This Privacy Policy explains how PREMIUM INFINITY S.R.O. (“we”, “us”) collects and processes personal data when you use the 35’ Health Clubs App, including your rights under the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
Because the Controller is established in the European Union (Czech Republic), we apply GDPR-level standards to the processing described here.
1) Data Controller (who is responsible)
PREMIUM INFINITY S.R.O.
Company Registration No.: 24701114
Registered address: U Bulhara 1611/3, Nove Mesto, 110 00, Praha 1, Czech Republic
Phone: +420777643565
Email (privacy contact): temur.rakhimov@gmail.com
2) Scope: where the App is used
The App is intended for supporting 35’ Health Clubs locations and is used by customers and club staff for service-related purposes (e.g., QR-based flows, user requests, and club assistance).
3) Personal data we collect
3.1 Data you provide directly
We collect the data you enter in the App, which may include:
- Phone number
- First name
- Last name
- Address
- “What bothers you” / complaint
- Health problem(s)
- Height
- Weight
- Date of birth
- Sex
- Health/fitness goal
Special category data (health): Your complaint, health problem(s), and related information may qualify as health data and therefore special category personal data under GDPR Article 9.
3.2 Camera (QR code scanning)
The App requests access to your camera only to scan QR codes.
We do not record video, take photos, or use facial recognition as part of QR scanning.
3.3 Maps (Google Maps)
The App uses Google Maps to display club locations.
The App does not request or use your precise device location; it only shows the locations of clubs.
3.4 Technical data (Firebase / Google infrastructure)
We use Google Firebase / Google developer services to operate the App. This may involve processing limited technical data necessary for app delivery, stability, and security (e.g., device/app identifiers, service logs).
Current configuration:
- No analytics SDKs (e.g., Firebase Analytics)
- No crash analytics (e.g., Crashlytics)
If this changes, we will update this policy.
4) Mandatory vs optional data (what happens if you don’t provide it)
- Required to use core account/service flows: at minimum your phone number (and typically your name, depending on the workflow).
- Optional (but may limit service): last name, address, and any health-related fields (complaint, health problem, height/weight/DOB/sex, goal). If you do not provide optional data, you can still use the App where possible, but club staff may have less information to help you.
5) Purposes of processing (why we use your data)
We process personal data to:
- Create and manage your user profile/account.
- Provide App functionality connected to 35’ Health Clubs (including QR-related flows).
- Enable club staff to view your submitted information and assist you (including responding to your complaint/request).
- Communicate with you via SMS and WhatsApp for service messages (e.g., verification, operational updates, replies).
- Show club locations using Google Maps.
- Secure and maintain the App (prevent abuse, troubleshoot, keep service reliable).
6) Legal bases (GDPR)
6.1 Processing of general personal data (GDPR Article 6)
Where GDPR applies, we rely on:
- Contract / steps to enter a contract (Art. 6(1)(b)): to deliver the App service you request.
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, and service reliability (with appropriate balancing against your rights).
- Consent (Art. 6(1)(a)): where we specifically ask for it (e.g., if marketing features are introduced later).
6.2 Processing of health data (special category) (GDPR Article 9)
Where information qualifies as health data, we process it only under:
- Your explicit consent (Art. 9(2)(a)).
How explicit consent is collected (in practice):
When the App allows you to submit health-related fields, you must explicitly agree to a consent statement (e.g., a checkbox/toggle) such as:
“I give explicit consent to the processing of my health-related data for the purpose of allowing 35’ Health Clubs staff to review it and assist me.”
If you do not give explicit consent, we will not process health-related fields (and may not be able to provide health-related assistance through the App).
7) Who receives your data (sharing & recipients)
We do not sell your personal data.
We may share data with the following categories of recipients:
7.1 35’ Health Clubs staff (service access)
Authorized club staff/administrators may access user data to provide services and support. Staff are trained/authorized and given access on a “need-to-know” basis.
7.2 Google (Firebase) — infrastructure provider
We use Google Firebase to run the App. Google acts as a service provider for infrastructure and may process personal data to provide the service (e.g., hosting, database, delivery, security).
7.3 Google Maps
We use Google Maps to display club locations. In some contexts, Google may act as an independent controller for certain data processed in connection with Maps services under applicable terms.
7.4 WhatsApp
If you communicate with us via WhatsApp, your messages and related metadata are processed through WhatsApp services (operated by Meta/WhatsApp entities) under their own terms and privacy practices.
7.5 SMS providers / telecom operators
To deliver SMS messages, your phone number and message delivery data may be processed by telecom operators and/or SMS service providers.
8) International transfers (cross-border processing)
Because:
- App usage and staff access occur in Uzbekistan and Kazakhstan, and
- Google/Firebase/Maps may involve global infrastructure,
your data may be processed outside your country and outside the EEA.
Where GDPR applies and transfers require safeguards, we rely on appropriate mechanisms such as Standard Contractual Clauses (SCCs) and related contractual protections used by major providers (including Firebase SCC frameworks).
9) Data retention (how long we keep data)
We keep personal data only as long as necessary for the purposes above:
- Account/profile data: retained while your profile is active; deleted when you delete your profile, subject to backup retention below.
- Health data: retained while your profile is active and for as long as needed to provide staff support, unless you withdraw explicit consent (see Section 10).
- Service communications (SMS/WhatsApp): we may retain records of service communications for up to 12 months for support, dispute handling, and service integrity (unless a longer period is required by law).
- Technical/security logs: typically retained for up to 180 days to maintain security and service reliability.
Backups: after profile deletion, some data may remain in backups for up to 90 days (backup rotation), then be overwritten or deleted unless legally required to keep specific records.
10) Your rights (GDPR) and how to exercise them
Where GDPR applies, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (“right to be forgotten”) (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20), where applicable
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time (Art. 7(3); and for health data Art. 9(2)(a))
How to request: email temur.rakhimov@gmail.com.
We may request verification (reasonable identity check) to prevent unauthorized disclosure.
Withdrawal of explicit consent for health data
If you withdraw explicit consent for health data, we will stop processing health data and will delete/neutralize it where feasible, unless we must retain minimal data for legal claims or compliance.
Deleting your data
Individual field deletion/editing is not available; deletion happens by deleting the profile. If you want all your personal data removed, delete your profile (and/or email us to request erasure).
11) Complaints to a supervisory authority
Where GDPR applies, you may lodge a complaint with a supervisory authority, including in the EU.
For the Czech Republic, the supervisory authority is:
Úřad pro ochranu osobních údajů (UOOU)
Address: Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
12) Security measures
We implement reasonable technical and organizational measures designed to protect personal data, including access control, secure communications, and limiting staff access to what is necessary for their job role. No system can be guaranteed 100% secure, but we actively reduce risk.
13) Automated decision-making
We do not use automated decision-making, including profiling, that produces legal effects or similarly significant effects on you (GDPR Art. 22).
14) Children
The App is not intended for children under 16 without involvement/consent of a parent or legal guardian where required by applicable law. If we learn we collected children’s data unlawfully, we will take steps to delete it.
15) Changes to this Privacy Policy
We may update this Policy from time to time. The updated version will be published in the App with an updated effective date. Material changes will be communicated through the App or other appropriate channels.