Privacy Policy

Ulvos is operated by Mattia Mellone, acting as sole data controller for all personal data processed through the platform.

For any privacy request — access, rectification, deletion, portability, objection, restriction, or complaint — write to privacy@ulvos.app. We respond within 30 days.

• Account data: email address, bcrypt-hashed password, display name, role (athlete, trainer, or admin).
• Fitness profile: bodyweight, height, age, training experience, available equipment, training goals, schedule preferences.
• Training data: assigned programs, completed sessions, sets, reps, RPE values, set durations, AI-generated evaluations, free-text feedback notes.
• Payment data: handled by Apple In-App Purchase. Apple processes the payment; Ulvos only receives the transaction confirmation, the product identifier, and renewal status. Ulvos never receives card or banking details.
• Technical data: IP address, user agent, device model, operating system version, application version, crash and error logs (collected via Sentry on the backend).
• Push notification data: Apple Push Notification service device token, stored only when notifications are explicitly opted in.

• Service delivery — generating personalised programs, AI-assisted evaluations, tracking sessions, applying entitlements.
• Transactional communication — workout reminders, subscription renewal and expiry notices, security alerts.
• Product improvement — aggregated and anonymised usage analytics to find bottlenecks and improve reliability.
• Tax and accounting compliance — limited records of subscription transactions handled through Apple, retained for the period required by Italian tax law.

Performance of the contract (GDPR Art. 6(1)(b)) for delivering the service you signed up for.

Legitimate interests (Art. 6(1)(f)) for security logging, fraud prevention, and aggregated analytics — balanced against your rights and freedoms.

Consent (Art. 6(1)(a)) for optional features such as push notifications. Consent can be withdrawn at any time from the device or in-app settings.

Legal obligation (Art. 6(1)(c)) for tax, accounting, and law-enforcement obligations under Italian and EU law.

Ulvos relies on a small set of contracted sub-processors. Each receives only the data needed to deliver its function, under the data-processing terms of the relevant provider.

• Apple (App Store, In-App Purchase, Apple Push Notification service) — receipt validation, subscription state, push delivery.
• Microsoft Azure (App Service and PostgreSQL, EU West Europe region) — application hosting, database, blob storage for uploaded artefacts.
• Azure OpenAI (gpt-4o family) — large-language-model inference for program generation and AI-assisted evaluations. Inputs include training profile and program structure data; we do not send your name, email, password, or payment details to the model. Azure OpenAI does not use Ulvos data to train its models.
• Sentry — backend error and performance monitoring. Personal identifiers in error events are minimised at source.

Application data is hosted in the European Union (Azure West Europe). Where a sub-processor (Apple, Microsoft, Sentry) processes data outside the EEA, the transfer is governed by the EU Standard Contractual Clauses and the supplementary measures published by each provider.

Account and training data is retained while your account is active. After you request deletion, the active dataset is removed within 30 days. Encrypted backups expire within 30 additional days.

Records strictly required for legal, tax, accounting, security, dispute, or fraud-prevention purposes can be retained longer for the period imposed by law (typically 10 years for tax records under Italian law).

• Access — obtain a copy of your personal data.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion of your account and personal data.
• Portability — receive your data in a structured, machine-readable format where technically feasible.
• Restriction or objection — limit or object to specific processing activities.
• Withdraw consent — for any processing based on consent, with no impact on prior lawful processing.
• Lodge a complaint — with the Italian Data Protection Authority (Garante per la protezione dei dati personali, www.garanteprivacy.it).

You can delete your account directly from the app: open Settings → Account → Delete Account, confirm with your password, and the deletion is processed in-app without any web redirect. The active dataset is removed within 30 days; encrypted backups expire within 30 additional days. You can also request deletion by writing to privacy@ulvos.app.

Ulvos is not directed to children. The minimum age to use the service is 16 years (the digital-consent age set by Italian law). We do not knowingly collect data from anyone under 13. If you believe a minor has registered, contact privacy@ulvos.app and the account will be removed.

Material changes are notified by email to the address associated with your account and through an in-app banner at least 30 days before the change takes effect, unless a shorter notice is required by law or by a security event.

Data Controller: Mattia Mellone — privacy@ulvos.app.

For any question about this policy, your data, or to exercise your GDPR rights, write to privacy@ulvos.app.