PRIVACY POLICY AND PERSONAL DATA PROCESSING POLICY
Adoption date: March 13, 2026
Last updated: March 13, 2026
1. General provisions
This Privacy Policy and Personal Data Processing Policy (hereinafter — the “Policy”) defines the procedure for processing and protecting personal data collected by LLC “Madness” (hereinafter — the “Operator” or “We”) when using the Unlete web platform, including mobile applications and the website https://unlete.com (hereinafter — the “Platform”).
The Policy has been developed in accordance with Federal Law dated 27.07.2006 No. 152-FZ “On Personal Data” (FZ-152), Resolution of the Government of the Russian Federation dated 01.11.2012 No. 1119, Order of FSTEC of Russia dated 18.02.2013 No. 21, Order of the FSB of Russia dated 10.07.2014 No. 378, Law 420-FZ (on database localization), as well as in accordance with the General Data Protection Regulation of the European Union (GDPR) when working with users from the European Union.
The Policy applies to all users: coaches and athletes.
We have created this Privacy Policy in order to explain:
- what personal data we collect;
- why and on what grounds we process it;
- with whom we share data and how we protect it;
- how long we store data;
- what rights you have and how you can exercise them.
By using the Platform, you confirm that you have read and agree with this Policy.
At present, cross-border transfer of personal data to countries that are not members of the European Union or the European Economic Area is not carried out: all databases containing personal data of citizens of the Russian Federation are located in data centers within the territory of Russia. The Operator does not use foreign services for storage or processing of personal data and strives for local data processing.
If in the future it becomes necessary to transfer data outside Russia, such transfer will be carried out only if there are legal grounds and in strict compliance with Federal Law No. 152-FZ, GDPR and other applicable acts, using mechanisms provided for by legal acts (for example, standard contractual clauses), and with mandatory ensuring of an adequate level of data protection.
1.1. Our approach to privacy
We create services for achieving sports goals while maintaining your trust. Information about you is necessary for the operation of the platform, but we are guided by the principles of “privacy by default”. This means:
- Transparency: the Policy is written in clear language and explains what data we collect, why it is needed and how you can manage it. We regularly inform users about changes.
- Minimization: we collect only the data necessary for providing the service and do not process excessive information (we do not request social security numbers, passport data, full contact lists or other sensitive information; storage of search queries and related information is not linked to IP addresses).
- No marketing tracking: we do not transfer your data to third-party marketing companies and do not use third-party advertising trackers; data is used only to ensure the functioning of the Platform and development of the service.
- Control: the user has access to privacy settings where they can independently manage which training metrics are visible to other Users. We provide tools for viewing, downloading and deleting your data.
- Protection and local processing: to the maximum extent possible, calculations of training indicators and recommendations are performed locally on the user’s device. We use cryptographic technologies to protect data during transmission and storage. Aggregated and anonymized data is used for analytics and improvement of algorithms, but it does not allow identification of a specific user.
1.2. Terms and definitions
The following basic concepts are used in this Policy, formulated in accordance with Federal Law No. 152-FZ and other regulatory acts:
- Personal data (PD) — any information relating directly or indirectly to an identified or identifiable individual (data subject), including information about surname, first name, patronymic, date of birth, contact details, as well as other information allowing identification of a person.
- Personal data subject — an individual to whom personal data relates.
- Operator — a legal entity or individual who independently or jointly with others organizes and/or carries out processing of personal data, and also determines the purposes and composition of processed data and the actions performed with them.
- Processing of personal data — any action (operation) or set of actions performed using automation tools or without them, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion and destruction of personal data.
- Automated processing of personal data — processing of personal data using computer technology.
- Anonymization (de-identification) of personal data — actions as a result of which it becomes impossible, without the use of additional information, to determine the affiliation of personal data to a specific subject.
- Special categories of personal data — information relating to racial or national origin, political views, religious or philosophical beliefs, health condition, intimate life, as well as biometric personal data. Such data is processed only with separate written consent and in cases directly provided by law.
- Consent of the personal data subject — a freely given, specific, informed and unambiguous expression of the will of the personal data subject to process their personal data, expressed in electronic or written form.
- Cookies — small text files stored on the user’s device that contain data about settings and actions on the website and are used to ensure operation of the website, analyze behavior and personalize.
