Privacy Policy
OpenSwim Mobile Application & Website
Effective Date: April 28, 2026
1. WHO WE ARE
OpenSwim (“App,” “we,” “us,” “our”) is operated by SSO Active, a Société par Actions Simplifiée (simplified joint-stock company) incorporated and organized under the laws of France, registered with the RCS of Evry under number 810 963 306.
Legal Address:
12 rue Fernand Léger, 91440 Bures-sur-Yvette, France
Contact Email:
contact@openswim.fr
Jurisdiction-Specific Note:
Under this Privacy Policy, SSO Active serves as the “data controller” for purposes of European data protection law (GDPR, UK GDPR, French CNIL regulations) and the “business” for purposes of U.S. state privacy laws (CCPA, CPRA, VCDPA, TDPSA, CTDPA, and similar laws).
This Privacy Policy is part of our Terms of Service and is incorporated by reference. By accepting the Terms of Service, you also accept this Privacy Policy. In the event of conflict, this Privacy Policy will prevail. Terms capitalized but not defined herein have the meaning ascribed to them in our Terms of Service.
OpenSwim is committed to protecting your privacy and maintaining transparency regarding how we collect, use, and protect your personal information. This comprehensive Privacy Policy describes our practices in detail and is designed to help you understand your rights and make informed decisions about your personal data.
2. WHERE YOU LIVE MATTERS
This Privacy Policy applies globally to all users of the OpenSwim App and Website, regardless of location. However, privacy laws vary by region, and your rights depend on where you reside. OpenSwim recognizes that privacy is a fundamental right and that different jurisdictions have established varying levels of legal protection for personal information. We aim to apply a high standard of privacy protection globally, while recognizing that rights and obligations vary by jurisdiction:
- If you are located in the European Union, the United Kingdom, or any other jurisdiction where the GDPR or similar data protection laws apply: You enjoy comprehensive privacy rights including access, rectification, deletion, portability, and the right to lodge complaints with a supervisory authority. These rights are described in Section 10.1.
- If you are located in California, Colorado, Connecticut, Utah, Virginia, Texas, or any other U.S. state with privacy laws: You may have rights to know, delete, correct, and opt out of certain data uses and sharing. These rights are described in Section 10.2. We recommend reviewing the state-specific language applicable to your location.
- If you are located elsewhere: You may have privacy rights under your local laws. Please contact us to understand what rights may apply to you (contact@openswim.fr).
3. PERSONAL INFORMATION WE COLLECT
We collect personal information from three primary sources: (1) information you directly provide to us, (2) information we collect automatically, and (3) information we receive from third parties. This section provides a comprehensive overview of all categories of personal information that we process in connection with the OpenSwim application and website. Understanding what data we collect helps you make informed choices about your privacy and exercise your rights effectively. We have organized this information by source and type to provide maximum transparency.
3.1 Information You Provide to Us
The following categories of information are collected when you create an account, set up your profile, or interact with OpenSwim features:
Account Registration & Profile Information:
- Name, email address, phone number
- Gender, date of birth, city/location
- Body measurements (weight, height)
- Photograph (optional; used for profile avatar)
- Swimming experience level (beginner, intermediate, advanced)
- Swimming discipline preferences (pool, open water, triathlon, etc.)
- Annual swimming goals and weekly training targets
- Notification preferences and communication settings
- Language and display settings
Account Usage & Personalization:
- Account settings and preferences (face ID/touch ID, push notifications, profile visibility)
- Profile status setting (public, partially public, or private)
- Followers and following list (if you set profile to public or semi-public)
- Messages, comments, and communications with other users
- Participation in groups, events, and challenges
- Feedback, reviews, and user support requests
Workout & Activity Data (User-Generated):
- Workout records you create or log (date, time, distance, duration, location, route)
- Performance metrics (speed, pace, splits, heart rate if recorded, calories burned, rest intervals)
- Photos and comments associated with activities
- Favorites, saved workouts, and custom training programs
- Personal bests and achievement records
- Calendar entries and scheduled training sessions
Third-Party Synchronization Data:
When you connect OpenSwim to external fitness apps and devices (Strava, Garmin Connect, Apple Watch/Health, COROS, Suunto, Polar), we receive:
- Historical workout data from the last 30 days (or as permitted by the third-party app)
- Activity details: distance, time, speed, heart rate, calories, rest time
- Workout type and sport classifications
- Geolocation data of activities (if shared by third-party service)
3.2 Information Collected Automatically
As you use the OpenSwim App and Website, we automatically collect certain information about your device, your usage patterns, and your interactions with our platform. This automatic collection occurs even if you do not actively provide information to us and helps us improve our services and detect security issues:
Device & Technical Information:
- Device type and model (e.g., iPhone 15, Samsung Galaxy)
- Operating system and version (iOS or Android)
- App version and build number
- Unique device identifier / advertising identifier (IDFA on iOS, GAID on Android)
- Language and localization settings
- Internet connection type
Usage & Navigation Data:
- Pages and features you access within the App
- Frequency and duration of use
- Clicks, interactions, and navigation patterns
- Crash logs and error information
- Search queries within the App
Location Data:
- City/region (derived from IP address or profile)
- Precise geolocation (latitude/longitude) only if you have granted location permission in your device settings
- Geolocation of activities during workout tracking (if enabled)
Cookies, SDKs & Similar Technologies: See Section 6 for a complete description of the cookies, SDKs, and tracking technologies used by OpenSwim, including their purposes, data collected, and opt-out mechanisms.
