Privacy Policy

Effective Date: April 8, 2026

Last Updated: April 8, 2026

Caliplaces s.r.o. ("we," "us," "our," or "Caliplaces") is committed to protecting your privacy and ensuring you have a positive experience on our websites (caliplaces.com and caliplaces.app) and mobile application (collectively, the "Service"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have concerning your information.

We comply with the General Data Protection Regulation (GDPR), the Czech Act No. 110/2019 Coll., on Personal Data Processing, the UK General Data Protection Regulation, the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), the Brazilian General Data Protection Law (LGPD), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable data protection laws in the jurisdictions where we operate.

If you have questions about this Privacy Policy or our data practices, please contact us at privacy@caliplaces.com or legal@caliplaces.com.

Table of Contents

  1. Data Controller Information
  2. Data Protection Officer & Contact
  3. What Personal Data We Collect
  4. Purposes and Legal Bases for Processing
  5. Detailed Data Flow Tables
  6. Recipients and Data Sharing
  7. Sub-Processors List
  8. Data Retention Periods
  9. International Data Transfers
  10. Your Data Subject Rights
  11. Automated Decision-Making
  12. Cookies and Tracking Technologies
  13. Data Security Measures
  14. Regional Rights and Notices
  15. Children's Privacy
  16. Trainers as Data Processors
  17. Changes to This Privacy Policy

1. Data Controller Information

Caliplaces is the data controller responsible for your personal data. Our details are:

Company Name: Caliplaces s.r.o.

Jurisdiction: Czechia

Company Registration Number (IČO): 23311207

Tax Identification Number (DIČ): CZ23311207

Registered Address: Uralská 689/7, Bubeneč (Praha 6), 160 00 Praha

Supervisory Authority: Úřad pro ochranu osobních údajů (ÚOOÚ), Czech Data Protection Authority

2. Data Protection Officer & Contact Information

If you have any questions, requests, or complaints regarding this Privacy Policy or our processing of your personal data:

Privacy & Legal Team:

Email: privacy@caliplaces.com

Email: legal@caliplaces.com

Response Time: We aim to respond to all inquiries within 30 days.

Note: For Data Subject Access Requests (DSARs) and other formal requests under GDPR Art. 15-22, please include "GDPR Request" in your subject line.

3. What Personal Data We Collect

3.1 Information You Provide Directly

| Data Category | Specific Data Points |
| --- | --- |
| Account Registration | Email address, full name, profile picture, date of birth (optional), phone number (optional), preferred language, password hash (held by Clerk) |
| Profile & Preferences | Bio, fitness level, interests, location preferences, availability, trainer specialization (if applicable), certifications, rates/pricing |
| Booking & Session Data | Booked session details, session date/time, location, duration, trainer/trainee information, session notes, cancellation reasons |
| Payment Information | Payment method details (tokenized via Stripe/Stripe Connect), billing address, invoice history, subscription status (via RevenueCat) |
| Messaging & Communication | Messages between users, chat history, feedback/reviews, ratings, support inquiries, push notification preferences |
| Identity & Verification | Government-issued ID (optional for trainers), tax information for trainers, business registration details (for trainers) |
| Location Data | Precise GPS coordinates (via expo-location), background location tracking (optional, with permission), address/venue information from Mapbox/Google Maps |
| Media & Files | Profile photos, session photos (optional), workout videos, certification documents (for trainers), progress photos (optional) |

3.2 Information Collected Automatically

| Data Category | Specific Data Points |
| --- | --- |
| Device Information | Device type, OS version, app version, unique device identifier, mobile network information |
| Usage & Analytics | Pages visited, features used, session duration, click patterns, search queries, feature interactions (via PostHog) |
| Performance & Crash Data | App crashes, error logs, performance metrics, stack traces (via Sentry) |
| Network Data | IP address, browser/app user agent, referrer URL, connection type |
| Cookies & Tracking | Session cookies, analytics cookies, preference cookies, third-party tracking identifiers |
| Inferred Data | Derived insights about interests, location patterns, usage behavior, predictive analytics |

3.3 Information from Third Parties

  • Clerk: Authentication provider shares email, name, profile picture, phone number, and authentication events
  • Stripe & Stripe Connect: Payment processor shares transaction history, payment status, and verification information for trainers
  • RevenueCat: In-app subscription service shares subscription status, renewal dates, and app usage metrics
  • Mapbox & Google Maps: Location service shares geocoded address information, place names, and routing data
  • Social Networks: If you link your profile (optional), we receive basic public profile information
  • Other Users: Reviews, ratings, and messages from other Caliplaces users
  • Third-Party APIs: Weather API for session location context; TripAdvisor integration (optional) for trainer recommendations

4. Purposes and Legal Bases for Processing

Under GDPR Article 6, we process your personal data on one or more of the following legal bases:

A. Contract (Art. 6(1)(b) GDPR)

Processing is necessary to perform the service agreement with you:

