GDPR Compliance

SkyFlight d.o.o. is committed to protecting your personal data and respecting your privacy rights in accordance with the General Data Protection Regulation (GDPR).

Data Controller and Processor

SkyFlight d.o.o. (FiTepAI) acts as a data processor for the client/patient data that professional organizations enter into the platform. Those professional organizations (physiotherapists, kinesiologists, personal trainers, gyms, sports centers, clinics) are the data controllers responsible for the personal data they collect and enter. FiTepAI is the data controller only for platform operation data (professional accounts, AI analysis results, usage data).

Data We Collect

We collect and process the following types of personal data:

  • Personal identification information for clients (name, email)
  • Health data related to physiotherapy exercises and rehabilitation
  • Usage data and analytics from mobile application and web platform
  • Heart rate and health metrics from connected smartwatches (Diamond package only)

Legal Basis for Processing

We process your data based on:

  • Your explicit consent for processing health data
  • Performance of contract for providing physiotherapy services
  • Legitimate interests in improving our AI algorithms
  • Legal obligations for maintaining medical records

Your Rights

Under GDPR, you have the following rights:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ('right to be forgotten')
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent at any time (withdrawal does not affect the lawfulness of processing carried out before it)
  • Right to lodge a complaint with a supervisory authority (in Croatia, the Personal Data Protection Agency, AZOP)

Data Security

We implement appropriate technical and organizational measures including:

  • End-to-end encryption for all health data
  • Regular security audits and penetration testing
  • Access controls and authentication protocols
  • Secure data centers within the EU
  • Employee training on data protection

Data Retention

FiTepAI retains the platform data for which it is the data controller for the following periods; professional organizations using our platform set the retention policies for the client/patient data they enter:

  • Professional account information: Retained while account is active, deleted within 30 days after account closure.
  • AI movement analysis data: Retained for the duration of the active treatment period.
  • Device and usage data: Up to 24 months, then anonymized or deleted.
  • Billing records: Minimum 5 years as required by Croatian law.
  • Client/patient data entered by professionals: Retention period determined by the professional organization (data controller). Healthcare regulations may require minimum retention (typically 10 years for medical records in Croatia).
  • Free user data: Stored locally on device only, not transmitted to FiTepAI.

International Transfers

All personal data is stored and processed within the European Union. Should a transfer outside the EU/EEA ever become necessary, it will take place only with appropriate safeguards under Chapter V of the GDPR.

Contact Data Protection Officer

For all questions regarding your data protection rights, contact our DPO at: legal@fitep.eu