Privacy Policy
Effective Date: 10/03/2026
Chamelix ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our software-as-a-service (SaaS) platform ("Platform"). By accessing or using the Platform, you agree to this Privacy Policy.
Information We Collect
We collect information from you in two primary ways: information you provide to us and information we collect automatically.
Information You Provide
- Account Information: When you create an account, we collect your name and email address. During onboarding we also require a phone number to send appointment reminders and operational notices. A profile picture remains optional.
- User Content: This includes any information you choose to share on the Platform, such as reviews, posts, and messages.
- Additional Information: Depending on the features you use, you may provide other details related to your activities or services on the Platform.
Information We Collect Automatically
- Usage Data: We may automatically collect information about how you access and use the Platform, including your IP address, browser type and version, device type and operating system, pages visited, time spent on each page, search queries, and preferences.
- Cookies and Tracking Technologies: We use cookies and similar tracking technologies to collect and store information about your usage of the Platform. This helps us improve your experience, analyze how the Platform is used, and personalize content.
How We Use Your Information
We use the collected information for various purposes, including:
- Providing and Maintaining the Platform: To operate and maintain the Platform, create and manage user accounts, facilitate interactions and communication, and provide customer support.
- Personalizing Your Experience: To tailor the Platform to your preferences and provide relevant content and recommendations.
- Improving the Platform: To analyze usage trends, identify areas for improvement, and develop new features.
- Marketing and Communications: To send you updates, newsletters, and promotional content, if you have opted in to receive them.
- Legal Compliance: To comply with applicable laws and regulations, and to respond to legal requests.
How We Share Your Information
We may share your information with the following third parties:
- Service Providers: We may share your information with third-party service providers who assist us in providing and maintaining the Platform, such as payment processors, data analytics providers, and customer support platforms. We have contracts with these providers requiring them to protect your information.
- Other Users: Depending on the Platform's functionality, other users may view your public profile or interact with you.
- Legal Authorities: We may disclose your information to legal authorities if required by law or in response to valid legal requests.
- Business Transfers: In the event of a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your information is transferred and becomes subject to a different Privacy Policy.
Roles and Data Protection Responsibilities
Depending on the context, data protection roles are distributed as follows:
- Sports center (organization): data controller for membership registration (tesseramento) data handled for that center, including certificate checks and center-specific acceptance records.
- Chamelix: data processor for those center-managed processing activities, acting on documented instructions.
- Chamelix as independent controller: for account management, authentication, platform security, platform operations, service reliability, and Chamelix direct communications/marketing (where applicable).
Sports Membership and Health Certificate Data
For sports organizations, the platform can manage health certificate data as special category data under applicable law.
When this module is used, we store:
- certificate file in private cloud storage;
- certificate type (for example NON_AGONISTIC or AGONISTIC);
- certificate expiry date (expiresAt);
- related technical metadata required for compliance and traceability (for example upload actor and audit events).
What we do not do on certificate files:
- no OCR extraction of medical content;
- no automated medical analysis or profiling;
- no enrichment of medical data beyond what is needed for compliance workflow.
Technical and Organizational Security Measures
We take reasonable measures to protect your information from unauthorized access, use, or disclosure. These measures include:
- Private storage for certificates: certificate files are handled through private storage paths and are not exposed as public listing endpoints.
- Short-lived signed URLs: certificate downloads are served via expiring signed URLs (short TTL), not permanent public links.
- Organization-scoped authorization: manager/staff access is checked against organization membership and role.
- Audit trail: membership registration and certificate operations are logged with append-only audit events for operational accountability.
- Endpoint hardening: generic file endpoints block certificate paths and prevent existence leakage for protected files.
Data Retention
We retain personal data for the time needed to provide the service and to comply with legal obligations.
For sports certificate data, the current implementation follows this model:
- the system keeps only the most recent certificate records required by the workflow (current and previous, per certificate type);
- expired certificates are eligible for deletion 90 days after expiry;
- automated cleanup is executed by a scheduled retention endpoint (cron);
- infrastructure lifecycle rules on the storage prefix certifications/organizations/ are used only as a conservative backstop for orphaned files (not as the primary legal retention rule).
Your Privacy Rights and Request Routing
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal information:
- Right of Access: You have the right to request access to your personal information.
- Right to Rectification: You have the right to request correction of any inaccurate or incomplete personal information.
- Right to Erasure: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Restriction of Processing: You have the right to request restriction of processing of your personal information.
- Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, and machine-readable format.
- Right to Object: You have the right to object to the processing of your personal information for certain purposes.
To exercise these rights, contact us using the details below. To speed up handling, requests should be routed as follows:
- Requests about center membership registration data (including certificate data and center-specific acceptance events): route to the relevant sports center (controller).
- Requests about platform account data and Chamelix services (login, profile, platform security/operations, and Chamelix direct marketing): route to Chamelix.
If a request is sent to the wrong party, we will support correct routing where possible.
Data Deletion
We provide several ways for you to manage and delete your data:
- Platform Deletion: You can manage your account settings to delete specific data or disconnect integrations, if applicable.
- Automatic Deletion: We support automated mechanisms to handle data deletion requests when permissions are revoked through third-party tools.
- Manual Requests: You can request data deletion by contacting us via our support channels or email.
Legal Compliance
We operate in compliance with the General Data Protection Regulation (GDPR). We process your data based on your consent or other legal bases where applicable. We inform all users of their rights under the GDPR and provide mechanisms for exercising those rights.
To ensure the lawful and secure processing of personal data, we have implemented the following measures:
- Data Processing Addendum (DPA): We have signed agreements with our data processors to ensure compliance with GDPR requirements.
- Transfer Impact Assessment (TIA): We conduct assessments to mitigate risks associated with data transfers, ensuring compliance with GDPR requirements.
Children's Privacy
Personal data of minors can be processed only when entered by a parent or legal guardian acting for the minor. Direct self-registration by users under 18 is not allowed under our terms.
At sign-up we require a declaration that the person registering is either an adult or a parent/legal guardian. Sports centers remain responsible for verifying eligibility and legal basis in their own registration workflows.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the Effective Date. You are advised to review this Privacy Policy periodically for any changes.
Contact Us
If you have any questions or concerns about this Privacy Policy, please contact us at:
Email: app@chamelix.it
Address: Chamelix,
By using our Platform, you acknowledge that you have read and understood this Privacy Policy.