  • Creating and maintaining your account
  • Processing bookings and session reservations
  • Facilitating payments and payouts (Stripe, RevenueCat)
  • Enabling real-time messaging between users (Pusher)
  • Delivering session notifications and updates
  • Providing customer support and resolving disputes
  • Issuing invoices and maintaining tax records

B. Legal Obligation (Art. 6(1)(c) GDPR)

We are required by law to process your data:

  • Maintaining accounting records (Czech Act No. 563/1991 Coll., on Accounting, as amended)
  • Tax compliance and reporting (Czech tax law)
  • Anti-money laundering (AML) verification for high-value transactions
  • Digital Services Act (DSA) compliance for EU traders (record-keeping, identity verification)
  • Payment processor obligations (PSD2 for EEA)
  • Responding to lawful government requests and legal proceedings

C. Legitimate Interests (Art. 6(1)(f) GDPR)

We process data to pursue our or your legitimate interests:

  • Fraud Prevention & Security: Detecting and preventing unauthorized access, payment fraud, booking fraud, and platform abuse
  • Service Improvement: Analyzing usage patterns, A/B testing, feature optimization, performance monitoring (PostHog, Sentry)
  • Platform Safety: Enforcing Terms of Service, preventing harassment, maintaining community standards
  • Business Analytics: Understanding market trends, trainer demand, user preferences, financial forecasting
  • Marketing & Engagement: Sending service announcements, promotional content (if opted in), re-engagement campaigns
  • Technical Operations: System administration, backup, disaster recovery, load balancing
  • Balancing Test: These interests do not override your fundamental rights, and you retain the right to object (Art. 21 GDPR)

D. Consent (Art. 6(1)(a) GDPR)

Where consent is required, we collect explicit opt-in:

  • Non-essential cookies and tracking technologies (analytics, session replay)
  • Push notifications (beyond transactional notifications)
  • Marketing emails and promotional communications
  • Background location tracking (beyond one-time session location)
  • Session recording and feature flag testing (PostHog)
  • Sharing data with third-party integrations (TripAdvisor, social networks)

5. Detailed Data Flow Tables

5.1 User Authentication & Account Data

| Data Category | Specific Data | Purpose | Legal Basis | Retention |
| --- | --- | --- | --- | --- |
| Authentication | Email, password hash, session tokens | Account access, security | Contract (Art. 6(1)(b)) | Duration of account + 7 years (AML) |
| Profile Information | Name, profile picture, bio, fitness level | Account creation, profile display | Contract (Art. 6(1)(b)) | Duration of account |
| Contact Details | Email, phone number, address | Service delivery, notifications, contact | Contract (Art. 6(1)(b)) | Duration of account |
| Account History | Login timestamps, account changes, activity log | Security, fraud detection, audit | Legitimate Interest (Art. 6(1)(f)) | 3 years |

5.2 Booking & Session Data

| Data Category | Specific Data | Purpose | Legal Basis | Retention |
| --- | --- | --- | --- | --- |
| Session Booking | Trainer ID, trainee ID, date, time, duration, location, price | Session management, scheduling, confirmation | Contract (Art. 6(1)(b)) | 3 years (dispute resolution) |
| Session Location | GPS coordinates, address, venue name, maps data | Location mapping, route optimization, session context | Contract (Art. 6(1)(b)) | Duration of booking + 30 days |
| Session Notes & Progress | Exercise details, reps, sets, notes, performance data | Training progress tracking, record-keeping | Contract (Art. 6(1)(b)) | Duration of booking relationship + 1 year |
| Cancellations & Disputes | Cancellation reason, timestamp, refund status, dispute notes | Dispute resolution, refund processing, fraud detection | Contract (Art. 6(1)(b)) / Legitimate Interest (Art. 6(1)(f)) | 3 years |

5.3 Payment & Financial Data

| Data Category | Specific Data | Purpose | Legal Basis | Retention |
| --- | --- | --- | --- | --- |
| Payment Method | Card token (via Stripe), billing address, cardholder name | Processing payments, refunds | Contract (Art. 6(1)(b)) | Until account deletion (payment processor stores tokens) |
| Transaction History | Amount, date, payment status, transaction ID, invoice number | Accounting, billing, dispute resolution | Contract (Art. 6(1)(b)) / Legal Obligation (Art. 6(1)(c)) | 7 years (Czech tax law) |
| Subscription Status (RevenueCat) | Subscription tier, renewal date, auto-renewal status, cancellation date | Subscription management, access control | Contract (Art. 6(1)(b)) | Duration of subscription + 1 year |
| Trainer Payouts (Stripe Connect) | Bank account details, tax ID, commission calculations, payout history | Trainer compensation, AML verification, tax reporting | Contract (Art. 6(1)(b)) / Legal Obligation (Art. 6(1)(c)) | 7 years (tax records) |
| AML & KYC Data | Government ID (for verification), verification status, risk assessment | Anti-money laundering compliance, fraud prevention | Legal Obligation (Art. 6(1)(c)) | 7 years |

