
Privacy Policy

Last updated: 10 April 2026 · Version 2026-04-10

GDPR — EU 2016/679 · LGPD — Lei 13.709/2018 · CCPA — Cal. Civil Code § 1798

This Policy is available in Portuguese at wiso.pro/pt/privacy. The binding version is English where required by applicable law.

1. Data Controller

Wiso, a platform operated under a legal structure being established in Portugal, is the data controller for personal data processed through the Wiso platform.

Data Protection Officer (DPO) / Encarregado LGPD:

privacy@wiso.pro

You may write in Portuguese, English, or Spanish. We respond within 15 business days (GDPR Art. 12(3)) / 15 days (LGPD Art. 19).

Status of the controlling entity: Wiso is not yet incorporated as a formal legal entity. While incorporation is being finalized, the de facto controller is the founder (natural person responsible) residing in Portugal, reachable at dpo@wiso.pro. A formal EU representative under GDPR Art. 27 is not currently required because the controller is physically established within EU territory. Brazilian Representative (LGPD Art. 65): same contact. We will update this policy with at least 30 days' notice once the legal entity is incorporated.

2. Data We Collect

Account & Identity

Full name, e-mail address, phone number, date of birth, profile photo, country, city.

⚠️ Special-Category / Sensitive Health Data

Body weight, height, body-fat percentage, injuries, dietary restrictions, fitness goals, training history, and nutrition plans. Under GDPR this is special-category data (Art. 9); under LGPD it is sensitive data (Art. 11). We process it only on the basis of your explicit consent and to perform the fitness and nutrition services you request.

Professional Data (Coaches / Professionals / Nutritionists)

Profession, declared professional license number (CREF, CRN, IPDJ, NASM, etc.), biography, and service area.

Affiliate Data

Display name, primary channel, channel URL, traffic source, country, and Stripe account for commission payouts.

Financial Data

Payment processing is handled by Stripe, Inc. Card payments are processed in hosted Stripe checkout pages. We store subscription and transaction references, but full card data does not touch our servers.

Usage & Technical Data

IP address, browser/device, pages visited, features used, timestamps. Used for security, fraud prevention, and platform improvement.

Consent Records

Timestamp and version of your acceptance of these Terms and Privacy Policy at account creation — kept as a legal audit trail.

3. Legal Basis for Processing

Processing Activity | GDPR Basis (Art. 6 / 9) | LGPD Basis (Art. 7 / 11)
Providing fitness & nutrition services | Contract (Art. 6(1)(b)) | Contract (Art. 7, V)
Processing health data | Explicit consent (Art. 9(2)(a)) | Explicit consent (Art. 11, I)
AI plan personalisation | Consent + contract | Consent + contract
Marketing communications | Consent (Art. 6(1)(a)) | Consent (Art. 7, I)
Fraud prevention & security | Legitimate interest (Art. 6(1)(f)) | Legitimate interest (Art. 7, IX)
Legal & fiscal obligations | Legal obligation (Art. 6(1)(c)) | Legal obligation (Art. 7, II)
Affiliate commission payouts | Contract (Art. 6(1)(b)) | Contract (Art. 7, V)

California residents: Wiso does not sell or share personal information for cross-context behavioural advertising under the CCPA/CPRA.

4. How We Share Data

We do not sell your personal data. We share it only with:

  • Your assigned Coach / Personal Professional / Nutritionist: if you subscribe to a professional's plan, authorized professionals linked to your active service (coach, personal professional, nutritionist) receive access to your profile, goals, training history, active workout, and nutrition data strictly on a need-to-know basis to deliver and review your protocol with clinical accuracy. They act as independent data processors under our Professional Code of Conduct.
  • Stripe, Inc. (USA): payment processing. Transfer to the USA is covered by Stripe's Standard Contractual Clauses (SCCs) under GDPR and its privacy framework under LGPD.
  • Cloud infrastructure providers (Supabase, Vercel, Upstash): Supabase (managed Postgres, auth and storage, EU/EEA), Vercel (web app hosting, US) and Upstash (Redis cache and rate-limit, US). All operate under Data Processing Agreements (DPAs) with GDPR/LGPD-equivalent safeguards.
  • AI model providers (OpenAI, Anthropic, Google Gemini): your health profile data is sent to generate personalised plans after you accept the AI-specific terms. These providers are contractually forbidden from using your data to train their models, and we keep the draft encrypted (AES-256-GCM) for at most 7 days.
  • Competent authorities: when required by applicable law, court order, or regulatory request.
  • Successors: in the event of a merger, acquisition, or asset transfer, your data may be transferred to the acquiring entity under equivalent protections. You will be notified in advance.
  • Transactional email (Resend): Resend (US) delivers transactional emails (verification, notifications, invoices). Only your email, name and the message body are processed — never health data.
  • Observability (Sentry): Sentry (US) collects technical errors and performance data to keep the platform stable. We configure PII scrubbing (no email, no IP, no health data) before any event leaves our backend.

