Privacy policy

Last updated: 15 January 2026

1. Introduction

Pallas Health ApS ("we", "us", "our", "the Company") operates the Pallas mobile application (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.

Data Controller:

  • Legal Entity Name: Pallas Health ApS

  • CVR: 46151739

  • Registered Address: Odinshoejvej 2, 3140 Aalsgaarde

  • Country: Denmark

  • Contact Email: hello@pallasapp.com

  • Website: https://pallasapp.com

By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

  • Email address

  • Authentication credentials (stored securely via third-party authentication providers)

  • Account creation date and terms acceptance timestamp

2.2 Profile Information

  • Gender

  • Date of birth

  • Height (in centimeters)

  • Weight (in kilograms)

  • Activity level

  • Fitness experience level

  • Training location preference (gym or home)

  • Coach preference (Bruce or Nora)

  • Timezone and locale settings

2.3 Health and Fitness Data (Special Category Data)

  • Workout plans and exercise routines

  • Workout session data (exercises performed, sets, reps, weights)

  • Workout logs and progress tracking

  • Weight tracking and body measurements

  • Step count data (if you grant permission to access Apple Health)

  • Fitness goals and targets

2.4 Nutrition Data

  • Meal plans and recipes

  • Meal logs and dietary preferences

  • Shopping lists

  • Nutritional information and macro tracking

2.5 Progress Data

  • Weight check-ins and progress tracking

  • Weekly progress updates

  • Fitness achievements

2.6 Technical Information

  • Device information

  • App usage data

  • Error logs (for troubleshooting purposes)

3. Legal Basis for Processing (GDPR Article 6 & 9)

We process your personal data based on the following legal grounds under GDPR:

3.1 Contract Performance (Article 6(1)(b))

We process your data to fulfill our contract with you and provide the core functionality of the Service, including:

  • Account creation and management

  • Delivery of personalized workout plans

  • Provision of meal recommendations

  • Progress tracking and analytics

3.2 Explicit Consent (Article 6(1)(a) and Article 9(2)(a))

We process health-related data (special category data under GDPR Article 9) only with your explicit consent, which you provide:

  • During onboarding when you accept our Terms and Conditions and Privacy Policy

  • When you enable Apple Health integration

  • When you provide health and fitness information

You may withdraw this consent at any time by:

  • Disabling Apple Health access in your device settings

  • Deleting your account through the app settings

  • Contacting us at hello@pallasapp.com

Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

3.3 Legitimate Interests (Article 6(1)(f))

We process data for our legitimate interests, including:

  • Service improvement and development

  • Security and fraud prevention

  • Analytics and performance monitoring

  • Customer support

We ensure these interests do not override your fundamental rights and freedoms.

3.4 Legal Obligations (Article 6(1)(c))

We process data where required to comply with applicable laws, including:

  • Tax and accounting requirements

  • Legal proceedings and regulatory compliance

  • Terms and conditions enforcement

4. How We Use Your Information

We use the collected information for the following purposes:

  • Service Provision: To provide, maintain, and improve our fitness and nutrition services

  • Personalization: To create personalized workout plans and meal recommendations based on your profile using automated processing (see Section 11)

  • Progress Tracking: To track your fitness progress and provide insights

  • Account Management: To manage your account and authenticate your identity

  • Communication: To respond to your inquiries and provide customer support

  • Legal Compliance: To comply with legal obligations and enforce our Terms and Conditions

5. Data Storage and Security

5.1 Data Storage

Your data is stored securely using Supabase, a third-party cloud database service. All data is stored in encrypted databases with the following security measures:

  • Data encryption at rest and in transit (AES-256 encryption)

  • Secure authentication and authorization

  • Regular security audits and updates

  • Access controls and authentication requirements

5.2 Data Location

Your data is stored on Supabase's servers, which may be located outside your country of residence or outside the European Economic Area (EEA).

5.3 International Data Transfers (GDPR Compliant)

Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including:

  • Standard Contractual Clauses (SCCs): We have executed the European Commission's Standard Contractual Clauses with our service providers to ensure adequate protection of your data

  • Adequacy Decisions: Where applicable, transfers are made to countries with an adequacy decision by the European Commission

  • Additional Safeguards: We implement additional technical and organizational measures to protect your data during international transfers

By using our Service, you acknowledge that your data may be transferred to and processed in countries outside the EEA, subject to the safeguards described above.

5.4 Security Measures

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Secure authentication protocols

  • Encrypted data transmission (HTTPS/TLS)

  • Access controls and authentication requirements

  • Regular security monitoring and incident response procedures

  • Data minimization and purpose limitation

6. Third-Party Services

We use the following third-party services that may collect, process, or store your information:

6.1 Supabase

  • Purpose: Database hosting, authentication, and cloud storage

  • Data Processed: All user data, including profile, workout, meal, and progress data

  • Privacy Policy: https://supabase.com/privacy

  • Location: Data may be stored on servers located in various regions (see Section 5.3 for transfer safeguards)

  • Data Processing Agreement: We have executed a Data Processing Agreement (DPA) with Supabase in compliance with GDPR Article 28

6.2 Apple Sign In

  • Purpose: User authentication

  • Data Processed: Email address and Apple ID (if provided)

  • Privacy Policy: https://www.apple.com/privacy/

  • Note: We do not receive your full Apple ID or password. Processing is based on your consent.