3.3 Information from Third Parties
In addition to information you provide directly and information we collect automatically, we receive information from external sources. This helps us enhance our services and provide you with better functionality. All information received from third parties is treated with the same care and protection as information you provide directly:
Fitness & Health Platforms:
When you authorize OpenSwim to connect to Strava, Garmin, Apple Health, COROS, Suunto or Polar, we receive fitness and health data shared through those platforms’ APIs.
Service Providers:
Our service providers (described in Section 5) may provide information to us as part of fulfilling contracted services (e.g., customer support data, analytics).
Publicly Available Sources:
If you set your profile to public, other users can view and reference your profile information, activities, and achievements.
4. HOW WE USE YOUR PERSONAL INFORMATION
We process your personal information for the following lawful purposes. Data protection laws require that we have a legal basis for processing your personal information. OpenSwim has identified multiple legal bases for our processing activities, each explained in detail below. Our approach to data processing is grounded in transparency and respect for your privacy. We only process your data when we have a valid legal basis, and we have carefully balanced your privacy rights against our legitimate interests in each case.
4.1 Performance of Contract & App Functionality
- Creating and maintaining your OpenSwim account
- Authenticating your identity and verifying account ownership
- Providing app features: workout logging, training programs, performance tracking, community interaction
- Storing and syncing your workout data across devices
- Displaying your profile, activities, and achievements (according to your privacy settings)
- Facilitating connections with other users (followers, groups, events, challenges)
- Processing third-party fitness app integrations (Strava, Garmin, Apple, COROS, Suunto, Polar)
- Providing customer support and resolving account issues
- Processing event registrations and payments via Njuko
4.2 Legitimate Interests
We pursue the following legitimate interests, balanced against your rights and expectations. These legitimate interests are carefully evaluated to ensure they do not override your privacy rights and are communicated transparently so you can understand why we process your data in these ways.
App Improvement & Optimization:
Analyzing usage patterns, feature adoption, and user behavior to identify bugs, improve performance, and develop new features that enhance your experience and the overall quality of the OpenSwim application.
Performance Analytics & Insights:
Aggregating and anonymizing workout data to provide users with comparative statistics, trends, and insights (e.g., personal records, seasonal patterns) while protecting individual privacy through anonymization techniques.
Fraud Prevention & Security:
Monitoring for unauthorized access, unusual account activity, and potential misuse to protect your account and the broader community from malicious actors and security threats.
Personalization:
Customizing training recommendations, suggested workouts, and community suggestions based on your fitness level, goals, and activity history to provide a more engaging and relevant user experience.
Community Safety & Content Moderation:
Enforcing community standards, detecting abuse, and managing public content to maintain a safe and respectful environment for all users of the OpenSwim platform.
Updates:
Sending app updates, feature announcements, and community highlights to keep users informed about developments and opportunities.
4.3 Compliance with Legal Obligations
- Retaining records required by French tax and accounting law
- Responding to lawful requests from law enforcement or government agencies
- Defending against legal claims and dispute resolution
- Compliance with CNIL orders or supervisory authority requests
4.4 Consent
Where required by law, we request your explicit consent for:
- Push notifications and email communications (opt-in during account setup; revocable in settings)
- Precise geolocation tracking (requested at device level and app level)
- Marketing emails
- Processing of special category data (health information) beyond core service delivery
You may withdraw consent at any time by updating your account settings or contacting us.
4.5 Special Category Data
Health Data:
We process your workout records, heart rate, calories, and performance metrics based on:
- Contract Performance: Essential to provide fitness tracking and training program features you request
- Consent: Where additional processing (e.g., health insights, profiling) goes beyond the primary service
Precise Geolocation:
Your precise location during workouts is processed based on your affirmative permission (typically at device level). We do not process precise location for non-fitness purposes without your consent.
4.6 Automated Decision-Making & Profiling
Current Status:
OpenSwim does not currently employ automated profiling or automated decision-making that produces legal or similarly significant effects.
Planned Development:
We are developing AI-driven personalized training plans that will analyze your workout data, goals, and performance history to generate tailored recommendations. When implemented:
- The AI will generate training recommendations and suggestions
- These recommendations are advisory only and will not produce binding or legally significant effects (such as account suspension, service denial, or eligibility changes)
- You retain full control and may: accept or reject any recommendation, modify your profile, goals, or preferences to change future recommendations, disable personalization features in account settings, and request human review of any recommendation
GDPR Art. 22 Compliance:
When profiling is implemented, it will not constitute automated decision-making with legal/significant effects, as no binding decisions are made solely by automated means. If you object to profiling, you may opt out via account settings or contact contact@openswim.fr with the subject line “Request Human Review of Profiling.”
5. HOW WE SHARE YOUR PERSONAL INFORMATION
Transparency about data sharing is essential to your understanding of how your information is used. OpenSwim shares personal information only when necessary to provide our services, comply with legal obligations, or pursue legitimate interests that are balanced carefully against your privacy rights. This section details every category of recipient that may receive your data, the legal basis for each sharing, and your rights regarding those disclosures.
