PRIVACY POLICY

Effective Date: 13.12.2024

1. Introduction

Welcome to Eylo, Inc. (“Eylo,” “we,” “us,” or “our”). We are committed to safeguarding your privacy and handling your personal information in a manner that respects your rights and complies with applicable privacy and data protection laws, including the General Data Protection Regulation (GDPR). This Privacy Policy explains how we collect, use, store, protect, and transfer your personal data when you use our mobile application and related services (“the Eylo app”).

Key Principles & Legal Compliance:

• Transparency: We clearly describe the categories of personal data we collect and the purposes for which we use it.
• Lawfulness & Fairness: We ensure that every data processing activity has a valid legal basis (for example, your consent, the performance of a contract, compliance with legal obligations, or our legitimate interests) as required under the GDPR.
• Data Minimization & Security: We only collect data that is necessary for the intended purposes and implement robust security measures to protect your personal data, including health-related information.
• Your Control: You have rights over your personal data, such as the rights of access, rectification, deletion, and objection. We will honor your requests and ensure you can exercise control over how your personal data is processed.

By creating an account and using the Eylo app, you confirm that you understand and agree to this Privacy Policy. If you do not agree, you must refrain from using the Eylo app. When we process data that requires your explicit consent—such as certain health data or optional features—you will be asked to provide that consent separately, and you may withdraw it at any time.

If you have questions about how we handle your data, or if you wish to exercise your rights, you can contact us at:

Email: contact@eylo.club
Postal Address:
Eylo, Inc.
251 Little Falls Drive,
Wilmington, New Castle County, Delaware, 19808, USA.

2. What Data We Collect

We collect personal data that you provide directly, as well as information collected automatically through the Eylo app. The types of data we process and the legal bases for doing so vary depending on the nature of the data and how you interact with our services.

a. Data You Provide During Account Registration

• Categories of Data: Name, email address, and onboarding information such as your primary health goal, weight, height, target weight, preferred program length, date of birth, biological sex, and activity level.
• Legal Basis: We generally process this data to perform our contract with you and to provide personalized services (Art. 6(1)(b) GDPR). Where this data involves health-related or other special categories of personal data, we will rely on your explicit consent (Art. 9(2)(a) GDPR) unless another exemption under GDPR applies.

b. Data You Provide During Profile Use

• Categories of Data: Updates to your profile, changes to your weight or activity levels, as well as any data you voluntarily share through the in-app chat, including details about your food intake, physical activities, and health-related goals.
• Legal Basis: This data is processed under the performance of our contract with you (Art. 6(1)(b)) and, for special category data (health), your explicit consent (Art. 9(2)(a)).

c. Data We Automatically Collect

• Categories of Data: Device type, operating system, app version, anonymized IP address, session frequency, duration of usage, and interaction patterns.
• Legal Basis: We rely on our legitimate interests (Art. 6(1)(f) GDPR) to ensure the app’s functionality, maintain security, and improve user experience. Where required by law, we will seek your consent before collecting analytics or similar data not strictly necessary for the service.

d. Data Collected for Future Features (with Separate Consent)

• Voice Inputs: When introduced, you will have the option to log meals, activities, or ask questions via voice. Processing of voice data (which may contain health-related information) will be subject to your explicit consent and can be withdrawn at any time.
• Images: You may choose to upload images, such as pictures of meals or activities, to enhance personalization. These will also be processed only with your explicit consent and handled in compliance with GDPR.

e. Data from Cookies and Tracking Technologies

• Categories of Data: Necessary session data to keep your account logged in and ensure core features function, as well as optional analytics data to understand usage trends and improve services.
• Legal Basis: Necessary tracking is processed for the performance of the contract (Art. 6(1)(b)) and our legitimate interests in maintaining app stability (Art. 6(1)(f)). Optional analytics and tracking may rely on your consent (Art. 6(1)(a)), as required by applicable law. You can control certain tracking preferences in your device’s privacy settings.

f. Data from Third-Party Integrations

• Categories of Data: Information shared with APIs such as OpenAI and Anthropic to generate personalized responses based on your inputs, as well as data stored on Microsoft Azure infrastructure.
• Legal Basis: The primary basis is the performance of our contract (Art. 6(1)(b)), and where health-related data is involved, your explicit consent (Art. 9(2)(a)). We have Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) in place with these providers to ensure GDPR compliance and robust data protection.

3. How We Use Your Data

We use your personal data, including health-related information, to provide you with personalized and effective health and wellness services, improve our offerings, and communicate with you. Our processing activities are designed to respect your rights, and we always rely on appropriate legal bases as required under GDPR and other applicable laws.

a. Delivering and Personalizing Services
We use the data you provide—such as health goals, dietary habits, activity levels, and other wellness indicators—to create tailored recommendations, customized meal plans, activity suggestions, and motivational tips that support your progress and overall experience.