6.3 Google Sign In

  • Purpose: User authentication

  • Data Processed: Email address and basic profile information

  • Privacy Policy: https://policies.google.com/privacy

  • Note: We only receive information you authorize Google to share. Processing is based on your consent.

6.4 Apple HealthKit

  • Purpose: Access to step count data (optional)

  • Data Processed: Step count information from your Apple Health app

  • Privacy Policy: https://www.apple.com/privacy/

  • Legal Basis: Explicit consent (you grant permission through iOS settings)

  • Note: Health data is only accessed with your explicit permission and is used solely for fitness tracking within the app. You can revoke this permission at any time in your iOS settings.

7. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • Service Providers: With third-party service providers (like Supabase) who assist in operating our Service, subject to confidentiality agreements and Data Processing Agreements compliant with GDPR Article 28

  • Legal Requirements: When required by law or to respond to legal process, including court orders and government requests

  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users and opportunity to delete data)

  • With Your Explicit Consent: When you explicitly authorize us to share your information

8. Automated Decision-Making and Profiling

Pallas uses automated processing, including AI-based systems and algorithms, to analyze your user-provided data and generate personalized fitness and nutrition recommendations. This includes:

  • Profiling: Creating user profiles based on your fitness goals, activity level, and preferences

  • Automated Recommendations: Generating personalized workout plans and meal suggestions using automated logic

  • Progress Analysis: Analyzing your fitness progress and providing insights

Important: These automated processes do not produce legal effects or similarly significant effects on you. The recommendations are suggestions that you can accept, modify, or reject at any time.

Your Rights: You have the right to:

  • Understand how recommendations are generated

  • Request human review of automated decisions

  • Challenge automated recommendations

  • Opt out of certain profiling activities (where technically feasible)

To exercise these rights, please contact us at hello@pallasapp.com.

9. Your Rights and Choices (GDPR)

If you are located in the European Economic Area (EEA) or are otherwise subject to GDPR, you have the following rights:

9.1 Right of Access (Article 15)

Request access to your personal data and receive a copy of the data we hold about you.

9.2 Right to Rectification (Article 16)

Request correction of inaccurate or incomplete data.

9.3 Right to Erasure ("Right to be Forgotten") (Article 17)

Request deletion of your account and associated data, subject to legal retention requirements.

9.4 Right to Restrict Processing (Article 18)

Request restriction of processing in certain circumstances.

9.5 Right to Data Portability (Article 20)

Request a copy of your data in a structured, commonly used, and machine-readable format.

9.6 Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right to Withdraw Consent (Article 7(3))

Withdraw consent for data processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

9.8 Right to Lodge a Complaint (Article 77)

Lodge a complaint with your local data protection authority if you believe we have violated your rights.

To exercise these rights, please contact us at hello@pallasapp.com or use the account deletion feature in the app settings. We will respond to your request within one month (or inform you if an extension is needed).

10. Data Retention

We retain your personal information for as long as necessary to provide our Service and fulfill the purposes outlined in this Privacy Policy. Specifically:

  • Active Accounts: Data is retained while your account is active and for a reasonable period thereafter

  • Deleted Accounts: Upon account deletion, we will delete your personal data within 30 days, except where we are required to retain it for:

    • Legal obligations (e.g., tax records)

    • Legitimate business interests (e.g., fraud prevention)

    • Dispute resolution

  • Legal Requirements: Some data may be retained longer if required by law or for legitimate business purposes, but no longer than necessary

11. Children's Privacy

Our Service is not intended for users under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe we have collected information from a child under 18, please contact us immediately at hello@pallasapp.com, and we will delete such information promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page

  • Updating the "Last Updated" date

  • Notifying you through the app or via email (for material changes)

  • Requiring renewed consent where required by law (e.g., for material changes to health data processing)

Your continued use of the Service after such changes constitutes acceptance of the updated Privacy Policy, except where renewed explicit consent is required.

13. Contact Us

If you have any questions about this Privacy Policy, our data practices, or to exercise your rights, please contact us at:

Email: hello@pallasapp.com
Website: https://pallasapp.com
Address: Odinshoejvej 2, 3140 Aalsgaarde, Denmark

14. Supervisory Authority

If you are located in the EEA and believe we have violated your data protection rights, you have the right to lodge a complaint with your local supervisory authority. For Denmark, this is:

Datatilsynet (Danish Data Protection Agency)