Privacy Notice

1) Who we are and scope

• Controller: VIGILANT FRONT, S.L., Calle Serrano Anguita, 13, 28004, Madrid, Spain, ES VAT (NIF): B22983811, Registration: registered in "Registro Mercantil de Madrid" in volume 0; book 0; folio 0; section GNE; page 864596
• Contact (privacy): privacy@gonorth.it
• Scope: This notice explains how we process personal data in our web application that tracks habits, goals, milestones, and journaling, and integrates with third-party health devices/services (notably Garmin) to import activity and health metrics for your personal insights.

2) What we collect and why (data map aligned to our product)

We only collect data necessary for the app's functionality (data minimisation). Based on the app's current design and database models, we process:

3) Special section: Garmin connection and health/activity data

4) Purposes of processing and legal bases (summary)

• Provide the service you requested (habit/goal tracking, insights, journaling, device connection): Art. 6(1)(b) GDPR (contract).
• Improve, secure, and maintain the service (e.g., debugging, preventing abuse, feature flags): Art. 6(1)(f) GDPR (legitimate interests) with appropriate balancing test.
• Health/fitness data from Garmin or similar: Art. 6(1)(a) + Art. 9(2)(a) GDPR (explicit consent). You may withdraw at any time.
• Comply with legal obligations (e.g., tax or regulatory record-keeping if applicable): Art. 6(1)(c) GDPR.

5) Cookies and similar technologies

• We use strictly necessary cookies to operate sign-in sessions, protect against fraud, and remember essential preferences.
• Any analytics/marketing cookies (if used) will be opt-in with a compliant consent banner. You can change preferences at any time.

6) Disclosures, recipients, and processors

• We use vetted service providers (processors) for hosting, storage, security, and operational tooling (e.g., cloud infrastructure, database, email). These providers are bound by Data Processing Agreements (DPAs) and act only on our documented instructions.
• If we use third-party AI providers to generate insights, they act as processors under DPAs; we set data handling/retention limits and disable training on your data where available.
• Garmin is a separate controller that provides your data to us after you authorise access. Our app does not share your personal data back to Garmin except as necessary for the connection you initiate.
• We will disclose data to competent authorities only when lawfully required.

7) International data transfers

When we transfer personal data outside the EEA/UK (e.g., to cloud providers), we implement appropriate safeguards (e.g., European Commission Standard Contractual Clauses, UK IDTA/Addendum, and supplementary measures). Where applicable, we prefer providers certified under EU–US Data Privacy Framework for the specific services.

8) Data retention (high-level; subject to a formal retention schedule)

• Account and session data: as long as your account is active; basic logs for security for a short rolling period.
• Habits/goals/milestones/challenges/rewards/journal: until you delete the items or your account; we may keep limited backups for a short time after deletion.
• AI interactions: minimal logs to ensure safety/traceability, retained for a defined period; generated outputs exist in your account until deleted.
• Garmin-imported data: retained while the connection is active and for a short period after disconnect to support recovery/backups, unless you request deletion sooner.
• Technical logs: short rolling windows necessary for security/diagnostics.
• We maintain and publish a detailed retention schedule; where retention periods must be longer (e.g., legal obligations), we restrict access and purpose.

9) Your GDPR rights

• Access: obtain a copy of your personal data we process.
• Rectification: correct inaccurate data.
• Erasure: request deletion ("right to be forgotten"), including imported Garmin data.
• Restriction: limit processing in certain cases.
• Portability: receive your data in a machine-readable format (where applicable) and transmit it to another controller.
• Objection: object to processing based on legitimate interests; we will honour unless we have compelling legitimate grounds.
• Withdraw consent: for any processing relying on consent (including Garmin health data) at any time without affecting prior lawful processing.
• Complaint: lodge a complaint with your local supervisory authority in the EEA/UK.
• How to exercise: Use in-app controls (export/delete, disconnect Garmin) or contact us at privacy@gonorth.it. We verify identity before fulfilling requests.

10) Security

We implement appropriate technical and organisational measures, including encryption in transit and at rest, least-privilege access, role-based permissions, audit logging, secure key management, regular backups, and vulnerability management.

We test and improve controls periodically. In case of a personal data breach, we assess risk and, where required, notify the supervisory authority within 72 hours and affected users without undue delay.

11) Children's privacy

Our service is not directed to children under 16. Users under the age of digital consent (13–16 depending on country) should not use the service without verified parental consent. We will take steps to delete data inadvertently collected from ineligible users upon notice.

12) Automated decision-making and profiling

We compute progress analytics and insights (e.g., habit adherence, goal progress, fitness summaries). These do not produce legal or similarly significant effects on you. We do not perform automated decision-making within the meaning of Art. 22 GDPR.

13) Changes to this notice

We may update this notice as our product or legal requirements evolve. We will post changes here and, where material, notify you in-app or by email.