- Legal basis — a law, contract or consent of the personal data subject allowing lawful processing of data.
- Register of personal data processing operations — a documented record of processing operations containing information about the composition of data, purposes, retention periods and legal grounds, provided for by paragraph 7 of Article 18.1 of FZ-152.
2. Principles of personal data processing
The Operator adheres to the fundamental principles of data processing established in the GDPR and Russian legislation:
- Lawfulness, fairness and transparency: processing is carried out on lawful grounds, openly and fairly. We inform Users about the purposes and methods of processing.
- Purpose limitation: data is collected for specific and legitimate purposes and is not further processed in a manner incompatible with those purposes.
- Data minimization: we collect only the data necessary to provide the service. We do not store data about third-party websites, do not record calls or text messages, and do not link behavioral data to your IP address.
- Accuracy: we take measures to maintain data in an accurate and up-to-date condition. Users may correct their information in their account.
- Storage limitation: data is stored no longer than necessary for the purposes of processing.
- Integrity and confidentiality: we apply technical and organizational measures to prevent unauthorized access, including encryption, access control and audit.
- Accountability: we document processes and are ready to demonstrate compliance with this Policy and applicable legislation.
3. Scope of processed personal data
Personal data — any information relating directly or indirectly to an identified or identifiable individual (personal data subject). The Operator processes the following categories of data depending on the user’s role on the Platform. We deliberately do not collect passport or other government identification documents, social numbers (TIN, SNILS), identity document data, biometric characteristics, content of personal correspondence outside the Platform, contacts from address books, or metadata of photographs or files. Such information is not required for the operation of the service and is not processed.
You give your consent to the Operator to perform the following actions with your personal data: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, anonymization, transfer (access, provision), blocking, deletion, destruction of personal data.
3.1. Athlete data
- Registration data: email address, password, surname, first name, patronymic (if provided), login/username (if applicable).
- Profile information: date of birth, gender, city of residence, biography, personal sports records.
- Geolocation data: information about the user’s location and route during training sessions, collected from connected devices (for example, Garmin watches) or via the mobile application when location tracking is enabled. Such data is processed to provide service functionality (distance calculation, route building) and is available only upon the user’s explicit consent to geolocation collection.
- Training data: distance, time, pace, average heart rate, maximum heart rate, elevation gain, calories burned, average speed, steps (cadence), heart rate zones, sleep and recovery metrics, use of training plans, coach comments and other metrics.
- Contact data: phone number (if provided), country, city, delivery address (when purchasing goods on the Marketplace).
- Communication data: messages within the Platform, responses to coach assignments, comments in the community, social networks, uploaded photos and video recordings.
- Cookies and technical data: IP address, browser data, device type, unique cookie identifiers, information about actions on the website (page visits, clicks, transitions).
3.2. Coach data
- Registration data: email address, password, surname, first name, patronymic (if provided), login/username (if applicable).
- Profile information: date of birth, gender, country and city, description of experience and qualifications (including certificates and documents), sport type and specialization (e.g., running, swimming, triathlon), languages spoken, indication of distances and training levels, cost of services and bank details (for payouts), phone number (if provided).
- Athlete data: list of clients (athletes), training schedule, training plans, results and comments.
- Communication data: messages with athletes, notifications, management of clubs and groups, social networks, uploaded photos and video recordings.
- Cookies and technical data: IP address, browser, device, unique cookie identifiers.
3.3. Physical activity and training metrics
Within the operation of the Platform, data obtained from wearable devices (for example, fitness watches) may be processed, such as heart rate, sleep and recovery indicators.
Such data does not belong to special categories of personal data within the meaning of Article 10 of Federal Law No. 152-FZ, and is also not considered special categories of data within the meaning of Article 9 of the GDPR, because:
- the devices through which it is collected are not medical devices;
- the data is not used for diagnosis, treatment or prevention of diseases and does not have a medical purpose;
- data processing is carried out exclusively to provide service functionality (activity calculation, statistics tracking, training recommendations).
At the same time, the Operator applies to such data protection measures comparable to those applicable to special categories of data in order to minimize risks for data subjects.
The Operator also confirms that it does not carry out biometric identification of users and does not use photographic images or other physiological data to establish identity based on biometric characteristics. Profile photos and similar data are processed exclusively as ordinary personal data.