5.1 Categories of Recipients
We share your personal information with the following categories of recipients. Each recipient category is subject to contractual obligations regarding data protection and use restrictions:
Service Providers & Processors:
- Eastern Peak: Backend development, maintenance, and technical support
- Lunabee: Frontend development and app maintenance
- ChatGPT / Claude: AI and machine learning services for personalized training features (planned)
- Google Firebase: Cloud hosting, real-time database, Firebase Analytics, and push notification infrastructure (FCM)
- Brevo, formerly Sendinblue: Email delivery and marketing automation (data processor acting on our instructions)
- Sentry: Crash and error monitoring, performance tracking
- Airbridge: Mobile attribution and marketing analytics
- Meta / Facebook: SDK functionality, Facebook Login, and retargeting ads outside the app
- RevenueCat: In-app purchase and subscription management
- Njuko: Event registration and payment processing for swimming events
- Apple & Google: Payment processing for in-app purchases (note: we do not receive or process your payment card details; Apple and Google handle all payment information)
For each service provider, we maintain contractual arrangements requiring them to: process data only as instructed, maintain appropriate security safeguards, assist with your data rights requests, delete or return data upon contract termination, and notify us of any breaches.
Third-Party Fitness & Health Apps (at your direction):
When you authorize integration with Strava, Garmin Connect, Apple Health, COROS, Suunto or Polar, we share your OpenSwim workout data with those platforms, and we receive data from them. These integrations are governed by those third parties’ privacy policies. You control which integrations are active and can disconnect at any time in your app settings. The data received is not shared or processed by any third parties, including the use of third-party AI or data processing services.
Community & Public Features:
Please note that all Users who use the App are displayed on the Leaderboard, and you generally cannot opt out of appearing on the Leaderboard. By using the App, you acknowledge and consent to your username and swimming statistics being visible to other Users through the Leaderboard. While this is a default feature of the App, users located in the European Union and the United Kingdom may request removal from the Leaderboard by contacting us by email. We will assess and process such requests in accordance with our obligations under applicable data protection laws, including GDPR Article 21.
If you set your profile to public or semi-public, the following information is visible to other OpenSwim users:
- Profile name, profile picture, location (city)
- Public activities, performance metrics, and achievements
- Comments, messages, and group/event participation
- Followers and following list
Legal Requirements & Law Enforcement:
- Government or law enforcement agencies (upon valid legal process, subpoena, or court order)
- Compliance with data privacy authority investigations or data protection authority requests
- Fraud investigations or to protect OpenSwim against legal liability
Business Transfer:
In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice of any such change and any choices you may have.
Auditors & Consultants:
- External auditors (for financial and compliance audits)
- Legal and compliance consultants
- Data protection consultants and DPA advisors
These recipients are contractually bound to confidentiality and use data only for their specified purpose.
5.2 Sharing of Special Categories & Sensitive Information
Your health data (workout metrics, heart rate, calories) and precise geolocation are shared only with:
- Service providers under contractual arrangements (Google Firebase, Eastern Peak, Brevo) with technical and organizational safeguards
- Third-party health apps (Strava, Garmin, Apple, COROS, Suunto, Polar) at your explicit authorization
- Law enforcement (only upon valid legal process)
We do not sell or share health data or precise geolocation for marketing or profit purposes.
5.3 Sale or Sharing of Personal Information (CCPA/CPRA Disclosure)
For California and other U.S. state privacy law purposes: We do not “sell” your personal information as defined by CCPA §1798.100 (exchange for monetary consideration).
We partner with third-party advertising and analytics providers, such as Meta and Airbridge, to help us understand how you use our services and to deliver advertisements tailored to your interests. These partners may collect identifiers from your device to facilitate these services. While we do not sell your personal information for monetary compensation, we do use it for these targeted advertising purposes. You can control or opt out of this tracking through your device settings (such as Apple’s App Tracking Transparency feature) or through your browser’s ad-tracking controls.
We do disclose your personal information for “business purposes” (CCPA §1798.140(d)) to the following categories:
- Service providers under contract (for analytics, email delivery, cloud services, customer support)
- Third-party fitness integrations (at your authorization)
- Aggregated, de-identified usage statistics (for research and improvement)
If our sale or sharing practices change in the future, we will update this Privacy Policy, provide prominent notice, and implement opt-out mechanisms including a “Do Not Sell or Share My Personal Information” link.
6. COOKIES, SDKs, AND SIMILAR TECHNOLOGIES
Our App and Website use cookies, SDKs, and similar tracking technologies to provide, analyze, and improve your experience. These technologies help us understand how you use OpenSwim, remember your preferences, prevent fraud, and deliver targeted advertisements. This section explains what these technologies are, how we use them, and how you can control their use. We are committed to transparency regarding tracking and are striving to implement additional consent management tools to give you granular control over which technologies collect your data.
6.1 Cookies & Web Tracking
Cookies are small data files stored on your device that help us provide and improve the OpenSwim experience. We use different types of cookies for different purposes, and we categorize them based on whether they are essential (required for the service to function) or optional (used to improve your experience and track usage):
Essential Cookies:
- laravel_session: Server-side session management required for authentication (expires at end of session)
- XSRF-TOKEN: CSRF protection via Laravel Sanctum, required for security (expires at end of session)
- locale: Stores your preferred language and regional settings (functional/essential)
- OAuth WebView session cookies: Secure cookies created during authentication with Strava, Garmin, COROS, Suunto and Polar (expire at end of session)
Website Cookies (openswim.com):
- Session and security cookies for form protection
- Google/Firebase Analytics (usage tracking)
- Meta Pixel (advertising retargeting)
For website cookies, we use both strictly necessary cookies (no consent required) and optional cookies (requiring consent; you can opt out via browser settings or cookie banners).
