GDPR Compliance

Last updated: March 14, 2026

1. GDPR Overview

The General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — is the European Union's comprehensive data protection law that governs how personal data of individuals within the EU and EEA is collected, processed, stored, and transferred. The GDPR establishes fundamental rights for data subjects and imposes strict obligations on organizations that handle personal data.

At AlvoTriX, we are deeply committed to GDPR compliance across every aspect of our service. Because our platform processes sensitive biometric data — including heart rate, SpO2, skin temperature, sleep patterns, and location — we hold ourselves to the highest standards of data protection. This GDPR Compliance page details how we meet and exceed our obligations under the Regulation, and how you can exercise your rights as a data subject.

This document should be read in conjunction with our Privacy Policy and Terms & Conditions. Where there is any conflict between these documents regarding GDPR compliance, this GDPR Compliance page shall prevail.

2. Data Controller Information

Your personal data is controlled by the following entity, which serves as the sole data controller:

Entity | Jurisdiction | Role
Rolaxit Innovation LTD, Company No. 15822417, 20 Wenlock Road, London, N1 7GU, England | England and Wales (UK) | Sole data controller, technology operations, platform development, AI processing, data security, GDPR contact point

Rolaxit Innovation LTD is the sole data controller and is responsible for all aspects of GDPR compliance, including technology operations, platform development, AI processing, data security, serving as the contact point for all data subject access requests (DSARs), payment processing coordination, and customer support. Rolaxit Innovation LTD bears full responsibility for data breach notification (Art. 33-34) and DPIA compliance (Art. 35). You may exercise your data protection rights by contacting privacy@alvotrix.com for fastest response.

Data Protection Officer (DPO): You may contact our DPO for any privacy-related inquiry, data subject access request, complaint, or question about this GDPR Compliance document at: privacy@alvotrix.com

3. Data We Process

AlvoTriX processes the following categories of personal data in the course of providing our safety monitoring service:

Category | Data Types | Lawful Basis
Account Data | Full name, email address, phone number, password (bcrypt hashed), payment details (processed via Stripe — we do not store card numbers) | Contract (Art. 6(1)(b))
Wearer Profiles | Wearer name, age, gender, health conditions (optional), relationship to Guardian account holder | Contract (Art. 6(1)(b)), Consent (Art. 6(1)(a))
Biometric Data (Special Category) | Heart rate (HR), heart rate variability (HRV), blood oxygen saturation (SpO2), skin temperature, step count, calories burned, sleep stages and duration, raw accelerometer data, raw gyroscope data | Explicit Consent (Art. 9(2)(a))
Location Data | GPS coordinates (real-time and historical), geofence zone definitions, geofence entry/exit events | Consent (Art. 6(1)(a))
Ambient Data | Ambient noise level in decibels (dB) — no audio content is recorded, stored, or transmitted at any time | Consent (Art. 6(1)(a))
Usage Data | Dashboard interactions, AI chat conversation logs, generated health and safety reports, alert history and acknowledgements | Contract (Art. 6(1)(b))
Technical Data | IP address, browser type and version, device type, operating system, cookies, referrer URL, page view timestamps | Legitimate Interest (Art. 6(1)(f)), Consent for cookies

Important: Biometric data constitutes special category data under GDPR Article 9. We process this data exclusively under Article 9(2)(a) — your explicit, informed, freely given, specific, and unambiguous consent, obtained through a separate affirmative action during account setup.

4. Lawful Basis for Processing

Under GDPR Article 6(1), we rely on the following lawful bases for processing your personal data:

  • Consent — Art. 6(1)(a): Processing of biometric data, location tracking, ambient noise monitoring, marketing communications, cookie-based analytics (Google Analytics, Facebook Pixel), and AI profiling. Consent is obtained through clear, affirmative actions and may be withdrawn at any time without affecting the lawfulness of prior processing.
  • Contract Performance — Art. 6(1)(b): Processing necessary to deliver the AlvoTriX monitoring service you have subscribed to, including account management, wearer profile configuration, dashboard delivery, report generation, alert transmission, and customer support.
  • Legitimate Interest — Art. 6(1)(f): Processing necessary for fraud prevention, platform security, intrusion detection, service improvement through anonymized analytics, and ensuring network and information security. We have conducted balancing tests to ensure our interests do not override your fundamental rights.
  • Legal Obligation — Art. 6(1)(c): Processing required to comply with applicable laws, including UK tax law, anti-money laundering regulations, and responding to lawful requests from competent authorities.

