Privacy Policy

Application “Do Life”

Last updated: 1 May 2026 — Version 1.0

This Privacy Policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”) and Italian Legislative Decree no. 196/2003 (the “Italian Data Protection Code”), as amended by Legislative Decree no. 101/2018, as well as the guidelines and provisions issued by the Italian Data Protection Authority (“Garante per la protezione dei dati personali”). The English version is provided for convenience; in case of conflict the Italian version prevails.

Privacy at a Glance

Who: [INSERT LEGAL ENTITY], based in Italy, is the Data Controller.
What: account info, profile, content you create, health & wellness data (only with your explicit consent), technical and usage data, payment data.
Why: to operate the App, keep it secure, support you, comply with the law, and — with your consent — personalise content and send marketing.
Sharing: only with vetted service providers (cloud, analytics, payments, support) acting as Data Processors. We never sell your data.
Your rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent, complaint to the Garante.
Contact: privacy@dolife.ai

Introduction

This Privacy Policy describes how [INSERT LEGAL ENTITY] (“Do Life”, “we”, “us” or the “Controller”) collects, uses, stores and protects the personal data of users (“you” or the “User”) of the “Do Life” mobile application (the “App”), the related website and any connected services (collectively, the “Services”).

Please read this Policy carefully before providing any personal data, registering or using the Services. By using the Services you confirm that you have read this Policy. Where required by law, separate consent will be requested.

1. Data Controller

The Data Controller, pursuant to Articles 4(7) and 24 GDPR, is:

Name: [INSERT LEGAL ENTITY]

Registered office: [INSERT FULL ADDRESS], Italy

VAT / Tax ID: [INSERT VAT / CF]

PEC (certified email): [INSERT PEC]

Email: privacy@dolife.ai

Phone: [INSERT PHONE]

2. Data Protection Officer (DPO)

Where appointed under Article 37 GDPR, the Controller has designated a Data Protection Officer. You may contact the DPO at any time about the processing of your personal data and the exercise of your rights:

Name: [INSERT DPO NAME OR “Not appointed”]

Email: dpo@dolife.ai

PEC: [INSERT DPO PEC]

If a DPO is not appointed under Article 37 GDPR, all privacy-related communications should be addressed directly to the Controller at the contacts above.

3. Personal Data We Process

3.1 Data you provide voluntarily

Account & registration data: first name, last name, email, password (stored encrypted/hashed), date of birth, gender, language and country.
Profile data: profile picture, bio, personal preferences, wellness goals, habits, routines and activities you set up.
User-generated content: notes, journal entries, comments, reviews, photos, audio, video uploaded to the App.
Communications: support requests, feedback and any other messages you send us.
Payment data: only as needed to manage subscriptions or in-app purchases, processed by third-party providers (Apple App Store, Google Play, Stripe). We do not store full card details.

3.2 Special categories of data (Article 9 GDPR)

The App may process — strictly subject to your prior, explicit and freely given consent — data concerning your health, physical condition, sport activity, nutrition, sleep, mood, mental wellbeing and other sensitive information.

Such data fall within the “special categories of personal data” under Article 9 GDPR and are processed only on the basis of your explicit consent (Art. 9(2)(a) GDPR), which you may withdraw at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

3.3 Data collected automatically

Usage data: screens visited, features used, session duration, frequency of access, navigation paths, events and clicks.
Technical & device data: device model, operating system and version, device identifiers (IDFA, AAID), App version, language, time zone.
Connection data: IP address, access logs, request date/time, ISP information.
Geolocation data: approximate or precise location (GPS, Wi-Fi or mobile networks), only if you have expressly authorised the App to access it.
Crash & diagnostic data: anonymous or pseudonymous information about App malfunctions.
Cookies & similar technologies: used on the website and, where applicable, on certain App components — see the Cookies section.

3.4 Data from third parties

If you choose to register or sign in via Single Sign-On services (e.g. Apple ID, Google, Facebook), we will receive from those providers the data necessary to authenticate you (e.g. name, email, unique identifier), in line with the privacy settings you have configured on the relevant service.

If you connect third-party devices or services to the App (e.g. Apple HealthKit, Google Fit, smartwatches, fitness trackers), we will receive the health and activity data made available by those services, strictly within the scope of the permissions you have granted.

4. Purposes of Processing & Legal Bases

Personal data are processed for the purposes listed below, based on the legal grounds set out in Article 6 (and, where relevant, Article 9) GDPR.

