This Privacy Policy explains how Pilates.Online, operated by Indigo Holdings Limited ("we," "our," "us"), collects, uses, and protects personal information when you interact with our website, mobile applications, and services. By using our services, you agree to the terms outlined here.
1. Information We Collect
1.1 Information You Provide
- Account Information: When you create an account, we collect your name, email address, and password.
- Profile Information: You may provide additional information such as your preferred name, birthday, experience level, and fitness goals.
- Payment Information: Payment details are collected and processed securely by our payment processor, Paddle. We do not store your full payment card details.
- Communications: When you contact us for support or use our direct messaging feature with instructors, we collect the information you provide in your messages.
1.2 Information Collected Automatically
- Device Information: Device type, operating system, and browser type (major version only, to protect your privacy).
- Device Identifier: On our apps, we collect a unique device identifier to prevent abuse of our free trial system and provide account security. This identifier is tied to your device and is used for fraud prevention and account recovery purposes.
- Visitor Identification: When you first visit our website or app, we generate a random identifier stored on your device. This allows us to understand how visitors use our service before creating an account. When you create an account, we link this identifier to your account to provide a seamless experience and understand your complete journey with our service. If you access our service from multiple devices or browsers, we may link these identifiers together once you sign in, creating a unified view of your activity.
- Usage Data: We track detailed usage patterns including video playback behaviour, feature interactions, progress toward goals, and navigation within the app. This data helps us improve our services. For Premium subscribers, your instructor can view your workout history, progress, goals, and contact information to provide personalised guidance and support.
- Location Data: We derive your approximate location (country, region, city) from your IP address for pricing localisation and analytics. On our apps, we also receive your app store country from the platform.
- Fraud Prevention: We collect and store your IP address and device information to prevent abuse of our free trial system and protect against fraudulent activity.
- Marketing Attribution: Referral source and campaign information to understand how you found us.
- Link Tracking: When you click links in our emails or marketing materials, we may use our own link tracking service to understand which content you engage with. This helps us measure marketing effectiveness and send more relevant communications.
1.3 Communications Data
Our Premium subscription includes direct messaging with instructors. When you use this feature:
- Message content is stored to maintain conversation history and provide continuity of instruction
- Messages may be reviewed by our team to ensure quality of instruction and adherence to our guidelines
- Conversation data is retained as part of your account records
1.4 Cookies and Similar Technologies
We use cookies and local storage to:
- Remember your preferences and settings (essential)
- Maintain your session (essential)
- Understand how you use our services (analytics)
- Measure advertising effectiveness (marketing, with your consent)
Essential cookies are necessary for the service to function. Analytics data is collected using a randomly generated identifier and does not personally identify you unless you create an account. Marketing cookies are only used with your consent, obtained through our cookie banner.
1.5 Email Tracking
For marketing and content emails (which you can unsubscribe from at any time), we may track whether you open the email and which links you click. This helps us send more relevant content and measure the effectiveness of our communications. Essential account emails (such as password resets and verification codes) are not tracked in this way.
2. How We Use Your Information
2.1 Service Delivery
- Provide and maintain our Pilates video streaming service
- Process your subscription and payments
- Personalise your experience and content recommendations
- Enable your instructor to provide personalised guidance (Premium subscribers)
- Send transactional emails (account verification, password resets, subscription confirmations)
2.2 Communication
- Respond to your enquiries and provide customer support
- Send service updates and important notices
- Send marketing communications (with your consent, which you can withdraw at any time)
- Send automated message sequences based on your activity (for example, helpful tips during your free trial, or re-engagement messages if you haven't visited in a while). You can opt out of marketing sequences at any time; service-related messages that are part of your subscription cannot be opted out of.
2.3 Improvement and Analytics
- Analyse usage patterns to improve our services
- Understand long-term user patterns and measure service effectiveness
- Troubleshoot technical issues
- Develop new features based on user needs
3. Legal Basis for Processing
We process your personal data based on:
- Contract: Processing necessary to provide services you've requested
- Consent: Marketing communications, marketing cookies, and optional data collection
- Legitimate Interests: Analytics, fraud prevention, service improvement, and protecting our legal rights
- Legal Obligation: Compliance with applicable laws and regulations
4. Information Sharing
4.1 Service Providers
We share information with trusted third parties who help us operate our services:
- Paddle: Our payment processor and merchant of record, handling all subscription payments securely. See Paddle's Privacy Policy.
