Effective · 2026-04-30
Privacy Policy
This document describes which personal data we collect through the Melveo app and website, for what purposes, how long we retain it, and what your rights are. It is based on Regulation (EU) 2016/679 (GDPR), Czech Act No. 110/2019 Coll., and related Czech legislation.
1. Operator and Data Controller
The data controller within the meaning of GDPR Art. 4(7) is:
QUIX Global s.r.o.
Company ID (IČO): 22466444
Registered office: Příčná 1892/4, Nové Město, 110 00 Prague 1, Czech Republic
Data box (datová schránka): g7v78rx
Commercial Register: file C 416432, Municipal Court in Prague
Contact: hello@melveo.app
Given the size and nature of processing, the controller is not required to appoint a Data Protection Officer (DPO) under GDPR Art. 37. All data-related communication goes via the contact email above.
2. Definitions
- App — Melveo mobile application for iOS/iPadOS.
- Website — melveo.app.
- Club — sports organization that has entered a licence agreement.
- Player — natural person invited by a club into a team; user of the app.
- Coach / staff — natural person authorized by the club to manage the team.
- Wellness check-in — daily self-rating (energy, sleep, soreness, mood, motivation) on a 1–5 scale.
3. What personal data we process
3.1. Identifiers
- First and last name
- Email address
- User identifier (UUID generated by the system)
- Club role (player / coach / manager / club admin / club owner)
- Optional: profile photo, locale (cs/en)
3.2. Sport activity data
- Wellness check-ins — five numeric values 1–5 with timestamp
- Optional pain notes; player-private notes
- Attendance at training sessions
- Subjective perceived load (RPE) on a 1–10 scale post-session
3.3. Device and sensor data (optional, only with consent)
- Apple Health: only the values the player explicitly shares from iOS Health
- Polar (optional): heart rate during training
3.4. Operational and technical data
- Login time, IP address (processed only for fraud detection, retained max 30 days)
- Device identifier (for push notifications)
- Anonymized crash logs
3.5. Payment data (clubs only)
- Club billing details (name, IČO/VAT, address)
- Stripe Customer ID (we never process card data — handled entirely by Stripe Inc.)
3.6. Cookies and similar technologies
- Necessary cookies (required for site function)
- Analytics cookies — only with explicit consent (Google Analytics)
- Marketing cookies — only with explicit consent (Meta Pixel)
Details under "Cookie settings" in the page footer.
4. Purpose of processing and legal basis (GDPR Art. 6)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the service | Contract performance — Art. 6(1)(b) |
| User communication and support | Legitimate interest — Art. 6(1)(f) |
| Statutory obligations (accounting) | Legal obligation — Art. 6(1)(c) |
| Analytics and product improvement | Consent — Art. 6(1)(a) |
| Marketing communication | Consent — Art. 6(1)(a) |
| Apple Health / Polar integration | Consent — Art. 6(1)(a) + Art. 9(2)(a) |
5. Data aggregation principle (privacy by design)
Coaches and club leadership never see raw wellness data of individual players. They see only aggregates (averages, submission counts, warning flags) for the entire team. These rules are encoded in our internal contract "doc 174 §3" and enforced at the database level (RLS policies and SECURITY DEFINER RPC functions).
A player has access only to their own data. A club has access to aggregated reports for its teams.
6. Retention
- Identifiers: for the duration of the account + 1 year after deletion (for handling potential disputes)
- Wellness check-ins and sports data: for the duration of club membership + 1 year
- Accounting and billing data: 10 years per Czech VAT Act No. 235/2004 Coll. and Accounting Act No. 563/1991 Coll.
- Operational data (IP, crash logs): max 30 days
- Analytics cookies: per the tool's setting (Google Analytics: 14 months, Meta Pixel: 90 days)
7. Recipients and processors
| Processor | Purpose | Jurisdiction |
|---|---|---|
| Supabase (self-hosted in EU) | Database, authentication | EU |
| Stripe Payments Europe Ltd. | Club payments processing | EU/Ireland |
| Resend, Inc. | Transactional email | USA — Standard Contractual Clauses |
| Cloudflare, Inc. | CDN, DDoS protection, web analytics | EU/USA — DPF |
| Apple Inc. | App Store, push notifications, App Privacy | USA — DPF |
| Google LLC (after consent) | Web traffic analytics | USA — DPF |
| Meta Platforms, Inc. (after consent) | Advertising pixel | USA — DPF |
8. International transfers
Some processors are based outside the EU. In those cases, transfers are secured by:
- European Commission adequacy decision (Data Privacy Framework)
- or Standard Contractual Clauses (SCCs) under GDPR Art. 46
9. Your rights (GDPR Art. 15-22)
As a data subject you have the right:
- To access — see what data we process about you. In the app under "Account → Download my data" you can export a JSON with your full history at any time.
- To rectification — to have incorrect data corrected.
- To erasure ("right to be forgotten") — in the app under "Account → Delete account". Deletion is irreversible and removes all your data except records we must keep for legal reasons (accounting).
- To restriction of processing — write to hello@melveo.app.
- To data portability — JSON export provides a machine-readable format.
- To object to processing based on legitimate interest.
- To withdraw consent at any time, without affecting the lawfulness of processing before withdrawal. For analytics / marketing cookies, use the footer link "Cookie settings".
- To file a complaint with the supervisory authority:
Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
www.uoou.cz
10. Children under 15
Many youth clubs include players under 15. In accordance with §11 of Czech Act No. 110/2019 Coll., we process personal data of such players only with the explicit consent of their legal guardian. The club is responsible for obtaining this consent before inviting a player into the app.
11. Security
We implement reasonable technical and organizational measures:
- Transport encryption (TLS 1.3)
- Data-at-rest encryption (PostgreSQL)
- Row-Level Security policies for per-user isolation
- Regular backups with integrity verification
- Access logging for sensitive data
- Two-factor authentication for developer access
12. Changes to this policy
We may update this policy. For substantive changes, existing users will be notified by email at least 30 days before they take effect. Version and effective date are shown at the top.
13. Contact
Send all inquiries about personal data processing, requests to exercise your rights, or complaints to:
hello@melveo.app
Data box: g7v78rx
We respond without undue delay, no later than 30 days from receipt.
This document is the operator's own draft based on applicable legislation. For enterprise contracts and complex processing, we recommend a legal review. The Czech version is authoritative in case of disputes (jurisdiction CZ).