Privacy Policy
Last updated: February 2026
Version: 1.1
EXECUTIVE SUMMARY
This Privacy Policy describes how PrimeFlow Labs S.L. collects, uses and protects the personal data of users of the PrimeFlow Core and PrimeFlow Pearl applications.
| Aspect | Summary |
|---|---|
| What data do we collect? | Registration data, app usage data and exercise data |
| What do we use it for? | Providing the service, personalising the experience, improving the app |
| Do we share it? | Only with essential service providers; we never sell data |
| Where is it stored? | On secure servers within the EU |
| How long do we keep it? | As long as your account is active, plus legally required periods |
| What are your rights? | Access, rectification, erasure, portability, objection and restriction |
1. DATA CONTROLLER INFORMATION
1.1 Identity of the Controller
| Field | Information |
|---|---|
| Controller | PrimeFlow Labs S.L. |
| Tax ID (CIF) | [Pending registration] |
| Registered address | [Fiscal address], Spain |
| Privacy email | privacy@prime-flow-app.com |
| Website | https://prime-flow-app.com |
1.2 Privacy Contact
For data protection enquiries, you may contact our privacy team at: privacy@prime-flow-app.com
2. DATA WE COLLECT
2.1 Data You Provide to Us
2.1.1 Registration Data
| Data | Purpose | Legal basis |
|---|---|---|
| Name | Personalisation of the experience | Contract |
| | Identification and communications | Contract |
| Password | Access security (stored encrypted) | Contract |
| Date of birth | Age verification, personalisation | Contract |
| Country | Regional adaptation, legal compliance | Contract |
2.1.2 Onboarding Data
| Data | Purpose | Legal basis |
|---|---|---|
| Health goals | Personalisation of routines and exercises | Consent |
| Available time | Adaptation of session duration | Contract |
| Notification preferences | Sending reminders | Consent |
2.1.3 Exercise Data (Special Category)
IMPORTANT: Data related to pelvic floor exercises may be considered health-related data under Article 9 of the GDPR. We process this data based on your explicit consent, which you provide when you accept this Privacy Policy and begin using the application.
| Data | Purpose | Legal basis |
|---|---|---|
| Completed sessions | Progress tracking | Consent |
| Exercise type and duration | Programme personalisation | Consent |
| Level and progression | Automatic difficulty adjustment | Consent |
| Streaks and achievements | Motivation and gamification | Consent |
2.2 Data We Collect Automatically
| Data | Purpose | Legal basis |
|---|---|---|
| Device type and model | Technical compatibility | Legitimate interest |
| Operating system and version | Technical support | Legitimate interest |
| App usage statistics | Service improvement | Legitimate interest |
| Error and crash logs | Bug fixing | Legitimate interest |
| Subscription status | Service management | Contract |
2.3 Data We Do NOT Collect
We want to be transparent. We never collect:
- Precise geographical location
- Contacts or phone book
- Photos, videos or camera access
- Social media data (unless voluntary social login)
- Biometric data (fingerprint/Face ID is processed locally on the device)
3. HOW WE USE YOUR DATA
3.1 Primary Purposes
| Purpose | Data used | Legal basis |
|---|---|---|
| Providing the service | Registration, profile, exercises | Performance of contract |
| Personalising routines | Goals, level, progress | Performance of contract |
| Sending reminders | Email, time preferences | Consent |
| Showing progress | Session data | Consent |
| Managing subscription | Email, billing data (via stores) | Performance of contract |
3.2 Secondary Purposes
| Purpose | Data used | Legal basis |
|---|---|---|
| Improving the application | Anonymous usage data | Legitimate interest |
| Statistical analysis | Aggregated, anonymous data | Legitimate interest |
| Fraud prevention | Usage patterns | Legitimate interest |
| Legal compliance | As required | Legal obligation |
3.3 Communications
| Type | Legal basis | Opt-out |
|---|---|---|
| Training reminders | Consent | App settings |
| Service communications | Performance of contract | Not applicable |
| News and updates | Legitimate interest | Link in email |
| Marketing and promotions | Consent | Settings or link in email |
4. LEGAL BASES FOR PROCESSING
Under the GDPR, we need a legal basis for each data processing activity:
4.1 Performance of Contract (Art. 6.1.b GDPR)
We process data necessary to:
- Create and maintain your account
- Provide the application's functionalities
- Manage your subscription
- Offer technical support
4.2 Consent (Art. 6.1.a GDPR)
We request your explicit consent to:
- Process health data (pelvic floor exercises)
- Send commercial communications
- Activate push notifications
- Use non-essential cookies (website)
You may withdraw your consent at any time from the application settings or by contacting privacy@prime-flow-app.com.
4.3 Legitimate Interest (Art. 6.1.f GDPR)
We rely on our legitimate interest to:
- Improve the application through usage analysis
- Prevent fraud and abuse
- Ensure system security
- Send essential service communications
We have carried out balancing assessments demonstrating that these processing activities do not override your rights and freedoms.
4.4 Legal Obligation (Art. 6.1.c GDPR)
We comply with legal obligations such as:
- Retention of tax records
- Responding to judicial requests
- Compliance with consumer regulations
5. WHO WE SHARE YOUR DATA WITH
5.1 Service Providers (Data Processors)
We share data with providers who help us operate the service:
| Provider | Service | Data | Location |
|---|---|---|---|
| Google Firebase | Database and authentication | Registration, usage | EU (Belgium) |
| RevenueCat | Subscription management | User ID, subscription status | USA* |
| Google Analytics | Usage analytics | Anonymous data | USA* |
| OneSignal | Push notifications | Token, preferences | USA* |
*These providers are certified under the EU-US Data Privacy Framework or have Standard Contractual Clauses (SCCs) ensuring an adequate level of protection.