Special Category Data (Art. 9): For biometric data — which constitutes special category data concerning health — we rely on Article 9(2)(a): explicit consent. This consent is collected separately from general terms acceptance, through a dedicated consent screen that clearly explains what biometric data is collected, how it is processed by our AI, and how long it is retained. You may withdraw this consent at any time via your dashboard or by contacting privacy@alvotrix.com.

Additional GDPR Compliance

AlvoTriX additionally complies with the following GDPR provisions:

  • Article 12 — Transparent Communication: All information about data processing is provided in clear, plain language, accessible free of charge.
  • Article 13 — Information at Collection: Required information is provided at the point of data collection through our app consent screens and this GDPR page.
  • Article 14 — Information Not Obtained from Data Subject: Where data is collected from a Wearer's device rather than directly from the Guardian, we ensure the Guardian receives all required information within one month.
  • Article 19 — Notification Obligation: We inform all recipients of any rectification, erasure, or restriction of your data, unless impossible or disproportionately effortful.
  • Article 25 — Data Protection by Design and Default: Privacy-protective measures are built into our platform architecture, including encryption by default, data minimization, purpose limitation, and privacy-respecting default settings.
  • Article 28 — Processor Obligations: All sub-processors operate under Data Processing Agreements (DPAs) that ensure GDPR-equivalent protections.
  • Article 30 — Records of Processing Activities: We maintain comprehensive records of all processing activities as required.
  • Articles 37-39 — Data Protection Officer: Our DPO operates independently, reports to the highest management level, and can be contacted at privacy@alvotrix.com. The DPO is designated pursuant to Article 37(1)(b) and (c) given our large-scale processing of special category data and systematic monitoring.
  • Article 46 — Appropriate Safeguards for Transfers: International data transfers rely on Standard Contractual Clauses (Commission Decision 2021/914) and UK IDTAs, supplemented by Transfer Impact Assessments (TIAs) conducted for each third-country recipient.

5. Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data. AlvoTriX is committed to facilitating the exercise of all these rights without undue delay:

  • Right of Access (Art. 15): You have the right to obtain confirmation as to whether we process your personal data, and if so, to receive a copy of that data along with information about the purposes of processing, categories of data, recipients, retention periods, and the source of the data. We provide data in machine-readable formats (JSON, CSV).
  • Right to Rectification (Art. 16): You have the right to have inaccurate personal data corrected without undue delay. You may also request completion of incomplete data, including by means of a supplementary statement.
  • Right to Erasure (Art. 17): You have the right to request the deletion of your personal data when: the data is no longer necessary for its original purpose, you withdraw consent, you object to processing, the data was unlawfully processed, or erasure is required by law. See Section 7 for our deletion procedures.
  • Right to Restriction of Processing (Art. 18): You have the right to restrict processing when: you contest the accuracy of the data (for a period allowing verification), the processing is unlawful but you prefer restriction to erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification.
  • Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit that data to another controller without hindrance. This applies to data processed based on consent or contract and carried out by automated means.
  • Right to Object (Art. 21): You have the right to object to processing based on legitimate interest (Art. 6(1)(f)) or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately and without exception.
  • Rights Related to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. See Section 6 for details on our AI processing and your specific rights.
  • Right to Withdraw Consent: Where processing is based on consent (Art. 6(1)(a) or Art. 9(2)(a)), you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. You can withdraw consent via your dashboard settings or by emailing our DPO.

How to exercise your rights: Email privacy@alvotrix.com with your request. We will acknowledge receipt within 48 hours and provide a substantive response within 30 calendar days (extendable by two further months for complex requests, with notification). Identity verification is required. No fee is charged for exercising your data subject rights. A reasonable administrative fee may be charged only for requests that are manifestly unfounded or excessive, in accordance with Article 12(5). We will inform you of any fee before processing the request.

6. AI Profiling & Automated Decision-Making

AlvoTriX employs artificial intelligence and machine learning algorithms to analyze biometric data patterns collected from wearable devices. This constitutes automated processing including profiling under GDPR Article 22. We are transparent about how our AI works and your rights in relation to it.

