
Privacy Policy

Effective date: 24 April 2026  ·  Last updated: 24 April 2026

Contents

  1. Who We Are
  2. Data We Collect
  3. Legal Basis
  4. How We Use Your Data
  5. Data Retention
  6. How We Share Your Data
  7. Your Rights
  8. Security
  9. Children
  10. Changes to This Policy
  11. Contact

1. Who We Are

PBE Micro ("PBE", "we", "us") is the data controller responsible for the personal information collected through this Service. We are committed to protecting your privacy and processing your data lawfully and transparently in accordance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

Contact: hello@pilatesbyelahe.com

2. Data We Collect

We collect the following categories of personal data:

Account data

  • Email address and hashed password (required for registration)
  • Invite token, if you joined through a company invitation
  • Account creation date and authentication timestamps

Profile data

  • First name, last name
  • Date of birth, gender
  • Weight (kg) and height (cm)
  • Job type (e.g. desk worker, standing worker)
  • Profile photo (optional)
  • Time zone

Health and wellness data

  • Questionnaire answers (health history, physical limitations, activity preferences)
  • Session completion records, exercise history, and progress data
  • Assigned and completed workout plans

Device and technical data

  • Push notification device token (to send session reminders)
  • Device type, operating system version, and app version
  • IP address and approximate location (country-level, from IP)
  • Log data and error reports

Communication data

  • Messages sent through in-app support channels
  • Email correspondence with our team

3. Legal Basis for Processing

Purpose | Legal Basis (GDPR)
Creating and managing your account | Contract performance (Art. 6(1)(b))
Delivering personalised workout plans | Contract performance (Art. 6(1)(b))
Processing health questionnaire data | Explicit consent (Art. 9(2)(a))
Sending push notifications and reminders | Legitimate interest / Consent (Art. 6(1)(a)/(f))
Improving the Service (analytics) | Legitimate interest (Art. 6(1)(f))
Security and fraud prevention | Legitimate interest (Art. 6(1)(f))
Legal compliance | Legal obligation (Art. 6(1)(c))

4. How We Use Your Data

  • Personalisation: to match you with the workout plan that fits your body, job type, and health profile.
  • Service delivery: to run your account, schedule sessions, track your streak, and display your progress.
  • Communication: to send session reminders, important account updates, and — where you have opted in — newsletters and wellness tips.
  • Company features: if you joined via a company invitation, limited profile data (name, completion rates) may be visible to your company administrator. See Section 6.
  • Safety and compliance: to detect abuse, protect the integrity of the Service, and comply with legal obligations.
  • Product improvement: aggregated, anonymised analytics to understand how the Service is used and how we can improve it.

5. Data Retention

  • Account and profile data is retained for the duration of your account plus 30 days following deletion, to allow account recovery.
  • Health and session data is retained for the duration of your account. On deletion, it is permanently erased within 30 days.
  • Log data is retained for up to 90 days for security and debugging purposes.
  • Billing records may be retained for up to 7 years as required by financial regulations.

You may request early deletion of your data at any time (see Section 7).

6. How We Share Your Data

We do not sell your personal data. We share it only in the following circumstances:

  • Company administrators: if you are part of a company plan, your administrator can see your name, email, and aggregated session completion stats. They cannot see your health questionnaire answers or detailed workout history.
  • Service providers: we use vetted third-party processors (e.g. cloud hosting, push notification services) who process data on our behalf under strict data processing agreements.
  • Legal requirements: we may disclose data to comply with a court order, legal obligation, or government request.
  • Business transfer: in the event of a merger or acquisition, your data may be transferred to the successor entity, which will be bound by this Privacy Policy.

7. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Access: request a copy of the data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data ("right to be forgotten").
  • Portability: receive your data in a structured, machine-readable format.
  • Restriction: ask us to restrict processing while a dispute is resolved.
  • Objection: object to processing based on legitimate interest.
  • Withdraw consent: where we process data on the basis of consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at hello@pilatesbyelahe.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

8. Security

We take security seriously. Measures we employ include:

  • Passwords stored as bcrypt hashes (cost factor 12) — never in plaintext.
  • Health data encrypted at rest using AES-256-GCM column-level encryption.
  • All data in transit encrypted via TLS 1.2 or higher.
  • Access tokens with short expiry (15 minutes); refresh tokens rotated on every use.
  • Role-based access controls limiting who can access what data.

No system is completely secure. If you discover a security vulnerability, please report it responsibly to hello@pilatesbyelahe.com.

9. Children

The Service is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will notify you by email or in-app notice at least 14 days before the changes take effect. We encourage you to review this page regularly.

11. Contact

For any privacy-related questions or to exercise your rights:

PBE Micro — Data Privacy
Email: hello@pilatesbyelahe.com