GDPR Compliance
Last updated: February 2026
BioFrame is fully GDPR compliant.
The General Data Protection Regulation (GDPR — EU Reg. 2016/679) grants European Union citizens enhanced rights over their personal data. We respect these rights and have implemented adequate measures to ensure compliance, in accordance with Italian Legislative Decree 196/2003 (Italian Privacy Code) and the Data Protection Authority Guidelines.
Your GDPR Rights
Right of Access (Art. 15)
Obtain a copy of all personal data we process.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete data.
Right to Erasure (Art. 17)
Request the deletion of personal data ("right to be forgotten").
Right to Restriction (Art. 18)
Request the restriction of data processing.
Right to Portability (Art. 20)
Receive data in a structured, machine-readable format (JSON/CSV).
Right to Object (Art. 21)
Object to data processing in certain circumstances.
How to Exercise Your Rights
1. Submit a Request
To exercise any GDPR right, contact our Data Protection Officer:
Email: gdpr@bioframe.it
Subject: GDPR Data Request
2. Identity Verification
To protect your privacy, we must verify your identity before processing the request. We may require additional information to confirm you are the data subject.
3. Response Times
We will respond to your request within 30 days of receipt (Art. 12 GDPR). In complex cases, we may extend this period by an additional two months, notifying you promptly.
Legal Basis for Processing
Under the GDPR, we process personal data on the following legal grounds:
Contract Performance (Art. 6.1.b)
Processing necessary to provide Platform services and fulfill contractual obligations.
Legal Obligation (Art. 6.1.c)
Processing necessary to comply with legal and regulatory obligations (Italian Legislative Decree 196/2003, tax obligations).
Legitimate Interest (Art. 6.1.f)
Processing necessary for our legitimate interests (account security, fraud prevention, service improvement).
Explicit Consent (Art. 9.2.a)
For the processing of health data (special category Art. 9 GDPR), we require explicit consent from the data subject.
Data Protection Measures
Technical Measures
- End-to-end encryption (AES-256)
- TLS 1.3 for all communications
- Secure authentication (bcrypt + JWT)
- ISO 27001 data centers in Europe
- Daily encrypted backups
- Row Level Security (RLS) on database
Organizational Measures
- Regular GDPR training for staff
- Art. 28 contracts with all providers
- Privacy by Design and by Default
- Regular Data Protection Impact Assessments (DPIA)
- Incident response procedures
- Complete audit logs
International Transfers
Some data may be transferred outside the European Economic Area (EEA) for service provision. In such cases, we ensure adequate safeguards:
- Standard Contractual Clauses (SCC): Contractual clauses approved by the EU Commission
- Anthropic (Claude API): USA — Active SCCs, zero-retention policy on input/output
- Supabase: EU data center (Frankfurt) — no extra-EU transfer
- Railway/Vercel: USA with EU CDN — Active SCCs
Data Breach Notification
In case of a data breach posing risks to the rights and freedoms of data subjects:
- We will notify the Data Protection Authority within 72 hours (Art. 33 GDPR)
- We will inform data subjects without undue delay (Art. 34 GDPR)
- We will provide clear information about the nature of the breach
- We will describe the measures taken to remedy the situation
- We will advise on actions you can take to protect yourself
Right to Complain
If you believe that the processing of your personal data does not comply with the GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Italian Data Protection Authority (Garante per la Protezione dei Dati Personali)
www.garanteprivacy.it
Piazza Venezia, 11 — 00187 Rome
Phone: +39 06 696771
Email: garante@gpdp.it
Contact the Data Protection Officer
Controller: 2014 FITNESS S.S.D. a R.L
Via Trento Trieste 12, 41012 Carpi (MO), Italy
VAT: IT03587400361 — Tax Code: 90037470367
DPO: dpo@bioframe.it
GDPR Requests: gdpr@bioframe.it
Certified Email (PEC): 2014fitness@pec.it