How our AI processes data: Our AI system analyzes real-time and historical biometric data through 8 Safety Modules:

  • Fall Detector: Analyzes accelerometer and gyroscope data for sudden impact patterns consistent with falls.
  • Panic Button: Detects deliberate activation patterns from the wearable device for immediate SOS alerts.
  • HR Guardian: Monitors heart rate and HRV for abnormal cardiac patterns, bradycardia, tachycardia, and sustained anomalies.
  • Activity Anomaly: Detects unusual deviations from established activity baselines, including prolonged inactivity.
  • Anti-Bullying: Correlates elevated stress biometrics (HR spikes, HRV drops) with ambient noise levels and activity patterns.
  • Sleep Safety: Monitors SpO2, heart rate, and movement during sleep for apnea-like events and restless sleep patterns.
  • Health Crisis: Multi-sensor analysis for combined anomaly patterns that may indicate a medical emergency.
  • Geofence Guardian: Monitors GPS location against predefined safe zones and triggers alerts on boundary violations.

Risk Classification: The AI assigns risk severity levels (low, medium, high, critical) based on the analysis. Alerts are generated and sent to the designated Guardian based on the severity level and module-specific thresholds.

Your rights regarding AI decisions:

  • Human review: You may request human review of any automated assessment or alert generated by our AI.
  • Explanation: You have the right to obtain a meaningful explanation of the logic involved in any AI decision, including the data inputs, processing methodology, and how the conclusion was reached.
  • Objection: You may object to specific AI profiling activities at any time.
  • Module control: You may enable or disable individual Safety Modules at any time through your Guardian dashboard, giving you granular control over which AI analyses are performed.

Important clarification: All alerts and risk assessments generated by AlvoTriX AI are strictly informational. They do not constitute medical advice, diagnosis, or legally binding decisions. No automated decision made by our system produces legal effects concerning you or similarly significantly affects you. All alerts require human judgment and action by the Guardian.

EU AI Act Compliance: AlvoTriX's AI Safety Modules may constitute a high-risk AI system under the EU AI Act (Regulation 2024/1689), Annex III, given their application to health-related risk assessment of vulnerable populations. We are committed to meeting applicable requirements including risk management systems (Art. 9), data governance (Art. 10), transparency (Art. 13), human oversight (Art. 14), and accuracy and robustness (Art. 15) as these obligations become enforceable.

7. Data Retention & Deletion

During active subscription: All personal and biometric data is retained on encrypted servers within the EU/EEA for the duration of your active subscription. Data is encrypted at rest (AES-256) and in transit (TLS 1.3).

After subscription cancellation: ALL data is retained for exactly 30 calendar days following cancellation to allow for potential reactivation. After this 30-day grace period, the following data is permanently and irreversibly deleted from all servers, databases, and backup systems: all biometric data (HR, HRV, SpO2, temperature, accelerometer, gyroscope), all GPS and location records, all AI-generated reports and health analyses, all chat conversation history, all alert history and acknowledgements, all wearer profiles and configurations, and all account information.

Immediate deletion on request: You may request immediate deletion of all your data at any time by emailing privacy@alvotrix.com. Immediate deletion requests are processed within 72 hours. This action is irreversible — once deletion is initiated, data cannot be recovered. A deletion confirmation certificate is available upon request, documenting the date, scope, and method of deletion.

Exceptions to deletion: Financial transaction records (invoices, payment confirmations) are retained for 7 years as required by UK Companies Act 2006. Anonymized, aggregated statistical data from which no individual can be identified may be retained indefinitely for service improvement purposes.

8. No Third-Party Data Sharing

AlvoTriX makes an ABSOLUTE commitment: we do NOT sell, rent, trade, license, or share your personal data or biometric data with any third party for their own purposes — under any circumstances, at any price, at any time. Your data exists solely for delivering the AlvoTriX safety monitoring service to you.

