either permanently deleted or irreversibly anonymized.

7. Rights of data subjects

In accordance with GDPR and revFADP, the User has the following rights:

7.1 Right of access (Art. 15 GDPR / Art. 25 revFADP)

The User may request at any time which personal data concerning them is processed and obtain a copy of this data.

7.2 Right to rectification (Art. 16 GDPR / Art. 32 revFADP)

The User may request the rectification of inaccurate or incomplete data. Most of this data can also be modified directly from the profile.

7.3 Right to erasure ("right to be forgotten") (Art. 17 GDPR)

The User may request the deletion of their personal data, particularly when:

data is no longer necessary for the purposes for which it was collected;
the User withdraws consent;
data has been unlawfully processed.

Note: Some data may be retained beyond the deletion request due to legal obligations (notably accounting — 10 years).

7.4 Right to restriction of processing (Art. 18 GDPR)

The User may request the temporary freezing of certain processing in the cases provided by law.

7.5 Right to data portability (Art. 20 GDPR / Art. 28 revFADP)

The User may request to receive their data in a structured, commonly used, and machine-readable format (JSON, CSV), or request its direct transmission to another data controller, to the extent technically possible.

7.6 Right to object (Art. 21 GDPR / Art. 30 revFADP)

The User may object, at any time and for reasons relating to their particular situation, to the processing of their data based on the Provider's legitimate interest. The User may also object at any time and without reason to the use of their data for commercial prospecting.

7.7 Right to withdraw consent (Art. 7.3 GDPR)

When processing is based on consent (analytics cookies, newsletter, sensitive health data), the User may withdraw this consent at any time, without affecting the lawfulness of prior processing.

7.8 Right not to be subject to automated decision-making (Art. 22 GDPR / Art. 21 revFADP)

Athena's recommendations do not constitute "automated decisions producing legal effects" within the meaning of Article 22 GDPR. They are provided for informational purposes only and do not replace human judgment. The User may nevertheless request human intervention for any question raised by Athena's recommendations.

7.9 Procedures for exercising rights

Any request to exercise these rights may be addressed to: contact@moovx.ch

A response is provided within a maximum of 30 days from receipt of the request. This period may be extended by two months in case of complex requests, with reasoned notification to the User.

The User may be required to provide proof of identity to process their request securely.

7.10 Right to lodge a complaint

The User has the right to lodge a complaint with a competent supervisory authority:

Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — https://www.edoeb.admin.ch
France: Commission Nationale de l'Informatique et des Libertés (CNIL) — https://www.cnil.fr
Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI) — https://www.bfdi.bund.de
Other EU countries: supervisory authority of the Member State of residence (full list at https://edpb.europa.eu)

8. Data security

The Provider implements appropriate technical and organizational measures to ensure data security, in accordance with Articles 32 GDPR and 8 revFADP.

8.1 Technical measures

Encryption in transit: TLS 1.3 minimum (HTTPS on all pages);
Encryption at rest: AES-256 (Supabase and Vercel);
Passwords: hashed with bcrypt (never stored in plain text);
Authentication: secure sessions (httpOnly, secure, sameSite strict cookies);
Data isolation: Row Level Security (RLS) at database level — each User can only access their own data;
Security headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy;
Protection against common attacks: OWASP Top 10 (XSS, CSRF, SQL injection, etc.);
Encrypted backups: automatic daily backups;
Idempotency keys on payment operations to prevent double charging.

8.2 Organizational measures

Data access limited to necessary persons (need-to-know principle);
Processing contracts compliant with Art. 28 GDPR with all providers;
Regular monitoring of software dependency vulnerabilities;
Security incident response plan.

8.3 Data breach

In the event of a data breach presenting a risk to the rights and freedoms of persons, the Provider will notify the incident:

to the FDPIC and/or competent EU authorities within 72 hours (Art. 24 revFADP / Art. 33 GDPR);
to affected Users without delay if the risk is high (Art. 24 para. 4 revFADP / Art. 34 GDPR).

9. Cookies and similar technologies

The use of cookies is detailed in the Cookie Policy, accessible via the consent management banner on the Platform.

Key principles:

Strictly necessary cookies (authentication, language preferences, cart) are placed without consent (legal basis: legitimate interest / contract performance);
Analytics cookies (Vercel Analytics, Speed Insights) are placed only after explicit consent (opt-in);
No advertising / marketing cookies are used at this date;
The User may modify their choices at any time via the management banner accessible in the footer.

10. Data concerning minors

The MoovX Platform is strictly reserved for persons aged 18 years or older. No data is knowingly collected from minors.

If you are a parent or guardian and suspect that a minor has created an account on the Platform, please contact contact@moovx.ch so that the account can be deleted.

11. Modification of the Privacy Policy

The Provider reserves the right to modify this Policy at any time to reflect changes in its practices, legislation, or its service providers. Substantial modifications will be notified to Users by email with a minimum 30-day notice before they take effect.

12. Contact information

For any question concerning this Policy or the exercise of your rights:

Marco Ferreira / MoovX

[Address to be completed]

1226 Thônex, Canton of Geneva, Switzerland

Email: contact@moovx.ch

This Policy is available in French, English, and German. In the event of any discrepancy in interpretation, the French version shall prevail.