Privacy Policy
Effective Date: 10/03/2026
Chamelix ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our software-as-a-service (SaaS) platform ("Platform"). By accessing or using the Platform, you agree to this Privacy Policy.
Data Controller
The Chamelix Platform is operated by ArizenLab S.r.l.s., registered office at Via Padova 20, 36010 Zanè (VI), Italia, VAT 04578500243.
ArizenLab S.r.l.s. acts as the data controller for Platform-account data and for the purposes described in this policy. For membership-registration data and the medical/fitness certificates managed on behalf of a sports organization, the organization is the data controller and ArizenLab S.r.l.s. acts as a data processor (Art. 28 GDPR; see the DPA page).
For any request regarding your personal data, contact us at app@chamelix.it.
Information We Collect
We collect information from you in two primary ways: information you provide to us and information we collect automatically.
Information You Provide
- Account Information: When you create an account, we collect your name and email address. During onboarding we also require a phone number to send appointment reminders and operational notices. Profile picture remains optional.
- User Content: This includes any information you choose to share on the Platform, such as reviews, posts, and messages.
- Additional Information: Depending on the features you use, you may provide other details related to your activities or services on the Platform.
Information We Collect Automatically
- Usage Data: We may automatically collect information about how you access and use the Platform, including your IP address, browser type and version, device type and operating system, pages visited, time spent on each page, search queries, and preferences.
- Cookies and Tracking Technologies: We use cookies and similar tracking technologies to collect and store information about your usage of the Platform. This helps us improve your experience, analyze how the Platform is used, and personalize content.
How We Use Your Information
We use the collected information for various purposes, including:
- Providing and Maintaining the Platform: To operate and maintain the Platform, create and manage user accounts, facilitate interactions and communication, and provide customer support.
- Personalizing Your Experience: To tailor the Platform to your preferences and provide relevant content and recommendations.
- Improving the Platform: To analyze usage trends, identify areas for improvement, and develop new features.
- Marketing and Communications: To send you updates, newsletters, and promotional content, if you have opted in to receive them.
- Legal Compliance: To comply with applicable laws and regulations, and to respond to legal requests.
How We Share Your Information
We may share your information with the following third parties:
- Service Providers: We may share your information with third-party service providers who assist us in providing and maintaining the Platform, such as payment processors, data analytics providers, and customer support platforms. We have contracts with these providers requiring them to protect your information.
- Other Users: Depending on the Platform's functionality, other users may view your public profile or interact with you.
- Legal Authorities: We may disclose your information to legal authorities if required by law or in response to valid legal requests.
- Business Transfers: In the event of a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your information is transferred and becomes subject to a different Privacy Policy.
Roles and Data Protection Responsibilities
Depending on the context, data protection roles are distributed as follows:
- Sports center (organization): data controller for membership registration (tesseramento) data handled for that center, including certificate checks and center-specific acceptance records.
- Chamelix: data processor for those center-managed processing activities, acting on documented instructions.
- Chamelix as independent controller: for account management, authentication, platform security, platform operations, service reliability, and Chamelix direct communications/marketing (where applicable).
Sports Membership and Health Certificate Data
For sports organizations, the platform can manage health certificate data as special category data under applicable law.
When this module is used, we process:
- the certificate file, stored in private storage;
- the certificate type (for example competitive or non-competitive);
- the certificate expiry date;
- minimal technical information needed for management and traceability (for example who uploaded the document and a record of relevant operations).
What we do not do on certificate files:
- no OCR extraction of medical content;
- no automated medical analysis or profiling;
- no enrichment of medical data beyond what is needed for compliance workflow.
Technical and Organizational Security Measures
We take appropriate technical and organizational measures to protect your information from unauthorized access, use, or disclosure. These include:
- Role-based access control: access to data is restricted based on role and organization membership.
- Private document storage: certificates are kept in non-public areas that cannot be accessed without authorization.
- Time-limited file access: documents are downloaded through time-limited links, not permanent public addresses.
- Logging of relevant operations: significant activities on membership and certificates are recorded for accountability purposes.
- Deletion and retention procedures: we apply defined procedures for the deletion and retention of data.
Data Retention
We retain personal data for the time needed to provide the service and to comply with legal obligations.
For medical sports certificates:
- we keep only the most recent certificates needed to manage the membership;
- expired or no longer necessary certificates are deleted through periodic procedures, typically within about 90 days of expiry;
- limited technical backup or disaster-recovery windows may still apply, as described in the following section.
Backups and Deletion Recovery
When you or your organization delete a document or account, we remove the corresponding records from the active system and the associated files from our storage. However, you should be aware that:
- Cloud storage soft-delete: our file storage provider keeps a deleted object recoverable for a limited soft-delete / object-recovery window (for certificate files this window may be up to 7 days, subject to provider configuration) before it is permanently purged. During this window the file is not accessible through the Platform, but it could be restored by the storage provider in a recovery scenario.
- Database backups: our database provider retains point-in-time backups for a bounded period. Deleted personal data may persist inside those backups until the backup window rolls over, after which it is no longer recoverable.
These windows exist for security, accountability, and disaster-recovery purposes. After they elapse, the data is no longer recoverable. If you need the exact, currently-configured windows for a data-subject request, contact us using the details below.
Your Privacy Rights and Request Routing
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal information:
- Right of Access: You have the right to request access to your personal information.
- Right to Rectification: You have the right to request correction of any inaccurate or incomplete personal information.
- Right to Erasure: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Restriction of Processing: You have the right to request restriction of processing of your personal information.
- Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, and machine-readable format.
- Right to Object: You have the right to object to the processing of your personal information for certain purposes.
To exercise these rights, contact us using the details below. To speed up handling, requests should be routed as follows:
- Requests about center membership registration data (including certificate data and center-specific acceptance events): route to the relevant sports center (controller).
- Requests about platform account data and Chamelix services (login, profile, platform security/operations, and Chamelix direct marketing): route to Chamelix.
If a request is sent to the wrong party, we will support correct routing where possible.
Data Deletion
We provide several ways for you to manage and delete your data:
- Platform Deletion: You can manage your account settings to delete specific data or disconnect integrations, if applicable.
- Automatic Deletion: We support automated mechanisms to handle data deletion requests when permissions are revoked through third-party tools.
- Manual Requests: You can request data deletion by contacting us via our support channels or email.
Legal Compliance
We operate in compliance with the General Data Protection Regulation (GDPR). We process your data based on your consent or other legal bases where applicable. We inform all users of their rights under the GDPR and provide mechanisms for exercising those rights.
To ensure the lawful and secure processing of personal data, we have implemented the following measures:
- Data Processing Addendum (DPA): We have signed agreements with our data processors to ensure compliance with GDPR requirements.
- Transfer Impact Assessment (TIA): We conduct assessments to mitigate risks associated with data transfers, ensuring compliance with GDPR requirements.
Children's Privacy
Personal data of minors can be processed only when entered by a parent or legal guardian acting for the minor. Direct self-registration by users under 18 is not allowed under our terms.
At sign-up we require a declaration that the person registering is either an adult or a parent/legal guardian. Sports centers remain responsible for verifying eligibility and legal basis in their own registration workflows.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the Effective Date. You are advised to review this Privacy Policy periodically for any changes.
Contact Us
If you have any questions or concerns about this Privacy Policy, please contact us at:
Email: app@chamelix.it
Address: Chamelix, Via Padova 20, 36010 Zanè (VI), Italia
By using our Platform, you acknowledge that you have read and understood this Privacy Policy.