LEGAL · RAULVIDAL.EUHOLEŠOVICE · PRAGUE

Privacy
policy.

LAST UPDATED·to be set on the day of publication
IN THIS DOCUMENT+
  1. 01Who processes your data
  2. 02What data, purpose, legal basis, and retention
  3. 2.AWebsite visitors
  4. 2.BMailing list subscribers
  5. 2.CContacts via WhatsApp, email, or others
  6. 2.DClients who contract the service
  7. 2.EPeople who book a first session
  8. 03External processors and recipients
  9. 04Rights of the Data Subject
  10. 05Data security and deletion
  11. 06Cookies, modifications, and final provisions
01

Who processes your personal data

1.1. The Controller of the personal data collected through this website is:

CONTROLLER
Raul Vidal.
PROFESSION
Self-employed natural person (OSVČ), not a VAT payer
IČO
21096520
ADDRESS
Jankovcova 1629/65, 170 00 Praha 7-Holešovice
COUNTRY
Czech Republic
EMAIL
hola@raulvidal.eu
WEBSITE
raulvidal.eu

1.2. The Controller processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter, "GDPR") and with Czech Act No. 110/2019 Coll., on Personal Data Processing.

1.3. The Controller is not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, as its activity does not involve systematic large-scale processing of personal data nor systematic large-scale processing of special categories of data.

1.4. The supervisory authority competent for personal data protection in the Czech Republic is the Úřad pro ochranu osobních údajů (Office for Personal Data Protection; Pplk. Sochora 27, 170 00 Praha 7, uoou.gov.cz), to which the Data Subject has the right to lodge a complaint if they consider that their data is being processed unlawfully.

02

What personal data is processed, for what purpose, on what legal basis, and for how long

2.1. The Controller processes the following categories of personal data depending on the type of relationship the Data Subject has with the Controller.

2.A

Website visitor data

2.2. Data processed:

  • IP address.
  • Browser type and version.
  • Operating system and device type.
  • Browser language.
  • Pages visited, time spent on each page, and traffic source.
  • Aggregated web analytics data via Google Analytics.

2.3. Purpose: ensuring the technical operation of the website, protecting it against attacks or misuse, and obtaining anonymous, aggregated statistics on site usage in order to improve content and user experience.

2.4. Legal basis: the Controller's legitimate interest under Article 6(1)(f) GDPR for the technical operation and security of the website. For Google Analytics and other non-strictly-necessary cookies, the visitor's consent under Article 6(1)(a) GDPR and under Article 5(3) of Directive 2002/58/EC (ePrivacy Directive), as transposed into Czech law by Section 89(3) of Act No. 127/2005 Coll. (the Electronic Communications Act), obtained through the cookie banner.

2.5. Retention period: technical server logs are kept for a maximum of 12 months. Google Analytics data is kept for 14 months from the visitor's last interaction.

2.B

Mailing list subscriber data

2.6. Data processed:

  • Email address.
  • Date and time of subscription.
  • IP address from which the subscription was made.
  • Language of the page from which the subscription was made.
  • Behavioural data on the mailing list: email opens, link clicks, date of last interaction.

2.7. Purpose: to send the subscriber the free material they requested (PDF guide), to send the subsequent welcome email sequence, and, after the welcome sequence ends, a monthly communication with the Controller's own content related to his professional activity as a personal trainer.

2.8. Legal basis: the Data Subject's explicit consent under Article 6(1)(a) GDPR, given by voluntary completion of the subscription form.

2.9. Retention period: until the Data Subject withdraws consent by unsubscribing from the mailing list. Unsubscription can be performed at any time via the link included in every email or by writing to hola@raulvidal.eu. After unsubscription, the data is kept for up to 12 additional months for the sole purpose of demonstrating compliance with the unsubscription request in case of a complaint, and is permanently deleted after that period.

2.C

Data of people who contact via WhatsApp, email, or other messaging channels

2.10. Data processed:

  • Phone number (when contact is made via WhatsApp).
  • Email address (when contact is made by email).
  • First and last name, if the Data Subject provides them.
  • Content of the conversation.

2.11. Purpose: to respond to the Data Subject's enquiry, assess whether the Controller's service fits their needs, and, where applicable, coordinate the booking of a first training session.

