Privacy Policy

v2026.07 · July 3, 2026

This Privacy Policy explains what personal data OneRealSet processes, why, on what legal basis, and what rights you have over it, when you use our web app and our artificial intelligence coach via web chat and WhatsApp. It is written to meet Articles 13 and 14 of the GDPR, in plain language: if anything is unclear, write to us at [RELLENAR: email de contacto].

Data controller

The controller of your personal data is [RELLENAR: nombre y apellidos del titular], Spanish tax ID (NIF) [RELLENAR: NIF], with address at [RELLENAR: domicilio], the individual operator of OneRealSet ("OneRealSet", "we", "us"). Contact for any data protection matter: [RELLENAR: email de contacto]. OneRealSet is an online personal training platform operated from Spain and available in Spanish and English. It combines a web app with an artificial intelligence coach available via web chat and WhatsApp; this policy covers both channels. Applicable legal framework: Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 (LOPDGDD), Spanish Law 34/2002 (LSSI-CE), Royal Legislative Decree 1/2007 (TRLGDCU) and Regulation (EU) 2024/1689 (AI Act) as regards transparency. Spanish law and jurisdiction apply, without prejudice to any consumer rights you hold in your place of residence.

What data we process

We process only the data needed to provide the service: - Account data: email address, name and, if you provide it, phone number (required to use the coach via WhatsApp). - Training profile: weight, body measurements, injuries, physical condition and goals. This is health data, a special category of data under Article 9 GDPR, and we only process it with your explicit consent (see the dedicated section below). - Workout history: sessions, exercises, sets, loads and progress recorded in the app. - Chat messages: the content of your conversations with the AI coach, both in the web chat and on WhatsApp. - Billing data: handled by Stripe as our payment provider; we do not store card numbers on our systems. - Technical data: a language preference cookie and certain information kept in your browser's local storage (detailed in the cookies section). We do not collect data from external sources: all information comes from you and from your use of the service.

Cookies and local storage

OneRealSet only uses technical, strictly necessary cookies and local storage, required for the app to work: - A language preference cookie (SameSite=Lax), which remembers whether you use the service in Spanish or English. - Browser local storage: the application state ("one-realset-store"), the Supabase authentication session, and a local flag for training streak alerts. We do not use analytics, advertising or third-party cookies. Because these are exclusively strictly necessary technical elements, they are exempt from the consent requirement under Article 22.2 of the LSSI-CE and the Spanish Data Protection Agency (AEPD) cookies guidance. That is why we do not show a cookie banner: one is not required. If we ever add analytics or other non-exempt cookies in the future, we will ask for your prior consent before enabling them and update this policy.

The AI coach and your data

The OneRealSet coach is an artificial intelligence system. We tell you this expressly to comply with the transparency duty in Article 50 of Regulation (EU) 2024/1689 (AI Act), applicable from 2 August 2026: when you talk to the coach, you are not talking to a person. To generate its replies, the AI model receives the necessary context from your account: the relevant data from your training profile (including, if you have consented, your health data), your workout history and your chat messages. The AI model providers are OpenAI and/or Groq, which act as data processors under the corresponding contracts. The coach's recommendations are AI-generated fitness guidance. They are not medical or healthcare advice and do not replace assessment by a professional: consult a healthcare professional before starting to train if you have injuries or medical conditions. The coach does not make decisions producing legal effects concerning you.

Recipients and data processors

We do not sell or share your data with third parties for commercial purposes. To run the service we rely on the following processors and sub-processors, each bound by a data processing agreement under Article 28 GDPR: - Supabase: database and authentication (hosted in the EU region, AWS eu-west-2). - Vercel: web application hosting. - Railway: infrastructure for the AI coach backend. - Twilio: WhatsApp messaging. - OpenAI and/or Groq: providers of the coach's AI models. - Stripe: payment processing and billing. Beyond these providers, we will only disclose data to authorities or public bodies where a legal obligation requires us to do so.

International transfers

Our main database is hosted in the European Union (Supabase, AWS eu-west-2 region). However, some of our providers (for example Vercel, Railway, Twilio, OpenAI, Groq or Stripe) may process data outside the European Economic Area, mainly in the United States. Where this happens, the transfer is covered by appropriate safeguards under Chapter V of the GDPR: standard contractual clauses (SCCs) approved by the European Commission and/or the provider's certification under the EU-US Data Privacy Framework (DPF), depending on the provider. You can request further information about the safeguards applicable to each provider by writing to [RELLENAR: email de contacto].

Data retention

We keep your data while your account is active and it is needed to provide the service. If you request deletion of your account, a 72-hour grace period starts during which you can cancel the request. Once it has elapsed, we permanently delete your data from our active systems. After deletion, copies may temporarily persist in our backups, which are overwritten in their normal cycles, and we retain only the minimal records required by law (for example, billing records for tax purposes), for the applicable statutory periods and blocked from any other use.

Your rights and how to exercise them

You can exercise most of your rights directly from the app, without writing to us: - Access and portability: download a full export of your data in JSON format from Settings > Privacy. - Rectification: edit your profile at any time within the app. - Erasure: request deletion of your account from Settings > Privacy, with a cancellable 72-hour grace period. - Withdrawal of your health data consent: from Settings > Privacy. You can also exercise these rights, together with the rights to object and to restrict processing, by writing to [RELLENAR: email de contacto]. We will reply within the maximum one-month period set by the GDPR. If you believe we have not handled your rights properly, you can lodge a complaint with the Spanish Data Protection Agency (AEPD), the competent supervisory authority: www.aepd.es.

Minors

OneRealSet is intended for people aged 14 or over. Under Article 7 of the Spanish LOPDGDD, people aged 14 or over may consent to the processing of their personal data themselves. Children under 14 may not use the service. We do not create accounts for children under 14 and, if we detect that an account belongs to a child under that age, we will delete it together with its data.

Security

We apply technical and organisational measures appropriate to the risk, in line with Article 32 GDPR, including: encryption of communications (HTTPS/TLS), authentication and access control managed by Supabase, restricted data access policies in the database, hosting of the database in the European Union, and selection of providers offering contractual security guarantees. No system is infallible. If a security breach occurred that posed a risk to your rights and freedoms, we would notify the AEPD and, where required, inform you directly, in accordance with Articles 33 and 34 GDPR.

Changes to this policy

We may update this policy to reflect changes in the service or in the law. The current version is v2026.07, last updated on July 3, 2026. If we make substantial changes, we will notify you through the app or by email before they take effect. If a change affects the processing of your health data, we will ask for your consent again through a new version of the consent gate. We recommend reviewing this policy periodically: the version and date in the header always indicate the latest revision.