3.4. Biometric data
The Operator does not process biometric personal data within the meaning of Article 11 of Federal Law No. 152-FZ or Article 9 of the GDPR, i.e., data that allows unique identification of a person based on physiological or biological characteristics.
User profile photos and other images or information (for example, training metrics) are not used by the Operator for biometric identification purposes. Such data is treated and processed as ordinary personal data.
If in the future the Operator introduces functionality requiring biometric identification, such processing will be carried out only on the basis of explicit user consent and in full compliance with Article 9 of the GDPR, Article 11 of Federal Law No. 152-FZ and applicable legislation.
4. Purposes of processing and legal grounds
Personal data processing is carried out on lawful grounds, including on the basis of a contract (user agreement) with the data subject, their consent or requirements of legislation. For each purpose, a strictly necessary set of data is processed:
- Creation and maintenance of an account — registration of users as Athlete or Coach, provision of access to Platform functionality. Processed data: email, password, full name.
- Profile personalization — filling in date of birth, gender, photos, personal records, biography, as well as indicating sport type and specialization, languages spoken, training levels and distances. Processed data: profile data provided by the user.
- Organization of the training process — collection and analysis of training data, creation and tracking of training programs, feedback from the coach. Legal basis: performance of a contract (provision of services).
- Communication and notifications — sending messages, notifications about trainings, responses and comments, informing about new features and updates. Processed data: email, phone number, push identifier. Legal basis: user consent, performance of a contract.
- Marketing and promotion — informing about new products, promotions and Platform events, conducting surveys. Processed data: email address, cookies, behavioral data. Legal basis: user consent.
- Support of payment operations — transfer of remuneration to coaches, refunds, accounting of payments. Processed data: full name, payment details, amount, transactional metadata. Legal basis: performance of a contract, compliance with accounting legislation.
- Ensuring security and protection of the Platform — detection and prevention of fraud, ensuring operation of security systems, backup. Processed data: event logs, IP address, cookies, system logs. Legal basis: legitimate interest of the Operator.
- Compliance with legal requirements — provision of data upon request of authorized authorities, compliance with FZ-152, labor and tax legislation. All specified categories of data are processed within the necessary scope.
4.1. Legitimate interests
In addition to contract performance and legal compliance, we may process data based on legitimate interest, provided that such processing does not significantly affect the rights and freedoms of the user. In particular, legitimate interest includes:
- Service improvement: analysis of how users interact with the Platform to improve interfaces and functionality;
- Personalization without advertising: selection of training recommendations and offers based on your preferences and training history, without using third-party advertising;
- Development of new products: creation of new features and services, including testing improvements on anonymized data;
- Protection of rights and security: prevention of fraud, protection of user and Operator rights, detection of security threats;
- Statistical research: collection and analysis of anonymized statistical data to understand trends in sports and health;
- Ensuring payments: organization of payment acceptance and processing of refunds.
4.2. Matrix of compliance of processing purposes, data categories and retention periods
Personal data is stored no longer than required by processing purposes. The retention period is determined by: (1) the term of the contract; (2) the duration of consent; (3) the period necessary for accounting and tax reporting purposes; (4) limitation periods for possible claims. After expiration, data is deleted or anonymized. Data is stored on servers located in the Russian Federation; access is granted only to authorized persons and contractors who have signed data processing agreements. Storage and processing outside the territory of the Russian Federation is permitted only if the requirements of FZ-152 and international agreements are met.
| Purpose | Data categories | Legal basis | Retention period |
|---|---|---|---|
| Registration and identification | Email, password, full name, login/username (if applicable) | Performance of a contract | For the duration of the contract + 3 years for rights protection purposes |
| Profile personalization | Date of birth, gender, biography, sport type and specialization, languages spoken, training levels and distances | Consent | Until account deletion or withdrawal of consent |
| Training process and statistics | Distance, time, heart rate, training plans | Performance of a contract | Up to 3 years after cessation of service use |
| Communication and notifications | Email, phone, push identifier, social networks, uploaded photos and video recordings | Consent; performance of a contract | Until withdrawal of consent or account deletion |
| Payment operations (for coaches) | Full name, payment details, transaction amounts | Performance of a contract; law | 5 years (pursuant to accounting legislation) |
| Marketing and research | Email, cookies, behavioral data | Consent | Until withdrawal of consent or 12 months after last interaction |
| Security assurance | IP address, system logs, cookies | Legitimate interest | Up to 1 year, unless otherwise required by law |
5. Legal grounds
Personal data is processed on the following legal grounds:
- Article 6 of FZ-152 — processing is necessary for performance of a contract to which the data subject is a party; data is necessary for user registration and service provision.