2.12. Legal basis: pre-contractual measures taken at the Data Subject's request under Article 6(1)(b) GDPR.

2.13. Retention period: if the conversation does not lead to contracting the service, the data is kept for a maximum of 6 months from the last contact, after which it is deleted. If the conversation leads to contracting, the data is incorporated into category 2.D and kept according to that category's rules.

2.D

Data of clients who contract the personal training service

This category is subdivided according to the type of data and the moment it is collected.

2.D.1. Identification and contact data

2.14. Data processed:

  • First and last name.
  • Date of birth or age.
  • Height and weight at the start of the collaboration.
  • Email address.
  • Phone number.
  • Information on employment situation and level of daily physical activity (sedentary, mixed, or physical).

2.15. Purpose: to identify the client, maintain operational communication regarding the contracted service, and design and adapt the training plan to the client's characteristics and circumstances.

2.16. Legal basis: performance of the service contract between the Controller and the client under Article 6(1)(b) GDPR.

2.17. Retention period: for the entire duration of the collaboration and up to 3 years after it ends, after which the data is deleted, except for data subject to tax retention obligations as detailed in subcategory 2.D.4.

2.D.2. Health data and special categories

2.18. Data processed:

  • Medication and supplements the client takes.
  • Food allergies and intolerances.
  • Current and past injuries.
  • Previous surgeries.
  • Health problems relevant to training.
  • Tobacco and alcohol consumption habits.
  • Any other information on health status the client shares to be taken into account in designing the plan.

2.19. Purpose: to adapt the training plan to the client's particular physical and health conditions, identify possible contraindications for certain exercises, and protect the client's safety during physical activity.

2.20. Legal basis: the Data Subject's explicit consent under Article 9(2)(a) GDPR, given by expressly ticking a specific consent box in the client's initial questionnaire. Without this explicit consent, the Controller cannot provide the training service safely and, consequently, the collaboration cannot begin.

2.21. Retention period: for the entire duration of the collaboration and up to 1 year after it ends, after which the health data is deleted in full. The Data Subject may request early deletion at any time, without this affecting the lawfulness of processing carried out beforehand.

2.D.3. Technical training-tracking data

2.22. Data processed:

  • Records of loads, repetitions, and sets per exercise.
  • Technical progress metrics (ranges, tempos, execution quality).
  • Technical notes on each session.
  • Body measurements (weight, girths) when the client accepts their tracking.

2.23. Purpose: to record the client's technical progression session by session, adjust programming based on objective progress data, and allow client and Controller to evaluate the plan's effectiveness over time.

2.24. Legal basis: performance of the contract under Article 6(1)(b) GDPR.

2.25. Retention period: for the entire duration of the collaboration and up to 3 years after it ends, in Google Sheets under the Controller's account. After that period, the data is deleted.

2.D.4. Billing and accounting data

2.26. Data processed:

  • Client's first and last name, or company name in the case of a legal-entity client.
  • Billing address.
  • Where applicable, the client's IČO and DIČ.
  • Service item billed, amount, and date.

2.27. Purpose: to issue invoices to clients who request them, keep the Controller's income ledger as a self-employed natural person (OSVČ), and comply with tax and social-security reporting obligations arising from the business activity.

2.28. Legal basis: compliance with a legal obligation of the Controller under Article 6(1)(c) GDPR. In particular, Act No. 563/1991 Coll., on Accounting (Zákon o účetnictví), Act No. 586/1992 Coll., on Income Tax (Zákon o daních z příjmů), and other tax and accounting rules applicable to self-employed natural persons in the Czech Republic.

2.29. Retention period: 10 years from the end of the tax period in which the invoice was issued or the income was recorded, in accordance with applicable Czech tax and accounting rules.

2.D.5. Physical progress images

2.30. Data processed:

  • Photographs of the client, usually in underwear or tight sportswear, taken by the client themselves and sent voluntarily to the Controller.

2.31. Purpose: solely and exclusively the Controller's private technical review of the client's physical progress. The images are not shared with third parties, not published on social media, not used in commercial or marketing material, and not viewed by anyone other than the Controller.

2.32. Legal basis: the Data Subject's explicit consent under Article 9(2)(a) GDPR, given through a specific consent form separate from the initial questionnaire. Consent is requested only at the moment the client decides to send images and is independent of the client's other consents with the Controller. The client may withdraw consent at any time, in which case the images are permanently deleted within a maximum of 7 days from receipt of the withdrawal request.

