Privacy Policy
Weight Management System 4.0
Table of Contents
- Introduction & Scope
- Data Controller Information
- Categories of Personal Data Collected
- Purposes of Processing & Legal Basis
- Special Category Data (Health Data)
- Data Retention Periods
- Sharing & Disclosure of Personal Data
- International & Cross-Border Data Transfers
- Your Rights as a Data Subject
- Automated Decision-Making & Profiling
- Cookies & Tracking Technologies
- Children’s Privacy
- Security Measures
- Updates to This Privacy Policy
- How to Contact Us & Lodge a Complaint
Introduction & Scope
Welcome to Weight Management System 4.0 (hereinafter “the Platform,” “we,” “us,” or “our”), an online coaching platform offering personalised weight management services, nutritional guidance, and health tracking tools to users worldwide, including users located in the European Union and the European Economic Area.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access or use our Platform, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, “GDPR”), in particular Articles 13 and 14 thereof.
This Policy applies to all personal data collected:
- Directly from you when you register, use our services, or contact us (Article 13 GDPR); and
- Indirectly from third-party sources, such as healthcare providers, fitness applications, or public databases (Article 14 GDPR).
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please do not use our services.
1Data Controller Information
For the purposes of the GDPR, the entity responsible for your personal data — the Data Controller — is:
Data Controller
Company: Weight Management System 4.0 Co., Ltd.
Address: 99 Lang Ha, Dong Da, Hanoi, Vietnam
Registration: Business Registration No. ., issued by ., Vietnam
Email: info@24k.agency
Phone: +84 93 253 8888
Website: https://24k.agency
1.1 EU Representative (Article 27 GDPR) Required for Non-EU Controllers
As a company established outside the EU that offers services to individuals in the EU, we have appointed an EU Representative pursuant to Article 27 GDPR:
EU Representative
Name:.
Address:.
Email: info@24k.agency
Phone:.
1.2 Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) to oversee compliance with applicable data protection laws:
Data Protection Officer
Name: Pham Minh Huy
Email: info@24k.agency
Postal: 99 Lang Ha, Dong Da, Hanoi, Vietnam
2Categories of Personal Data Collected
2.1 Data You Provide Directly Art. 13 GDPR
| Category | Examples of Data | Mandatory / Optional |
|---|---|---|
| Identity Data | Full name, date of birth, gender | Mandatory |
| Contact Data | Email address, phone number, country of residence | Mandatory (email); Optional (phone) |
| Health & Body Data Special Category | Body weight, height, BMI, target weight, dietary restrictions, physical activity level | Mandatory for core services |
| Account Credentials | Username, hashed password | Mandatory |
| Progress & Coaching Data | Weight logs, meal plans, exercise records, coach messages, progress photos (if uploaded) | Optional |
| Payment Data | Billing name, country, last 4 digits of card (processed by payment processor) | Mandatory for paid tiers |
| Communication Data | Customer support messages, survey responses, feedback | Optional |
2.2 Data Collected Automatically Art. 13 GDPR
| Category | Examples of Data |
|---|---|
| Usage Data | Pages visited, features used, session duration, click patterns |
| Device & Technical Data | IP address, browser type, operating system, device identifiers |
| Location Data | Country-level location derived from IP address |
| Cookie Data | Session cookies, analytics cookies (see Section 10) |
2.3 Data Received from Third Parties Art. 14 GDPR
Where applicable, we may receive personal data from the following sources:
- Fitness & Health Apps: Data from connected applications (e.g., Apple Health, Google Fit) if you grant integration permissions;
- Social Login Providers: Basic profile data (name, email) from Google or Apple if you use social sign-in;
- Payment Processors: Transaction status and billing verification data;
- Healthcare Referral Partners: Referral information, if your healthcare provider recommended our platform.
3Purposes of Processing & Legal Basis
We process your personal data only for specific, explicit, and legitimate purposes. The table below details each processing activity, its purpose, and the corresponding legal basis under Article 6 GDPR.
| Purpose of Processing | Description | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Account Registration & Authentication | Creating and managing your user account, verifying identity, enabling login | Art. 6(1)(b) – Contractual necessity |
| Service Delivery | Providing personalised coaching, weight tracking, meal plans, and progress analysis | Art. 6(1)(b) – Contractual necessity |
| Health Programme Personalisation | Tailoring recommendations based on your health and weight data | Art. 6(1)(a) – Explicit consent; Art. 9(2)(a) – for health data |
| Payment Processing | Billing for premium subscriptions, issuing invoices, processing refunds | Art. 6(1)(b) – Contractual necessity |
| Customer Support | Responding to enquiries, resolving complaints, providing technical assistance | Art. 6(1)(b) – Contractual necessity; Art. 6(1)(f) – Legitimate interests |
| Safety & Medical Alerts | Detecting anomalies in health data that may indicate a medical risk | Art. 6(1)(d) – Vital interests; Art. 9(2)(c) – for health data |
| Analytics & Platform Improvement | Aggregated, anonymised analysis to improve features and user experience | Art. 6(1)(f) – Legitimate interests |
| Marketing & Newsletters | Sending promotional emails, product updates (opt-in only) | Art. 6(1)(a) – Consent |
| Legal Compliance | Complying with tax, accounting, and regulatory obligations | Art. 6(1)(c) – Legal obligation |
4Special Category Data (Health Data)
We process this data exclusively on the basis of your explicit consent (Article 9(2)(a) GDPR), obtained at the point of registration. You may withdraw this consent at any time; however, withdrawal will prevent us from providing personalised coaching services.
- Health data is stored in encrypted form and accessible only to authorised coaching staff;
- Health data is never sold, rented, or shared with advertisers;
- Aggregated, anonymised health statistics may be used for platform research, but such data cannot be linked back to any individual.
