Privacy Policy
This personal data processing policy (referred to as the “Policy”) is addressed to everyone who uses the 1club platform (“Service”), accessible at 1club.ai (“Website”) and the related mobile applications (“Applications”), provided by 1club EOOD (“1club”, “Controller”, or “we”), enabling the management of fitness/sports facilities, including the management of memberships, bookings, schedules, payments and communication with end users — members of the users of the Service (“Users”).
For the purpose of providing the Service and administering the Website and the Applications, the Controller processes the personal data of natural persons — representatives of the Users (“You” or “representatives of Users”). Both for You and for us, it is important to use your personal data in accordance with the law. This policy provides information on how we process the personal data of representatives of Users and answers the questions usually arising in this regard.
We provide you with this information regarding the processing of your personal data, in accordance with Regulation (EU) 2016/679 – the General Data Protection Regulation (referred to as the “GDPR”).
This Policy applies to the processing of personal data for which 1club acts in the capacity of an independent personal data Controller — specifically for the personal data that we collect directly from the Users (including their legal representatives and staff) who use the Service for the purposes of creating and managing accounts, billing and support.
When a User, our client, uses the Service to manage the data of its members (end users), the User (e.g. a fitness club) is the controller of the personal data of its members, and 1club acts as a processor of personal data. We process this data strictly on behalf of and in accordance with the documented instructions of the User (who is the controller of the personal data of its members) and solely for the purposes of providing the Service. In these cases, the processing of this personal data is not the subject of this Policy.
Who is the controller of the personal data?
The controller of personal data under this Policy is 1club EOOD, with its registered seat and management address at: 10 Tsar Osvoboditel Blvd., floor 3, Sofia 1000, Bulgaria, UIC: 208644166.
To contact the Controller, you may reach out at support@1club.ai, as well as at the postal address 10 Tsar Osvoboditel Blvd., floor 3, Sofia 1000, Bulgaria, Sredets district.
How is your personal data processed?
The Controller processes the personal data subject to this Policy by collecting it from the Users or by creating it itself. Under the conditions of the law, the Controller may engage third parties to process personal data.
For what purposes is your personal data processed?
- The Controller processes your personal data in order to fulfil the contractual obligations to provide the Service. For this purpose, we process personal data, such as your first and last name, telephone number, email address, the data from your Google profile, in accordance with the terms of use of the respective identification.
- The Controller processes personal data to protect against misuse of the Service, for which purpose access logs are stored.
- The Controller provides personal data to public authorities under the conditions of the law.
- The Controller processes the personal data that you provide as part of your message when you make contact through the contact form for technical questions relating to the use of the Service, for the purpose of providing a response to your enquiry.
This Policy also governs the processing, carried out by way of exception and in very limited cases, of personal data of natural persons that 1club may extract from the internet for the purpose of testing and developing the functionalities of the Service.
Your personal data will not be subject to automated decision-making which produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 of the GDPR.
The Controller does not send marketing messages directly to the end users (e.g. members of fitness clubs and studios). All notifications (booking confirmations, welcome emails and the like) are initiated by the relevant User (fitness club, studio, or the like) through our platform.
What categories of personal data do we process?
The Controller processes the following categories of personal data of the Users:
- When you create a user profile on the Website or in any of the Applications, we collect your first and last name, telephone number, email address provided upon registration.
- When you use “Sign in with Google”, in accordance with the terms of use of the service, Google provides us with your name, email address and photo from your Google profile. For more information about what data is provided with “Sign in with Google”, please see the information in the Google Help Center (https://support.google.com/accounts) in the section on using your Google account with third-party apps and services.
- When you visit the Website without creating a profile, we process logs relating to access to the Service, which may include IP address, the browser User Agent (data about the operating system, the browser and its settings), the time and date of access, the URL opened and request data.
- When you use the Applications by registering, in addition to the personal data provided for the purposes of registration (email address and data received from the user identification service providers), we also process logs relating to access to the Service, which may include IP address and information about the version of the device’s operating system.
- When you contact the Controller through the contact form for technical questions relating to the use of the Service, you provide personal data as part of your message. The volume of personal data that you provide is determined by you, insofar as it is necessary for a response to the enquiry to be provided to you. We will use only those personal data that we need in order to fulfil our obligation and our commitments to the relevant User.
In very limited cases and by way of exception, the Controller processes personal data extracted from public sources on the internet for the purpose of testing and developing functionalities of the Service, such as the names of trainers, email addresses and the schedule of classes and the fitness clubs and studios in which they are offered.
The Controller does not collect, generate, or otherwise process special categories of personal data of users, such as, for example, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning health, and others.
What are the legal grounds on which we process personal data?
1. For the performance of obligations under the contractual relationships with the Users (Article 6(1)(b) of the GDPR):
In order to fulfil our obligations and commitments to provide the Service and maintain the Website and the Applications, we process your personal data, such as your first and last name, telephone number, email address, the data from your Google profile, as well as personal data included by you in the communications relating to the use of the Service.
2. For compliance with a legal obligation to which the controller is subject (Article 6(1)(c) of the GDPR):
The Controller provides personal data to public authorities under the conditions of the law.
3. Pursuing the legitimate interests of the Controller (Article 6(1)(f) of the GDPR):
The Controller processes personal data for the purposes of its legitimate interests by way of exception and where this is necessary, such as for the purpose of protection against misuse of the Service. To achieve this purpose, the Controller processes, through the Website, logs relating to access to the Service, which may include the user’s IP address, the browser User Agent (data about its operating system, the browser and its settings), the time and date of access, the URL opened and request data.