5.4 Location & Mapping Data

| Data Category | Specific Data | Purpose | Legal Basis | Retention |
| --- | --- | --- | --- | --- |
| Precise Location (expo-location) | Latitude, longitude, accuracy, altitude, heading, speed | Session location mapping, trainer discovery | Contract (Art. 6(1)(b)) | Duration of session + 30 days |
| Background Location (optional) | Periodic GPS updates during active sessions | Real-time trainer location, session tracking (with explicit permission) | Consent (Art. 6(1)(a)) | During active session only |
| Trainer Profile Location | Service areas, primary training locations | Trainer discoverability, service area filtering | Contract (Art. 6(1)(b)) | Duration of trainer profile |
| Geocoding & Reverse Geocoding | Address, place names, venue details (via Mapbox/Google) | Location display, session context, search functionality | Contract (Art. 6(1)(b)) | As long as the associated session/profile exists |
| Location History | Aggregated session locations over time | Analytics, area-based insights, trainer demand mapping | Legitimate Interest (Art. 6(1)(f)) | 1 year (anonymized thereafter) |

5.5 Communications & Messaging Data

| Data Category | Specific Data | Purpose | Legal Basis | Retention |
| --- | --- | --- | --- | --- |
| Direct Messages (Pusher) | Message content, timestamps, sender/recipient IDs, message status | User-to-user communication, session coordination | Contract (Art. 6(1)(b)) | 6 months after account deletion or conversation end |
| Push Notifications | Device tokens, notification send logs, delivery status, engagement metrics | Sending notifications, tracking delivery | Contract (Art. 6(1)(b)) / Consent (Art. 6(1)(a)) | 30 days (for delivery logs) |
| Email Communications (Resend) | Email addresses, email content, delivery status, open rates, click data | Service notifications, marketing, updates (with consent) | Contract (Art. 6(1)(b)) / Consent (Art. 6(1)(a)) | 2 years (transactional), 1 year (marketing) |
| Ratings & Reviews | Rating score, review text, timestamp, reviewer ID, response from rated party | Trainer/trainee reputation, service quality feedback | Contract (Art. 6(1)(b)) / Legitimate Interest (Art. 6(1)(f)) | 5 years (for dispute resolution and platform integrity) |
| Support Tickets | Issue description, support correspondence, attachments, resolution status | Customer support, dispute resolution, quality improvement | Contract (Art. 6(1)(b)) / Legitimate Interest (Art. 6(1)(f)) | 3 years (dispute resolution threshold) |

5.6 Analytics, Usage & Performance Data

| Data Category | Specific Data | Purpose | Legal Basis | Retention |
| --- | --- | --- | --- | --- |
| Event Analytics (PostHog, EU) | Feature usage, page views, button clicks, session flow, user actions, experiment assignments | Product analytics, feature optimization, A/B testing, user journey understanding | Legitimate Interest (Art. 6(1)(f)) | 1 year (aggregated data retained longer) |
| Session Replay (PostHog) | Screen recording, mouse movements, keyboard input, scroll position, form interactions | Debugging, UX research, performance optimization (only with explicit consent) | Consent (Art. 6(1)(a)) | 30 days |
| Feature Flags (PostHog) | Assigned feature variants, experimental groups, rollout status | Controlled feature rollout, A/B testing, gradual release | Legitimate Interest (Art. 6(1)(f)) | Duration of feature experiment + 30 days |
| Crash Reports (Sentry) | Error stack traces, device info, OS version, app version, user ID (hashed) | Bug identification, app stability monitoring, performance optimization | Legitimate Interest (Art. 6(1)(f)) | 90 days |
| Device & Network Metadata | Device type, OS, app version, IP address, connection type, browser/app user agent | Compatibility tracking, performance analysis, fraud detection | Legitimate Interest (Art. 6(1)(f)) | 1 year |

6. Recipients and Data Sharing

Your personal data may be shared with the following categories of recipients:

6.1 Service Providers (Sub-Processors)

We share data with the following third-party service providers who process data on our behalf under Data Processing Agreements (DPAs):

  • Clerk (Authentication): Email, name, phone number, profile picture, authentication events
  • Stripe & Stripe Connect (Payments): Payment information, transaction history, payout details, trainer identity verification
  • RevenueCat (Subscriptions): Subscription status, renewal dates, app usage metrics, iOS/Android receipt data
  • PostHog (Analytics - EU Instance): Event data, user IDs (anonymized), session information, feature flag assignments, device metadata
  • Sentry (Error Monitoring): Crash reports, error stack traces, device information, app version
  • Pusher (Real-time Messaging - EU Cluster): Message content, user IDs, connection metadata, delivery logs
  • Mapbox & Google Maps (Location Services): GPS coordinates, addresses, venue information, geocoding requests
  • Expo Notifications & Firebase Cloud Messaging: Device tokens, notification content, delivery status
  • Resend (Email Service): Email addresses, email templates, send/open/click logs
  • Cloudflare R2 (File Storage): File uploads, user-uploaded images and documents
  • Tolgee (Translation Management): No user personal data; only translation strings and application content
  • Vercel (Hosting - Frontend): No user personal data stored; server logs may contain IP addresses and user agents
  • Weather API (Optional): Location data to provide session-relevant weather information
  • TripAdvisor (Optional Integration): Trainer details for third-party recommendations (only if explicitly enabled)