5Data Retention Periods
| Data Category | Retention Period | Basis |
|---|---|---|
| Account & Identity Data | Duration of account + 2 years after closure | Contractual necessity, legal obligations |
| Health & Body Data | Duration of active subscription + 12 months | Consent; deleted upon withdrawal |
| Payment Records | 7 years from transaction date | Tax and accounting obligations (Art. 6(1)(c)) |
| Usage & Analytics Data | 26 months (anonymised after 13 months) | Legitimate interests |
| Support Communications | 3 years from resolution | Legitimate interests (dispute resolution) |
| Marketing Consent Records | Until consent is withdrawn + 1 year | Compliance with consent obligations |
| Cookie Data | As specified in Cookie Policy (max. 13 months) | ePrivacy Directive / consent |
6Sharing & Disclosure of Personal Data
We do not sell your personal data. We may share your data with the following categories of recipients, strictly on a need-to-know basis and under binding contractual obligations:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Coaching Staff | Providing personalised coaching services | Confidentiality agreements, role-based access |
| Payment Processors (e.g., Stripe, PayPal) | Processing subscription payments | PCI-DSS compliant; Data Processing Agreement |
| Cloud Infrastructure (e.g., AWS, Google Cloud) | Hosting and data storage | Standard Contractual Clauses (SCCs) |
| Analytics Providers (e.g., Google Analytics) | Platform usage analytics | Data anonymisation; DPA in place |
| Email Service Providers | Transactional and marketing emails | Data Processing Agreement |
| Legal / Regulatory Authorities | Compliance with court orders or legal obligations | Only as required by applicable law |
7International & Cross-Border Data Transfers
As our Platform operates globally with servers that may be located outside the EU/EEA, your personal data may be transferred to countries that do not provide the same level of data protection as the EU.
In all such cases, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914/EU);
- Adequacy Decisions where the recipient country has been recognised by the European Commission as providing adequate protection;
- Binding Corporate Rules (BCRs) where applicable within our group of companies.
You may request a copy of the applicable transfer safeguards by contacting us at info@24k.agency.
8Your Rights as a Data Subject
Under the GDPR, you have the following rights with respect to your personal data. We will respond to all verified requests within one (1) month (extendable by two months for complex requests).
Request a copy of all personal data we hold about you, along with information on how it is processed.
Request correction of inaccurate or incomplete personal data without undue delay.
Request deletion of your personal data (“right to be forgotten”) in certain circumstances.
Request that we restrict processing of your data while a dispute is being resolved.
Receive your personal data in a structured, machine-readable format (JSON/CSV) for transfer to another provider.
Object to processing based on legitimate interests or direct marketing at any time.
Withdraw consent for any processing activity based on consent, at any time, without affecting prior processing.
Lodge a complaint with your local EU supervisory authority if you believe your rights have been violated.
9Automated Decision-Making & Profiling
Our Platform uses automated processing (including AI-assisted recommendations) to generate personalised nutrition plans, fitness goals, and progress insights. This constitutes profiling within the meaning of Article 22 GDPR.
- Automated recommendations do not produce legal or similarly significant effects;
- All AI-generated plans are reviewed and approved by a certified human coach before delivery;
- You may opt out of profiling-based personalisation by contacting info@24k.agency.
10Cookies & Tracking Technologies
We use cookies and similar tracking technologies on our Platform. A separate Cookie Policy details all cookies used, their purposes, and your consent options. Below is a summary:
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Session management, security, login persistence | No (legitimate interest) |
| Functional | Language preferences, UI settings | No (legitimate interest) |
| Analytics | Google Analytics — anonymised usage statistics | Yes (opt-in) |
| Marketing | Retargeting, conversion tracking | Yes (opt-in) |
You may manage your cookie preferences at any time via the Cookie Settings link in the website footer.
11Children’s Privacy
Our Platform is intended for users aged 18 and over. We do not knowingly collect personal data from children under the age of 16 (or the applicable age of digital consent in your Member State, which may be lower).
If we become aware that we have collected personal data from a child without verifiable parental consent, we will delete such data immediately. If you believe we hold data from a child, please contact info@24k.agency.
12Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure:
- Encryption: AES-256 encryption at rest; TLS 1.3 in transit;
- Access Controls: Role-based access; multi-factor authentication for staff;
- Regular Audits: Periodic security assessments and penetration testing;
- Incident Response: Data breach notification to supervisory authorities within 72 hours (Art. 33 GDPR); affected users notified without undue delay where high risk (Art. 34 GDPR);
- Data Minimisation: We collect and retain only what is strictly necessary.
13Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or platform features. We will notify you of material changes by:
- Posting the updated Policy on this page with a revised “Effective Date”;
- Sending an email notification to your registered account address for significant changes;
- Displaying an in-app banner for 30 days following material updates.
Continued use of the Platform after the effective date of any update constitutes your acceptance of the revised Policy.
14How to Contact Us & Lodge a Complaint
For any questions, concerns, or requests relating to this Privacy Policy or our data processing activities, please contact us:
Privacy Enquiries
Email: info@24k.agency
DPO Email: info@24k.agency
Post: 99 Lang Ha, Dong Da, Hanoi, Vietnam — marked “Privacy / GDPR”
Response Time: Within 72 hours for general queries; 30 days for formal GDPR requests
Supervisory Authority Complaints
If you are located in the EU/EEA and believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority:
- Germany: BfDI — www.bfdi.bund.de
- France: CNIL — www.cnil.fr
- Netherlands: AP — www.autoriteitpersoonsgegevens.nl
- All EU authorities: European Data Protection Board directory