We engage the following sub-processors, each strictly limited to their operational purpose and bound by GDPR-compliant Data Processing Agreements (DPAs):

  • Stripe — Payment processing exclusively. Stripe processes payment card data under their own PCI DSS certification. Stripe never accesses biometric, location, or health data.
  • Cloud hosting provider — Data hosting infrastructure within the EU/EEA. All data encrypted at rest (AES-256) and in transit (TLS 1.3). Provider operates under strict DPA with audit rights.
  • SMS gateway provider — Emergency alert delivery only. Receives phone number and alert text. No biometric data, no data storage beyond delivery confirmation.
  • FormSubmit.co — Processing of contact form submissions from our website only.
  • Google Analytics — Website usage analytics with anonymized IP addresses (last octet masked). Deployed only with your explicit cookie consent. No biometric or account data shared.
  • Facebook/Meta Pixel — Marketing conversion analytics only, deployed exclusively with your explicit cookie consent. No biometric, health, or account data is shared with Meta.
  • Cookiebot — Cookie consent management platform. Manages consent records and cookie categorization.
  • ipapi.co (Kloudend, Inc.) — IP geolocation for language auto-detection. IP address only.
  • Google Fonts (Google LLC) — Font delivery. IP address transmitted on load.

We may disclose data when required by a valid court order, legal obligation, or competent regulatory authority. In such cases, we will notify you of the disclosure unless we are legally prohibited from doing so.

9. International Data Transfers

Primary storage: All personal and biometric data is stored on servers located within the EU/EEA. This is our default and preferred arrangement to ensure the highest level of GDPR protection.

Where data must be transferred outside the EU/EEA (for example, to sub-processors), we ensure adequate protection through the following mechanisms:

  • EU Standard Contractual Clauses (SCCs): Approved by the European Commission under Implementing Decision (EU) 2021/914, incorporated into all relevant sub-processor agreements.
  • UK International Data Transfer Agreements (IDTAs): For transfers involving UK personal data to countries without UK adequacy regulations, in compliance with UK GDPR and the Data Protection Act 2018.
  • Adequacy Decisions (Art. 45): Where the European Commission has determined that a third country provides an adequate level of data protection, transfers may rely on that adequacy decision.

Biometric data restriction: Biometric data (HR, HRV, SpO2, skin temperature, accelerometer, gyroscope, sleep data) is never transferred outside the EU/EEA under any circumstances. This is an absolute technical and contractual restriction that applies without exception.

10. Data Security Measures

AlvoTriX implements comprehensive technical and organizational measures to protect your personal data in accordance with GDPR Article 32:

  • Encryption in transit: All data transmissions use TLS 1.3 (Transport Layer Security), including device-to-cloud, API communications, and dashboard access.
  • Encryption at rest: All stored data is encrypted with AES-256 (Advanced Encryption Standard), including databases, backups, and log files.
  • Access controls: Role-Based Access Control (RBAC) ensures that employees and systems access only the minimum data necessary for their function. Multi-factor authentication is enforced for all administrative access.
  • Security audits: Regular internal and third-party security assessments, penetration testing, and vulnerability scanning.
  • Intrusion detection: Automated intrusion detection and prevention systems (IDS/IPS) monitor all infrastructure for unauthorized access attempts.
  • EU/EEA backups: All backup data is stored within the EU/EEA and is encrypted with the same standards as primary data.
  • Confidentiality agreements: All employees and contractors with data access have signed Non-Disclosure Agreements (NDAs) and are bound by strict confidentiality obligations.
  • Incident response: A documented incident response plan is maintained and tested, enabling rapid detection, containment, and notification in the event of a security incident.

11. Data Breach Notification

In the event of a personal data breach, AlvoTriX will comply fully with GDPR Articles 33 and 34:

  • Supervisory authority notification (Art. 33): We will notify the relevant supervisory authority (ICO) within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address and mitigate the breach.
  • Individual notification (Art. 34): Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay. The notification will use clear and plain language, describe the nature of the breach, provide the DPO contact details, describe the likely consequences, and outline the measures taken to address the breach and mitigate its effects.

We maintain a breach register documenting all personal data breaches, their effects, and remedial actions taken, regardless of whether notification to the supervisory authority was required.

12. Children's Data Protection

AlvoTriX is designed to monitor the safety of individuals of all ages, including children. We take the protection of children's data with the utmost seriousness and comply with the following legal frameworks:

  • GDPR Article 8: For information society services offered directly to a child, consent must be given or authorized by the holder of parental responsibility. We require verified parental or legal guardian consent before any child's data is processed.
  • UK Data Protection Act 2018, Section 9: In the UK, the age of digital consent is 13. For children under 13, parental consent is mandatory.
  • US COPPA (Children's Online Privacy Protection Act): For children under 13 in the United States, we obtain verifiable parental consent before collecting any personal information.
  • Brazilian LGPD Article 14: Processing of children's and adolescents' personal data is carried out with specific and prominent consent from at least one parent or legal guardian.