5.2 App Stores
Subscription payments are processed directly by:
- Apple (App Store)
- Google (Play Store)
We do not have access to your complete payment data (card number, bank account).
5.3 Third Parties We Do NOT Share Data With
We never sell, rent or share your personal data with:
- Marketing or advertising companies
- Data brokers
- Social media platforms (except voluntary social login)
- Insurance companies or healthcare organisations
- Employers or other unauthorised third parties
5.4 Other Disclosure Scenarios
We may disclose data to third parties when:
- You expressly authorise us to do so
- It is necessary to protect legal rights
- Required by a judicial or administrative authority
- Necessary to prevent serious harm
6. INTERNATIONAL TRANSFERS
6.1 General Principle
Your data is primarily stored on servers located within the European Union.
6.2 Transfers to the USA
Some of our providers are based in the United States. For these transfers, we use the following safeguards:
| Safeguard | Description |
|---|---|
| EU-US Data Privacy Framework | Providers certified under this framework |
| Standard Contractual Clauses (SCCs) | Contracts approved by the European Commission |
| Supplementary measures | Encryption, pseudonymisation, access controls |
6.3 Risk Assessment
We have assessed the risk of each international transfer and concluded that the safeguards in place provide a level of protection essentially equivalent to that of the GDPR.
You may request further information about specific safeguards by contacting privacy@prime-flow-app.com.
7. DATA RETENTION
7.1 Retention Periods
| Data type | Retention period | Reason |
|---|---|---|
| Account data | While the account is active | Service provision |
| Exercise data | While the account is active | Progress tracking |
| Billing data | 5 years after the last transaction | Tax obligations |
| Consent records | 5 years | Legal proof |
| Anonymous usage data | 2 years | Statistical analysis |
| Error logs | 90 days | Technical debugging |
7.2 After Deletion
When you delete your account or the retention periods expire:
- Personal data is permanently deleted or irreversibly anonymised
- Backups are purged within 30 days
- Data subject to legal retention is kept only for the required period
8. DATA SECURITY
8.1 Technical Measures
- Data encryption in transit (TLS 1.3) and at rest (AES-256)
- Encrypted password storage (bcrypt)
- Restricted and role-based access
- Continuous security monitoring
- Regular backups
8.2 Organisational Measures
- Confidentiality agreements with all staff
- Regular security training
- Periodic security audits
- Documented data breach response procedures
8.3 Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the Spanish Data Protection Agency (AEPD) within 72 hours
- We will inform affected users without undue delay
- We will detail the nature of the breach, potential consequences and measures taken
9. YOUR RIGHTS
Under the GDPR, you have the following rights:
| Right | Description | Timeframe |
|---|---|---|
| Access | Know what data we process about you | 1 month |
| Rectification | Correct inaccurate data | 1 month |
| Erasure | Delete your data ("right to be forgotten") | 1 month |
| Portability | Receive your data in a structured format | 1 month |
| Objection | Object to certain processing activities | 1 month |
| Restriction | Limit the processing in certain cases | 1 month |
| Withdraw consent | Withdraw previously given consent | Immediate |
How to Exercise Your Rights
- Email: privacy@prime-flow-app.com
- In-app: Settings > Privacy > My Rights
We will respond within one month. In complex cases, this may be extended by an additional two months with prior notice.
Right to Lodge a Complaint
If you believe your data protection rights have been infringed, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, or with your local supervisory authority.
10. CHILDREN
The application is intended for people aged 18 and over. We do not knowingly collect data from children. If we become aware that we have collected data from a person under 18, we will immediately delete such data.
11. ACCOUNT AND DATA DELETION
11.1 How to Delete Your Account
You may request the deletion of your account and all associated data:
- In-app: Settings > Account > Delete Account
- By email: privacy@prime-flow-app.com
11.2 What Happens When You Delete Your Account
- All personal data is permanently deleted within 30 days
- Active subscriptions must be cancelled separately through the App Store/Play Store
- Data subject to legal retention is kept only for the legally required period
- Anonymous, aggregated data that is no longer identifiable may be retained
12. COOKIES AND SIMILAR TECHNOLOGIES
12.1 In the App
The mobile application does not use traditional cookies. It uses local storage (AsyncStorage) to save preferences and session data on the device.
12.2 On the Website
Our website may use:
| Type | Purpose | Consent |
|---|---|---|
| Essential cookies | Basic website functionality | Not required |
| Analytics cookies | Understanding how visitors use the site | Required |
| Preference cookies | Remembering user settings | Required |
13. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. In the event of significant changes:
- We will notify you via email and/or in-app notification
- We will clearly indicate the date of last update
- Where required, we will request renewed consent
14. CONTACT
For any privacy-related enquiries:
- Privacy email: privacy@prime-flow-app.com
- General email: info@prime-flow-app.com
- Website: https://prime-flow-app.com
15. ADDITIONAL INFORMATION
This Privacy Policy has been drawn up in accordance with:
- General Data Protection Regulation (EU) 2016/679 (GDPR)
- Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD)
- Spanish Law 34/2002 on Information Society Services (LSSI-CE)
16. VERSION HISTORY
- Version 1.0 (January 2026): Initial version
- Version 1.1 (February 2026): Contact email updates and section extensions
© 2026 PrimeFlow Labs S.L. All rights reserved.