Privacy Policy
This Privacy Policy explains how Velka collects, uses, and protects your personal data when you use Velka Coach, the Velka client app, and the Kilo assistant. We are committed to protecting your privacy and handling your data in line with the EU General Data Protection Regulation (GDPR).
1. Who we are (Data Controller)
The data controller is Velka, [TODO: registered legal entity + address], established in Italy. For any privacy question or to exercise your rights, contact us at privacy@velka.fit.
2. Data we collect
We collect the following categories of personal data:
- Account and identity data: name, email address, optional phone number, and billing address.
- Health and fitness data (special category, GDPR Article 9): wellness profile (birth date, height, gender, training experience, goal, medical conditions, allergies), check-ins (body weight, energy), training and diet plans, training sessions, and medical certificates.
- Photos and images: check-in and session images you upload.
- Communications: messages between coaches and clients, threads, and your chat history with the Kilo AI assistant.
- Audio (Velka Coach only): voice you dictate to Kilo. Audio is transcribed in real time and is not stored as a recording.
3. Why we use your data (purposes)
- To deliver the coaching service and its core features.
- To provide AI assistance through Kilo.
- To keep the service secure and to maintain audit logs.
- To send you transactional email related to your account and the service.
4. Legal bases
We rely on the following legal bases under the GDPR:
- Article 6(1)(b), performance of a contract: to provide the service you sign up for.
- Article 6(1)(f), legitimate interests: to keep the service secure and audited.
- Article 9(2)(a), explicit consent: to process special-category health and fitness data. You can withdraw this consent at any time.
5. Who we share data with (recipients and subprocessors)
We do not sell your data. We share it only with the service providers we need to run Velka:
- Microsoft Azure (European Union, West Europe / Amsterdam): hosting, database, file storage, secrets, and error telemetry.
- OpenAI (United States): AI features and voice transcription. Medical conditions are excluded from the prompts sent to OpenAI.
- Resend (United States): transactional email delivery.
6. International transfers
Azure processing stays within the European Union. OpenAI and Resend are based in the United States; these transfers are protected under the EU-US Data Privacy Framework and Standard Contractual Clauses as applicable.
7. Retention
We keep your data while your account is active and for as long as needed for the purposes above or to meet legal obligations (for example, accounting). When you delete your account in-app, we delete your data. Security audit logs are retained for security purposes.
8. How we protect your data (security measures)
- Encryption in transit (TLS) and encryption at rest.
- PBKDF2 password hashing.
- Access controls and multi-tenant isolation.
- Rate limiting and private file storage.
- Audit logging, bearer-token authentication (no cookies), and no analytics or tracking in this release.
9. Your rights
Under the GDPR (Articles 15 to 22) you have the right to access, rectification, erasure, restriction, data portability, objection, and to withdraw your consent. To exercise these rights, email privacy@velka.fit or delete your account in-app. You also have the right to lodge a complaint with the Italian supervisory authority, the Garante per la protezione dei dati personali (the Garante).
10. Children
Velka is intended for users aged 18 and over. We do not knowingly process data of minors.
11. Changes to this policy
This is Version 1.0, effective 10 June 2026. If we make material changes, we will notify you by email and/or with an in-app notice. Continued use of the service after the effective date of a change constitutes acceptance of the updated policy.
12. Contact
Questions about this policy or your data: privacy@velka.fit.