Anviil logoAnviil

Legal

Privacy Policy

Last updated: May 2026

1. Introduction

Anviil ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Anviil platform, in accordance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Swedish Dataskyddslagen (SFS 2018:218).

Anviil is the data controller for personal data processed in connection with your use of the platform. Where a trainer processes client data through the platform, the trainer acts as a data controller and Anviil acts as a data processor on their behalf.

2. Data Controller

Anviil

Email: privacy@anviil.se

For GDPR inquiries, use the subject line “GDPR Request”.

3. What Personal Data We Collect

Trainers

  • Account information: name, email address, phone number, business name
  • Professional information: bio, specialties, certifications
  • Profile photo (if uploaded)
  • Billing information: processed and stored by Stripe — we do not store full card numbers
  • Stripe Connect data: payout account details managed via Stripe
  • Usage data: login timestamps, feature usage, IP address

Clients

  • Account information: name, email address, phone number, date of birth
  • Health and training data: goals, health notes, workout logs, measurements, progress photos, mood and energy ratings, journal entries
  • Booking history and session notes
  • Payment history for services paid to trainers
  • Messages exchanged with trainers via in-app chat
  • Usage data: login timestamps, app activity, IP address

Automatically collected data

  • Device and browser information
  • IP addresses and approximate location
  • Cookies and similar tracking technologies (see Section 9)

4. Legal Bases for Processing

We process personal data on the following legal bases under GDPR Article 6:

Contract (Art. 6(1)(b))
Processing necessary to provide the services described in our Terms of Service, including account management, payment processing, and service delivery.
Legal obligation (Art. 6(1)(c))
Processing required to comply with Swedish and EU law, including accounting obligations under Bokföringslagen.
Legitimate interests (Art. 6(1)(f))
Security monitoring, fraud prevention, platform improvement, and service-related communications.
Consent (Art. 6(1)(a))
Marketing communications and optional features where consent is requested.
For special category data (health data, GDPR Art. 9), we process this data on the basis of your explicit consent (Art. 9(2)(a)) or, where applicable, for the purposes of preventive or occupational medicine (Art. 9(2)(h)).

5. How We Use Your Data

  • To create and manage your account
  • To provide, maintain, and improve the platform
  • To process payments and manage billing
  • To enable communication between trainers and clients
  • To send transactional emails (account verification, booking confirmations, payment receipts)
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations
  • To send marketing communications (with your consent, which you may withdraw at any time)

6. Data Sharing and Third Parties

Stripe, Inc.
Payment processing and Stripe Connect. Stripe is an independent data controller for payment data.
Amazon Web Services
Cloud infrastructure and file storage (S3). Data is stored in the EU region.
AWS SES
Sending transactional and notification emails.
Trainers
Trainers can view and process personal and health data of their own clients. Trainers are independent data controllers for this data.

We do not sell your personal data to third parties. We do not share your data with advertisers. Where we transfer data outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs).

7. Data Retention

Active accounts
Data is retained for the duration of your account.
Deleted accounts
Data is deleted within 30 days of account closure, except where required by law.
Financial records
Transaction and billing records are retained for 7 years (Bokföringslagen, SFS 1999:1078).
Suspended accounts
Data is retained for 30 days after suspension before deletion.
Health data
Retained only as long as the client relationship is active, or as required by the trainer's legal obligations.

8. Your Rights Under GDPR

Access (Art. 15)
Request a copy of the personal data we hold about you.
Rectification (Art. 16)
Request correction of inaccurate or incomplete data.
Erasure (Art. 17)
Request deletion of your personal data, subject to legal retention obligations.
Restriction (Art. 18)
Request that we limit how we use your data in certain circumstances.
Portability (Art. 20)
Receive your personal data in a structured, machine-readable format.
Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing.
Withdraw consent
Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@anviil.se. We will respond within 30 days. You also have the right to lodge a complaint with Integritetsskyddsmyndigheten (IMY) at www.imy.se.

9. Cookies

Strictly necessary
Authentication tokens stored as httpOnly cookies. Essential for the platform to function and cannot be disabled.
Functional
Used to remember your preferences such as language and region settings.

We do not use advertising or tracking cookies. We do not use third-party analytics services that track you across websites.

