Privacy Policy

This privacy policy explains how we collect, use and protect your personal data when you use our Pilates platform. The controller for the data processing is the person or entity listed in the imprint.

We process personal data strictly on the basis of the EU General Data Protection Regulation (GDPR) and applicable German data-protection law. All data is processed in the European Union by default; the few exceptions — in particular transfers to our AI providers in the United States — are fully documented in section 5.

You have the right at any time to access, rectification, erasure, restriction of processing, data portability and objection — see section 6. You can request a machine-readable export of your stored data from your account settings at any time.

The controller within the meaning of Art. 4 no. 7 GDPR is the person listed in the imprint. You can reach us through the contact details provided there.

We have not appointed a data protection officer because the statutory thresholds under § 38 BDSG (at least 20 persons permanently engaged in automated processing) are not met. Please direct any data-protection enquiries to the email address shown in the imprint.

Processing of your account data, training content and all data required to provide the platform is carried out on the basis of Art. 6(1)(b) GDPR for the performance of our terms of service with you.

Technical safeguards such as IP-based rate limiting, abuse detection and security logging are based on Art. 6(1)(f) GDPR; our legitimate interest is the secure and abuse-free operation of the platform.

Optional processing activities — in particular product analytics and marketing emails — are carried out exclusively on the basis of Art. 6(1)(a) GDPR, following your prior, freely given and revocable consent. You can manage your consents in your account settings.

Where we are required by law to retain records — for example tax and commercial bookkeeping documents — the legal basis is Art. 6(1)(c) GDPR.

Account data: email address, hashed password (managed by our auth provider Supabase), registration and last-login timestamps, and a display name of your choice.

Profile data: language preference, first and last name (optional), role within your studio and training preferences such as preferred modalities, difficulty levels and teaching style.

Training content: class plans, templates, personal exercise cues, favourites and ratings you create. Personal exercise cues are classified as confidential and are never transmitted to any AI provider — see section 4.

Calendar data: your appointments, class times, optional notes and links to class plans. Appointments marked as private are visible only to you and, where applicable, authorised studio administrators.

Workflow and audit data: review decisions, plan handoffs between trainers and teaching logs. This data is required to make approval and handoff processes in your studio traceable.

GDPR records: granted consents, deletion requests and their timestamps. This processing is strictly necessary to fulfil our accountability obligations under Art. 5(2) GDPR.

Technical access data: on every request our processors briefly log IP address, user-agent string and timestamp for security monitoring and rate limiting. This data is automatically purged after at most 30 days; no profiling on this data takes place.

We rely on carefully selected processors to operate the platform. We have entered into a data processing agreement (DPA) pursuant to Art. 28 GDPR with each of them.

Supabase (Supabase Inc., 970 Toa Payoh North, Singapore) — database, authentication and file storage. The instance we use is hosted exclusively in the eu-central-1 region (Frankfurt); no replication outside the European Union takes place.

Anthropic PBC, 548 Market Street, San Francisco, CA 94104, USA — AI-assisted plan generation (Claude language models). We use Anthropic under a contractual training opt-out: your inputs are not used to train or improve any model.

OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA — computation of embeddings used to structure our exercise library. Only exercise descriptions from the platform library are sent to OpenAI; no personal data is transmitted.

Upstash, Inc. — Redis-based rate limiting and background jobs. The instance we use is hosted in the EU region.

Resend (Resend Inc.) — delivery of transactional email (e.g. signup confirmations, review notifications). Data transmitted is processed solely for delivery of the relevant email.

Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA — hosting and content delivery. We prefer EU edge regions; access logs are automatically deleted after at most 30 days.

Important notice regarding personal exercise cues: the personal cues stored in your account are never transmitted to Anthropic, OpenAI or any other AI provider at any stage. They are resolved server-side and inserted into the final result only after plan generation has completed — a property that is permanently enforced at the architectural level.

The majority of our processing takes place within the European Union. Transfers to third countries are limited to the US-based providers listed in section 4 (Anthropic, OpenAI, Vercel).

These transfers are covered by the Standard Contractual Clauses adopted by the European Commission pursuant to Art. 46(2)(c) GDPR and — where available — by certification under the EU-US Data Privacy Framework pursuant to Art. 45 GDPR. We will provide a copy of the safeguards in place on request.

No other third-country transfers take place. In particular, we do not use any advertising networks, external analytics services or social-media plugins that would transfer personal data outside the European Union.

Right of access (Art. 15 GDPR): you have the right at any time to obtain a full copy of the personal data we hold about you. You can trigger a machine-readable JSON export directly from your account settings.

Right to rectification (Art. 16 GDPR): you can update your profile data, preferences and account details at any time directly in your settings, or contact us otherwise.

Right to erasure (Art. 17 GDPR): you can request deletion of your account directly from your settings. The deletion request is executed automatically after a 30-day grace period. Personal data is then removed completely; in shared records such as sharing links and review entries we only anonymise your link to them, to the extent that their retention is required to preserve the traceability of business processes.

Right to restriction of processing (Art. 18 GDPR): you can ask us to restrict processing of your data while disputed matters are being resolved.

Right to data portability (Art. 20 GDPR): you receive your data in a structured, commonly used and machine-readable format (JSON) via the account export mentioned above.

Right to object (Art. 21 GDPR): you can object at any time to processing of your data where we rely on Art. 6(1)(f) GDPR.

Right to withdraw consent (Art. 7(3) GDPR): you can withdraw consents at any time with effect for the future. Processing carried out until withdrawal remains lawful.

Right to lodge a complaint (Art. 77 GDPR): you have the right to lodge a complaint with a data-protection supervisory authority — in Germany the Federal Commissioner for Data Protection and Freedom of Information (BfDI) or the state data-protection authority responsible for your place of residence.

The platform enables Pilates trainers to maintain profiles for their private clients. The following data categories are processed: name, contact details (email, phone), date of birth, and optional personal notes.

Health-related information — in particular body areas with complaints, severity of injuries or restrictions, health conditions and observations — constitutes special category data under Art. 9 GDPR and is subject to enhanced protection requirements. This data is processed on the basis of the explicit consent of the trainer (Art. 9(2)(a) GDPR), which is obtained before health notes are first recorded.

Health-related client data is never transmitted to AI service providers (including Anthropic or OpenAI). The AI-powered plan generation uses only anonymised, structured categories (e.g. body area, severity) — without names, dates of birth or other personal identifiers. This separation is permanently embedded in the system architecture.

The trainer is the data controller under Art. 4(7) GDPR with respect to the data of their clients. My Pilates Flows processes this data on behalf of the trainer as a data processor under Art. 28 GDPR. A data processing agreement is available on request.