THE BALANCE SPACE

Privacy Policy

Effective from: 1 March 2026 · Last updated: 1 March 2026

§ 1. Data Controller

The controller of personal data is Aliaksei Lapuka, conducting business activity under the business name Aliaksei Lapuka, ul. Augustyna Szamarzewskiego 21/2, 60-514 Poznań, NIP: 7831854033, REGON: 521561577 (hereinafter: the "Controller").

Contact the Controller: thebalancespacehq@gmail.com.

§ 2. Scope of Processed Data

The Controller processes the following personal data of Users:

  • Identification data: first name, surname (optional at registration, required when purchasing a Pass).
  • Contact data: mobile phone number or e-mail address — required for registration and identity verification (OTP).
  • Transaction data: information on purchases, payments, bookings, and service usage history.
  • Technical data: IP address, device type, operating system, application version — collected automatically for diagnostic purposes.
  • Preferences: preferred language, notification settings, class preferences.

§ 3. Purposes and Legal Bases for Processing

Personal data is processed for the following purposes:

a) Provision of services (Art. 6(1)(b) GDPR)

  • Creation and management of the User Account.
  • Processing of Class bookings.
  • Handling of payments and Pass purchases.
  • Service-related communications (confirmations, reminders).

b) Legal obligations (Art. 6(1)(c) GDPR)

  • Maintaining accounting and tax documentation.
  • Fulfilling obligations under the Polish Act on Consumer Rights (Ustawa o prawach konsumenta).

c) Legitimate interests of the Controller (Art. 6(1)(f) GDPR)

  • Ensuring the security and proper functioning of the Platform.
  • Analysing Platform usage to improve service quality.
  • Pursuing or defending against legal claims.

§ 4. Data Recipients

Personal data may be disclosed to the following categories of recipients:

  • PayNow (mBank S.A.) — payment operator, to the extent necessary for processing payment transactions.
  • Brevo (Sendinblue GmbH) — transactional e-mail and SMS service provider, based in the European Union (France).
  • Cloudflare, Inc. — internet infrastructure provider (CDN, DNS), based in the USA, on the basis of Standard Contractual Clauses (SCC).
  • Hetzner Online GmbH — hosting service provider, based in Germany.
  • Google LLC (Firebase Cloud Messaging) — push notification service provider, based in the USA, on the basis of Standard Contractual Clauses (SCC).

§ 5. Data Transfers Outside the EEA

Certain personal data may be transferred to third countries (USA) in connection with the use of Cloudflare and Google services. Such transfers are carried out on the basis of:

  • Standard Contractual Clauses (SCC) approved by the European Commission.
  • Additional security measures, such as encryption of data in transit and at rest.

§ 6. Data Retention Period

  • Account data: for the entire duration of the active Account and 30 days after its deletion (recovery period).
  • Transaction data: for a period of 5 years from the end of the tax year in which the transaction was made (tax obligations).
  • Technical data (logs): for a period of 90 days.
  • Data for pursuing claims: for the limitation period for claims (up to 6 years).

§ 7. User Rights

Every User has the right to:

  • Access their personal data (Art. 15 GDPR).
  • Rectification of inaccurate data (Art. 16 GDPR).
  • Erasure of data — the "right to be forgotten" (Art. 17 GDPR).
  • Restriction of processing (Art. 18 GDPR).
  • Data portability (Art. 20 GDPR).
  • Object to processing (Art. 21 GDPR).
  • Lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.

To exercise your rights, please contact the Controller: thebalancespacehq@gmail.com.

§ 8. Cookies

The thebalance.space website uses only strictly necessary technical cookies required for the proper functioning of the website. We do not use analytical or marketing cookies.

The The Balance Space mobile application does not use cookies.

§ 9. Data Security

The Controller implements appropriate technical and organisational measures to protect personal data, including:

  • Data transmission encryption (TLS/SSL).
  • Encryption of sensitive data in the database.
  • JWT token-based authentication with a limited validity period.
  • Regular software updates and security monitoring.
  • Access controls for IT systems.

§ 10. Changes to the Privacy Policy

The Controller reserves the right to amend this Privacy Policy. Users will be notified of material changes through the Platform. The current version of the Privacy Policy is always available at: thebalance.space/en/privacy.