2.33. Retention period: for the entire duration of the collaboration, and up to 60 days after it ends. After that period, the images are deleted in full. The Data Subject may request early deletion at any time. The images are kept in the Controller's private storage (Google Drive under the Controller's Gmail account, with two-factor authentication enabled and a non-shared folder), never on the Controller's mobile device beyond the moment of download.

2.D.6. Operational communication with active clients

2.34. Data processed:

  • Messages exchanged with the client via WhatsApp, email, or other messaging channels.
  • Technical exercise images the client may send for technique review (not in underwear).

2.35. Purpose: operational management of the collaboration, plan adjustment between sessions, resolution of technical queries, and logistical coordination.

2.36. Legal basis: performance of the contract under Article 6(1)(b) GDPR.

2.37. Retention period: for the entire duration of the collaboration and up to 1 year after it ends.

2.E

Data of people who book a first session through a scheduling system

2.38. Data processed, collected through the booking platform Calendly:

  • First and last name.
  • Email address.
  • Time zone.
  • Date and time of the booked appointment.
  • Any additional information the Data Subject voluntarily provides when booking.

2.39. Purpose: to manage the booking, confirm availability, and send the Data Subject practical information about the first session.

2.40. Legal basis: pre-contractual measures taken at the Data Subject's request under Article 6(1)(b) GDPR.

2.41. Retention period: if the booking is cancelled and does not lead to an in-person session, 6 months from the appointment date. If the booking leads to an in-person session and contracting, the data is incorporated into category 2.D as applicable.

2.42. In all cases, personal data is processed solely for the purposes expressly stated in this document. The Controller does not carry out automated decision-making or profiling of the Data Subject within the meaning of Article 22 GDPR.

03

External processors and recipients of the data

3.1. The Controller uses certain services provided by third parties for the operation of the website, the management of communication with Data Subjects and clients, and compliance with accounting obligations. These third parties, to the extent they process personal data on the Controller's behalf, have the status of processors under Article 28 GDPR. The Controller maintains with each of them the contractual relationship required by the GDPR.

3.2. Personal data is not disclosed or transferred to any third party other than the processors listed in this section, unless there is a legal obligation of the Controller to disclose it (for example, to the Tax Administration of the Czech Republic) or the Data Subject's express consent for a specific disclosure.

3.3. The external processors used by the Controller are the following:

3.A. Website technical infrastructure

3.4. Vercel Inc. Hosting and delivery of the raulvidal.eu website.

  • Registered office: United States of America.
  • Data processed: technical data of website visitors (IP address, browser, device, pages visited) described in section 2.A.
  • International transfer: data may be transferred to Vercel servers in the United States. The transfer relies on the standard contractual clauses adopted by the European Commission under Article 46(2)(c) GDPR, as well as on Vercel's certification under the EU-U.S. Data Privacy Framework.
  • Full information: vercel.com/legal/privacy-policy and vercel.com/legal/dpa.

3.5. Hostinger International Ltd. Registrar of the raulvidal.eu domain and provider of the email server for hola@raulvidal.eu and info@raulvidal.eu.

  • Registered office: Republic of Lithuania, European Union.
  • Data processed: the Controller's domain registration data, and email data received at hola@raulvidal.eu and info@raulvidal.eu before being forwarded to the Controller's Gmail account.
  • International transfer: not applicable, data processed within the European Union.
  • Full information: hostinger.com/legal/privacy-policy.

3.B. Communication, storage, and analytics

3.6. Google LLC. The Controller uses the following Google services:

  • Gmail: receiving and sending email from the addresses hola@raulvidal.eu and info@raulvidal.eu, forwarded to the Controller's Gmail account.
  • Google Forms: collection of responses to the client's initial questionnaire (categories 2.D.1 and 2.D.2) and to the progress-image consent form (category 2.D.5), with automatic storage in the Controller's Google Drive.
  • Google Drive and Google Sheets: storage of technical training records, the Controller's income ledger, progress images sent voluntarily by clients as described in section 2.D.5, and responses to the forms mentioned in the previous point. Access to the folders containing this data is protected by two-factor authentication and the folders are not shared with any other account.
  • Google Analytics: aggregated, anonymous measurement of website usage.
  • Registered office: United States of America.
  • Data processed: all those described in categories 2.A, 2.B, 2.D.1, 2.D.2, 2.D.3, 2.D.4, and 2.D.5 depending on the specific service.
  • International transfer: data may be transferred to Google servers in the United States and other global locations. The transfer relies on the standard contractual clauses adopted by the European Commission under Article 46(2)(c) GDPR, as well as on Google's certification under the EU-U.S. Data Privacy Framework.
  • Full information: policies.google.com/privacy and cloud.google.com/terms/data-processing-addendum.