5. International Data Transfers

Wiso is established in Portugal (EU). Data may be transferred to processors outside the EEA (e.g. Stripe in the USA, OpenAI in the USA). All such transfers are safeguarded by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
  • Adequacy decisions where applicable (e.g. EU–US Data Privacy Framework).
  • For transfers from Brazil, equivalent safeguards under LGPD Art. 33.

You may request a copy of the applicable safeguards by writing to privacy@wiso.pro.

6. Cookies & Tracking

Strictly necessary

Session token, CSRF token, language preference. Cannot be disabled — required for the platform to function.

Functional

Remember your locale and theme preference. No tracking.

Analytics (optional)

Anonymised usage metrics to improve the platform. Analytics stays disabled until you opt in through the cookie banner or cookie settings, and you can withdraw consent later.

You can withdraw consent for optional cookies at any time via the cookie settings link in the footer. Withdrawing consent does not affect the lawfulness of prior processing.

7. Data Retention

Data Category | Retention Period
Account & health data | Held while account is active; deleted within 30 days of account deletion request.
Fiscal / billing records | 7 years (Portugal legal requirement) / 5 years (Brazil legal requirement).
Server access logs | 6 months (Brazil: Marco Civil da Internet, Art. 15); 12 months (EU: ePrivacy Directive).
Consent audit records | 5 years from last interaction (legal obligation to demonstrate compliance).
Affiliate commission records | 7 years (tax and accounting obligations).

8. Your Rights

Depending on your country, you have the following rights:

Access (GDPR Art. 15 / LGPD Art. 18, I)

Obtain a copy of your personal data in a machine-readable format.

Rectification (GDPR Art. 16 / LGPD Art. 18, III)

Correct inaccurate or incomplete data.

Erasure / Deletion (GDPR Art. 17 / LGPD Art. 18, VI)

Delete your account and data. Available in Settings → Danger Zone.

Restriction (GDPR Art. 18)

Restrict processing in specific circumstances (EU users).

Portability (GDPR Art. 20 / LGPD Art. 18, V)

Receive your data in a structured, interoperable format.

Objection (GDPR Art. 21 / LGPD Art. 18, II)

Object to processing based on legitimate interest.

Withdraw consent

Withdraw consent at any time without affecting prior lawful processing.

Lodge a complaint

File a complaint with your supervisory authority: ANPD (Brazil), national DPA (EU/EEA).

Non-discrimination (CCPA § 1798.125)

California residents: we will not discriminate against you for exercising your privacy rights.

Know / Opt-out of Sale (CCPA § 1798.100)

We do not sell or share personal data. No opt-out required, but you may request confirmation.

To exercise your rights, go to Settings → Danger Zone or contact: privacy@wiso.pro. We respond within 15 business days (GDPR / LGPD) or 45 days (CCPA, extendable once).

EU users may also contact their national Data Protection Authority. Brazilian users may contact the ANPD at gov.br/anpd.

9. Health Data & Artificial Intelligence

How AI uses your health data

  • Your body metrics, goals and restrictions are sent to audited AI models (Google Gemini, OpenAI, Anthropic) only during plan generation, with AES-256 encryption in transit and at rest.
  • AI providers are contractually prohibited from using your data to train their own models.
  • All AI-generated plans are labelled as such on the platform. The draft expires within 7 days if you do not save it.
  • AI-generated content is not a substitute for medical, nutritional, or physical-education advice. Always consult a qualified professional.
  • You can withdraw health-data consent in Settings at any time. This stops new AI processing based on that data and limits AI personalisation features until consent is granted again.

10. Security Measures

We implement technical and organisational measures including: TLS encryption in transit, bcrypt password hashing, role-based access control, regular security audits, and incident response procedures.

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected users without undue delay (GDPR Art. 34 / LGPD Art. 48).

11. Children's Privacy

Wiso is not directed at children under 16 (EU) / 13 (USA) / 18 (Brazil for certain health data). We do not knowingly collect data from minors. If you believe a child has provided data, contact privacy@wiso.pro and we will delete it promptly.

12. Affiliate Programme Data

Affiliates provide professional and payment data (channel URL, Stripe account) to receive commissions. This data is processed on the basis of contract performance and retained for the applicable fiscal period (7 years, Portugal; 5 years, Brazil). Affiliate referral links use a 30-day attribution cookie that is strictly necessary for commission tracking — no cross-site tracking is performed.

13. Changes to This Policy

We may update this Policy periodically. We will notify you by e-mail or in-app notification at least:

  • 15 days in advance for routine updates (Brazil / LGPD).
  • 30 days in advance for material changes affecting EU users (GDPR / DSA).

Continued use of the platform after the effective date constitutes acceptance of the updated Policy. The version date at the top of this page always reflects the current version.

14. Contact & Complaints

DPO / Data Protection Officer:

privacy@wiso.pro

Wiso · Portugal · wiso.pro


If you are not satisfied with our response, you have the right to lodge a complaint with:

  • EU / Portugal: CNPD — Comissão Nacional de Proteção de Dados (cnpd.pt)
  • Brazil: ANPD — Autoridade Nacional de Proteção de Dados (gov.br/anpd)
  • California: California Privacy Protection Agency (cppa.ca.gov)