- Article 9 of FZ-152 — processing is carried out on the basis of consent of the data subject. Consent is expressed by acceptance of the User Agreement and a checkbox during registration, as well as in separate consent forms where required. From July 1, 2025, the Operator requests separate consent for processing cookies.
- Article 10 of FZ-152 — processing of special categories of data (e.g., health data) is carried out only with written consent of the data subject and exclusively for provision of training services.
- Article 17 of the Federal Law “On Advertising” — separate consent is required for sending marketing communications.
- Article 6 GDPR — processing is necessary for performance of a contract; the subject has given consent; processing is necessary for compliance with legal obligations; processing is carried out for legitimate interests.
6. Transfer to third parties
Transfer of personal data to third parties is carried out only on a legal basis and to the extent necessary to achieve processing purposes. We do not sell or disclose personal data without consent, except in the following cases:
- Technical support partners and hosting providers ensuring Platform operation, having concluded data processing agreements;
- Payment systems for settlements with coaches and refunds to users within PCI DSS;
- Government authorities, investigative bodies and courts — upon lawful requests.
All contractors undertake to ensure confidentiality and security of data. Cross-border transfer is currently not carried out; if required, the Operator will ensure compliance with FZ-152 and GDPR.
When transferring personal data to countries that do not provide adequate protection, the Operator applies legally prescribed safeguards — for example, Standard Contractual Clauses of the European Commission or similar guarantees ensuring compliance with Article 46 GDPR, and obtains necessary consents where required. Any cross-border transfer will be carried out only with sufficient legal grounds and ensuring an adequate level of data protection.
6.1. Data processing within the group and receipt from partners
Some Platform functions are provided by affiliated entities. Data transfer between group companies is carried out on the basis of agreements and with equivalent protection. We may also receive data from partners (payment systems, delivery services, telemetry providers) based on user consent or other legal grounds. Such data is used solely for Platform purposes and not for creation of advertising profiles.
7. Rights of data subjects
You have the right to:
- Obtain information about what data is processed and for what purposes.
- Obtain a copy of your data (right of access).
- Correct inaccurate or outdated data.
- Delete or block data if processing purposes are achieved or there are no grounds for further processing.
- Restrict or object to processing.
- Transfer data to another operator (where technically feasible).
- Withdraw consent at any time (withdrawal does not affect lawfulness of prior processing).
- Lodge a complaint with a supervisory authority — you may submit a complaint about the actions of the Operator to the federal body for the protection of personal data subjects' rights or another competent supervisory authority.
How to exercise rights
To exercise your rights, you may:
- Send a request to: support@unlete.com or via feedback form in your account. In the request, provide full name, contact details and the essence of the request.
- The Operator may request additional information to verify identity.
- We respond within the period established by law (no more than 30 calendar days) with a reasoned reply.
8. User obligations
The user undertakes to provide accurate data, update it, comply with the Policy and User Agreement, keep account credentials confidential, respect rights of other users and report data breaches or unauthorized access.
9. Privacy and user control
The user may manage privacy through the interface:
- Privacy settings: selection of visibility level for each category of training data.
- Data export and deletion: download data archive and delete account (data is deleted or anonymized within 10 business days).
- Opt-out of communications: subscription management.
- Data dashboard: history of training, payments and consents.
10. Processing of minors’ data
The Platform is intended for users aged 16+ (in the Russian Federation — 18+).The Company recognizes the special need to protect personal data of minors and establishes additional rules.
The Company does not process data of children under 13 without prior consent of parents/legal representatives. Technical and organizational measures are used to prevent such registration.
Users aged 16–18 provide data independently; however, the Company may request additional parental consent for higher-risk data (e.g., health or geolocation).
