GDPR Compliance

Data Controller

SkyFlight d.o.o. headquartered in Zagreb, Ulica Tome Blažeka 14, is the data controller responsible for processing your personal data through our platform.

Data We Collect

We collect and process the following types of personal data:

• Personal identification information for clients (name, email)
• Health data related to physiotherapy exercises and rehabilitation
• Usage data and analytics from mobile application and web platform
• Heart rate and health metrics from connected smartwatches (Diamond package only)

Legal Basis for Processing

We process your data based on:

• Your explicit consent for processing health data
• Performance of contract for providing physiotherapy services
• Legitimate interests in improving our AI algorithms
• Legal obligations for maintaining medical records

Your Rights

Under GDPR, you have the following rights:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ('right to be forgotten')
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent at any time
• Right to lodge a complaint with a supervisory authority

Data Security

We implement appropriate technical and organizational measures including:

• End-to-end encryption for all health data
• Regular security audits and penetration testing
• Access controls and authentication protocols
• Secure data centers within the EU
• Employee training on data protection

Data Retention

We retain your data for as long as necessary to provide services and fulfill legal obligations. Medical records are kept for 10 years as required by Croatian law.

International Transfers

All data is stored and processed within the European Union. We do not transfer personal data outside the EU/EEA without appropriate safeguards.

Contact Data Protection Officer

For all questions regarding your data protection rights, contact our DPO at: legal@fitep.eu