Purpose	Categories of data	Legal basis	Retention
a) Registration, authentication and account management	Identification & contact data, credentials	Performance of contract — Art. 6(1)(b) GDPR	Account lifetime + 24 months
b) Providing App functionality (habit tracking, goals, statistics)	Profile data, user content, usage data	Performance of contract — Art. 6(1)(b) GDPR	Account lifetime + 24 months
c) Processing of health & wellbeing data	Special categories (Art. 9 GDPR)	Explicit consent — Art. 9(2)(a) GDPR	Until consent is withdrawn
d) Customer support and request management	Contact data, content of communications	Contract & legitimate interest — Art. 6(1)(b)(f) GDPR	24 months from case closure
e) Security, fraud and abuse prevention, App integrity	Technical data, logs, connection data	Legitimate interest — Art. 6(1)(f) GDPR	Up to 12 months
f) Compliance with legal obligations (tax, accounting, security)	Account data, payment data, logs	Legal obligation — Art. 6(1)(c) GDPR	10 years (Art. 2220 Italian Civil Code) or other statutory term
g) Aggregated statistics and analytics on the App	Usage data, aggregated/pseudonymous	Legitimate interest — Art. 6(1)(f) GDPR	26 months (analytics)
h) Direct marketing for similar products via email (“soft spam”)	Email	Legitimate interest, subject to opt-out — Art. 130(4) Italian DP Code	Until you object
i) Marketing, newsletters, commercial profiling	Contact data, usage data, preferences	Consent — Art. 6(1)(a) GDPR	24 months from last interaction or until consent is withdrawn
j) Sharing with third parties for their own marketing	Contact and profile data	Specific, separate consent — Art. 6(1)(a) GDPR	24 months or until withdrawal
k) Establishment, exercise or defence of legal claims	All relevant categories	Legitimate interest — Art. 6(1)(f) GDPR	Applicable statute of limitations

Providing data for purposes (a)–(g) is necessary to deliver the Services: failing to do so may prevent the App and Services from working properly or being available.

Providing data for purposes (h)–(j) is always optional: refusal does not affect access to the Services.

5. How We Process Data

We process personal data using automated tools and, to a limited extent, manual means, in accordance with the principles of lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation, integrity and confidentiality (Art. 5 GDPR).

We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR), including:

encryption of data in transit (TLS 1.2 or higher) and at rest, where technically feasible;
pseudonymisation and minimisation of data;
access controls based on the “least privilege” principle and multi-factor authentication for authorised personnel;
audit logs, monitoring and anomaly detection;
backup, business continuity and disaster recovery procedures;
regular training of personnel authorised to process data;
vendor due diligence and oversight of external processors;
Data Protection Impact Assessments (DPIAs) where required under Art. 35 GDPR.

6. Retention

Personal data are kept only for as long as strictly necessary to achieve the purposes for which they were collected, in accordance with the periods set out in the table at Section 4. Once those periods expire, data are deleted or irreversibly anonymised, except where retention is required by law, for tax, defence in legal proceedings or public security purposes.

You can request deletion of your account at any time: in such case, your data will be deleted or anonymised within 30 days, save for the legal retention obligations.

7. Recipients of Your Data

For the purposes set out above, your personal data may be disclosed, strictly within the necessary limits, to the following categories of recipients:

authorised personnel of the Controller (employees, collaborators), bound by confidentiality and instructed pursuant to Art. 29 GDPR and Art. 2-quaterdecies of the Italian DP Code;
cloud, hosting, storage and IT infrastructure providers (e.g. Amazon Web Services, Google Cloud Platform, Microsoft Azure);
analytics and statistics providers (e.g. Google Analytics for Firebase, Mixpanel, Amplitude);
crash reporting and monitoring providers (e.g. Firebase Crashlytics, Sentry);
push notification providers (e.g. Firebase Cloud Messaging, Apple Push Notification Service);
payment service providers (e.g. Apple App Store, Google Play, Stripe, PayPal);
customer support & CRM tools (e.g. Intercom, Zendesk, HubSpot);
email and marketing providers (e.g. SendGrid, Mailchimp, Brevo);
professional advisors, accountants, lawyers, auditors;
judicial, public-security or other competent public authorities, where required by law.

Parties processing data on the Controller's behalf are appointed as Data Processors under Art. 28 GDPR through a binding contract. The up-to-date list of Processors is available on request at the contacts in Section 1.

Personal data are not subject to dissemination.

8. International Transfers

Some of the providers listed in Section 7 may be based in, or process data from, countries outside the European Economic Area (EEA), including the United States.

In such cases, we ensure that transfers comply with Articles 44–49 GDPR, on the basis of:

adequacy decisions adopted by the European Commission (e.g. the EU–US Data Privacy Framework for certified providers);
Standard Contractual Clauses (“SCCs”) approved by Commission Decision 2021/914;
supplementary measures (encryption, pseudonymisation, access controls) where required following a Transfer Impact Assessment (“TIA”);
Binding Corporate Rules (“BCRs”), where applicable.

You may request a copy of the safeguards in place from the Controller at the contacts in Section 1.