6.2 Mobile SDKs & In-App Tracking
Our App includes the following SDKs and libraries:
| SDK | Provider | Purpose | Data Collected | Essential/Optional |
| --- | --- | --- | --- | --- |
| Firebase Analytics | Google (US) | Usage analytics, event tracking | Event data (sign_in, program_start, workout_done, race_reported), user ID, device info | Optional |
| Firebase Messaging | Google (US) | Push notifications | FCM device token, message interactions | Optional |
| Firebase Remote Config | Google (US) | Feature flags, app version checks | App version/build, config parameters | Essential |
| Firebase Dynamic Links / In-App Messaging | Google (US) | Deep linking, in-app promotions | Link data, impression tracking | Optional |
| Facebook SDK | Meta (US) | Facebook login, auto app events | Facebook app ID, event data, IDFA/GAID | Login: Essential; Auto events: Optional |
| Airbridge | Airbridge (US) | Mobile attribution, marketing analytics | Event data, IDFA/GAID, install source | Optional |
| Sentry | Sentry (US) | Crash/error monitoring | User ID, email, name, error logs, stack traces, device context | Essential |
| Google Sign-In | Google (US) | Google authentication | Google auth credentials | Essential (if user chooses) |
| Brevo | Brevo (France) | Email delivery, marketing automation | Email address, engagement tracking | Essential (transactional); Optional (marketing) |
| RevenueCat | RevenueCat (US) | In-app purchases (planned) | Purchase events, subscription status, user ID | Essential (when implemented) |
Opt-Out Mechanisms:
- Push notifications: Opt out in App Settings > Preferences > Notifications
- Device-Level Tracking Controls (e.g., iOS ATT): Apple displays a system prompt requesting permission to track you across apps and websites. If you deny this request, your IDFA is not shared with our analytics and advertising SDKs. You can manage this at any time via iOS Settings > Privacy > Tracking. Android users can similarly manage advertising IDs in their device settings.
- Third-party fitness integrations: Disconnect in App Settings > Connected Apps. This revokes access and removes stored OAuth cookies on our backend.
- Analytics and marketing consent management: We rely on your consent to utilize non-essential analytics and marketing SDKs where required by applicable law. You can currently control these data flows via the device-level settings mentioned above.
6.3 Global Privacy Control (GPC) & Do Not Track (DNT)
We do not currently respond to Global Privacy Control (GPC) or Do Not Track (DNT) signals in browsers or apps. However, you can control your privacy preferences directly through:
- App Settings (push notifications, connected accounts)
- iOS App Tracking Transparency prompt (IDFA sharing)
- Your web browser privacy settings
We are evaluating the technical implementation of GPC and DNT signal support and will update this section when available.
6.4 Third-Party Analytics & Social Media Pixels
- Meta / Facebook: We use Meta advertising tools to run retargeting ads outside the App. Meta may receive your IDFA/GAID (subject to ATT consent), app usage events, and conversion data. You can manage Meta ad preferences at facebook.com/adpreferences.
- Firebase Analytics: Linked to Google Analytics for analyzing app event data, user behavior, and feature adoption. Data is aggregated and used to improve the App.
- Airbridge: Used for mobile app attribution — identifying how users discover and install OpenSwim. Collects install source, IDFA/GAID, and conversion events.
7. INTERNATIONAL DATA TRANSFERS
OpenSwim operates globally and engages service providers in multiple jurisdictions. This section explains how we manage the transfer of your personal information across international borders and what protections we have implemented to ensure your data remains protected even when transferred outside the European Union. We take international data transfers very seriously and have implemented multiple legal mechanisms to ensure adequate protection.
7.1 Data Location & Transfer Mechanisms
General Principle:
We store and process data in the European Union and, when necessary, transfer data to the United States and other countries for service delivery, analytics, and legal compliance. Any international transfers are conducted in strict accordance with applicable data protection laws and use approved transfer mechanisms.
Specific Mechanisms:
For EEA/UK to US Transfers:
- We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Article 46.2(c) and UK GDPR Article 46.2(a)
- For UK data: We use the UK International Data Transfer Agreement (UK IDTA) or UK addendum to SCCs as required by UK GDPR Schedule 1, Part 1
- We implement technical and organizational safeguards for international transfers, including data minimization, encryption (in transit and at rest), and access controls
For Other Non-Adequate Jurisdictions: We rely on appropriate safeguards, including binding corporate rules (if applicable), your explicit consent, and derogations for contract performance or legal necessity.
7.2 Risk of Transfers to the United States
You acknowledge that the United States does not have a blanket adequacy decision from the European Commission for all data transfers and that U.S. law enforcement may seek access to data stored in the U.S. under legislation such as FISA or Executive Orders. While we implement safeguards, we cannot guarantee protection equivalent to EU law. By using OpenSwim, you consent to such transfers subject to the legal mechanisms described above.
