[ LEGAL · GDPR ]

GDPR Notice for EU users

Last updated · 2026-04-21

This addendum supplements our privacy policy and applies to users located in the European Economic Area, the United Kingdom, and Switzerland. It describes how we comply with Regulation (EU) 2016/679 ("GDPR") and the Swiss FADP.

1. Controller

Ampersand Labs by Davide Morotti, Flüelastrasse 10, 8048 Zürich, Switzerland.
Privacy contact: hello@repflow.ch.

2. Legal bases (Art. 6 GDPR)

  • Art. 6(1)(b) — performance of the contract: to provide the Service you signed up for.
  • Art. 6(1)(f) — legitimate interests: security, abuse prevention, and product improvement (only when not overridden by your fundamental rights).
  • Art. 6(1)(c) — legal obligation: e.g. tax records.
  • Art. 6(1)(a) — consent: for non-essential cookies and marketing emails.

3. Special categories

Body metrics and training data are not considered "special category" data under Art. 9 GDPR unless they reveal information about your health. We do not request health diagnoses. If you choose to enter injury information, we treat it with elevated care and process it only to tailor your training plan.

4. International transfers

Your personal data is stored in the EU/Switzerland region. Where a sub-processor (e.g. AI inference provider) is located outside the EEA, we rely on the EU Commission's Standard Contractual Clauses and any additional safeguards required by the EDPB to ensure an adequate level of protection.

5. Retention

We keep your data only as long as needed for the purposes described above. Specifically: account & training data — for the lifetime of your account; technical logs — up to 90 days; backups — up to 30 days rolling.

6. Your rights

You have the right to:

  • access your personal data (Art. 15 GDPR);
  • request correction (Art. 16);
  • request erasure (Art. 17);
  • restrict processing (Art. 18);
  • data portability (Art. 20);
  • object to processing based on legitimate interest (Art. 21);
  • withdraw consent at any time (Art. 7(3));
  • lodge a complaint with your local supervisory authority (Art. 77).

To exercise any of these rights, email hello@repflow.ch. We will respond within 30 days.

7. Automated decision-making

The AI plan generation produces training suggestions based on the profile you provide. It does not produce decisions with legal effects or similarly significant effects on you within the meaning of Art. 22 GDPR. You remain in full control: you can edit, ignore, or regenerate any plan.

8. Supervisory authority

For users in Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern.
For EU users: your national supervisory authority — see edpb.europa.eu.