6.2 Other Users on Caliplaces

When you use our Service, certain information is visible to other users:

  • Public Profile Information: Your name, profile picture, trainer specialization (if applicable), bio, ratings, and reviews are visible to all users
  • Ratings & Reviews: Your reviews of trainers and reviews left about you are visible to other users, associated with your name
  • Trainer Profiles: For trainers, service areas, experience level, certifications, and rates are public
  • Messaging: Direct messages are only visible to the sender and recipient
  • Location During Booking: The general session location is shared with the other party (trainer/trainee) for coordination

6.3 Trainers as Data Processors

When you book a session with a trainer, you are sharing personal information with that trainer. Trainers are data processors under Art. 28 GDPR and are bound by our Data Processing Agreement to use your data only for delivering the training service. See Section 16 for more details.

6.4 Legal Authorities & Compliance

We may disclose your personal data when required by law or in response to:

  • Court orders or legal proceedings
  • Requests from law enforcement agencies
  • Compliance with tax authorities (Czech, EU, and other relevant jurisdictions)
  • Regulatory investigations by data protection authorities
  • Anti-money laundering (AML) compliance obligations
  • DSA (Digital Services Act) compliance for EU traders

We will only disclose the minimum necessary data and will notify you of such disclosures unless legally prohibited from doing so.

6.5 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred as part of that transaction. We will provide you with notice of any such change and any choices you may have regarding your data.

7. Sub-Processors List

The following is a comprehensive list of all sub-processors who have access to personal data:

| Sub-Processor | Category | Purpose | Location | Data Agreement |
| --- | --- | --- | --- | --- |
| Clerk | Authentication | User authentication, identity management | USA (SOC 2) | DPA + SCCs |
| Stripe, Inc. | Payment Processing | Payment processing, payout management | USA (SOC 2, PCI DSS Level 1) | DPA + SCCs |
| Stripe Connect | Trainer Payouts | Trainer compensation, identity verification | USA (SOC 2, PCI DSS Level 1) | DPA + SCCs |
| RevenueCat, Inc. | Subscription Management | In-app subscription processing, renewal management | USA (SOC 2 Type II) | DPA + SCCs |
| PostHog, Inc. | Analytics (EU Instance) | Event tracking, feature flags, session replay | EU (eu.i.posthog.com) | DPA |
| Sentry.io | Error Monitoring | Crash reporting, error tracking | USA (SOC 2 Type II) | DPA + SCCs |
| Pusher Limited | Real-time Messaging | User-to-user messaging, real-time updates (EU cluster) | EU (UK-based, EU infrastructure) | DPA |
| Mapbox, Inc. | Location Services | Maps, geocoding, location display | USA (SOC 2) | DPA + SCCs |
| Google Maps / Google Cloud | Location Services | Maps, geocoding, reverse geocoding | USA (Google Cloud) | DPA + SCCs |
| Expo (Expo Notifications) | Push Notifications | Push notification delivery | USA | DPA + SCCs |
| Google Firebase Cloud Messaging | Push Notifications | Push notification delivery (Android) | USA (Google Cloud) | DPA + SCCs |
| Resend | Email Service | Transactional and marketing emails | USA | DPA + SCCs |
| Cloudflare, Inc. | File Storage (R2) | File uploads, user images, documents | EU | DPA + SCCs |
| Vercel Inc. | Hosting | Website hosting and deployment | USA (with EU edge) | DPA + SCCs |
| Tolgee, s.r.o. | Translation Management | Application content translation (no user personal data) | Czech Republic | N/A (no personal data) |
| Weather API (Optional) | Weather Data | Location-based weather information | Varies (check documentation) | DPA (if used) |
| TripAdvisor (Optional) | Third-party Integration | Trainer recommendations and reviews (if enabled) | USA | DPA + SCCs (if used) |

Note: All sub-processors listed above have executed Data Processing Agreements (DPAs) with Caliplaces. For sub-processors located outside the EEA, Standard Contractual Clauses (SCCs) are in place to ensure adequate safeguards (see Section 9).

8. Data Retention Periods

We retain your personal data only as long as necessary to provide the Service, comply with legal obligations, and resolve disputes. Below are our standard retention periods by data category:

Account & Authentication Data

Retention: Duration of account + 7 years for AML/tax compliance

Upon account deletion, we delete your account data within 30 days, except where retention is required by law.

