Privacy Policy

Last updated: March 6, 2026

1. Who We Are

DigitAquos is operated by OARA TECH S.R.L., a company registered in Romania (CUI: 53927238), located in Cluj County, Romania. We provide a software platform for swimming club management, individual training, health monitoring, and performance tracking.

DigitAquos is available as a web application at app.digitaquos.com, and as native mobile applications on iOS (App Store) and Android (Google Play). The mobile apps wrap the web application in a native shell using Capacitor, providing access to device-level features including push notifications, Apple HealthKit, and Android Health Connect.

For any privacy-related inquiries, contact us at razvanoara@digitaquos.com.

2. Data We Collect

We collect different categories of data depending on how you use DigitAquos:

Account Data

Full name, email address, username, password (hashed), country, club name (for coaches), swimming level (for individual swimmers).

Swimmer Profile Data

Date of birth, gender, training group, attendance records, performance times, personal bests, goals, and training preferences.

Health & Medical Data

Medical certificate status and expiry dates, height, weight, body metrics. For swimmers with connected wearables: heart rate, heart rate variability (HRV), resting heart rate, sleep data (stages, duration, score, SpO₂), stress levels, body battery, respiration rate, and swim activity metrics (SWOLF, stroke count, pace, laps, distance).

Wearable & Device Health Data

When swimmers connect a Garmin device, we receive physiological data through the Garmin Connect API via OAuth2 webhooks. This is a one-way data flow — we receive data from Garmin but do not send any personal data back to Garmin.

On iOS, the DigitAquos mobile app can read health data from Apple HealthKit with your explicit permission. This includes heart rate, workout sessions, sleep analysis, and other health metrics stored on your device. HealthKit data is read locally on your device and transmitted securely to our servers. We do not write data back to HealthKit.

On Android, the DigitAquos mobile app can read health data from Health Connect with your explicit permission. This includes heart rate, exercise sessions, sleep data, and other health metrics. Health Connect data is read locally on your device and transmitted securely to our servers. We do not write data back to Health Connect.

You can revoke HealthKit or Health Connect permissions at any time through your device's system settings. Revoking permissions stops future data syncing. Previously synced data can be deleted upon request.

Training Data

Workouts created or generated, training plans, session completions, performance metrics, and coach feedback. For AI-powered features, this includes data generated by AI services on your behalf (training plans, workout suggestions, session feedback).

Payment Data

When you subscribe to a paid plan, payment processing is handled by Stripe. We receive confirmation of payment status, subscription tier, and billing period. We do not store credit card numbers, CVVs, or full payment credentials on our servers. Invoices are generated through Oblio for Romanian e-invoicing compliance.

Media & Files

User-uploaded content such as profile photos, medical certificate scans, club gallery images, and club logos is stored on Cloudflare R2, a cloud object storage service. Files are served over HTTPS and are accessible only through authenticated platform requests.

Push Notification Data

The DigitAquos mobile app uses Firebase Cloud Messaging (FCM) to deliver push notifications. When you enable push notifications, a device token is stored on our servers to route notifications to your device. We do not use FCM for advertising or tracking. You can disable push notifications at any time through your device settings or within the app.

Usage Data

We do not use analytics trackers, cookies for advertising, or any third-party tracking tools. We may collect basic server logs (IP address, request timestamps) for security and debugging purposes only.

3. How We Use Your Data

We use your data exclusively to provide and improve the DigitAquos platform:

  • Providing club management, training planning, and health monitoring features
  • Generating readiness scores, recovery insights, and performance analytics
  • Powering AI features: generating personalized training plans, workouts, session feedback, and daily check-ins based on your profile, goals, and wearable health data
  • Adjusting workout intensity and volume based on recovery, sleep quality, and readiness metrics
  • Enabling communication between coaches and swimmers
  • Managing registrations, medical compliance, and GDPR consent tracking
  • Processing payments and generating invoices
  • Sending platform-related notifications via push notifications and in-app messaging (schedule changes, announcements, medical certificate reminders)
  • Maintaining platform security and preventing abuse

We do not use your data for advertising, profiling, or any purpose unrelated to the swimming platform.