• Legal Basis:
  • For non-sensitive personal data, processing is necessary for the performance of our contract with you (Art. 6(1)(b) GDPR).
  • Where special category data (e.g., health-related information) is involved, we rely on your explicit consent (Art. 9(2)(a) GDPR).

b. Improving and Developing Features
We use aggregated, anonymized, or pseudonymized data from user interactions, feedback, and app usage patterns to refine our AI models, enhance the accuracy of recommendations, and develop new features. This may involve analyzing trends to understand what services users value most and identifying areas for improvement.

• Legal Basis:
  • Our legitimate interests (Art. 6(1)(f) GDPR) in improving our app and delivering a better user experience. Where feasible, we use anonymized data to avoid identifying individuals.

c. Communication
We use your personal data (e.g., email address, in-app profile details) to send notifications, reminders, and updates relevant to your goals and activities. We may also inform you of significant changes to the Eylo app or this Privacy Policy, as well as respond to your inquiries.

• Legal Basis:
  • Performance of a contract (Art. 6(1)(b) GDPR) for essential service communications.
  • Legitimate interests (Art. 6(1)(f) GDPR) for optional engagement communications, with the ability for you to opt out at any time.

d. Ensuring Security and Preventing Misuse
We analyze data to maintain the security and integrity of our services, detect and prevent fraud, address unauthorized access, and protect your account and information. This includes system monitoring, access controls, and encryption measures.

• Legal Basis:
  • Our legitimate interests (Art. 6(1)(f) GDPR) in protecting the integrity and security of the Eylo app and our users’ information.

e. Compliance with Legal Obligations
In certain cases, we may need to process your data to comply with applicable laws, regulations, or legal requests, such as responding to authorities or retaining records for tax, audit, or dispute resolution purposes.

• Legal Basis:
  • Compliance with a legal obligation (Art. 6(1)(c) GDPR).

4. Sharing Your Data

We respect the confidentiality of your personal data and only share it with third parties under strictly defined circumstances. Wherever possible, we use contractual and technical measures to ensure that any third party accessing your information adheres to the same high standards of privacy and security that we do.

a. Sharing with Service Providers (Data Processors)
We engage trusted third-party service providers to help us deliver and improve the Eylo app. These entities may process your personal data solely on our behalf and under our instructions. Examples include:

• AI Processing APIs (e.g., OpenAI, Anthropic): These assist in generating personalized responses and insights. We have Data Processing Agreements (DPAs) and, where applicable, Standard Contractual Clauses (SCCs) in place to ensure GDPR compliance.
• Cloud Infrastructure (Microsoft Azure): Your data is hosted and managed using Azure services, such as Azure App Service, Cosmos DB, and Blob Storage. Azure is contractually obligated to implement robust security measures, comply with applicable laws, and not use your personal data for any unauthorized purpose.

Legal Basis:

• For sharing data with these processors, we rely on the necessity to perform our contract with you (Art. 6(1)(b) GDPR). Where special category data is involved, we rely on your explicit consent (Art. 9(2)(a) GDPR). Additionally, we ensure all processors protect your data in a manner consistent with this Privacy Policy and legal requirements.

b. Legal and Regulatory Disclosures
We may disclose your personal data if required by law or if we believe in good faith that doing so is necessary to:

• Comply with a legal obligation, legal process, or regulatory request (e.g., a court order or government inquiry).
• Enforce our Terms of Service or other agreements.
• Protect the rights, property, or safety of Eylo, our users, or the public.

Legal Basis:

• Compliance with a legal obligation (Art. 6(1)(c) GDPR) governs such disclosures.

c. Business Transactions
In the event of a merger, acquisition, sale of assets, or similar corporate transaction, your personal data may be transferred to the acquiring or successor entity. If such a transfer occurs, we will notify you of any material changes to this Privacy Policy or the handling of your data and provide options to exercise your rights where applicable.

Legal Basis:

• Our legitimate interests (Art. 6(1)(f) GDPR) in facilitating a lawful business transition, balanced against your privacy interests, guide data transfers in these cases. Any new entity receiving your personal data will be required to respect your rights and comply with applicable privacy laws.