Session & Booking Data

Retention: 3 years for dispute resolution

Booking records are retained for 3 years to resolve disputes, refund claims, and chargebacks.

Payment & Financial Data

Retention: 7 years

Transaction records are retained for 7 years under Czech tax law and AML regulations.

Location Data

Retention: 30 days for active sessions; background location deleted upon session end

Precise location during sessions is deleted 30 days after session completion. Background location is deleted immediately after session ends.

Messages & Communications

Retention: 6 months after conversation end or account deletion

Direct messages are retained for 6 months after the last message in a conversation or account deletion.

Ratings & Reviews

Retention: 5 years

Reviews are retained for 5 years to maintain platform integrity and enable dispute resolution.

Analytics & Behavioral Data

Retention: 1 year (aggregated data retained longer)

Event-level analytics are retained for 1 year. Aggregated, anonymized insights are retained indefinitely.

Crash & Error Logs

Retention: 90 days

Error logs and crash reports are retained for 90 days for debugging and performance analysis.

Support & Dispute Records

Retention: 3 years

Support tickets and correspondence are retained for 3 years for dispute resolution and service improvement.

Deletion Process: When data retention periods expire, we use technical and organizational measures to permanently delete or irreversibly anonymize the data. In some cases, we may retain pseudonymized or aggregated data that cannot identify you. If you request data deletion under GDPR Art. 17 (Right to Erasure), we will process your request as described in Section 10.

9. International Data Transfers

9.1 Overview

Caliplaces is an EU-based company incorporated in Czechia. However, some of our sub-processors are located in the United States and other jurisdictions outside the European Economic Area (EEA). These jurisdictions may not have data protection laws equivalent to the GDPR. To ensure your data is adequately protected, we have implemented legal mechanisms described below.

9.2 Standard Contractual Clauses (SCCs)

For data transfers outside the EEA/UK, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission under Commission Decision 2021/914. These clauses are incorporated into Data Processing Agreements (DPAs) with all our US-based sub-processors, including:

  • Clerk (Authentication)
  • Stripe & Stripe Connect (Payments)
  • RevenueCat (Subscriptions)
  • Sentry (Error Monitoring)
  • Mapbox (Maps)
  • Google Cloud (Google Maps, Firebase)
  • Expo (Notifications)
  • Resend (Email)
  • Cloudflare (File Storage)
  • Vercel (Hosting)

9.3 Supplementary Safeguards

In addition to SCCs, we have implemented supplementary technical and organizational measures to protect against unlawful government access in third countries:

  • Data Minimization: We only transfer the minimum personal data necessary to provide the Service
  • Encryption in Transit: All data transfers use TLS (HTTPS); plaintext HTTP and legacy SSL are not used
  • Encryption at Rest: Sensitive data (payments, messages) is encrypted at rest where applicable
  • Sub-processor Audits: We verify our sub-processors' security certifications (SOC 2, ISO 27001) annually
  • Data Processing Agreements: All SCCs include mandatory provisions regarding government access and our right to challenge unlawful requests
  • Transparency Reports: We track government data requests and publish transparency reports when legally permitted

9.4 EU-to-UK Transfers

For transfers from the EEA to the United Kingdom, which is not part of the EEA, we rely on the European Commission's adequacy decision for the UK (Commission Implementing Decision (EU) 2021/1772), with SCCs as a fallback mechanism. UK-based sub-processors (e.g., Pusher) are subject to the UK GDPR and the Data Protection Act 2018, which are closely aligned with the GDPR.

9.5 Your Rights Regarding International Transfers

You have the right to request information about international transfers of your personal data and the safeguards in place. You may also object to transfers of your data outside the EEA. To exercise these rights, contact us at privacy@caliplaces.com.

9.6 Relevant Legal Framework

  • GDPR Chapter V (Articles 44-50): International transfers
  • Commission Implementing Decision (EU) 2021/914: Standard contractual clauses for transfers of personal data to third countries
  • Commission Implementing Decision (EU) 2021/1772: Adequacy decision for the United Kingdom
  • CJEU Judgment in Schrems II (C-311/18): Requirements for supplementary safeguards
  • UK GDPR Chapter V: UK transfer mechanisms
  • UK adequacy regulations: For onward transfers from the UK to third countries

10. Your Data Subject Rights

Under GDPR Articles 15-22 and similar laws in other jurisdictions, you have the following rights regarding your personal data:

Art. 15 GDPR: Right of Access (Subject Access Request)

You have the right to request access to your personal data that we hold, including a copy in machine-readable format.

How to exercise: Email privacy@caliplaces.com with the subject "GDPR Art. 15 Request"

Response time: 30 days (may be extended by up to two further months for complex or numerous requests, as permitted by Art. 12(3) GDPR; we will tell you within the first month if an extension is needed)

Art. 16 GDPR: Right to Rectification

You have the right to correct inaccurate or incomplete personal data. You can update your profile information directly through the Service, or request our assistance.