4. AI Data Processing

DigitAquos Pro includes AI-powered features that generate personalized training plans, workouts, session feedback, and coaching insights. To provide these features:

  • Certain personal data is sent to Google (Gemini API) for processing. This includes: your swimming level, goals, training schedule, recent workout history, and wearable health metrics (readiness score, sleep quality, heart rate, recovery status).
  • Data is transmitted securely over encrypted connections (HTTPS/TLS).
  • Google processes the data solely to generate your requested content and does not store your data beyond the duration of the API request.
  • Google does not use your data to train their AI models.
  • No identifying information (full name, email, exact date of birth) is sent to the AI provider — only anonymized training and health context necessary for content generation.
  • You can opt out of AI features at any time by not using them or by downgrading to the Basic plan. No data will be sent to AI services unless you actively use an AI-powered feature.

For more information on Google's data practices, see Google's Privacy Policy.

5. Legal Basis for Processing (GDPR)

  • Contract performance — Processing necessary to provide you with the DigitAquos platform and its features, including AI-powered features included in your subscription.
  • Consent — For health and medical data processing, wearable device connection, HealthKit and Health Connect data access, AI data processing via third-party services, push notification delivery, and for minors' data (parental consent required for users under 16).
  • Legitimate interest — Platform security, preventing fraud, and service improvements.
  • Legal obligation — Generating invoices and maintaining financial records as required by Romanian law.

6. Children's Data

DigitAquos serves swimming clubs that include minors of all ages. We take the protection of children's data seriously.

  • There is no minimum age to have an account, provided a parent or legal guardian creates, manages, and assumes full responsibility for the account.
  • Users under 16 require parental or guardian consent for all data processing, including health data, wearable integration, and HealthKit/Health Connect access.
  • Club coaches are responsible for ensuring proper parental consent is obtained for all minors registered under their club.
  • Medical and health data for minors receives the highest level of protection and encryption.
  • AI-powered features for minor accounts require explicit parental consent for third-party data processing.
  • Parents or guardians may request access to, correction of, or deletion of their child's data at any time.

7. Data Sharing

We do not sell, rent, or share your personal data for advertising or marketing purposes.

We share limited data with the following third-party services, solely to provide platform functionality:

  • Garmin Connect API — One-way inbound integration. We receive wearable data from Garmin when a swimmer authorizes the connection. We do not transmit personal data to Garmin.
  • Apple HealthKit — Device-side integration on iOS. Health data is read locally from the user's device with explicit permission and transmitted to our servers. No data is written back to HealthKit or shared with Apple.
  • Android Health Connect — Device-side integration on Android. Health data is read locally from the user's device with explicit permission and transmitted to our servers. No data is written back to Health Connect or shared with Google via Health Connect.
  • Google (Gemini API) — Anonymized training and health context is sent to generate AI-powered content (training plans, workouts, feedback). No identifying information is shared. Data is not stored by Google beyond the API request.
  • Firebase Cloud Messaging — Device tokens are used to deliver push notifications. No personal data beyond the device token and notification content is shared with Firebase. Firebase is operated by Google and governed by Google's privacy policies.
  • Cloudflare R2 — User-uploaded media files (profile photos, medical certificates, gallery images) are stored on Cloudflare R2. Files are encrypted in transit and accessible only through authenticated requests.
  • Stripe — Payment information is processed by Stripe for subscription management. Stripe operates under their own privacy policy. We do not store credit card details.
  • Oblio — Invoice data (name, email, subscription details) is sent to Oblio for Romanian e-invoicing compliance (e-Factura / ANAF).

No other third parties receive your data. We do not use analytics services, advertising networks, or data brokers.