3.7. MailerLite Limited. Platform for managing the Controller's email list, automated sending of the free guide, welcome sequence, and subsequent monthly communication.

  • Registered office: Republic of Ireland, European Union.
  • Data processed: the subscriber's email address, date and time of subscription, behavioural data on the mailing list (opens, clicks, date of last interaction), and language of the page from which they subscribed, as described in section 2.B.
  • International transfer: not applicable, data processed within the European Union.
  • Full information: mailerlite.com/legal/privacy-policy and mailerlite.com/legal/data-processing-agreement.

3.8. Meta Platforms Ireland Limited. Messaging services used by the Controller for communication with prospects and clients:

  • WhatsApp Business: main communication channel with prospects and clients, linked to the Controller's Czech number.
  • Instagram Direct: secondary communication channel with prospects and clients.
  • Registered office of the entity responsible for processing in the European Economic Area: Republic of Ireland, European Union.
  • Data processed: phone number, Instagram username, content of conversations, metadata associated with messages, as described in sections 2.C and 2.D.6.
  • International transfer: Meta may transfer data outside the European Union, in particular to the United States. The transfer relies on the standard contractual clauses adopted by the European Commission under Article 46(2)(c) GDPR, as well as on Meta's certification under the EU-U.S. Data Privacy Framework.
  • Full information: whatsapp.com/legal/business-policy and privacycenter.instagram.com.

3.C. Booking system

3.9. Calendly LLC. Appointment management platform for booking the first session.

  • Registered office: United States of America.
  • Data processed: name, email address, time zone, date and time of the booked appointment, and any additional information voluntarily provided by the Data Subject when booking, as described in section 2.E.
  • International transfer: data may be transferred to Calendly servers in the United States. The transfer relies on the standard contractual clauses adopted by the European Commission under Article 46(2)(c) GDPR, as well as on Calendly's certification under the EU-U.S. Data Privacy Framework.
  • Full information: calendly.com/privacy and calendly.com/dpa.

3.D. Disclosures by legal obligation

3.10. The Controller may disclose personal data to the competent public authorities, in particular to the Tax Administration of the Czech Republic (Finanční úřad) and to the social-security and health-insurance administration, exclusively for compliance with the Controller's legal obligations as a self-employed natural person and always within the limits of applicable tax and social-security rules.

04

Rights of the Data Subject

4.1. Under the GDPR, the Data Subject has the following rights regarding the processing of their data by the Controller. All these rights can be exercised by sending a written request to the Controller at the email address hola@raulvidal.eu, or to the postal address indicated in section 1 of this document.

4.2. Right of access (Article 15 GDPR). The Data Subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning them is being processed and, if so, access to that data and to information on the purposes of processing, the categories of data, the recipients, the envisaged retention period, and the rest of the information provided for in Article 15 GDPR.

4.3. Right to rectification (Article 16 GDPR). The Data Subject has the right to obtain from the Controller, without undue delay, the rectification of inaccurate personal data concerning them, and to have incomplete personal data completed.

4.4. Right to erasure, or "right to be forgotten" (Article 17 GDPR). The Data Subject has the right to obtain from the Controller, without undue delay, the erasure of personal data concerning them, provided one of the circumstances set out in Article 17 GDPR applies. This right may be limited where processing is necessary for compliance with the Controller's legal obligations, in particular the tax and accounting obligations described in section 2.D.4 of this document.

4.5. Right to restriction of processing (Article 18 GDPR). The Data Subject has the right to obtain from the Controller the restriction of processing of their personal data where one of the circumstances set out in Article 18 GDPR applies.

4.6. Right to data portability (Article 20 GDPR). The Data Subject has the right to receive the personal data concerning them that they have provided to the Controller in a structured, commonly used, machine-readable format, and to transmit it to another controller without the Controller hindering this, where processing is based on consent or on the performance of a contract and is carried out by automated means.

4.7. Right to object (Article 21 GDPR). The Data Subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on the Controller's legitimate interest.