9. Automated Decisions & Profiling

The Controller may use profiling tools (Art. 22 GDPR) to personalise content, recommendations and notifications based on your habits, goals and activity. Profiling that is not strictly necessary to provide the Service is performed only on the basis of your consent.

We do not carry out solely automated decision-making that produces legal effects on you or similarly significantly affects you.

10. Your Rights (Articles 15–22 GDPR)

You may exercise the following rights at any time:

Right of access (Art. 15): obtain confirmation of the processing and a copy of your data;
Right to rectification (Art. 16): correct inaccurate data or complete incomplete data;
Right to erasure — “right to be forgotten” (Art. 17) in the cases provided for by law;
Right to restriction of processing (Art. 18) in the cases provided for by law;
Right to data portability (Art. 20): receive in a structured, commonly used and machine-readable format the data you provided, and transmit it to another controller;
Right to object (Art. 21) at any time to processing based on legitimate interest or for direct marketing;
Right not to be subject to a decision based solely on automated processing (Art. 22);
Right to withdraw consent (Art. 7(3)) at any time, without affecting the lawfulness of prior processing.

To exercise your rights, you can write to us:

by email: privacy@dolife.ai;
by PEC: [INSERT PEC];
by post: [INSERT POSTAL ADDRESS];
or via the “Privacy” section inside the App.

We will reply without undue delay and in any case within 30 days of receipt, extendable by a further 60 days where necessary due to complexity (Art. 12(3) GDPR). Exercising your rights is free of charge, except for manifestly unfounded or excessive requests.

11. Right to Lodge a Complaint with the Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Italian Data Protection Authority (Art. 77 GDPR; Art. 141 Italian DP Code):

Garante per la protezione dei dati personali

Address: Piazza Venezia 11 — 00187 Rome (RM), Italy

Phone: (+39) 06 69677 1

Fax: (+39) 06 69677 3785

Email: garante@gpdp.it

PEC: protocollo@pec.gpdp.it

Website: www.garanteprivacy.it

You may also lodge a complaint with the supervisory authority of the EU Member State of your habitual residence, place of work or place of the alleged infringement.

12. Minors

The App is not intended for users under 14 years of age. Pursuant to Article 8 GDPR and Article 2-quinquies of the Italian DP Code, processing of a child's personal data in Italy is lawful from age 14; below that age, processing is lawful only with the consent of the holder of parental responsibility, and within the scope of such consent.

The Controller takes reasonable measures, considering available technology, to verify that consent is given by the holder of parental responsibility. If we become aware that we have inadvertently collected data from a child under 14 without proper consent, we will delete it without undue delay.

13. Cookies & Similar Tracking Technologies

The website and certain App components may use cookies and similar technologies (SDKs, pixels, web beacons, device identifiers) for technical, statistical and — subject to your consent — profiling and marketing purposes.

For full details on the type, purpose, duration and management of cookies, please see the Cookie Policy available at [INSERT URL] and in the App settings. You can change or withdraw your consent at any time via the cookie banner or the in-App privacy preferences.

Processing complies with the Italian Data Protection Authority's Guidelines of 10 June 2021 (Provision no. 231) on cookies and other tracking tools.

14. Data Security & Breach Notification

We implement all technical and organisational measures necessary to prevent loss, unauthorised access, destruction or alteration of personal data. In the event of a personal data breach likely to result in a risk to users' rights and freedoms, we will:

notify the Italian Data Protection Authority within 72 hours of becoming aware of the breach (Art. 33 GDPR);
communicate the breach to affected users, where required by Art. 34 GDPR, in a clear and timely manner.

15. Third-Party Plugins & Services

The App and/or website may integrate plugins, share buttons and services provided by third parties (e.g. Apple, Google, Meta/Facebook, X/Twitter, Instagram, TikTok). Such parties act as independent data controllers for the data they collect through their own services: please consult their privacy policies.

16. Joint Controllership (where applicable)

Where the Controller jointly determines the purposes and means of processing with other parties, a joint controllership arrangement under Art. 26 GDPR will be put in place; its essential terms will be made available to you.

17. Changes to this Policy

We may update this Policy at any time to reflect legal, technical or operational changes. The current version is always available within the App and on our website, with the date of the latest update. In case of material changes, we will notify you by email or via in-App notice.

18. Governing Law & Jurisdiction

This Policy is governed by Italian law and EU law. For any dispute concerning the processing of personal data, the courts of [INSERT CITY], Italy, shall have exclusive jurisdiction, without prejudice to any non-derogable consumer forum.

19. Contact

For any question, request or report concerning this Policy or the processing of personal data:

Privacy email: privacy@dolife.ai

DPO email: dpo@dolife.ai

PEC: [INSERT PEC]

Postal address: [INSERT POSTAL ADDRESS]