How to exercise: Update your profile directly in the app/website, or email privacy@caliplaces.com

Art. 17 GDPR: Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data, subject to certain exceptions (e.g., legal obligations, dispute resolution, fraud prevention).

What we delete: Account profile, messages, session notes, location history (after retention period)

What we retain: Transaction records (7 years - tax law), booking history (3 years - dispute resolution)

How to exercise: Email privacy@caliplaces.com with the subject "GDPR Art. 17 Request"

Response time: 30 days

Art. 18 GDPR: Right to Restrict Processing

You have the right to restrict processing of your personal data in certain circumstances (e.g., while we verify the accuracy of your data, or while you object to processing).

How to exercise: Email privacy@caliplaces.com with the subject "GDPR Art. 18 Request"

Response time: 30 days

Art. 20 GDPR: Right to Data Portability

You have the right to receive your personal data in a structured, commonly-used, machine-readable format and transmit it to another service provider.

Format: JSON, CSV, or similar standard format

How to exercise: Email privacy@caliplaces.com with the subject "GDPR Art. 20 Request"

Response time: 30 days

Art. 21 GDPR: Right to Object

You have the right to object to processing of your personal data for legitimate interests, marketing, and profiling purposes.

What you can object to:

  • Marketing communications (you can unsubscribe from email marketing via the link in emails)
  • Analytics and behavior tracking (PostHog, session replay)
  • Profiling for legitimate business interests
  • Automated decision-making (see Section 11)

How to exercise: Email privacy@caliplaces.com with the subject "GDPR Art. 21 Request"

Response time: 30 days

Art. 22 GDPR: Right Against Automated Decision-Making

You have the right not to be subject to automated decision-making that produces legal or similarly significant effects. See Section 11 for details on our automated processing.

Right to Lodge a Complaint

If you believe we have violated your data protection rights, you have the right to lodge a complaint with your supervisory authority:

For EEA residents: Úřad pro ochranu osobních údajů (ÚOOÚ), Czech Republic: www.uoou.cz (our lead supervisory authority), or the supervisory authority in the EU member state where you live or work (Art. 77 GDPR)

For UK residents: Information Commissioner's Office (ICO): www.ico.org.uk

For other jurisdictions: Your local data protection authority

How to Submit Requests: All data subject access requests should be submitted in writing to privacy@caliplaces.com. Please include sufficient information for us to identify you (e.g., email address, account ID). We may request additional information to verify your identity for security purposes.

No Charge: We will not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive. We will inform you of any fees before processing your request.

11. Automated Decision-Making

Caliplaces employs automated decision-making and profiling in the following contexts, as permitted under GDPR Article 22:

11.1 Fraud Detection

We use automated tools to detect fraudulent activity, including:

  • Detection of suspicious payment patterns or unusually high transaction volumes
  • Identification of potentially fraudulent bookings or account creation
  • Automated flagging of accounts for manual review if fraud risk is detected

Legal Basis: Legitimate Interest (Art. 6(1)(f)) and Contract (Art. 6(1)(b)) - fraud prevention is necessary to protect the Service and other users.

Your Rights: If your account is flagged or suspended due to automated fraud detection, we will review the decision manually and provide you with an explanation. You have the right to appeal such decisions by contacting us.

11.2 Trainer Recommendations & Matching

We use algorithms to recommend trainers based on:

  • Your search history and filters
  • Trainer ratings and availability
  • Location proximity
  • Your fitness preferences and interests
  • Similar users' booking patterns

Legal Basis: Legitimate Interest (Art. 6(1)(f)) and Contract (Art. 6(1)(b)) - recommendations improve your Service experience.

Your Rights: You can view, filter, and override recommendations. You are not required to book the recommended trainers.

11.3 Dynamic Pricing & Surge Pricing

We may use automated systems to adjust pricing based on demand, supply, and market conditions. This does not include price discrimination based on protected characteristics.

Legal Basis: Legitimate Interest (Art. 6(1)(f)) - pricing optimization benefits both users and trainers.

Your Rights: Pricing is transparent when you book. You are not obligated to accept adjusted prices.

11.4 Feature Flags & A/B Testing

We may automatically assign you to experimental feature groups to test new features and optimize the Service. You may be assigned different features than other users.

Legal Basis: Legitimate Interest (Art. 6(1)(f)) and Consent (Art. 6(1)(a)) for non-essential testing.

Your Rights: You can opt out of non-critical testing. You have the right to know which experiments you're participating in.

11.5 No Significant Legal or Contractual Effects

Our automated decision-making does not result in decisions that have significant legal or contractual effects on you, except for fraud prevention (which may suspend your account pending manual review). You have the right to challenge any automated decision by contacting us at privacy@caliplaces.com.

11.6 Right to Human Review

You have the right to request human review of any automated decision that affects you. We will provide a meaningful explanation of our decision and allow you to contest it.

12. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (pixels, local storage, web beacons) on our website and app. These are categorized as follows:

12.1 Strictly Necessary Cookies

These cookies are essential for the functioning of the Service and cannot be disabled:

  • Session cookies for authentication and user login (Clerk)
  • CSRF protection tokens for security
  • Cookie consent preferences (remembering your choice)
  • Functional cookies for app state (cart, preferences)

Legal Basis: Necessity for Service provision (Art. 6(1)(b) GDPR, ePrivacy Directive)

12.2 Analytics Cookies

These cookies collect data about how you use the Service to improve performance and features:

  • PostHog: Event tracking, feature usage, session analytics (EU instance)
  • Google Analytics (if applicable): Aggregate usage patterns

Legal Basis: Consent (Art. 6(1)(a) GDPR) - you can opt out at any time

Opt-out: You can disable analytics tracking in your account preferences or via your browser's privacy settings

12.3 Session Replay Cookies

PostHog session replay captures screen recordings of your interactions to help us debug issues and improve UX. This is disabled by default and requires your explicit consent.

Legal Basis: Consent (Art. 6(1)(a) GDPR)

Opt-out: You can disable session replay in your privacy settings

Note: Session replay may capture sensitive information (passwords, payment details) if you enter them on our site. We recommend you do not enable session replay if you do not wish to share this information.

12.4 Marketing & Advertising Cookies

We do not currently use third-party advertising or marketing tracking cookies. Future marketing campaigns will include explicit consent mechanisms.

Legal Basis: Consent (Art. 6(1)(a) GDPR)

12.5 How to Control Cookies

You can control cookies through:

  • Caliplaces Account Settings: Privacy & cookies section
  • Browser Settings: Accept/reject cookies in your browser's privacy settings
  • Do Not Track (DNT): We honor DNT signals where applicable
  • Opting Out: Email privacy@caliplaces.com to opt out of specific tracking

Note: Disabling strictly necessary cookies may prevent the Service from functioning properly.

13. Data Security Measures

We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security practices include:

13.1 Encryption

  • In Transit: All data transmitted between your device and our servers uses TLS 1.2+ encryption (HTTPS)
  • At Rest: Sensitive data (passwords, payment tokens, messages) is encrypted at rest
  • End-to-End Encryption: Messages between users are encrypted using industry-standard protocols

13.2 Access Control

  • Role-based access control (RBAC) for staff accessing personal data
  • Multi-factor authentication (MFA) for administrative accounts
  • Principle of least privilege - staff only access data necessary for their role
  • Secure password policies and regular password rotation requirements

13.3 Data Minimization

  • We only collect and store the minimum personal data necessary
  • Tokenization of payment card data (Stripe handles card storage)
  • Hashing of passwords (never stored in plain text)
  • Regular data retention reviews to delete unnecessary data

13.4 Network Security

  • Firewalls and intrusion detection systems
  • DDoS protection and rate limiting
  • Regular security audits and penetration testing
  • Security monitoring and incident response procedures

13.5 Compliance Certifications

  • Sub-processors: Our providers maintain industry-standard certifications (SOC 2 Type II, ISO 27001, PCI DSS)
  • Caliplaces: We maintain GDPR compliance and conduct regular security assessments

13.6 Data Breach Notification

In the event of a confirmed data breach involving personal data, we will notify affected individuals and supervisory authorities within the timeframes required by law (typically 72 hours). You will receive notification via email and/or in-app notification with information about the nature of the breach, the data affected, and recommended protective actions.

13.7 Limitations of Security

While we implement extensive security measures, no system is completely secure. We cannot guarantee absolute security of your data. We encourage you to:

  • Use strong, unique passwords
  • Enable two-factor authentication on your account
  • Keep your device and browser updated
  • Report suspected security issues to privacy@caliplaces.com

14. Regional Rights and Notices

Depending on your location, you may have additional data protection rights under applicable laws. This section outlines region-specific rights and obligations.

14.1 European Economic Area (EEA) & UK

Applicable Law: GDPR, UK GDPR, ePrivacy Directive 2002/58/EC, Czech Act No. 110/2019 Coll.

Residents of the EEA and UK have full rights under GDPR and UK GDPR as described throughout this Privacy Policy, including:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restrict processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Rights against automated decision-making (Art. 22)
  • Right to lodge a complaint with ÚOOÚ (EEA) or ICO (UK)

Supervisory Authorities:
EEA: Úřad pro ochranu osobních údajů (ÚOOÚ) - www.uoou.cz
UK: Information Commissioner's Office (ICO) - www.ico.org.uk

14.2 California (CCPA/CPRA)

Applicable Law: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

California residents have the following rights:

  • Right to Know: Request what personal information we collect, use, share, and sell
  • Right to Delete: Request deletion of personal information collected (subject to exceptions)
  • Right to Correct: Request correction of inaccurate information
  • Right to Opt-Out: Opt out of "sale" or "sharing" of personal information for targeted advertising
  • Right to Limit Use: Limit use of sensitive personal information
  • Right to Non-Discrimination: We do not discriminate against you for exercising CCPA rights

How to Exercise California Rights: Email privacy@caliplaces.com with the subject line "California Privacy Request"

Verification: We will verify your identity before processing your request. You may also authorize an agent to submit requests on your behalf.

