Privacy Policy
Version 1.0 — last updated: April 7, 2026
1. Data Controller
The controller of your personal data is Damian Mazurek, operating under the business name Damian Mazurek IoTdev, Tax ID (NIP): 7352656720, REGON: 120916513, address: Handlowka 58, 37-123 Handlowka, Poland (hereinafter: “Controller” or “we”).
Data protection contact: privacy@eliteperformancecollective.com
2. Definitions
- Platform — the EPC Portal web application available at portal.eliteperformancecollective.com.
- User — a natural person who holds an account on the Platform and is at least 18 years old.
- Health Data — data relating to the User’s physical or mental health, including data from WHOOP and Oura Ring devices, constituting a special category of personal data under Art. 9 of the GDPR.
- AI Assistant (Stefan) — an automated system based on large language models (LLM) that supports Users on the Platform.
- Processor — an entity that processes personal data on behalf of the Controller under a data processing agreement (Art. 28 GDPR).
- GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
3. What Data We Collect
3.1. Identity and Contact Data
During registration and use of the Platform we collect:
- name, email address, password (stored in hashed form),
- display name, avatar (profile picture), biography,
- company name, position, location, industry, years of experience,
- LinkedIn profile URL and website URL.
Required: Name and email address are required to create an account (contractual requirement). Other profile data is optional.
3.2. Onboarding Data (My Mission)
During onboarding we collect answers about your mission, goals, challenges, allies, transformation vision, and legacy. This data is used to personalize your experience on the Platform, including through the AI Assistant.
Required: Optional. You may skip answers during onboarding.
3.3. Health Data (Special Category — Art. 9 GDPR)
If you voluntarily connect a wearable device (WHOOP, Oura Ring, Garmin, or Ultrahuman Ring), we collect the following data:
- Sleep: duration, sleep stages (REM, deep, light), sleep efficiency, respiratory rate, sleep consistency.
- Recovery: recovery score, heart rate variability (HRV), resting heart rate, blood oxygen saturation (SpO2), skin temperature.
- Physical Activity: workout type, duration, strain, average and maximum heart rate, calories burned.
- Physiological Cycle: daily strain, energy expenditure.
- Additional metrics (device-dependent): Body Battery (Garmin), stress level (Garmin), metabolic score (Ultrahuman).
Required: Entirely voluntary. The Platform works fully without connecting a device. Connection requires your explicit, separate consent for processing health data (Art. 9(2)(a) GDPR).
Withdrawal of consent: You may withdraw consent at any time by disconnecting the device in Settings → Wearable Integrations. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
3.4. Data Processed by the AI Assistant (Stefan)
The AI Assistant has access to the following data for response personalization:
- your profile (name, company, position, industry, experience),
- onboarding answers (My Mission),
- active habits and streaks,
- health data from WHOOP/Oura (if connected),
- conversation history with the AI Assistant,
- workbook answers,
- information about your group (Trio),
- documents you uploaded to the AI Assistant.
This data is sent to Google Gemini API to generate responses. Google processes this data solely for the purpose of fulfilling the request and does not use it to train its AI models (per Google Cloud Data Processing Terms).
3.5. Social Data
- posts, comments, likes, saved content,
- private messages (DMs) and group conversations,
- group (Trio) membership,
- poll votes,
- uploaded images, GIFs, and attachments,
- leaderboard position and XP points (visible to other Users).
3.6. Educational Data
- course and module progress,
- quiz answers and results,
- workbook answers,
- unlocked achievements and experience level (XP).
3.7. Technical and Log Data
- IP address (for security and rate limiting purposes),
- login date and time,
- browser and device information (user-agent).
3.8. Payment Data
Payments are processed by an external provider (EasyCart). We do not store payment card data. We only receive: subscription ID, payment status, subscription plan, and billing period end date.
4. Purposes and Legal Bases for Processing
| Purpose | Legal Basis | Retention Period |
|---|---|---|
| Account creation and management | Art. 6(1)(b) GDPR (performance of a contract) | Until account deletion + 30 days |
| Platform services (feed, habits, gamification, rankings) | Art. 6(1)(b) GDPR (performance of a contract) | Duration of the contract |
| Health data processing (WHOOP, Oura) | Art. 9(2)(a) GDPR (explicit consent) | Until consent withdrawal or device disconnection + 30 days |
| AI Assistant personalization (Stefan) — conversations | Art. 6(1)(b) GDPR (contract — AI is part of the service) | Until conversation or account deletion |
| Proactive AI messages (Stefan Ally) | Art. 6(1)(a) GDPR (consent) | Until consent withdrawal |
| Document vectorization (RAG) | Art. 6(1)(a) GDPR (consent — by uploading a document) | Until document deletion by the User |
| Billing and subscriptions | Art. 6(1)(b) (contract) and (c) (legal obligation) | 5 years from end of fiscal year (tax regulations) |
| Security and abuse prevention (IP logging, rate limiting) | Art. 6(1)(f) GDPR — legitimate interest of the Controller in protecting the Platform and its Users from abuse | Max. 12 months |
5. Data Recipients — Processors
Your data may be shared with the following categories of recipients. We have entered into a data processing agreement (DPA) with each processor in accordance with Art. 28 GDPR. Your data is not sold or shared with third parties for marketing purposes.