All child wearer profiles are created exclusively by a verified parent or legal guardian through the Guardian account. We do not knowingly collect data from children without verified parental consent. If we discover that data has been collected without proper authorization, it will be deleted immediately.

Age of digital consent varies by EU/EEA Member State under Article 8:

  • Age 16: Germany, Netherlands, Ireland, Luxembourg, Italy, Croatia, Lithuania.
  • Age 15: France, Czech Republic, Slovenia, Greece.
  • Age 14: Austria, Bulgaria, Cyprus, Hungary, Romania, Scotland.
  • Age 13: Belgium, Denmark, Estonia, Finland, Latvia, Malta, Poland, Portugal, Slovakia, Spain, Sweden, United Kingdom.

AlvoTriX applies the age threshold of the Wearer's country of residence. For all users under 18, parental or guardian consent is required for account creation.

UK Age Appropriate Design Code: For users under 18 in the United Kingdom, AlvoTriX implements the 15 standards of the ICO's Children's Code, including: best interests of the child assessment, age-appropriate application, transparency, data minimization, sharing limitations, geolocation restrictions, parental controls, profiling protections, default settings favouring privacy, and proactive data protection.

13. Data Protection Impact Assessment (DPIA)

In accordance with GDPR Article 35, AlvoTriX has conducted a comprehensive Data Protection Impact Assessment (DPIA) for its processing activities that are likely to result in a high risk to the rights and freedoms of data subjects. Our DPIA covers:

  • Large-scale processing of special category biometric data (Art. 9)
  • Systematic monitoring of data subjects via wearable devices
  • Automated decision-making and AI profiling (Art. 22)
  • Processing of children's personal data
  • Location tracking and geofencing

The DPIA has identified risks and established appropriate mitigation measures, including data minimization, purpose limitation, encryption, access controls, and consent mechanisms. A summary of our DPIA findings is available upon request by contacting privacy@alvotrix.com. The full DPIA document is available to supervisory authorities upon request.

14. Cookies & ePrivacy Compliance

AlvoTriX uses cookies managed through Cookiebot (Consent ID: 682881ac-4051-48c2-b148-7960577dd716) in compliance with the ePrivacy Directive 2002/58/EC and its national implementations.

Our cookies are categorized as follows:

  • Necessary cookies: Essential for website functionality (session management, language preference, security tokens). These do not require consent under the ePrivacy Directive as they are strictly necessary for the service explicitly requested by the user.
  • Statistics cookies (Google Analytics): Used for anonymized website usage analysis with IP anonymization enabled. Deployed only after obtaining your explicit consent through the Cookiebot consent banner.
  • Marketing cookies (Facebook Pixel): Used for measuring advertising campaign effectiveness and conversion tracking. Deployed only after obtaining your explicit, specific consent. No biometric or health data is ever shared with advertising platforms.

You may manage your cookie preferences at any time via the "Cookie Settings" link in the footer of every page. Your consent preferences are stored by Cookiebot and respected across all AlvoTriX web properties.

15. Supervisory Authorities

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. The relevant authorities for AlvoTriX include:

  • ICO (Information Commissioner's Office) — United Kingdom: ico.org.uk — Relevant for Rolaxit Innovation LTD and UK data subjects.
  • Other EU/EEA authorities: You may also lodge a complaint with the supervisory authority in your EU/EEA Member State of habitual residence, place of work, or place of the alleged infringement. This includes CNIL (France), BfDI (Germany), Garante (Italy), AEPD (Spain), AP (Netherlands), IMY (Sweden), UODO (Poland), CNPD (Portugal), and others.

EU Online Dispute Resolution: For disputes arising from online services, you may also use the European Commission's Online Dispute Resolution (ODR) platform: https://ec.europa.eu/consumers/odr

16. Contact Us

For any questions, concerns, or requests related to this GDPR Compliance document or your data protection rights:

Rolaxit Innovation LTD · England and Wales, United Kingdom
Data Protection Officer: privacy@alvotrix.com
Legal Department: legal@alvotrix.com
Website: www.alvotrix.com

AlvoTriX is not a medical device and does not provide clinical diagnoses. In any life-threatening situation, contact emergency services immediately.