Privacy Policy
Last updated: 10 April 2026 · Version 2026-04-10
This Policy is available in Portuguese at wiseofit.com/pt/privacy. The binding version is English where required by applicable law.
1. Data Controller
WiseoFit Lda, a company incorporated under Portuguese law (registered in Portugal), is the data controller for personal data processed through the WiseoFit platform.
Data Protection Officer (DPO) / Encarregado LGPD:
You may write in Portuguese, English, or Spanish. We respond within 15 business days (GDPR Art. 12(3)) / 15 days (LGPD Art. 19).
EU Representative (Art. 27 GDPR): same address as above while we are established in Portugal. Brazilian Representative (LGPD Art. 65): same contact as above.
2. Data We Collect
Account & Identity
Full name, e-mail address, phone number, date of birth, profile photo, country, city.
⚠️ Special-Category / Sensitive Health Data
Body weight, height, body-fat percentage, injuries, dietary restrictions, fitness goals, training history, and nutrition plans. Under GDPR this is special-category data (Art. 9); under LGPD it is sensitive data (Art. 11). We process it only on the basis of your explicit consent and to perform the fitness and nutrition services you request.
Professional Data (Coaches / Professionals / Nutritionists)
Profession, declared professional license number (CREF, CRN, IPDJ, NASM, etc.), biography, and service area.
Affiliate Data
Display name, primary channel, channel URL, traffic source, country, and Stripe account for commission payouts.
Financial Data
Payment processing is handled by Stripe, Inc. Card payments are processed in hosted Stripe checkout pages. We store subscription and transaction references, but full card data does not touch our servers.
Usage & Technical Data
IP address, browser/device, pages visited, features used, timestamps. Used for security, fraud prevention, and platform improvement.
Consent Records
Timestamp and version of your acceptance of these Terms and Privacy Policy at account creation — kept as a legal audit trail.
3. Legal Basis for Processing
| Processing Activity | GDPR Basis (Art. 6 / 9) | LGPD Basis (Art. 7 / 11) |
|---|---|---|
| Providing fitness & nutrition services | Contract (Art. 6(1)(b)) | Contract (Art. 7, V) |
| Processing health data | Explicit consent (Art. 9(2)(a)) | Explicit consent (Art. 11, I) |
| AI plan personalisation | Consent + contract | Consent + contract |
| Marketing communications | Consent (Art. 6(1)(a)) | Consent (Art. 7, I) |
| Fraud prevention & security | Legitimate interest (Art. 6(1)(f)) | Legitimate interest (Art. 7, IX) |
| Legal & fiscal obligations | Legal obligation (Art. 6(1)(c)) | Legal obligation (Art. 7, II) |
| Affiliate commission payouts | Contract (Art. 6(1)(b)) | Contract (Art. 7, V) |
California residents: WiseoFit does not sell or share personal information for cross-context behavioural advertising under the CCPA/CPRA.
4. How We Share Data
We do not sell your personal data. We share it only with:
- Your assigned Coach / Personal Professional / Nutritionist: if you subscribe to a professional's plan, authorized professionals linked to your active service (coach, personal professional, nutritionist) receive access to your profile, goals, training history, active workout, and nutrition data strictly on a need-to-know basis to deliver and review your protocol with clinical accuracy. They act as independent data processors under our Professional Code of Conduct.
- Stripe, Inc. (USA): payment processing. Transfer to the USA is covered by Stripe's Standard Contractual Clauses (SCCs) under GDPR and its privacy framework under LGPD.
- Cloud infrastructure providers: servers hosted in the EU/EEA (primary) and/or Brazil, under Data Processing Agreements (DPAs) with GDPR-equivalent safeguards.
- AI model providers (OpenAI / Anthropic): your health profile data is sent to generate personalised plans. These providers are bound by contractual obligations not to use your data to train their models. No data is sent without your consent.
- Competent authorities: when required by applicable law, court order, or regulatory request.
- Successors: in the event of a merger, acquisition, or asset transfer, your data may be transferred to the acquiring entity under equivalent protections. You will be notified in advance.
5. International Data Transfers
WiseoFit is established in Portugal (EU). Data may be transferred to processors outside the EEA (e.g. Stripe in the USA, OpenAI in the USA). All such transfers are safeguarded by:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
- Adequacy decisions where applicable (e.g. EU–US Data Privacy Framework).
- For transfers from Brazil, equivalent safeguards under LGPD Art. 33.
You may request a copy of the applicable safeguards by writing to privacy@wiseofit.com.
6. Cookies & Tracking
Strictly necessary
Session token, CSRF token, language preference. Cannot be disabled — required for the platform to function.