5. Data Storage and Security

We take the security of your personal data very seriously. We apply industry-standard safeguards and adhere to best practices to protect your information from unauthorized access, loss, misuse, alteration, or disclosure.

a. Where Your Data Is Stored
Your personal data is stored on Microsoft Azure infrastructure, including Azure App Service, Cosmos DB, and Blob Storage. These services operate in regions designed to comply with the GDPR and other relevant data protection regulations, ensuring that your information is processed in line with European data protection standards whenever applicable.

b. How We Protect Your Data
We implement a combination of technical, organizational, and contractual measures to secure your personal data, such as:

• Encryption: Data is encrypted in transit and at rest to help prevent unauthorized interception or access.
• Access Controls: Strict authentication protocols ensure that only authorized personnel can access your data, and they do so solely on a need-to-know basis.
• Regular Audits and Monitoring: We continuously monitor our systems and conduct periodic security audits to identify vulnerabilities and maintain a robust security posture.
• Incident Response: In the unlikely event of a data breach, we will follow a documented incident response plan to mitigate harm and notify you and relevant authorities as required by law.

c. Your Responsibilities
You also play a role in protecting your personal data. We encourage you to:

• Use Strong Credentials: Choose a strong, unique password and do not share your login details with anyone.
• Stay Vigilant: If you suspect unauthorized access or suspect that your account credentials have been compromised, contact us immediately at contact@eylo.club.

Your proactive measures help us maintain a secure environment for your personal data.

6. Your Data Protection Rights

Under the GDPR and applicable laws, you have specific rights regarding your personal data. We are committed to ensuring that you can exercise these rights easily and that your requests are handled promptly and transparently.

a. Right of Access and Rectification
You have the right to access the personal data we hold about you and to request that we correct any inaccuracies or incomplete information. By keeping your data accurate, we can provide you with the best possible experience.

b. Right to Deletion (“Right to be Forgotten”)
You may request the deletion of your personal data at any time. We will honor your request unless we need to retain certain data to comply with our legal obligations, resolve disputes, or enforce our agreements. If we must retain some information for these reasons, we will anonymize it to ensure it can no longer be linked back to you.

c. Right to Data Portability
You have the right to obtain a copy of your personal data in a commonly used, machine-readable format. This right allows you to reuse your data across different services. Upon request, we will securely transmit your data to you or, where technically feasible, directly to another service provider.

d. Right to Restriction or Objection
You can request that we restrict certain types of data processing or object to the processing of your personal data altogether. For instance, if you believe the data we have is inaccurate or you disagree with the purposes for which we process it, we will review and accommodate your request where feasible under applicable law.

e. Withdrawing Consent
Where we rely on your explicit consent for processing certain data—such as health-related information, voice inputs, or image uploads—you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of data processed before your withdrawal.

f. Filing Complaints with Authorities
If you believe your data protection rights have been infringed, you have the right to lodge a complaint with a supervisory authority in your jurisdiction. We encourage you to contact us first, and we will do our best to resolve any concerns.

How to Exercise Your Rights:
To exercise any of these rights, please contact us at contact@eylo.club. We may need to verify your identity before fulfilling your request to protect your personal data from unauthorized access. We aim to respond to all valid requests within one month, or inform you if we require additional time.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law. When personal data is no longer needed, we securely delete it or anonymize it so that it cannot be linked back to you.

a. Retention Periods

• Account and Profile Data: We retain personal data associated with your account (e.g., name, email, health profile) for the duration of your active use of the Eylo app. If you close your account or request deletion, we will remove or anonymize your data promptly, unless we must retain certain information for legal, regulatory, or legitimate business purposes.
• Chat Logs and User-Generated Content: Chat inputs and other user-generated content provided to enhance our services are retained as necessary to deliver personalized recommendations and track your progress. If you request deletion, we will remove or anonymize these data points unless retention is required for legal or regulatory compliance.
• Analytics and Usage Data: We store analytics data, such as usage patterns and performance metrics, in an anonymized form for a maximum of 14 months. This approach enables us to improve our services without retaining identifiable information longer than needed.

b. Criteria for Retention
We determine retention periods based on:

• The nature and sensitivity of the personal data.
• The purposes for which we process it.
• Legal, regulatory, or contractual obligations to retain certain records.
• Your requests, including account closure or data deletion requests.

c. Deletion Upon Request
If you request deletion of your personal data, we will honor your request and securely remove your information unless we are legally required or have a compelling legal reason to retain it. In such cases, we will anonymize the data so it can no longer be associated with you. To request deletion or exercise other data protection rights, contact us at contact@eylo.club.

8. International Data Transfers

In order to provide you with our services, your personal data may be transferred and processed outside of your country of residence, including countries that may not offer the same level of data protection as your home jurisdiction. We recognize the importance of maintaining appropriate safeguards in these scenarios and commit to ensuring your data is handled securely and lawfully, in line with GDPR and other applicable data protection laws.

a. Explanation of International Data Transfers
Some of our trusted third-party service providers—such as AI processing partners (e.g., OpenAI, Anthropic) and cloud infrastructure providers (e.g., Microsoft Azure)—operate servers or maintain staff in various regions worldwide. As a result, personal data, including data that may be considered special category (e.g., health data), can be transferred outside the European Economic Area (EEA) for processing, storage, or support purposes.