Supervisor: California Attorney General - oag.ca.gov/privacy

14.3 Brazil (LGPD)

Applicable Law: Brazilian General Data Protection Law (Lei Geral de Proteção de Dados - LGPD)

Brazilian residents (including those currently located outside Brazil) have rights similar to those under the GDPR:

  • Right to access, rectify, and delete personal data
  • Right to data portability
  • Right to request anonymization or blocking of data
  • Right to lodge a complaint with Autoridade Nacional de Proteção de Dados (ANPD)

How to Exercise: Email privacy@caliplaces.com with the subject "LGPD Request"

Supervisor: ANPD (Autoridade Nacional de Proteção de Dados) - www.gov.br/cidadania

14.4 Canada (PIPEDA)

Applicable Law: Personal Information Protection and Electronic Documents Act (PIPEDA)

Canadian residents have the following rights:

  • Right to access personal information held by us
  • Right to request correction of inaccurate information
  • Right to know how we use and disclose your information
  • Right to lodge a complaint with the Privacy Commissioner of Canada

How to Exercise: Email privacy@caliplaces.com with the subject "PIPEDA Request"

Supervisor: Privacy Commissioner of Canada - www.priv.gc.ca

14.5 Other Jurisdictions

For residents of other jurisdictions with data protection laws, we will honor comparable rights where applicable. Please contact us at privacy@caliplaces.com to inquire about your specific rights.

15. Children's Privacy

15.1 Age Restrictions

Caliplaces is not intended for children under 18 years of age. We do not knowingly collect personal data from children under 18 without parental or legal guardian consent.

  • Users aged 13-17: Require verifiable parental consent to create an account (COPPA in the US, GDPR Art. 8 in the EU)
  • Users under 13: Not permitted to use the Service
  • Users 18+: Can use the Service independently

15.2 Parental Rights

If we discover we have collected data from a child without proper consent, we will delete such data promptly. Parents or legal guardians may:

  • Request access to their child's personal data
  • Request deletion of their child's account and data
  • Revoke consent for data collection

To exercise parental rights, contact us at privacy@caliplaces.com with proof of parental relationship.

15.3 Safety Measures for Young Users

  • Limited analytics tracking for users under 18
  • No marketing to users under 18 without explicit parental consent
  • Enhanced privacy protections for minors under GDPR Art. 8 and CCPA
  • Strict moderation of messaging and interactions

16. Trainers as Data Processors

16.1 Trainer Role & Status

Trainers on Caliplaces process personal data on our behalf under Data Processing Agreements (DPAs) in accordance with GDPR Article 28. Trainers are not independent data controllers but rather processors of trainee data.

16.2 Data Trainers May Access

When you book a session with a trainer, the trainer has access to:

  • Your name and profile picture
  • Your fitness level and goals
  • Session date, time, and location
  • Your contact information (phone number, email)
  • Communication history (messages)
  • Session notes and progress records
  • Health/fitness data you share (optional)

16.3 Trainer Obligations

All trainers must comply with:

  • Caliplaces Terms of Service and Data Processing Agreement
  • GDPR Articles 28-32 (processor obligations)
  • Confidentiality requirements - trainers must not share your data with third parties
  • Security requirements - trainers must protect your data from unauthorized access
  • Use limitation - trainers may only use your data to deliver training services
  • Data retention limits - trainers must delete your data upon request (subject to legal obligations)

16.4 Sub-Processing by Trainers

If a trainer uses third-party services to store or process your data (e.g., fitness tracking apps, payment processors), they must have a DPA in place with those services and obtain your consent for any non-essential sharing.

16.5 Your Rights Against Trainers

You have the right to:

  • Request your data from a trainer
  • Request deletion of your data from a trainer (subject to legal retention periods)
  • Report a trainer for data protection violations to privacy@caliplaces.com

Caliplaces Responsibility: While trainers are processors, Caliplaces retains ultimate responsibility for data protection. We implement technical and organizational controls to ensure trainers comply with data protection obligations and investigate complaints against trainers.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Post the updated policy on this page with the new "Effective Date"
  • Notify you via email if the changes are material
  • Obtain your explicit consent for changes that increase our use of your data or reduce your privacy protections

Effective Date of This Policy: April 8, 2026

Your continued use of the Service after changes become effective constitutes your acceptance of the updated Privacy Policy. If you disagree with the changes, you have the right to delete your account and stop using the Service.

Questions or Concerns?

If you have any questions about this Privacy Policy, our data practices, or your privacy rights, please contact us:

Email: privacy@caliplaces.com

Legal Email: legal@caliplaces.com

Response Time: We aim to respond within 30 days

© Caliplaces s.r.o., 2026. All rights reserved.