4.8. Right to withdraw consent (Article 7(3) GDPR). Where processing is based on the Data Subject's consent, they have the right to withdraw it at any time, without this affecting the lawfulness of processing carried out before the withdrawal. Withdrawal of consent can be exercised, in the case of the email list, via the link included in every email, or in any case by writing to hola@raulvidal.eu.

4.9. Right not to be subject to automated individual decisions (Article 22 GDPR). The Controller does not make automated individual decisions about the Data Subject within the meaning of Article 22 GDPR.

4.10. Right to lodge a complaint with a supervisory authority (Article 77 GDPR). Without prejudice to any other administrative remedy or judicial action, the Data Subject has the right to lodge a complaint with the competent supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement. The competent supervisory authority in the Czech Republic is:

SUPERVISORY AUTHORITY
Úřad pro ochranu osobních údajů
Pplk. Sochora 27, 170 00 Praha 7
uoou.gov.cz

4.11. The Controller will handle requests to exercise the Data Subject's rights without undue delay and, in any event, within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests, in which case the Controller will inform the Data Subject of the extension within the first month.

4.12. Before handling a request to exercise rights, the Controller may ask the Data Subject for reasonable additional information to confirm their identity, where there are well-founded doubts about it. This verification is intended to protect the Data Subject's data against fraudulent requests by third parties.

4.13. The exercise of these rights is free of charge, except where requests are manifestly unfounded or excessive, in particular due to their repetitive character, in which case the Controller may charge a reasonable fee or refuse to act under Article 12(5) GDPR.

05

Data security and deletion

5.1. The Controller applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, under Article 32 GDPR. These measures include, in particular:

  • Access to the accounts and services containing personal data protected by strong passwords and, where available, two-factor authentication.
  • Storage of client images and sensitive data in private Google Drive folders with access restricted to the Controller only.
  • Encryption in transit of communications with the website via the HTTPS protocol.
  • Exclusive use of external processors that offer sufficient guarantees of applying appropriate technical and organisational measures, under Article 28 GDPR, as described in section 3 of this document.
  • Periodic review of processing procedures and tools used to detect and correct possible vulnerabilities.

5.2. No personal data processing system can absolutely guarantee data security against unauthorised access. The Controller undertakes to apply the reasonable measures provided for in the GDPR and to act diligently in the event of a security incident.

5.3. In the event of a personal data breach that may pose a risk to the rights and freedoms of the Data Subject, the Controller will notify the breach to the Úřad pro ochranu osobních údajů without undue delay and, at the latest, within 72 hours of becoming aware of it, under Article 33 GDPR. Where the breach may pose a high risk to the rights and freedoms of the Data Subject, the Controller will also communicate the breach to the affected Data Subject without undue delay, under Article 34 GDPR.

5.4. Personal data is deleted when it is no longer necessary for the purpose for which it was collected, when the applicable retention period detailed in section 2 expires, or when the Data Subject validly exercises their right to erasure, without prejudice to the legal retention obligations on the Controller.

5.5. Deletion of personal data is carried out effectively, which includes deletion of the data from the main system, from active backups within a maximum of 90 days from the main deletion, and the request for deletion to external processors that held the data in their system.

06

Cookies, modifications, and final provisions

6.1. Cookies. The Controller's website uses cookies and similar technologies. Detailed information on the cookies used, their purpose, and the mechanisms for managing consent can be found in the Cookie Policy, accessible at raulvidal.eu/en/cookies.

6.2. Minors. The services provided by the Controller are aimed exclusively at persons over 18 years of age. The Controller does not knowingly collect or process personal data of minors. If the Controller detects that it has received personal data of a minor without parental consent, it will delete it without delay.

6.3. Modifications of the policy. The Controller reserves the right to modify this policy at any time, solely for the purpose of adapting it to regulatory changes, the incorporation of new services or processors, or the improvement of data protection measures. Modifications take effect upon publication on the Controller's website. The date of the last update appears at the beginning of this document.

6.4. Languages of the policy. This policy is available in Spanish, English, and Czech. In case of discrepancy between versions, the Czech version prevails in accordance with Czech law.

6.5. Governing law and jurisdiction. The processing of personal data by the Controller is governed by the GDPR and by Czech Act No. 110/2019 Coll., on Personal Data Processing. The courts competent to hear any dispute arising from the processing are the courts of the Czech Republic.