Legal

GDPR

Your data rights and how we protect them

Last updated: May 2026

1. Overview

Anviil is committed to full compliance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Swedish Dataskyddslagen (SFS 2018:218). This page is a dedicated reference for your data rights, our lawful bases for processing, and how we handle data protection obligations. It should be read alongside our Privacy Policy.

Who this applies to: GDPR applies to all users whose personal data is processed by Anviil, regardless of where they are located, if they are in the EU/EEA. UK users are covered by UK GDPR. German users are additionally covered by the BDSG. US and Canadian users are covered by our Privacy Policy's US/CA addendum.

2. Data Controller and Processor Roles

Anviil — Controller

Anviil determines the purposes and means of processing personal data in connection with platform accounts, subscriptions, billing, and platform-level communications. Anviil is the data controller for trainer accounts and for any data it processes on its own behalf.

Trainers — Controllers for client data

When a trainer uses Anviil to manage their clients, the trainer independently determines what client data to collect and how to use it (e.g. health notes, session records, goals). The trainer is the data controller for that data. Anviil acts as a data processor on the trainer's behalf, processing client data only as instructed by the trainer through the platform.

Data Processing Agreement (DPA)

The relationship between Anviil (as processor) and trainers (as controllers) for client data is governed by a Data Processing Agreement, incorporated into these terms by reference. The DPA sets out the subject matter, duration, nature, and purpose of processing, the type of personal data and categories of data subjects, and the obligations and rights of the trainer as controller.

Health data note: Client health and training data (measurements, health notes, progress photos, mood logs) constitutes special category data under GDPR Article 9. Both the trainer (as controller) and Anviil (as processor) apply heightened safeguards to this data. Trainers must ensure they have a valid Art. 9(2) basis — typically explicit consent — before recording health data about a client.

3. Lawful Bases for Processing

Every processing activity carried out by Anviil is tied to a documented lawful basis under GDPR Article 6. The primary bases are:

Contract (Art. 6(1)(b))

Account creation and management
Subscription billing and payment processing
Delivering platform features (workout plans, booking, chat)
Sending transactional emails (confirmations, receipts, password resets)
Stripe Connect onboarding for trainers

Legal obligation (Art. 6(1)(c))

Retaining financial records for 7 years (Bokföringslagen SFS 1999:1078)
Responding to lawful requests from Swedish or EU authorities
Data breach notification obligations (GDPR Art. 33–34)

Legitimate interests (Art. 6(1)(f))

Fraud detection and abuse prevention
Platform security monitoring and incident response
Aggregated, anonymised analytics for platform improvement
Service-related communications (not marketing)

For each legitimate interest we conduct a balancing test to ensure our interests do not override your rights and freedoms. You may request details of any specific balancing test by contacting privacy@anviil.se.

Consent (Art. 6(1)(a) and Art. 9(2)(a))

Marketing emails and promotional communications
Processing of health and special category data (client onboarding consent)
Any optional features where consent is explicitly requested

You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

4. Your Rights

As a data subject under GDPR, you have the following rights. We respond to all verified requests within 30 days. Where a request is complex or numerous, we may extend this by a further two months and will notify you accordingly.

Right	Article	What it means	How to exercise	Deadline
Access	Art. 15	Obtain a copy of all personal data we hold about you, along with information about how and why we process it.	Email privacy@anviil.se — subject: "GDPR Access Request"	30 days
Rectification	Art. 16	Have inaccurate or incomplete personal data corrected without undue delay.	Update in account settings, or email privacy@anviil.se	30 days
Erasure	Art. 17	Have your personal data deleted where it is no longer necessary, consent is withdrawn, or processing is unlawful. Subject to legal retention obligations.	Account settings › Delete account, or email privacy@anviil.se	30 days
Restriction	Art. 18	Restrict processing of your data while accuracy is contested, processing is unlawful, or you have objected to processing.	Email privacy@anviil.se	30 days
Portability	Art. 20	Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV) and transmit it to another controller.	Account settings › Export data, or email privacy@anviil.se	30 days
Object	Art. 21	Object to processing based on legitimate interests or for direct marketing. For direct marketing objections, processing stops immediately.	Email privacy@anviil.se — subject: "GDPR Objection"	Immediately for marketing; 30 days otherwise
Withdraw consent	Art. 7(3)	Withdraw consent at any time where processing is consent-based (e.g. health data, marketing). Does not affect prior lawful processing.	Account settings, or email privacy@anviil.se	Without undue delay
Complaint	Art. 77	Lodge a complaint with a supervisory authority without prejudice to any other legal remedy.	Contact IMY (SE), ICO (UK), or your local DPA	No fixed deadline

Identity verification: To protect your data, we may ask you to verify your identity before processing a rights request. We will not use verification information for any other purpose.