10. Health Data and Special Category Data

The platform enables trainers to record health-related information about clients (e.g., measurements, health notes, progress photos). This constitutes special category data under GDPR Article 9.

Clients provide explicit consent to this processing during onboarding. You may withdraw this consent at any time by contacting your trainer or Anviil support. Withdrawal does not affect the lawfulness of prior processing.

11. Security

  • Encryption of data in transit (TLS) and at rest (AES-256)
  • httpOnly, Secure, and SameSite cookie attributes for authentication tokens
  • Role-based access controls
  • Regular security reviews

In the event of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay (GDPR Articles 33-34).

12. Children

The platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@anviil.se.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notification. The updated policy will indicate the date it was last revised. Continued use of the platform after the effective date constitutes acknowledgement of the updated policy.

14. United Kingdom Addendum

This addendum applies to users based in the United Kingdom and supplements the main Privacy Policy above.

The processing of personal data of UK users is governed by the UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018. Your rights under Section 8 above apply equally under UK GDPR.

The relevant supervisory authority for UK users is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, tel: 0303 123 1113, www.ico.org.uk. You have the right to lodge a complaint with the ICO at any time.

International transfers: Personal data of UK users may be transferred to Sweden (Anviil) and to other countries where our processors operate (e.g., US-based AWS and Stripe). Such transfers are made under the UK's International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses, as appropriate.

UK users may exercise their data rights by contacting privacy@anviil.se with the subject line "UK GDPR Request". We will respond within one calendar month.

15. Germany Addendum (Deutschland-Datenschutzergänzung)

This addendum applies to users based in Germany and supplements the main Privacy Policy above.

In addition to GDPR, the processing of personal data of German users is subject to the Bundesdatenschutzgesetz (BDSG). Where BDSG provides stricter or supplementary rules (e.g., regarding employee data, Section 26 BDSG), those rules apply.

Aufsichtsbehörde (Supervisory Authority): German users may lodge complaints with the competent German data protection supervisory authority (Datenschutzbehörde) of the federal state (Bundesland) in which they reside, or with the Swedish IMY as the lead supervisory authority for Anviil under the GDPR one-stop-shop mechanism.

German users have the right to object to the processing of their personal data for direct marketing purposes at any time (Art. 21 GDPR, § 1 Abs. 4 BDSG). Upon such objection, we will cease processing for that purpose without delay.

Where we process personal data on the basis of legitimate interests (Art. 6(1)(f) GDPR), German users may request information about the specific legitimate interests pursued by contacting privacy@anviil.se.

Health data processed on the platform constitutes sensitive data under both GDPR Art. 9 and § 22 BDSG. We apply appropriate technical and organisational measures as required by § 22 Abs. 2 BDSG.

16. United States and Canada Addendum

This addendum applies to users based in the United States or Canada and supplements the main Privacy Policy above.

We do not sell your personal information, share it for cross-context behavioural advertising, or use it for targeted advertising. This applies to all US users regardless of state of residence.

California residents (CCPA/CPRA): You have the right to know what personal information we collect about you, the right to delete it, the right to correct it, the right to opt out of sale or sharing (we do neither), and the right to non-discrimination for exercising these rights. To submit a verifiable consumer request, contact privacy@anviil.se with the subject line "CCPA Request". We will respond within 45 days.

Residents of other US states with comprehensive privacy laws (including but not limited to Virginia, Colorado, Connecticut, Texas, and Washington) have similar rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising and profiling. Contact us at privacy@anviil.se to exercise these rights.

Canadian users: The collection, use, and disclosure of your personal data is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation (including Quebec Law 25). You have the right to access the personal data we hold about you and to request corrections. To exercise these rights, contact privacy@anviil.se with the subject line "PIPEDA Request".

Quebec residents: In accordance with Quebec Law 25 (Law 25), you have additional rights including the right to data portability and the right to request anonymisation of your data. Anviil's Privacy Impact Assessment (PIA) is available upon request for high-risk processing activities.

Data transfers: Personal data of US and Canadian users is transferred to and processed in Sweden and the EU. These transfers are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission. By using the platform, you consent to this transfer.

17. Contact

Anviil

Email: privacy@anviil.se

Swedish supervisory authority

Integritetsskyddsmyndigheten (IMY) · www.imy.se