Additional safeguards apply: profiles are private by default; access is limited to approved users. Certain health-related metrics are restricted to users aged 16+.
If processing without proper consent is detected, the Company will stop processing and delete such data promptly.
11. Cookies and similar technologies
The Operator uses cookies and similar technologies to ensure proper operation of the website and improve service quality.
11.1. Cookie categories
- Necessary (technical) cookies — used for core functionality (authentication, settings, security). No consent required.
- Analytical and marketing cookies (e.g., Yandex.Metrica) — used only with prior user consent via cookie banner.
11.2. Cookie retention periods
- session cookies — until browser is closed;
- persistent cookies — up to 12 months unless otherwise specified.
You may withdraw consent and manage cookies via browser or site interface. Refusal does not affect core functionality but may limit personalization and analytics.
Cookie data is treated as personal data if it allows identification and is processed in accordance with FZ-152 and GDPR.
The Operator records user consent for cookies and stores logs for at least 6 months for compliance and regulatory audits.
12. Aggregated and anonymized data
We use anonymized data for statistics and analytics, without disclosing personal data and without using targeted advertising.
13. Profiling and automated decisions
We do not make decisions having legal consequences solely on the basis of automated processing. Recommendations are formed on the basis of user data, but final decisions are made by the user or the coach. The user has the right to request an explanation of the logic of the algorithm and to refuse profiling.
14. Measures for the protection of personal data
The Operator takes necessary legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, distribution, as well as from other unlawful actions. In particular, the following measures are implemented:
- differentiation of employees’ access to data depending on their job duties;
- application of information protection tools certified in the prescribed manner;
- encryption of personal data during storage and transmission over communication networks;
- use of antivirus software and firewalls;
- backup and restoration of data;
- maintaining logs of access to and actions with personal data;
- carrying out internal control and audit of compliance with requirements for personal data protection;
- regular training of employees on personal data protection issues;
- incident response and notification of authorized authorities within the time periods established by the legislation of the Russian Federation and GDPR (24/72 hours).
15. Notifications of security breaches
In the event of an incident, the Operator informs the authorized authorities and affected users, reporting the nature and consequences of the breach, and takes measures to remedy it.
In the event of an incident related to unlawful access, leakage or other security breach of personal data, the Operator immediately begins carrying out the procedures provided for by our Incident Response Policy. We take emergency measures to prevent further dissemination of data, restore security and conduct an internal investigation of the causes of what happened. The Operator notifies the authorized supervisory authorities of the incident within the time periods established by law — an initial notification is sent no later than 24 hours from the moment the breach is detected, and an extended report on the results of the investigation — within 72 hours. If there is an obligation under the law or if it is established that the incident creates a high risk of violation of the rights and freedoms of personal data subjects, the Operator also informs the affected users personally about the incident, notifying them of the nature of the leakage and the measures taken to protect the data. Notification of subjects is not carried out only in cases where any harmful consequences have been prevented by the measures taken or where legislation excludes such an obligation (for example, if the data was securely encrypted). All incidents are documented in the internal register of security breaches; the Operator analyzes their causes and, if necessary, updates protection measures and procedures in order to prevent recurrence of similar situations.
16. Maintaining a register of operations and documentation
In accordance with paragraph 7 of Article 18.1 of FZ-152, the Operator maintains a register of processing operations containing information on the composition of data, purposes, periods and legal grounds. An annual self-assessment of compliance with legislative requirements is also carried out.
17. Contacts and procedure for requests
Name of the Operator: LLC “Madness” Legal address: 101990, Moscow, Maroseyka St., 3/13, building 1, office 56, floor 3 TIN/KPP: 9701085591/770101001 PSRN: 1177746897888 Person responsible for organizing personal data processing (DPO): support@unlete.com General address for inquiries: support@unlete.com
The request must contain full name, number of the identity document, essence of the request and contact details. The Operator reviews requests within up to 10 working days and sends a response in writing or by email.
For citizens of the European Union and other foreign states:
Name: IE Sergey Shabrov Address: 7 av. du Capitaine Scott, 06300, Nice, France General contact email: s.shabrov@madness.company
18. Amendment of the Policy
The Policy may be amended by the operator unilaterally. The update date is indicated at the beginning of the document; the new version comes into force from the moment of its publication on the website.