7.3 Third-Party Integrations & Your Control
When you authorize third-party fitness app integrations (Strava, Garmin, Apple Health, COROS, Suunto, Polar), your data flows directly to those platforms according to their respective privacy policies and terms of service. You control these integrations and can disconnect at any time. We are not responsible for their data handling, but we maintain contractual arrangements where possible.
7.4 User Rights Regarding Transfers
If you are in the EEA/UK, you have the right to contact us with concerns regarding international transfers and request further information about applicable safeguards. Please contact us (contact@openswim.fr) to discuss alternatives or request a data transfer limitation.
8. HOW LONG WE KEEP YOUR INFORMATION
We retain personal information for as long as necessary to: provide the App and fulfill your requests, comply with legal, regulatory, or tax obligations, resolve disputes and enforce our agreements, and protect against fraud, security threats, and abuse. Data retention is carefully managed to balance your privacy interests with legitimate business needs and legal requirements. This approach ensures we do not retain your information longer than necessary while maintaining sufficient records to meet legal obligations and protect your interests and ours.
8.1 Retention Schedule
Active Account Data:
Retained while your account is active. Upon account closure, all personal information is deleted automatically, except where retention is required for legal, security, backup, dispute-resolution, or other disclosed purposes.
Workout & Activity Data:
Retained indefinitely while your account is active. Upon account closure, personal identifiers are removed; anonymized workout logs (date, distance, duration, metrics) are retained indefinitely for aggregate analytics.
Third-Party Integration Data:
Synced data from Strava, Garmin, Apple, COROS, Suunto and Polar is retained according to your third-party accounts’ retention policies. You control syncing and can disable at any time.
Support & Communication Data:
Customer support emails and correspondence are retained indefinitely (up to a maximum of 6 years after account closure, after which it will be deleted or anonymized) for dispute resolution and service improvement.
Technical & Analytics Data:
- Sentry crash logs and error reports: per Sentry’s retention policy (typically 90 days)
- Firebase Analytics logs: 2 to 14 months per Google Firebase console settings
- Airbridge attribution data: per Airbridge’s retention policy
Cookie Data:
- Session cookies (laravel_session, XSRF-TOKEN): deleted at end of session
- Locale cookie: persistent until manually cleared
- OAuth WebView cookies: related session tokens are revoked and associated server-side session data is cleared when you disconnect the integration
Backup & Archive Data:
DigitalOcean automatic database backups plus 30-day retention on QA server via custom backup script. Backup data is purged on a rolling basis.
8.2 Right to Deletion
You have the right to request deletion of your personal information, subject to legal exceptions. Please see Section 10 (Your Privacy Rights) for exercise instructions. Note that:
- Deletion of your account in App Settings will initiate automatic deletion of personal data
- Anonymized and aggregated data may be retained indefinitely
- Support emails are retained for legal and dispute resolution purposes
- Backup data may persist for up to 30 days after deletion from active systems
- Some data may be retained where required by law (tax, fraud prevention)
9. HOW WE PROTECT YOUR INFORMATION
We maintain reasonable and appropriate security measures to protect your personal information against unauthorized access, alteration, disclosure, and destruction. Security is a critical priority for OpenSwim, and we implement a multi-layered approach combining technical safeguards, organizational procedures, and vendor management practices to ensure your data remains confidential and secure throughout its lifecycle with us.
9.1 Technical Safeguards
- Encryption: Data is encrypted in transit (TLS/SSL) and at rest on our servers
- Secure Servers: Hosted on Google Firebase infrastructure with industry-standard security
- Access Controls: Role-based access controls limit employee access to personal data on a need-to-know basis
- Authentication: Multi-factor authentication available for account security
- API Security: Rate limiting, CORS protection, CSRF tokens (Laravel Sanctum XSRF-TOKEN)
9.2 Organizational Safeguards
- Security Policies: Data handling policies, incident response procedures
- Vendor Management: Contractual requirements for service providers
- Data Minimization: We limit collection and retention to what is necessary for stated purposes
- Confidentiality: All staff and vendors are bound by confidentiality obligations
9.3 Limitations & Incident Response
No Absolute Guarantee:
While we implement security best practices, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security, and you use the App at your own risk.
Breach Detection:
We monitor for breaches using Sentry (application errors and exceptions), server logs (Nginx/Apache for suspicious activity), and Laravel application logs.
Breach Notification:
If we experience a data breach that compromises your personal information, we will notify you and relevant authorities as required by GDPR (Art. 33-34), UK GDPR, French CNIL regulations, and applicable U.S. state breach notification laws within the required timeframe (typically 72 hours for GDPR).
10. YOUR PRIVACY RIGHTS
Your privacy rights depend on your jurisdiction. This section describes your rights under GDPR/UK GDPR (EEA/UK residents), U.S. state privacy laws (U.S. residents), and how to exercise them. OpenSwim is committed to honoring your privacy rights and providing you with meaningful control over your personal information. The rights outlined in this section are not mere suggestions but legal entitlements that we respect and enforce. We have implemented processes and systems to facilitate the exercise of these rights, and we handle all requests with diligence and care to ensure your rights are protected.