To achieve this purpose, the Controller processes, through the Applications, logs relating to access to the Service, which include the IP address and information about the version of the device’s operating system. To achieve these purposes, the processing of a minimal volume of personal data is necessary, as without processing it the controller would not be able to control and counteract any possible misuse of the Service.
The Controller processes personal data for the purposes of its legitimate interests by way of exception and where this is necessary for extracting data from the internet for the purpose of testing, improving and developing new functionalities of the Service. For this purpose, the Controller processes only the minimal quantities of data that are necessary to verify the technical soundness, accuracy, security and reliability of the relevant functionality. The data is processed insofar as it is publicly available or lawfully provided for the relevant purpose, and is not used to identify specific natural persons, unless this is technically necessary for the provision, protection or improvement of the Service.
Where possible, the Controller applies appropriate technical and organisational measures to limit the processing, including filtering, minimising, pseudonymising or anonymising the data, restricting access to it and applying retention periods tailored to the specific purpose. In cases where it establishes that the collected data is unnecessary for the relevant purpose, the Controller takes reasonable measures for its deletion, restriction or exclusion from further processing.
Before processing personal data on the ground of legitimate interest, the Controller must carry out an assessment of whether the interests, fundamental rights and freedoms of the data subjects do not override its interest. In this assessment, the Controller takes into account the nature and volume of the data, the reasonable expectations of the data subjects, the context of the processing, the possible consequences for them and the protective measures applied. Data subjects have the right to object to the processing of their personal data on the ground of legitimate interest under the conditions and following the procedure provided for in the GDPR.
Provision of personal data to third parties
In certain circumstances and in accordance with the law, the Controller shares your personal data with third parties who process your personal data as a separate controller or as a processor on the assignment and instruction of the Controller, for the purposes described above, as follows:
- public authorities under the conditions of the law;
- third parties, providers of payment services;
- third parties, providers of customer relationship management and marketing automation systems;
- third parties, providers of cloud office services and email;
- third parties, providers of customer support and real-time chat platforms;
- third parties, providers of infrastructure and database hosting services;
Provision of personal data outside the European Economic Area
The Controller transfers your personal data outside the European Economic Area in compliance with the GDPR on the basis of:
(a) a decision of the European Commission on the adequate protection of personal data, or
(b) standard contractual clauses (SCCs) approved by the European Commission, or
(c) another ground permissible under Article 46, Article 47 or Article 49 of the GDPR.
Since part of the Controller’s infrastructure and providers are located in the United States of America, your data may be transferred outside the European Economic Area. To ensure protection, we use a decision of the European Commission on the adequate protection of personal data and Standard Contractual Clauses (SCCs) with our providers based outside the European Economic Area.
How is your personal data protected?
The Controller maintains physical and electronic technical and organisational measures and procedures guaranteeing the protection of the confidentiality, integrity and availability of your personal data, including encryption and regular monitoring. Appropriate security measures have been taken against the unlawful or improper processing of personal data and against the accidental loss or damage of personal data.
For what period does the Controller store your personal data?
The Controller stores your personal data for as long as is necessary to fulfil the purposes for which it is processed and in accordance with the legal and regulatory requirements. The retention periods are determined by the purpose of the processing of the data, the quantity, nature and significance of this data; the potential risk of unauthorised access to or disclosure of the data; statutory periods, if applicable:
- The personal data processed for the purpose of providing the Service by the Controller, for the performance of the obligations under the contractual relationships with the Users, is stored for a period, for as long as your account is active. Upon closure of the account, the data is stored for a period of 3 years.
- The personal data contained in the logs of the use of the Service is stored for the time necessary to guarantee the security of the information systems, to investigate incidents, to detect unauthorised access — for a period of up to 3 days.
- The information about the individual sessions when using the Service, which may include the user’s IP address, User-agent and request data, is stored for the time necessary to guarantee the security of the information systems, to investigate incidents, to detect unauthorised access — for a period of up to 7 days.
- Financial records (invoices) are stored for 10 years in accordance with Bulgarian legislation.
- The retention period for cookies and in Local Storage used by the Website is set out in the Cookie Policy.
What are your rights as a data subject?
As a data subject and under the conditions of the law, you have the following rights:
- the right of access to the personal data processed by the Controller and information about the purposes of the processing;
- the right to request rectification of your personal data that is inaccurate or incorrect;
- the right to request erasure (the “right to be forgotten”) of your personal data when the ground for processing it has fallen away;
- the right to restrict the processing of your personal data;
- the right to request portability of your data, in which case the Controller will provide the data in a structured, commonly used and machine-readable format;
- the right to request that the Controller transfer your personal data to another personal data controller, where this is technically possible;
- the right to object to the processing of your personal data when the legal ground for it is the necessity for the legitimate interests of the Controller;
- the right to withdraw your consent at any time, in the cases where we process your personal data on the basis of consent, in which case the Controller will cease processing your personal data on this ground immediately from that moment onwards; and
- the right to lodge a complaint with the Commission for Personal Data Protection at the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., Telephone: 02/9153 518, kzld@cpdp.bg.
You may exercise the rights set out above at any time by written request to the Controller, using the contact forms set out at the beginning of the Policy. The Controller will respond to your request without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of the requests. The Controller will inform you of any such extension within one month of receipt of the request, stating the reasons for the delay.
Questions?
For questions and additional information regarding the processing of your personal data under this Policy and the rights that you have as a data subject, you may contact us using the Controller’s contact details set out at the beginning of the Policy.
Changes to the Personal Data Processing Policy
The latest update of this Policy is from June 30th, 2026.
In the event of a material change, the amended Policy will be announced at https://1club.ai/en/privacy. At this address we publish the Policy in force at any given time.