At SmartyMove (smartymove.com) we value your privacy and are committed to protecting your personal data. This Privacy Policy explains how SmartyMove collects, uses, stores, and protects your information when you use our movement screening and corrective program. Our practices comply with the General Data Protection Regulation (GDPR) (EU) 2016/679, the ePrivacy Directive 2002/58/EC, and applicable data protection laws worldwide.
1. Data We Collect
Account & Profile Data
- Name, email address, age, and password (stored hashed) when you create an account.
- Optional profile information: display name, avatar, timezone, and notification preferences.
- Self-reported information from your readiness questionnaire (e.g. current pain level, recent injuries, ability to walk/run/jump without pain, red-flag symptoms) and the joint/area issues you select.
- Your selected goal (e.g. recover from knee pain, start running, improve general mobility).
- Your acceptance of the liability waiver, with timestamp.
Movement Screening Data
- On-device processing only: Pose detection runs locally in your browser using MediaPipe. Raw camera frames are not uploaded to our servers and are not stored.
- We do store the derived metrics from each screen: joint angles, sub-scores (mobility, control, symmetry), Movement Score, Movement Age estimate, and the timestamp of each screen.
- Your corrective program selections, completions, streaks, and re-screen history.
Usage & Technical Data
- Technical data such as IP address, browser type, device type, and operating system.
- Aggregated usage analytics (which screens you start, which corrective routines you complete).
- Push notification tokens, if you enable notifications.
2. How We Use Your Data
- Provide and personalize the movement screens, scoring, and corrective program.
- Filter out tests that are unsafe based on your readiness questionnaire and selected joint issues.
- Calculate your Movement Score, Movement Age, and progress over time.
- Process payments and subscriptions via Stripe.
- Send transactional emails (account, security, billing) and, with consent, product updates.
- Send in-app reminders for daily routines and re-screens.
- Improve SmartyMove through anonymized, aggregated analytics.
- Ensure legal compliance and platform security.
We will never sell or rent your personal data to third parties.
3. Legal Basis for Processing (GDPR Article 6)
- Consent (Art. 6(1)(a)): Push notifications, marketing emails, optional analytics.
- Contractual necessity (Art. 6(1)(b)): Running the app, screens, scoring, and your subscription.
- Legal obligation (Art. 6(1)(c)): Tax and accounting records, fraud prevention.
- Legitimate interests (Art. 6(1)(f)): Service security, fraud prevention, product improvement.
- Health-related self-reports from the readiness questionnaire and joint-issue selection are processed only with your explicit consent and used solely to make the in-app experience safer for you. We do not share them for any other purpose.
4. Data Sharing & Sub-Processors
- Stripe — payment processing (PCI DSS compliant). See the Stripe Privacy Policy.
- Lovable Cloud (Supabase infrastructure) — database hosting and authentication (EU region).
- MediaPipe (Google) — pose detection model that runs locally in your browser. No video data is transmitted to MediaPipe servers.
- Email delivery provider — for transactional and (with consent) marketing emails.
All processors are required to comply with GDPR standards and maintain appropriate technical and organizational security measures.
5. Data Retention
- Account data: retained while your account is active and for up to 30 days after a deletion request.
- Screening & corrective program data: retained while your account is active.
- Transaction records: retained for 7 years as required by tax law.
- Marketing preferences: retained until you withdraw consent.
- Anonymized analytics: may be retained beyond account deletion in fully anonymized form.
6. Your Rights Under GDPR
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your personal data via your profile settings.
- Right to Restrict Processing (Art. 18): Request limitation of how we process your data.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing.
- Right to Withdraw Consent (Art. 7): Withdraw consent at any time for consent-based processing.
- Right to Lodge a Complaint: You may lodge a complaint with your local data protection authority.
7. Security Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Hashed passwords and secure session management.
- Row Level Security (RLS) ensuring each user can only access their own data.
- Camera processing performed locally on your device — raw video is never uploaded.
- Strict access controls and least-privilege principles for any operator access.
- Regular dependency, infrastructure, and security reviews.
8. Cookies & Local Storage
SmartyMove uses cookies and local storage for the following purposes:
- Essential: authentication tokens, session security, fraud prevention.
- Functional: UI preferences, onboarding state, last-viewed screens.
- Third-party (Stripe): payment fraud prevention at checkout.
You can manage cookies via your browser settings; disabling essential cookies will break core functionality.
9. Children
SmartyMove is intended for users aged 18 and over. Users between 13 and 18 may only use SmartyMove with parental or guardian supervision and consent. We do not knowingly collect data from children under 13. If you believe we have, contact us at hello@smartymove.com and we will delete it.
10. International Transfers
Your data is primarily processed within the EU. Where transfers outside the EU are necessary, we rely on Standard Contractual Clauses or other lawful transfer mechanisms approved under GDPR.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes via the app or email. The "Last updated" date at the top reflects the latest revision.
12. Contact
Data Controller: SmartyMove (smartymove.com). For privacy questions or to exercise your rights, contact hello@smartymove.com.