← Back to Olivio Labs

Privacy Policy

Last updated: 30 June 2026

1.Who we are

Olivio Labs, LLC ("Olivio", "we", "us") provides an AI marketing service for boutique fitness studios. We operate from Madrid, Spain. This policy explains how we handle personal data and applies to our website, oliviolabs.com, and to the services we provide to fitness studios (our "customers"). We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and Spain's Organic Law 3/2018 (LOPDGDD).

2.Our role: controller and processor

We act in two capacities, depending on the data:

  • As a processor — when we handle data belonging to a customer studio's account, including the data the studio connects from its Instagram / Facebook account and from its booking / scheduling system. The studio is the controller of that data; we process it only on the studio's documented instructions, under the Data Processing Agreement between us.
  • As a controller — when we handle data we collect directly, such as visitors to our website, people who contact us, and the administrators who use our dashboard, where we determine the purposes and means of processing.

3.Data we process

As processor, on behalf of a customer studio:

  • Instagram / Facebook data — profile and account information; media and posts (captions, media, timestamps); insights (reach, impressions, engagement, follower / audience data); comments; linked Facebook Page data; business / account metadata.
  • Booking / scheduling data from the studio's system — member names, contact details, attendance and booking history, and purchase history.

As controller, collected directly:

  • Account and contact data — name, email, and the studio you represent.
  • Website usage data — IP address, device / browser information, and pages visited, collected via cookies (see our Cookie Policy).

4.Source

Instagram / Facebook data is obtained from Meta's Graph APIs with the account owner's authorization; booking data is obtained from the studio's booking system on the studio's instructions; website and account data is collected directly from you.

5.Why we process it

  • To deliver the service to the studio — generate content recommendations, engagement and audience insights, and draft campaign messaging for the studio's review and approval.
  • To operate, secure, and improve our website and service.
  • To respond to enquiries and provide support.
  • To send service communications and, with consent, marketing about Olivio's own service.

We do not sell personal data, and we do not use customer data for advertising or to build cross-client profiles.

6.Legal basis

  • Processor processing — carried out only on the studio's documented instructions under Article 28 GDPR. The studio, as controller, holds the legal basis for the underlying processing (generally legitimate interests, Article 6(1)(f), or consent, Article 6(1)(a)).
  • Our own processing — performance of a contract (Article 6(1)(b)) for accounts and service delivery; legitimate interests (Article 6(1)(f)) for security, improvement, and marketing of our own service; consent (Article 6(1)(a)) for non-essential cookies and marketing where required; and legal obligation (Article 6(1)(c)) where applicable.

7.Children

Our service is provided to fitness studios as businesses and is not directed to children. In line with Spanish data protection law (LOPDGDD), the age of digital consent in Spain is 14, and we do not knowingly process the personal data of children under 14. If you believe a minor's data has been provided to us without an appropriate legal basis, contact us and we will take appropriate steps.

8.Storage and security

Member personal data is stored in our Supabase database, hosted within the European Union (EU-West, Ireland). Our application runs on Railway hosting infrastructure (EU-West). Data is encrypted in transit and at rest, access is restricted on a need-to-know basis, and access is logged.

9.International data transfers

Some providers we use are established in the United States, and Olivio Labs, LLC is a US-incorporated entity, so data may be transferred to or accessed from outside the European Economic Area (EEA). Where that happens, we rely on the European Commission's Standard Contractual Clauses (SCCs) as our transfer basis. The main transfer of member data outside the EEA is to our US-based AI gateway (OpenRouter) and the AI model providers behind it. Certain US sub-processors (such as Google and Meta) also maintain their own EU–US Data Privacy Framework (DPF) certifications, which cover the transfers to them.

10.Sub-processors

We share data only with the sub-processors needed to run the service, each under a data processing agreement.

  • Supabase, Inc. (US company; member data hosted in the EU) — application database and authentication; the system of record for member personal data.
  • Railway Corp. (US company; EU-West hosting) — application hosting and infrastructure.
  • Meta Platforms, Inc. / WhatsApp (US) — source of Instagram / Facebook data and the WhatsApp message-delivery channel.
  • OpenRouter, Inc. (US) — AI gateway; routes prompts (member context only, never phone or email) to the model providers below.
  • Anthropic, Google, and OpenAI (US) — AI model providers for language-model inference, accessed through the OpenRouter gateway.
  • Google LLC — Google Fonts (US) — webfonts displayed on our dashboard; receives the visitor's IP address when a page loads.
  • The studio's booking / scheduling provider, as configured by the studio (the studio selects and controls this system).

11.Retention

We keep personal data only as long as needed for the purposes above. Customer data is deleted within 30 days of the end of the studio's service agreement or a verified deletion request, whichever is first. Our own records are kept for the periods required by applicable law.

12.Your rights

Under the GDPR you have the right to: access your data and receive a copy; rectification; erasure (the "right to be forgotten"); restriction of processing; data portability; objection (including an absolute right to object to direct marketing); and not to be subject to decisions based solely on automated processing. Where processing is based on consent, you may withdraw it at any time.

We use AI to generate recommendations and draft content, but these are suggestions: the studio reviews and approves all communications before anything is sent, so we do not make decisions producing legal or similarly significant effects based solely on automated processing.

Where the studio is the controller, you can exercise these rights through the studio, or directly with us; we will act in coordination with the controller. To request deletion, see our Data Deletion Instructions.

13.Supervisory authority

You have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD — www.aepd.es), or with the supervisory authority where you live.

14.Changes to this policy

We may update this policy from time to time. We will post the updated version on this page and revise the date above.

15.Contact

Data and privacy requests: privacy@oliviolabs.com.