10.1 Privacy Rights for EEA/UK Residents
If you are located in the European Union, United Kingdom, or any jurisdiction subject to GDPR or similar laws, you have the following rights. These rights are fundamental to data protection law and reflect the principle that individuals should have meaningful control over their personal information. OpenSwim recognizes and respects these rights fully, and we have implemented procedures to respond to requests promptly and fairly. Each right is described in detail below with specific instructions on how to exercise it.
A. Right of Access
You have the right to request access to the personal information we hold about you, including: what data we collect and why, who has access to your data, how long we retain it, and your rights regarding your data.
How to Exercise:
Send a written request to contact@openswim.fr with the subject line “Data Access Request”. We will provide your data in a structured, commonly used, and machine-readable format (CSV or JSON) within 30 days.
B. Right to Rectification
You have the right to request correction of inaccurate or incomplete personal information.
How to Exercise:
Update your profile information directly in App Settings. For data we cannot correct within the App, submit a request to contact@openswim.fr with the subject line “Data Correction Request”. We will correct information within 30 days.
C. Right to Erasure / “Right to Be Forgotten”
You have the right to request deletion of your personal information, subject to legal exceptions (tax/accounting obligations, legal claims, fraud prevention).
How to Exercise:
Submit a written request to contact@openswim.fr with the subject line “Data Deletion Request”. Include details of what data you wish deleted. We will delete information within 30 days, unless we must retain it due to legal obligations or legitimate purposes. Note: Deletion of your account in App Settings will initiate an account closure process. Personal data will be deleted automatically, except as required by law.
D. Right to Restrict Processing
You have the right to request that we limit processing of your data (e.g., suspend marketing, analytics) while you dispute accuracy or lodge a complaint.
How to Exercise:
Submit a written request to contact@openswim.fr with the subject line “Data Processing Restriction Request”. Specify the restriction you seek. We will honor restrictions within 30 days, except where processing is necessary for service delivery or legal compliance.
E. Right to Data Portability
You have the right to receive a copy of your personal information in a structured, commonly used, machine-readable format and to transmit it to another controller.
How to Exercise:
Submit a request to contact@openswim.fr with the subject line “Data Portability Request”. We will provide an export (CSV, JSON) of your account data, workout records, and profile information within 30 days. We will also facilitate direct transfer to another service upon request, where technically feasible and legally required.
F. Right to Object
You have the right to object to processing of your personal information on grounds of legitimate interests, including for direct marketing.
How to Exercise:
- For Marketing: Opt out via email preferences in your account settings, or click “Unsubscribe” in marketing emails, or contact contact@openswim.fr
- For Other Processing: Submit a written objection to contact@openswim.fr with the subject line “Objection to Processing”, specifying the processing you object to and your reasons. We will cease processing within 30 days unless we demonstrate compelling legitimate interests or legal obligations.
G. Right to Human Review of Automated Decision-Making
If we make a decision based solely on automated processing that produces legal or similarly significant effects, you have the right to: obtain human review by a company representative, express your views on the decision, and request manual reconsideration.
How to Exercise:
Contact contact@openswim.fr with the subject line “Request for Human Review”. Specify the automated decision. Note: OpenSwim does not currently employ automated decision-making with legal/significant effects; this right will apply when AI training plan features are launched.
H. Right to Lodge a Complaint with a Supervisory Authority
If you believe we have violated your data protection rights, you may lodge a complaint with your national data protection authority:
- France (CNIL): Commission Nationale de l’Informatique et des Libertés. Website: www.cnil.fr. Email: plaintes@cnil.fr. Postal: CNIL, 3 Place de Fontenoy, 75007 Paris, France.
- United Kingdom (ICO): Information Commissioner’s Office. Website: www.ico.org.uk. Email: icocasework@ico.org.uk. Postal: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK.
- Other EU Member States: See https://edpb.europa.eu/about-edpb/about-edpb/members_en for links to national authorities.
I. Post-Mortem Data Rights (French Law)
Under French law, your heirs may, after your death, contact us to: request access to certain accounts and messages for archival or memorial purposes, and request deletion of your account.
How to Exercise:
Submit a request with proof of authorization (death certificate, executor documentation) to contact@openswim.fr.
J. Right to Withdraw Consent
Where processing is based on your consent (push notifications, precise geolocation, health profiling, marketing emails), you may withdraw consent at any time via account settings, by clicking “Unsubscribe” in marketing emails, or by contacting contact@openswim.fr. Withdrawal does not affect the lawfulness of processing before withdrawal.
10.2 Privacy Rights for U.S. State Residents
If you are a resident of California, Colorado, Connecticut, Utah, Virginia, Texas, or another U.S. state with applicable privacy laws, you may have certain rights regarding your personal information under those laws, depending on how those laws apply to OpenSwim and your relationship with us. These rights may include, for example, rights to access, delete, correct, or limit certain uses of your personal information, subject to applicable exceptions and limitations. OpenSwim is committed to respecting privacy rights and, where applicable, facilitating requests in accordance with relevant U.S. state privacy laws.
A. Right to Know (Access)
You may have the right to request what personal information we collect, use, disclose, and retain about you over the preceding 12 months.
Categories of PI Collected:
Identifiers, internet activity, geolocation, health information, inferences (planned), commercial information (purchases/subscriptions).
Sources:
Directly from you (registration, profile), automatically from device (analytics, cookies, SDKs), from third parties (fitness apps, service providers).
Purposes:
Contract performance, analytics, personalization, fraud prevention, legal compliance, marketing.
