Privacy Policy
Last updated: April 23, 2026
1. Data Controller
The controller of personal data collected through the Reekia platform and the reekia.io website is:
SAS BOUDIER
Email: privacy@reekia.io
2. Data We Collect
We collect the following categories of data:
2.1 Identification data
- First name, last name, email address
- Phone number (optional)
- Profile picture (optional)
2.2 Service usage data
- Connection data (logs, IP address, browser)
- Subscription and billing data
- Gym data (members, schedule, classes)
- Member training data (performance, injuries, programs)
2.3 Health data
Data such as injuries or medical restrictions are considered sensitive data under GDPR. They are collected only with the user's explicit consent and are strictly necessary for the proper operation of the coaching service.
3. Purposes of Processing
Your data is processed for the following purposes:
- Provision and management of the Reekia service
- User account management and authentication
- Billing and subscription management
- Service-related communications (notifications, updates)
- Service improvement and anonymized usage statistics
- Compliance with legal obligations
4. Legal Basis
The processing of your data is based on:
- Contract performance: to provide the service you subscribed to
- Consent: for sensitive data (health) and marketing communications
- Legitimate interest: for service improvement and security
- Legal obligation: for accounting and tax obligations
5. Data Recipients
Your data may be shared with:
- Your gym: the manager accesses member data as part of the service
- Technical subcontractors: hosting (OVH), payment (Stripe), transactional emails
- Competent authorities: in case of legal obligation
We never sell your data to third parties.
6. Data Retention
We retain your personal data only for as long as necessary for the purposes for which it was collected and to comply with our legal obligations. The specific retention periods are as follows:
| Data type | Retention period |
|---|---|
| Account data | Subscription duration + 3 years |
| Billing data | 10 years (legal obligation) |
| Connection data (logs) | 12 months |
| Training data (performance, programs) | Subscription duration + 1 year, then anonymization |
| Cookies | 13 months maximum |
| Health data (injuries, medical restrictions) | Subscription duration + 1 year, then permanent deletion |
7. Your Rights
Under GDPR, you have the following rights:
- Right of access: obtain a copy of your data
- Right to rectification: correct inaccurate data
- Right to erasure: request deletion of your data
- Right to portability: receive your data in a structured format
- Right to object: object to certain processing
- Right to restriction: limit the processing of your data
- Right to withdraw consent: at any time for processing based on consent
To exercise these rights, contact us at: privacy@reekia.io
You also have the right to lodge a complaint with the French Data Protection Authority (CNIL - cnil.fr).
7.1 Delete your account
You can request the deletion of your account and your data at any time, directly from the mobile app or from the web.
From the Reekia mobile app
Open the app, log in, then go to Profile → Settings → Delete my account and confirm your request.
From the web (without installing the app)
Visit the dedicated page for your app:
You can also send an email to privacy@reekia.io with the subject Account deletion, from the email address associated with your account.
What is deleted and what is retained
- Deleted within 30 days: profile, photo, identification data, training data, health data, preferences.
- Retained for 10 years (legal accounting obligation): billing data (invoices, payments).
- Retained in anonymized form: aggregated, non-identifying usage statistics.
You will receive a confirmation email once the deletion is complete.
8. Security
We implement appropriate technical and organizational measures to protect your data:
- SSL/TLS encryption for all communications
- JWT token authentication with expiration
- Tenant-level data isolation (multi-tenant)
- Regular encrypted backups
- Restricted data access (least privilege principle)
9. International Transfers
Your data is hosted in France (OVH, Roubaix). Some subcontractors may process data outside the European Union: Stripe (payment, United States) under the EU Standard Contractual Clauses and the Data Privacy Framework; Firebase / Google Cloud (mobile push notifications, if applicable) under the Data Privacy Framework. In all cases, appropriate safeguards are in place to ensure a level of protection equivalent to GDPR.
10. Changes to This Policy
We reserve the right to modify this privacy policy. In case of substantial changes, we will notify you by email or through the platform.