5. International Data Transfers

Anviil is based in Sweden (EU/EEA). Some of our processors operate outside the EU/EEA — principally Stripe (US) and Amazon Web Services (US, with EU region storage). All transfers outside the EU/EEA are conducted under one of the following safeguards:

Standard Contractual Clauses (SCCs)

European Commission-approved clauses incorporated into our data processing agreements with sub-processors (Stripe, AWS).

Adequacy decisions

Transfers to countries with a European Commission adequacy decision are permitted without additional safeguards.

UK transfers

Transfers to the UK are covered by the EU-UK adequacy decision. UK user data transferred to Sweden is covered by the UK's own adequacy framework for EEA transfers.

A copy of the relevant SCCs or transfer mechanism for any specific processor is available upon request at privacy@anviil.se.

6. Sub-processors

Anviil uses the following sub-processors to deliver the platform. All sub-processors are bound by data processing agreements and required to implement appropriate technical and organisational security measures:

Stripe, Inc. (US)

Payment processing, subscription billing, Stripe Connect payouts. Stripe acts as an independent controller for payment data and as a processor for platform-instructed operations.

Amazon Web Services, Inc. (US)

Cloud infrastructure, file storage (S3 — EU region), email delivery (SES). AWS processes data under SCCs with EU region storage configured.

We will notify you of any material changes to our sub-processor list by updating this page and, for significant additions, by email notification with 30 days advance notice.

7. Data Retention Schedule

Active account data

Retained for the lifetime of the account.

Account closure

Personal data deleted within 30 days of account closure. A grace period allows data export before deletion.

Financial and billing records

Retained for 7 years from the date of transaction (Bokföringslagen SFS 1999:1078).

Suspended accounts

Data retained for 30 days post-suspension. If payment is resolved, access is restored. Otherwise data is deleted.

Health and special category data

Deleted within 30 days of account closure or earlier if the trainer-client relationship ends, unless the trainer's own legal obligations require longer retention.

Security logs

IP addresses and access logs retained for 90 days for fraud and abuse detection, then deleted.

Anonymised analytics

Aggregated and anonymised data is not subject to retention limits as it no longer constitutes personal data.

8. Security Measures

Anviil implements appropriate technical and organisational measures (TOMs) as required by GDPR Article 32:

Technical measures

TLS encryption for all data in transit
AES-256 encryption for data at rest
httpOnly, Secure, and SameSite=Lax cookie attributes for authentication tokens
JWT-based authentication with short-lived access tokens (15 min) and rotating refresh tokens (30 days)
Role-based access control — trainers cannot access other trainers' client data
Presigned S3 URLs for secure, time-limited file access
Input validation and parameterised queries to prevent injection attacks

Organisational measures

Access to personal data limited to personnel who require it to perform their role
Regular security reviews of infrastructure and dependencies
Incident response plan covering detection, containment, notification, and post-incident review
Sub-processor vetting and contractual security obligations

9. Data Breach Procedure

In the event of a personal data breach, Anviil will:

Assess the breach within 24 hours of detection
Notify Integritetsskyddsmyndigheten (IMY) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms (GDPR Art. 33)
Notify affected individuals without undue delay if the breach is likely to result in a high risk (GDPR Art. 34)
Notify the ICO (for UK users) and relevant German DPA (for German users) concurrently or as required by applicable law
Document all breaches in an internal breach register regardless of whether notification is required

If you suspect unauthorised access to your account or a potential breach involving your data, contact us immediately at privacy@anviil.se with the subject line "Security Incident".

10. Supervisory Authorities

Under the GDPR one-stop-shop mechanism, Anviil's lead supervisory authority is:

Integritetsskyddsmyndigheten (IMY) — Sweden (Lead SA)

Box 8114, 104 20 Stockholm · www.imy.se · imy@imy.se

Information Commissioner's Office (ICO) — United Kingdom

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF · www.ico.org.uk

Bundesbeauftragte für den Datenschutz (BfDI) — Germany (Federal)

Graurheindorfer Str. 153, 53117 Bonn · www.bfdi.bund.de

German users may alternatively contact the data protection authority of their federal state (Bundesland). You always have the right to lodge a complaint with the supervisory authority in your country of residence, regardless of where Anviil is established.

11. Contact and Requests

Anviil

Email: privacy@anviil.se

Subject: "GDPR Request"

Lead supervisory authority

Integritetsskyddsmyndigheten (IMY) · www.imy.se

When contacting us about a data rights request, please include your full name, the email address associated with your account, and a description of your request. We may ask for additional information to verify your identity before processing the request.