SwimKit Privacy Policy

1. Who is the data controller?

The data controller is: Edward Baltaza (sole proprietorship), NIP 8212577665, ul. Lindleya 16, 02-013 Warsaw, Poland, contact: edward@swimkit.io.

2. What data do we process?

Depending on how you use the Service, we process:

1. Account data: email, authentication identifiers (e.g., Google), login/security data;
2. Business data entered into the application by the Administrator (instructor/school): names of clients/participants, contact details, lesson schedules, notes, payment entries, packages, reports;
3. Support communication data;
4. Technical data (logs, IP addresses, timestamps) for security and reliability purposes.

3. Purposes and legal bases (Art. 6 GDPR)

We process data when necessary for:

1. Performance of a contract and provision of Services (Art. 6(1)(b) GDPR) - maintaining your Account, providing features, subscription billing, support;
2. Legitimate interests (Art. 6(1)(f) GDPR) - security, fraud prevention, claims enforcement, minimal technical analytics;
3. Legal obligations (Art. 6(1)(c) GDPR) - accounting/tax requirements (e.g., billing documents).

4. GDPR roles: controller vs. processor

1. Regarding User data (account data, payments, support) - SwimKit is the data controller.
2. Regarding client/participant data entered by the instructor/school - in most cases SwimKit acts as a data processor, and the instructor/school is the data controller.

5. Data recipients and sub-processors

We use trusted services:

• Supabase - data storage (EU region);
• Google - authentication, if you choose "Sign in with Google";
• Polar - subscription and payment processing.

We share only the minimum data necessary for these services to function (e.g., authentication identifiers, subscription status).

6. Transfers outside the EEA

According to current infrastructure declarations (Supabase in the EU region), data is stored in the EU. However, some providers (e.g., Google) may involve transfers outside the EEA depending on configuration.

7. Data retention period

1. We retain data for the duration of your Account activity and service provision.
2. After account deletion: we delete or anonymize data within 30 days, except for data required by law (e.g., billing records) and data necessary for security purposes.
3. Backups may persist for a limited technical period.

8. Rights of data subjects

You have the right to: access, rectification, erasure, restriction, objection, data portability, and to lodge a complaint with a supervisory authority (Arts. 15-22 GDPR).

If you are a client/parent/participant whose data was entered by an instructor/school - please contact that school first (they control the data). SwimKit will help redirect your request: edward@swimkit.io.

9. Cookies and similar technologies

1. We use essential cookies for authentication and settings (e.g., language).
2. We do not use advertising or tracking cookies.
3. You can manage cookies in your browser, but disabling essential cookies may affect the Service.

10. Children's data

The Service is intended for instructors/schools, not for children. The Administrator (instructor/school) is responsible for the legal basis and - where required - parental consent for children's data entered into the Service.

11. Policy changes

We may update this Policy for legal or organizational reasons. We will notify you of significant changes within the Service or by email.