8. Data Storage & Security

  • All data is stored on Hetzner Cloud servers in Germany (European Union).
  • Media files are stored on Cloudflare R2 with encryption in transit.
  • Data is encrypted in transit (TLS/SSL — Grade A+ certified) and at rest.
  • Passwords are securely hashed — we cannot see or recover your password.
  • The platform has passed OWASP security testing.
  • Access to production infrastructure is restricted to authorized personnel only.
  • AI API communications use encrypted connections. No personal data is stored by AI providers beyond request processing.
  • Mobile apps communicate with our servers exclusively over HTTPS. No data is stored locally on the device beyond session tokens and push notification tokens.

9. Data Retention

We retain your data for as long as your account is active. If you delete your account:

  • Your personal data will be permanently deleted within 30 days.
  • Anonymized, aggregated data (e.g., club statistics with no personal identifiers) may be retained.
  • Data required by law (e.g., financial records, invoices) may be retained for the legally required period (typically 10 years for financial records in Romania).
  • AI-generated content (plans, workouts) associated with your account will be deleted with your account.
  • Media files stored on Cloudflare R2 will be permanently deleted with your account.
  • Push notification device tokens are deleted immediately upon account deletion.

10. Your Rights (GDPR)

As a user in the European Union, you have the following rights:

  • Access — Request a copy of your personal data.
  • Rectification — Correct inaccurate or incomplete data.
  • Erasure — Request deletion of your data (“right to be forgotten”).
  • Restriction — Limit how we process your data.
  • Portability — Receive your data in a structured, machine-readable format.
  • Objection — Object to data processing based on legitimate interest.
  • Withdraw consent — Revoke consent at any time (e.g., disconnect wearable, revoke HealthKit/Health Connect permissions, revoke medical data consent, stop using AI features, disable push notifications).
  • Object to AI processing — You have the right to opt out of AI-powered data processing at any time by not using AI features or by contacting us.

To exercise any of these rights, email us at razvanoara@digitaquos.com. We will respond within 30 days.

You also have the right to file a complaint with the Romanian data protection authority (ANSPDCP — www.dataprotection.ro).

11. Cookies

DigitAquos uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics tools. The mobile apps do not use cookies — authentication is handled via secure tokens stored in device memory.

12. Mobile Applications

DigitAquos is available as a native mobile application on iOS and Android. The mobile apps provide the same functionality as the web application, with additional access to device-level features:

  • Push Notifications — Delivered via Firebase Cloud Messaging. You can enable or disable notifications in your device settings at any time.
  • Apple HealthKit (iOS) — With your permission, the app reads health data (heart rate, workouts, sleep) from HealthKit. Data is transmitted securely to our servers. You can revoke access in iOS Settings → Privacy → Health at any time.
  • Health Connect (Android) — With your permission, the app reads health data (heart rate, exercise, sleep) from Health Connect. Data is transmitted securely to our servers. You can revoke access in Android Settings → Health Connect at any time.
  • The mobile apps do not access your camera, contacts, location, microphone, or any other device sensors beyond those explicitly listed above.
  • The mobile apps do not collect device identifiers for advertising purposes.

13. International Data Transfers

Your data is stored within the European Union (Germany). When AI-powered features are used, anonymized data may be processed by Google, whose servers may be located outside the EU (United States). This transfer is conducted under appropriate safeguards including:

  • Data minimization — only anonymized, non-identifying context is transmitted.
  • No data retention by the AI provider beyond request processing.
  • Encrypted transmission (TLS/HTTPS).
  • Google's compliance with applicable data protection frameworks.

Firebase Cloud Messaging and Cloudflare R2 may process data outside the EU. Both services maintain appropriate data protection safeguards and comply with applicable regulations.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our platform, third-party services, or legal requirements. Significant changes will be communicated through the platform and via push notifications where appropriate. The “Last updated” date at the top of this page will always reflect the most recent revision.

15. Contact

OARA TECH S.R.L.
Str. Luțerniștei Nr. 5, Municipiul Turda, Jud. Cluj, Romania
CUI: 53927238
Email: razvanoara@digitaquos.com