Categories Disclosed/Shared:
Service providers, third-party fitness apps, law enforcement (upon legal process), aggregated/de-identified data.
How to Exercise:
Submit a request to contact@openswim.fr with the subject line “Right to Know Request”. Provide sufficient information to verify your identity (name, email, account ID). We will provide your personal information within 45 days in a portable, machine-readable format.
B. Right to Delete
You may have the right to request deletion of personal information we have collected from you, subject to limited exceptions (legal obligations, fraud prevention, service delivery obligations).
How to Exercise:
Submit a request to contact@openswim.fr with the subject line “Right to Delete Request”. We will delete your information within 45 days, except: information retained for legal/tax obligations, information necessary to complete transactions you initiated, information retained for fraud, abuse, or security prevention, and aggregated or de-identified data (not linked to you).
C. Right to Correct
You may have the right to request correction of inaccurate personal information we maintain about you.
How to Exercise:
Update your profile in App Settings, or submit a request to contact@openswim.fr with the subject line “Right to Correct Request”. We will correct information within 45 days.
D. Right to Opt-Out of Sale & Sharing
You may have the right to direct us not to sell or share your personal information. While we do not sell personal information for monetary compensation, we engage in “sharing” (as defined under applicable laws) of personal information with third-party advertising partners for the purpose of cross-context behavioral advertising and performance attribution.
How to Exercise:
Submit an opt-out request to contact@openswim.fr with the subject line “Opt-Out Request”. We will process and confirm the opt-out request within 15 days.
E. Right to Limit Use of Sensitive Personal Information (CPRA)
If we collect sensitive personal information (health data, precise geolocation), you may have the right to limit our use of such information to what is necessary to provide the services you request.
Categories of Sensitive PI Collected:
Health information (workout metrics, heart rate, calories) and precise geolocation (during workouts, if location permission granted).
How to Exercise:
Submit a request to contact@openswim.fr with the subject line “Limit Sensitive PI Request”. Specify which sensitive PI uses you wish to limit. We will comply within 45 days and will use sensitive PI only for disclosed service purposes.
F. Right to Non-Discrimination
We will not discriminate against you for exercising your privacy rights. Specifically, we will not: deny goods or services, charge different prices or rates, provide different quality of service, or retaliate or penalize you.
G. Authorized Agent (Minors & Power of Attorney)
If you are a minor (under 18 in some states, under 13 in others), or if you appoint an authorized agent, they may submit privacy requests on your behalf. Authorized agents must provide proof of authority (legal documentation, power of attorney), provide their own identity verification, and submit requests in writing to contact@openswim.fr with the subject line “[Authorized Agent] Privacy Request.” We will verify the agent’s authority before processing the request.
H. Appeal Process
If we deny your privacy request, you may have the right to appeal our decision.
How to Appeal:
1. Submit a written appeal to contact@openswim.fr with the subject line “Privacy Request Appeal”.
2. Specify the original request, our denial reason, and why you believe the denial was incorrect.
3. We will review your appeal and issue a final decision within 45 days.
4. You may also contact your state attorney general or file a complaint with your state’s privacy authority.
10.3 How to Exercise Your Rights
Submission Methods:
- Email: contact@openswim.fr (subject line should specify request type: “Data Access,” “Data Deletion,” “Data Correction,” “Limit Sensitive PI,” “Appeal,” etc.)
- In-App: Account Settings > Privacy (when available)
- Postal Mail: SSO Active, 12 rue Fernand Léger, 91440 Bures-sur-Yvette, France (marked “Privacy Request”)
Verification of Identity:
To protect your privacy and security, we will verify your identity before processing privacy requests. We may ask for: your account email and username, last four digits of payment method (if applicable), and other information tied to your account.
Response Timelines:
- EEA/UK: We aim to respond within 30 days of receipt. Complex requests may be extended by 60 days with notice.
- U.S. States: We aim to respond within 45 days of receipt.
We will notify you in writing (email or in-app) of our decision, including any denial reasons and appeal options.
Assistive Technology:
If you have accessibility needs, please inform us in your request, and we will provide your data in an accessible format.
Nothing in this Section 10 is intended to state that any particular U.S. state privacy law currently applies to OpenSwim in all circumstances; rather, OpenSwim provides this notice to describe rights that may be available where applicable.
11. CHILDREN’S PRIVACY
OPENSWIM IS INTENDED FOR USERS AGED 18 AND OLDER ONLY. We do not knowingly collect personal information from individuals under 18 years of age, in compliance with our Terms of Service and applicable law (including COPPA in the United States). Protecting children’s privacy is a fundamental principle that guides our operations. We take a proactive approach to preventing unauthorized access to our platform by minors and implement multiple safeguards to ensure compliance with applicable child protection laws in all jurisdictions where we operate.
What We Do:
- No Knowing Collection: We do not solicit or intentionally collect information from children under 18. Our Terms of Service (Section 4.4) require users to confirm they are 18 or older.
- Parental Safeguards: If a parent or guardian becomes aware that a minor has created an OpenSwim account, they should contact us immediately at contact@openswim.fr for account deletion.
If We Discover a Minor User:
If we discover that a minor has created an account: 1. We will immediately suspend or delete the account. 2. We will delete all associated personal information within 30 days, subject to legal obligations. 3. We will attempt to notify the account holder or parent/guardian.
