Privacy Policy

* Email (so we can deliver your program and send you the download link)

* Program ID (to let you re-access your purchase)

Purpose / legal basis: contract performance (GDPR Art. 6(1)(b)).

Retention: kept indefinitely so you can re-download your program later (until you ask us to delete).

During program generation, you may provide fitness-related inputs such as:

* Goals & preferences (e.g., primary/secondary goals, training frequency, workout duration, location/equipment, diet preferences and "other" notes)

* Profile inputs (gender, age range, height, weight, fitness level, meals per day)

* Health-related info (optional): injuries or medical conditions affecting training

Important: we do not permanently store your answers. They live in a temporary "job" record used to generate your program and are deleted after 7 days (audit/debug).

health-related information (e.g., injuries), we rely on your explicit consent (GDPR Art. 9(2)(a)). This field is optional.

consent (Art. 6(1)(a) + Art. 9(2)(a))

* Program content and PDF (do not include your personal answers)

Purpose / legal basis: contract performance (Art. 6(1)(b)).

Retention: indefinitely (until you ask us to delete).

not use these to profile you.

Purpose / legal basis: security and service integrity (legitimate interests, Art. 6(1)(f)).

Retention: 7 days, then deleted.

email in a separate newsletter list. You can unsubscribe anytime.

Purpose / legal basis: consent (Art. 6(1)(a)) or permissible direct marketing rules where applicable.

Retention: until you unsubscribe or we delete the list.

We use essential cookies (e.g., for Stripe embedded elements and basic session needs) and, with your consent, we use analytics/marketing cookies and pixels.

* Analytics: Google Analytics

* Session replay/UX: Microsoft Clarity

* Marketing / ads: Meta Pixel (Facebook/Instagram), TikTok Pixel, Google Ads

consent (Art. 6(1)(a)) via our cookie banner/manager

Your choice: You can accept/decline non-essential cookies in the banner, and change your selection anytime. You can also set your browser to block cookies.

We use Stripe (embedded elements) to process one-time payments. Stripe acts as an independent controller for certain payment data.

Legal basis: contract performance (Art. 6(1)(b)); fraud prevention = legitimate interests (Art. 6(1)(f)).

We use reputable providers to host and operate Selpflow. We only share what's necessary.

* Amazon Web Services (AWS) (hosting, S3 storage, Amazon SES email) - EEA and (where applicable) other regions

* MongoDB (database) - region as configured (we aim for EEA where possible)

* OpenAI (program generation AI) - data may be transferred to the United States

* Stripe (payments)

We have data processing terms in place and, where required, EU Standard Contractual Clauses (SCCs) or equivalent safeguards for international transfers (GDPR Arts. 44–49).

* OpenAI (US): We send your job inputs to generate your plan. These "jobs" are deleted from our database after 7 days; your generated program/PDF stored by us does not include your personal answers. Transfers rely on SCCs and appropriate safeguards.

Selpflow is not intended for persons under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided data, email info@selp.life and we will delete it.

You can email info@selp.life to exercise your rights. We will verify your identity and respond without undue delay.

* Access - get a copy of your personal data and information about processing

* Rectification - correct incomplete or inaccurate data

* Erasure - request deletion (e.g., email/programId; we will also remove your generated files)

* Restriction - ask us to pause certain processing

* Objection - object to processing based on legitimate interests (e.g., analytics/marketing)

* Portability - receive your data in a machine-readable format (where legally applicable)

* Withdraw consent - for anything we process based on your consent (e.g., injuries field; cookies/analytics; newsletter)

Supervisory authority: You may lodge a complaint with State Data Protection Inspectorate (VDAI), Lithuania.

We use appropriate technical and organizational measures (encryption in transit, access controls, least-privilege roles, logging, backups) to protect your data against unauthorized access, loss, or misuse.

* Contract performance (Art. 6(1)(b)): generating the program, delivering links/PDFs, letting you re-access

* Legitimate interests (Art. 6(1)(f)): security logs, service reliability, essential cookies, limited fraud prevention

* Consent (Art. 6(1)(a)): analytics/marketing cookies, newsletter, optional injuries/medical details (also Art. 9(2)(a) for special-category data)

* Legal obligations (Art. 6(1)(c)): if we must retain certain records under applicable laws

We do not sell your personal data. We share data with our processors listed above and may disclose data if required by law or to defend legal claims. If our service is reorganized, merged, or sold, your data may transfer to the new operator under the same protections.

We may update this Privacy Policy from time to time. We'll post the new version here and update the effective date. Material changes will be highlighted where reasonable.

Questions or rights requests: info@selp.life