Functional
Remember your locale and theme preference. No tracking.
Analytics (optional)
Anonymised usage metrics to improve the platform. Analytics stays disabled until you opt in through the cookie banner or cookie settings, and you can withdraw consent later.
You can withdraw consent for optional cookies at any time via the cookie settings link in the footer. Withdrawing consent does not affect the lawfulness of prior processing.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account & health data | Held while account is active; deleted within 30 days of account deletion request. |
| Fiscal / billing records | 7 years (Portugal legal requirement) / 5 years (Brazil legal requirement). |
| Server access logs | 6 months (Brazil: Marco Civil da Internet, Art. 15); 12 months (EU: ePrivacy Directive). |
| Consent audit records | 5 years from last interaction (legal obligation to demonstrate compliance). |
| Affiliate commission records | 7 years (tax and accounting obligations). |
8. Your Rights
Depending on your country, you have the following rights:
Access (GDPR Art. 15 / LGPD Art. 18, I)
Obtain a copy of your personal data in a machine-readable format.
Rectification (GDPR Art. 16 / LGPD Art. 18, III)
Correct inaccurate or incomplete data.
Erasure / Deletion (GDPR Art. 17 / LGPD Art. 18, VI)
Delete your account and data. Available in Settings → Danger Zone.
Restriction (GDPR Art. 18)
Restrict processing in specific circumstances (EU users).
Portability (GDPR Art. 20 / LGPD Art. 18, V)
Receive your data in a structured, interoperable format.
Objection (GDPR Art. 21 / LGPD Art. 18, II)
Object to processing based on legitimate interest.
Withdraw consent
Withdraw consent at any time without affecting prior lawful processing.
Lodge a complaint
File a complaint with your supervisory authority: ANPD (Brazil), national DPA (EU/EEA).
Non-discrimination (CCPA § 1798.125)
California residents: we will not discriminate against you for exercising your privacy rights.
Know / Opt-out of Sale (CCPA § 1798.100)
We do not sell or share personal data. No opt-out required, but you may request confirmation.
To exercise your rights, go to Settings → Danger Zone or contact: privacy@wiseofit.com. We respond within 15 business days (GDPR / LGPD) or 45 days (CCPA, extendable once).
EU users may also contact their national Data Protection Authority. Brazilian users may contact the ANPD at gov.br/anpd.
9. Health Data & Artificial Intelligence
How AI uses your health data
- Your body metrics, goals, and restrictions are sent to AI models (OpenAI/Anthropic) to generate personalised training and nutrition plans.
- AI providers are contractually prohibited from using your data to train their own models.
- All AI-generated plans are labelled as such on the platform.
- AI-generated content is not a substitute for medical, nutritional, or physical-education advice. Always consult a qualified professional.
- You can withdraw health-data consent in Settings at any time. This stops new AI processing based on that data and limits AI personalisation features until consent is granted again.
10. Security Measures
We implement technical and organisational measures including: TLS encryption in transit, bcrypt password hashing, role-based access control, regular security audits, and incident response procedures.
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected users without undue delay (GDPR Art. 34 / LGPD Art. 48).
11. Children's Privacy
WiseoFit is not directed at children under 16 (EU) / 13 (USA) / 18 (Brazil for certain health data). We do not knowingly collect data from minors. If you believe a child has provided data, contact privacy@wiseofit.com and we will delete it promptly.
12. Affiliate Programme Data
Affiliates provide professional and payment data (channel URL, Stripe account) to receive commissions. This data is processed on the basis of contract performance and retained for the applicable fiscal period (7 years, Portugal; 5 years, Brazil). Affiliate referral links use a 30-day attribution cookie that is strictly necessary for commission tracking — no cross-site tracking is performed.
13. Changes to This Policy
We may update this Policy periodically. We will notify you by e-mail or in-app notification at least:
- 15 days in advance for routine updates (Brazil / LGPD).
- 30 days in advance for material changes affecting EU users (GDPR / DSA).
Continued use of the platform after the effective date constitutes acceptance of the updated Policy. The version date at the top of this page always reflects the current version.
14. Contact & Complaints
DPO / Data Protection Officer:
WiseoFit Lda · Portugal · wiseofit.com
If you are not satisfied with our response, you have the right to lodge a complaint with:
- EU / Portugal: CNPD — Comissão Nacional de Proteção de Dados (cnpd.pt)
- Brazil: ANPD — Autoridade Nacional de Proteção de Dados (gov.br/anpd)
- California: California Privacy Protection Agency (cppa.ca.gov)