U.S. COPPA Compliance:
OpenSwim does not knowingly collect, use, or disclose personal information from children under 13 years of age in the U.S., in compliance with the Children’s Online Privacy Protection Act (COPPA). If we discover a child under 13 has provided personal information, we will delete it and notify the child’s parent/guardian.
Questions About Child Privacy:
If you are a parent or guardian concerned about your child’s data privacy on OpenSwim, please contact us at contact@openswim.fr with details, and we will address your concerns promptly.
12. AUTOMATED DECISION-MAKING AND PROFILING
This section addresses our use of artificial intelligence and automated decision-making systems. As AI technologies become more prevalent, transparency and user control are essential. OpenSwim is committed to using AI responsibly and ethically, with appropriate safeguards to protect your rights and interests.
Current Status:
OpenSwim does not currently employ automated profiling or automated decision-making that produces legal or similarly significant effects.
Planned Development:
We are developing AI-driven personalized training plans that will analyze your workout data, goals, and performance history to:
- Recommend training programs tailored to your fitness level and objectives
- Suggest workouts based on your historical preferences and performance
- Predict your fitness progress and set realistic training targets
- Generate personalized insights and analytics dashboards
How It Will Work:
When you log workouts and set goals, our system will analyze patterns and fitness data to generate recommendations. This analysis will not result in a legal or similarly significant decision (such as account suspension or eligibility changes); rather, it is intended to personalize your experience. You will retain full control and may:
- Accept or reject any recommendation
- Modify your profile, goals, or preferences to change future recommendations
- Disable personalization features in account settings
- Request human review of any recommendation
Your Rights:
You may have the right to obtain a human explanation of any profiling decision and to contest the profiling. To request human review, contact contact@openswim.fr with the subject line “Request Human Review of Profiling.”
GDPR Art. 22 Compliance:
Profiling recommendations will not constitute automated decision-making with legal/significant effects, as no binding decisions are made solely by automated means. However, if you object to profiling, you may opt out via account settings.
13. THIRD-PARTY LINKS AND SERVICES
The OpenSwim App and Website may contain links to external websites and services (fitness tracking platforms, social media, external trainers, event organizers, etc.). This Privacy Policy covers only OpenSwim and does not apply to third-party services. While we carefully select our integration partners and conduct due diligence on their privacy practices, we cannot control how third parties handle your personal information once it leaves our platform. We encourage you to review their privacy policies independently and exercise caution when sharing information with external services.
Your Responsibilities:
- Review Third-Party Policies: We encourage you to review the privacy policies of any third-party services before linking your accounts or providing information
- No Control Over Third Parties: We do not control third-party privacy practices and are not responsible for their data handling
- Integrations: When you authorize OpenSwim to integrate with Strava, Garmin, Apple, COROS, Suunto or Polar, your data is governed by those platforms’ privacy policies
Third-Party Fitness Integrations:
OpenSwim explicitly supports integrations with: Strava, Garmin Connect, Apple Health & Apple Watch, COROS, Suunto and Polar.
When you authorize these integrations, you grant OpenSwim permission to: receive your fitness data from the third-party platform (via API), share your OpenSwim workout data with the third-party platform, and sync and display third-party data within OpenSwim.
You control integrations entirely: You can connect or disconnect integrations at any time in your App Settings. Disconnecting an integration will stop data syncing; previously synced data may remain in OpenSwim (you can request deletion separately).
Embedded Content:
The App and Website may embed content (videos, images, promotional material) from third parties. Such embedded content may include tracking pixels, cookies, or scripts. We do not control third-party tracking; review their privacy policies as needed.
14. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Our commitment to transparency extends to how we communicate changes to this Privacy Policy. We recognize that you need to understand how our practices may evolve, and we are committed to providing you with clear notice and, where required by law, obtaining your consent before material changes take effect. We will notify you of material changes by:
- Email Notification: Sending an email to your registered account address (if significant changes)
- In-App Notification: Displaying a prominent notification within the App
- Website/App Notice: Posting the updated policy on the App and Website with a clear “Last Updated” date
- User Consent (if required): Requesting your affirmative consent to material changes before your continued use of the App
Effective Date:
The effective date of this Privacy Policy is listed at the top. If we make changes, we will update this date.
Your Rights Upon Changes:
If you do not agree with material changes, you may discontinue your use of OpenSwim. Your continued use constitutes acceptance of updated terms.
15. CONTACT US
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us using the methods provided below. We value your feedback and inquiries regarding privacy matters and are committed to responding promptly and thoroughly. Whether you have a question about how we handle your data, wish to exercise a privacy right, or want to report a concern, our team is ready to assist you. We have implemented procedures to ensure your inquiries are handled professionally and confidentially.
SSO Active (OpenSwim)
Email:
contact@openswim.fr
Postal Address:
12 rue Fernand Léger, 91440 Bures-sur-Yvette, France
Response Timelines:
- We will acknowledge your request within 5 business days
- We will provide a substantive response within 30 days (EEA/UK) or 45 days (U.S. states), or notify you of reasonable extensions
Data Protection Officer:
SSO Active has determined that the appointment of a Data Protection Officer is not required under Article 37 GDPR at this time. For all privacy inquiries, please contact us at contact@openswim.fr.
***END OF PRIVACY POLICY***