
Privacy Policy – Vala
Last updated: 1.12.2025
This Privacy Policy explains how ATAO d.o.o. (“ATAO”, “we”, “us”, “our”) collects, uses, and protects your personal data when you use Vala, our mobile application and related services (“Vala” or the “Service”).
ATAO d.o.o. is the controller of your personal data:
ATAO d.o.o.
Savska cesta 41, 10000 Zagreb, Croatia
Corporate/Tax ID: 39263597256
Email: martin.kandus@gmail.com
We are subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Croatian data protection laws.
By using Vala, you acknowledge that you have read this Privacy Policy.
1. What data we collect
Depending on how you use Vala and the current development stage of the product, we may collect the following categories of data:
1.1 Account and contact data
- Name (if provided)
- Email address
- Communication content (emails, feedback, survey responses)
1.2 Device and technical data
- Device type, operating system, app version
- IP address, approximate region
- Log files and crash reports
1.3 Health, activity, and biometric data
If you choose to connect Vala with your wearable or platform-specific health app (e.g. Apple Health), we may receive:
- Heart rate, heart rate variability (HRV)
- Activity metrics (steps, workouts, training load, strain, etc.)
- Sleep-related information (sleep duration, stages, timing, etc.)
- Other health- or performance-related metrics exposed via your wearable or health platform integration
This data is special category data under GDPR (health data). We only process it with your explicit consent.
1.4 Usage and interaction data
- How you use the app (features used, screens visited, time spent)
- In-app settings, preferences
- Responses to in-app questionnaires or feedback requests
1.5 Subscription and transactional data (when applicable)
- Subscription tier, status, renewal dates
- Limited payment metadata (e.g. transaction ID, masked details) from app stores or payment processors
We do not store your full payment card details; these are handled by the relevant app store or payment provider.
2. How we use your data and legal bases
We process your personal data for the following purposes and under these legal bases:
2.1 To provide and operate Vala
- To connect with your wearable and health platforms at your request
- To process your physiological and activity data and generate nutrient-related insights
- To maintain and secure the Service, troubleshoot, and provide support
Legal basis:
- Performance of a contract (Art. 6(1)(b) GDPR)
- Explicit consent (Art. 9(2)(a) GDPR for health data)
2.2 To improve and develop Vala
- To analyze app usage and performance
- To refine and test our inference-based algorithms and features
- To run analytics through third-party tools such as Firebase
Legal basis:
- Legitimate interests in improving and developing our services (Art. 6(1)(f) GDPR), balanced against your rights
- Explicit consent for health data (Art. 9(2)(a) GDPR)
Where possible, we use aggregated or pseudonymized data for these purposes.
2.3 To communicate with you
- To respond to your questions, feedback, or support requests
- To invite you to participate in research, interviews, or early-access testing
- To send you important updates about Vala
Legal basis:
- Performance of a contract (Art. 6(1)(b) GDPR)
- Legitimate interests in communicating with users and prospects (Art. 6(1)(f) GDPR)
For any marketing-style communications not strictly necessary to run the service, we will rely on your consent where required by law.
2.4 To comply with legal obligations
- To comply with accounting, tax, and regulatory requirements
- To respond to lawful requests from authorities
Legal basis:
- Legal obligation (Art. 6(1)(c) GDPR)
3. Data sharing and processors
We do not sell your personal data.
We may share your data with:
- Service providers / processors, such as:
  - Cloud hosting providers
  - Analytics providers (e.g. Firebase)
  - Email and communication tools
- Professional advisors (legal, accounting) under confidentiality obligations
- Authorities, where required by law or to protect our legal rights
These parties only process personal data on our behalf and according to our instructions (data processing agreements in place where required).
4. International data transfers
Some service providers (e.g., Firebase/Google) may be located outside the European Economic Area (EEA). When personal data is transferred outside the EEA, we will ensure an appropriate level of protection, for example by:
- Using countries with an adequacy decision from the European Commission, or
- Implementing Standard Contractual Clauses (SCCs) or equivalent safeguards.
5. Data retention
We retain personal data only for as long as necessary for the purposes described above, in particular:
- Account and profile data: for the duration of your account and a reasonable period thereafter (e.g. to handle complaints or legal obligations).
- Health and activity data: for as long as your account is active or until you withdraw consent or delete your data.
- Analytics and logs: for a limited period necessary for security, performance, and improvements (subject to internal policies).
- Legal records: for statutory retention periods required under Croatian and EU law.
When data is no longer needed, we will delete or irreversibly anonymize it.
6. Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access – to know whether we process your data and obtain a copy.
- Right to rectification – to correct inaccurate or incomplete data.
- Right to erasure – to request deletion of your data in certain circumstances.
- Right to restriction of processing – to limit processing under specific conditions.
- Right to data portability – to receive your data in a structured, machine-readable format and transmit it to another controller, where technically feasible.
- Right to object – to object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent – where processing is based on consent (especially for health data), you can withdraw it at any time; this will not affect the lawfulness of processing before withdrawal.
To exercise these rights, contact us at martin.kandus@gmail.com.
You also have the right to lodge a complaint with your local supervisory authority. In Croatia, this is:
Croatian Personal Data Protection Agency (AZOP).
7. Children and minors
Vala is intended for users aged 18 and over.
We do not knowingly collect personal data from persons under 18. If we become aware that we have collected data from a minor, we will delete it as soon as reasonably possible.
8. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, or alteration. No system is completely secure, but we aim to keep risks proportionate and reasonable given the nature of the data and our stage of development.
9. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be indicated by a “Last updated” date. Where changes are material, we will take reasonable steps to inform you (e.g., in-app notice or email).
10. Contact
For any questions, data access requests, or privacy-related concerns, contact us at:
Email: martin.kandus@gmail.com
Post: ATAO d.o.o., Savska cesta 41, 10000 Zagreb, Croatia
