This policy explains personal-data processing in the Trely mobile and web service under the GDPR and Slovak Act No. 18/2018. Cookies are covered here rather than in a separate policy.
1. Controller and scope
Rexly s. r. o. Registered office: Račianska 14350/64B, 831 03 Bratislava, Slovak Republic Company ID: 57 516 812 · Tax ID: 2122791220 · VAT ID: SK2122791220 Commercial Register of the Bratislava III Municipal Court, Section Sro, Insert No. 197507/B Email: support@trely.eu · privacy: privacy@trely.eu Web: https://trely.eu
The privacy contact is privacy@trely.eu. Rexly assessed GDPR Article 37 and, as of the effective date, is not required to appoint a data protection officer; this is reviewed regularly.
2. Our roles
Rexly is the controller for account, subscription, support, security and service-operation data. For client data entered by a trainer, physiotherapist or another professional, that professional is the controller and Rexly generally acts as processor under GDPR Article 28. The professional determines the purpose, legal basis and information supplied to clients.
3. Data we process
Identity and contact data; account, profile and subscription data; communications, chat and support; calendars, bookings, training and rehabilitation plans; height, weight, BMI, body measurements, goals, injuries, test results and progress; photos and files; IP address, device identifiers, logs, app and OS version; billing data, payment amount, status and identifier. Rexly does not see full payment-card numbers.
4. Purposes, legal bases and retention
Account and service: contract, while the account exists, then deletion or anonymisation generally within 30 days. When a client deletes their account, we promptly remove their access, contact and profile data, messages, progress photos, measurements, intake forms, private notes and client-specific training records; historical bookings, payments and operational audit records remain without the client’s original identity. Client data: on the professional user’s instructions. Support: contract or legitimate interest, 3 years. Accounting: legal obligation, 10 years. Subscriptions/payments: contract and fraud prevention, provider and statutory periods. Product analytics: legitimate interest in improving security and usability; we use a pseudonymous account identifier, role, app version, OS and feature-use data, not chat content, photos or health data. Operational logs: legitimate interest, 90 days; crash reports: 180 days. Backups rotate within 30 days.
5. Health data and photos
Height, weight, BMI, measurements, injuries, rehabilitation, tests and progress photos may be special-category data under GDPR Article 9. The professional obtains and records the appropriate basis, usually explicit consent under Article 9(2)(a). As processor, Rexly does not use this data for marketing, profiling or AI-model training. Photos in Supabase Storage are private and protected by authentication and access policies.
6. Recipients and transfers
Supabase (EEA, Frankfurt) – database, authentication and storage; RevenueCat – subscriptions; Apple and Google – distribution, purchases and push; Resend – email delivery processor; Expo – push infrastructure; Sentry – diagnostics; PostHog – product analytics; Vercel – web hosting. Stripe processes direct-payment data only if we explicitly enable that option in Trely. Transfers outside the EEA use GDPR Chapter V safeguards, especially the EU–US Data Privacy Framework or Standard Contractual Clauses. Advisers and public authorities may receive data where legally required.
7. Security and incidents
Measures include TLS, encryption at rest, least-privilege access, database access policies, monitoring, backups and security updates. As controller we report qualifying breaches to the authority generally within 72 hours and notify people where risk is high. As processor we notify the professional without undue delay.
8. Your rights and account deletion
You may request access, correction, deletion, restriction, portability, object, withdraw consent and complain. Email privacy@trely.eu; we normally respond within one month. For trainer-entered data, contact the trainer first. Cancelling a subscription does not delete an account. Delete in the app or email support@trely.eu. Trely does not make decisions under GDPR Article 22.
10. Changes, contact and authority
We provide appropriate notice of material changes. The current version is always available at trely.eu. Supervisory authority: Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, statny.dozor@pdp.gov.sk, +421 2 3231 3214, https://dataprotection.gov.sk.