Privacy Policy
Effective date: 16 April 2026
1. Controller identity
The controller responsible for the processing of your personal data is:
MUDr. Marek Filippi
IČO (Business ID): 19579446
Praha, Czech Republic
Email: hello@getarete.eu
The service is operated under the trading name Arete and is accessible at getarete.eu and via the Arete iOS application.
2. What data we collect
We collect the following categories of personal data:
2.1 Account data
- Name and email address
- Profile photograph (optional)
- Password (stored in hashed form)
2.2 Athlete profile data
- Sex, date of birth, height, weight
- Preferred units (metric/imperial) and comparison sex for benchmarks
2.3 Health and fitness data (special category)
The following data constitutes health data under Article 9 GDPR and is processed only with your explicit consent:
- Performance metrics: running times, cycling power, swim times, sprint times, strength lifts, calisthenics records
- Body composition: body fat percentage, skeletal muscle percentage, bone density (DEXA T-score), visceral fat rating
- Anthropometric measurements: waist circumference, hip circumference, waist-to-hip ratio, waist-to-height ratio
- Cardiorespiratory markers: VO2 max, resting heart rate, maximum heart rate, heart rate recovery
- Biomarkers: HbA1c (glycated haemoglobin)
2.4 Technical and usage data
- IP address, device type, operating system, browser type
- Session data, pages visited, features used (via PostHog analytics)
- Error logs and crash reports (via Sentry)
- Referral source, UTM parameters, promo codes used
2.5 Payment data
Payment card details and transaction data are processed exclusively by Stripe, Inc. We do not store full payment card numbers. We retain transaction IDs, subscription status, and payment history for accounting and support purposes.
3. Legal basis for processing
We process your data under the following legal bases:
- Explicit consent (Article 6(1)(a) and Article 9(2)(a) GDPR) — for all health and fitness data you enter into the application. You may withdraw consent at any time by deleting your data or your account.
- Contract performance (Article 6(1)(b) GDPR) — for account data and payment data necessary to provide the service.
- Legal obligation (Article 6(1)(c) GDPR) — for accounting and tax records as required by Czech law.
- Legitimate interests (Article 6(1)(f) GDPR) — for analytics and error monitoring necessary to maintain and improve the service, where these interests are not overridden by your rights.
4. Purposes of processing
- Providing the Arete service: calculating domain scores, benchmark comparisons, trend tracking, and assessment reports
- Account management: registration, authentication, profile settings
- Processing payments and managing subscriptions
- Sending transactional emails (account confirmation, receipts, report delivery)
- Sending product updates and promotional communications — only with your separate consent
- Monitoring service performance, diagnosing errors, and improving the application
- Complying with legal and tax obligations
5. Third-party processors
We share data with the following sub-processors who process data on our behalf. All processors are contractually bound to handle data in accordance with GDPR.
- Supabase, Inc. (USA) — database hosting and authentication. Data is stored in the EU region where selected.
- Stripe, Inc. (USA) — payment processing. Stripe is certified under the EU-US Data Privacy Framework.
- PostHog, Inc. (USA) — product analytics. Data may be stored in the EU region.
- Sentry (Functional Software, Inc., USA) — error monitoring and crash reporting.
Where processors are based outside the EEA, data transfers are protected by Standard Contractual Clauses (SCCs) or an applicable adequacy decision.
6. Data retention
- Account and profile data: retained for the duration of your account and deleted within 30 days of account deletion.
- Health and fitness data: retained for the duration of your account and deleted within 30 days of account deletion or earlier upon request.
- Payment and transaction records: retained for 10 years to comply with Czech accounting law (Act No. 563/1991 Coll.).
- Anonymous session data (pre-registration assessment): retained for 24 hours, then permanently deleted.
- Analytics and error log data: retained for up to 12 months in aggregated or anonymised form.
7. Your rights under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access — you may request a copy of all personal data we hold about you.
- Right to rectification — you may correct inaccurate data at any time via your account settings.
- Right to erasure — you may request full deletion of your account and all associated data.
- Right to restriction — you may request that we limit processing of your data in certain circumstances.
- Right to data portability — you may request your data in a structured, machine-readable format.
- Right to object — you may object to processing based on legitimate interests.
- Right to withdraw consent — for health data and marketing communications, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint — you may lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, www.uoou.cz).
To exercise any of these rights, contact us at hello@getarete.eu. We will respond within 30 days.
8. Minors
Arete is not intended for children under the age of 13. Users aged 13 to 17 must obtain verifiable parental or guardian consent before creating an account or entering health data. If we become aware that we have collected data from a child under 13 without appropriate consent, we will delete it promptly. Please contact hello@getarete.eu if you believe we have inadvertently collected such data.
9. Cookies and tracking
We use cookies and similar technologies for:
- Session management and authentication (strictly necessary — no consent required)
- Product analytics via PostHog (requires consent)
- Error monitoring via Sentry (legitimate interests)
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or by a prominent notice within the application at least 14 days before taking effect. The current version is always available at getarete.eu/privacy.
11. Supervisory authority
You have the right to lodge a complaint with the supervisory authority:
Úřad pro ochranu osobních údajů (UOOU)
Pplk. Sochora 27, 170 00 Praha 7
www.uoou.cz