We conduct due diligence before engaging any such providers and ensure that any data transfer is strictly necessary for the performance of our services.

b. GDPR Safeguards
When transferring personal data outside the EEA, we implement appropriate safeguards to ensure a level of data protection that is essentially equivalent to that provided within the EU. These safeguards may include:

• Standard Contractual Clauses (SCCs): We enter into SCCs approved by the European Commission with our non-EEA service providers, obligating them to maintain high standards of data protection.
• Additional Technical and Organizational Measures: Where necessary, we use encryption, pseudonymization, and other security measures to protect your data during transfer and storage.
• Ongoing Monitoring: We periodically review our providers’ privacy and security practices to confirm ongoing compliance.

You may request more information about these safeguards, including copies of the relevant contractual provisions, by contacting us at contact@eylo.club, subject to any legal or confidentiality obligations.

c. Commitment to Data Protection
No matter where your personal data is processed, we are dedicated to upholding the principles and requirements of applicable data protection laws. We continue to monitor legal developments, update our processes, and engage with reputable third-party providers who demonstrate robust security, compliance, and respect for individual rights.

Our goal is to ensure that your personal data receives consistent, high-level protection, regardless of the country in which it is processed.

9. Children’s Privacy

We are committed to protecting the privacy of children and complying with all applicable data protection laws that govern the processing of minors’ personal information.

a. Age Restrictions
The Eylo app is not intended for use by anyone under 16 years of age (or the minimum age required by local laws in your jurisdiction, if higher). By creating an account and using the Eylo app, you confirm that you meet the age requirement. If we become aware that we have collected personal data from a child without the necessary consent or authorization, we will take prompt steps to delete that information.

b. Data Collection from Minors
We do not knowingly collect personal data from children under the age of 16. If you are a parent or legal guardian and believe that your child has provided personal data without your consent, please contact us at contact@eylo.club, and we will investigate and address the issue as required by law.

c. Parental and Guardian Involvement
If a parent or legal guardian requests access to, correction of, or deletion of a minor’s personal data, we will verify their relationship and authority before fulfilling the request. We encourage parents and guardians to supervise their children’s online activities and to help us maintain a safe environment by ensuring that children do not share personal data through the Eylo app without appropriate supervision or authorization.

10. Updates to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our data processing practices, legal requirements, or business operations. We are committed to maintaining transparency and will ensure that you remain informed about any significant changes affecting how we handle your personal data.

a. Reasons for Updates
We may revise this Privacy Policy to:

• Comply with new or updated laws, regulations, or industry standards.
• Introduce new features, services, or technologies that affect how we process your personal data.
• Address changes in our internal policies, business arrangements, or organizational structure.

b. Notification of Changes
If we make substantial updates to this Privacy Policy, we will notify you in a clear and timely manner—such as by providing in-app notifications, sending you an email, or posting a notice on our website. The “Effective Date” at the top of this Privacy Policy will also be updated to reflect the date on which the changes come into effect. For minor changes that do not significantly alter your rights or our obligations, we may not provide direct notification, but we will always publish the updated Privacy Policy on our website and within the app.

c. Encouraging Periodic Review
We recommend reviewing this Privacy Policy regularly to remain informed about how we protect your personal data. Your continued use of the Eylo app after any updates to this Privacy Policy constitutes your acceptance of the revised terms. If you do not agree with any changes, you must discontinue using the Eylo app and may exercise your data protection rights as described in this Privacy Policy.

11. Contact Us

We value your privacy and are committed to addressing any questions, concerns, or requests related to this Privacy Policy or your personal data.

a. Primary Contact Information
If you have any inquiries about how we handle your personal data, wish to exercise your data protection rights, or need assistance with any privacy-related matter, you can reach out to us at:

Email: contact@eylo.club

Postal Address:
Eylo, Inc.
251 Little Falls Drive,
Wilmington, New Castle County, Delaware 19808, USA.

b. Our Commitment to Responding
We strive to respond to all inquiries promptly and comprehensively. In most cases, we will acknowledge your request within a few business days and aim to provide a full response within one month. If we need additional time to process complex requests, we will inform you and explain the reason for any delay.

c. Your Role in Collaboration
We encourage you to reach out if you have questions or concerns about our data handling practices. Maintaining an open dialogue helps us continually improve our services and better protect your privacy. If you believe that we have not adequately addressed your concerns, you have the right to contact a data protection authority in your jurisdiction.