5.1. AI Service Providers (Processor)
Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) — provider of Google Gemini language models used by the AI Assistant (Stefan). Google processes data solely on our instructions and does not use it to train its own AI models.
5.2. Cloud Service Providers (Processors)
- Google Cloud Platform (application hosting — Cloud Run, region europe-west1; Firebase Storage — AI memory storage, region US).
- MongoDB, Inc. — MongoDB Atlas database (EU region, Frankfurt).
5.3. Health Integration Providers
- WHOOP, Inc. (Boston, MA, USA) — independent data controller for data collected on the WHOOP device. Data is retrieved by us based on OAuth 2.0 authorization granted by the User. WHOOP also sends health data in real time to our server via webhooks (secured with HMAC-SHA256 verification). Upon device disconnection, webhooks stop functioning and access tokens are immediately revoked.
- Oura Health Oy (Oulu, Finland, EU) — independent data controller for data collected on the Oura Ring device. Data retrieved via OAuth 2.0 authorization.
- Garmin Ltd. (Schaffhausen, Switzerland / Olathe, KS, USA) — independent data controller for data collected on Garmin devices. Data retrieved via OAuth 2.0 through the Garmin Connect API.
- Ultrahuman Healthcare Pvt. Ltd. (Bengaluru, India) — independent data controller for data collected on the Ultrahuman Ring AIR device. Data retrieved via OAuth 2.0 through the Ultrahuman Partner API.
As independent controllers, the above providers process data on their devices according to their own privacy policies: WHOOP Privacy Policy, Oura Privacy Policy, Garmin Connect Privacy Policy, Ultrahuman Privacy Policy.
5.4. Payment Service Providers (Processor)
- EasyCart — payment processor. We only share data necessary for transaction processing. EasyCart is an independent controller of payment card data.
6. International Data Transfers
Due to our use of Google (Gemini API, Firebase), WHOOP, Garmin, and Ultrahuman services, your data may be transferred to third countries (United States, India). These transfers are safeguarded by:
- Standard Contractual Clauses (SCCs) approved by European Commission Implementing Decision 2021/914,
- additional technical measures: encryption in transit (TLS 1.3) and at rest (AES-256),
- additional organizational measures: DPAs with providers, minimization of data transferred.
7. Automated Decision-Making and Profiling
7.1. AI Assistant Profiling
The AI Assistant (Stefan) analyzes your data (profile, habits, health data, conversation history) to create a personalized conversation context and “memory”. This processing does not lead to decisions producing legal effects or significantly affecting you within the meaning of Art. 22(1) GDPR.
7.2. Automatic Habit Logging
Based on WHOOP/Oura data, the system automatically verifies habits (e.g., sleep ≥ 7h, workout ≥ 30 min) and awards XP points. You can disable this by disconnecting the device in Settings → Wearable Integrations.
7.3. Proactive Messages (Stefan Ally)
With your consent, the system automatically generates and sends you private messages based on analysis of your data. This constitutes profiling under Art. 4(4) GDPR, based on your consent (Art. 6(1)(a) GDPR).
8. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15) — obtain information about and a copy of your processed data.
- Right to rectification (Art. 16) — correct inaccurate data in Settings → Edit profile.
- Right to erasure (Art. 17) — request data deletion (“right to be forgotten”). We delete data within 30 days, subject to the obligation to retain billing data for 5 years.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a structured format (JSON) via “Export my data” in Settings.
- Right to object (Art. 21) — object to processing based on legitimate interest, including profiling.
- Right to withdraw consent (Art. 7(3)) — at any time for:
  - health data processing — Settings → Wearable Integrations → Disconnect,
  - proactive AI messages — Settings → Stefan Ally → disable toggle.
- Right to lodge a complaint — with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.
To exercise your rights, contact us: privacy@eliteperformancecollective.com. We will respond within 30 days.
9. Data Security
We apply the following security measures (Art. 32 GDPR):
- encryption in transit (HTTPS/TLS 1.3),
- password hashing (bcrypt),
- httpOnly cookie-based sessions (BFF pattern),
- HMAC-SHA256 verification for WHOOP webhooks,
- rate limiting on authentication endpoints,
- integration access tokens (WHOOP, Oura) are never exposed in API responses,
- role-based access control (RBAC).
9.1. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the supervisory authority within 72 hours (Art. 33 GDPR). If the breach is likely to result in a high risk, we will also notify you without undue delay (Art. 34 GDPR).
10. Cookies and localStorage
- epc-session — session cookie (httpOnly, secure) required for authentication. Expires at end of session.
- epc-theme — theme preference (light/dark), stored in localStorage.
We do not use advertising, tracking, or analytics cookies.
11. Data Retention
- Account data: until account deletion + 30 days.
- Health data: until consent withdrawal (device disconnection) + 30 days. Access tokens are immediately revoked upon disconnection.
- AI conversations: until manually deleted by the User or account deletion.
- Posts and comments: until manually deleted or account deletion.
- Billing data: 5 years from end of fiscal year (accounting regulations).
- Security logs (IP): maximum 12 months.
12. Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy. We will inform you of significant changes via email or Platform notification with 14 days’ notice.
13. Contact
- Email: privacy@eliteperformancecollective.com
- Address: Damian Mazurek IoTdev, Handlowka 58, 37-123 Handlowka, Poland
- Tax ID (NIP): 7352656720, REGON: 120916513