- Postmark: For transactional emails (account verification, password resets) and marketing communications (with your consent). See Postmark's Privacy Policy.
- IPinfo: For geolocation services to provide localised pricing. See IPinfo's Privacy Policy.
- Cloudflare: For content delivery and secure storage of message attachments. Attachments you send through our messaging feature are encrypted using AES-256 encryption before being transmitted to Cloudflare; Cloudflare cannot access the contents of your attachments. See Cloudflare's Privacy Policy.
4.2 Advertising Partners
If you consent to marketing cookies, we may share data with advertising platforms (such as Meta/Facebook) to measure advertising effectiveness. These services may track your activity across websites. You can withdraw consent for marketing cookies at any time.
4.3 Affiliate Partners
We work with affiliate partners who may refer you to our service. When you arrive via an affiliate link, we track this referral to compensate our partners and provide them with aggregate performance metrics. We do not share your personal details with affiliates without your explicit consent.
4.4 Legal Requirements
We may disclose your information if required by law, legal process, or government request, or to protect our rights, privacy, safety, or property.
4.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
4.6 Third-Party Links
We may link to external websites for your convenience. We don't control these sites, so please review their privacy policies before sharing any personal information with them.
5. International Data Transfers
We are a UAE-based service provider with servers in Australia and a global audience, so your data may be transferred internationally:
- To Australia: Where our servers are located. Australia has an EU adequacy decision and is recognised as providing adequate data protection.
- From UAE: Transfers are made pursuant to UAE PDPL Article 22 on the basis of your explicit consent (provided when you accept these terms), contractual necessity, or implementation of appropriate safeguards.
- From EU/UK: Transfers to Australia are under the adequacy decision. Transfers to UAE are made on the basis of your explicit consent and/or as necessary to perform our contract with you.
We implement appropriate technical and organisational measures to protect your data regardless of location.
6. Data Security
We implement appropriate technical and organisational measures to protect your personal information, including:
- Encryption of data in transit (TLS/HTTPS) and at rest (AES-256)
- Regular security assessments
- Access controls limiting who can access your data
- Secure password hashing
While we strive to protect your information, no method of transmission over the Internet is 100% secure.
7. Data Retention
We retain your data as follows:
- Account Data: For as long as your account is active, plus 30 days after a deletion request to allow recovery.
- Post-Cancellation: After you close your account or your subscription ends, we retain your data for up to 15 years as required to comply with legal obligations, resolve disputes, and enforce our agreements (in accordance with applicable statutes of limitations).
- Anonymisation: After the retention period, data is either securely deleted or anonymised for aggregate analytics purposes (such as understanding long-term trends).
If you request account deletion, we will remove your personal information from active systems within 30 days, while retaining records as described above for legal compliance.
8. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Portability: Request your data in a portable format
- Withdraw Consent: Withdraw consent for marketing communications or marketing cookies at any time
- Object: Object to certain processing of your data
To exercise these rights, contact us at privacy@pilates.online. We respond to all enquiries within 30 days.
9. Children's Privacy
Our content is suitable for all ages, but minors require an adult to create their account and supervise their use of our service. By creating an account for a minor, you represent that you are their parent or guardian and consent to our collection and use of their information as described in this Privacy Policy.
If you believe an account has been created for a child without appropriate parental consent, please contact us at privacy@pilates.online and we will take appropriate action.
10. Do Not Track
When you decline marketing cookies, we do not engage in cross-site tracking. If you accept marketing cookies, we may use third-party services (such as Meta/Facebook) to measure advertising effectiveness. These services may track your activity across websites. You can withdraw consent for marketing cookies at any time through our cookie banner or your browser settings.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by email or through the Service. The "Last Updated" date at the top indicates the most recent revision.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Indigo Holdings Limited
Suite 1006, Tiffany Tower
Jumeirah Lake Towers
Dubai, UAE
Email: privacy@pilates.online
Support: support@pilates.online
Website: pilates.online
13. Regional Information
For United Arab Emirates Residents
We comply with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL). You may exercise your data protection rights by contacting us at privacy@pilates.online.
For European Union and United Kingdom Residents
You have the right to lodge a complaint with your local data protection authority (in the EU) or the Information Commissioner's Office (in the UK) at ico.org.uk.
For California Residents
Under the California Consumer Privacy Act (CCPA), you have the right to know what personal information we collect and to request deletion. We do not sell your personal information.
For Australian Residents
We comply with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth).