Last update: 20/08/2025 – Version 03.25
1. Who we are and contact details
This Privacy Policy describes how ToSwim899 S.r.l. Società Benefit, located at Corso Castelfidardo 30/A, 10129 Turin (TO), Italy, VAT No. 12220540012 (“ToSwim”, “we”), collects, uses, stores and protects the personal data of users who use:
• the mobile application 2FLOW (“App”),
• the website www.toswim.io (“Site”),
• services connected to third-party devices, such as the EEG Muse device.
For any questions or to exercise your rights: privacy@toswim.io
2. Scope of application
This Privacy Policy applies to all users of the App and Site (athletes, coaches, teams, ambassadors, visitors). It does not apply to third-party services (e.g., Muse, external websites) which have their own privacy policies.
3. Types of data collected
| Data Category | Main Use | Retention Period | Legal Basis |
|---|---|---|---|
| Registration Data (name, surname, email, date of birth, gender, password) | Account creation and management, access to services | Until account deletion or 24 months of inactivity | Contract |
| Usage Data (saved routines, preferences, in-app interactions) | Content personalization and usage statistics | 24 months | Consent |
| EEG Data (brainwaves via Muse, pseudonymized) | Personalized feedback, mental training | 12 months (extendable with consent for research) | Explicit Consent |
| AI Data (analysis and suggestions from algorithms) | Exercises, assessments, personalized routines | 12 months | Consent |
| Technical Data (IP, device ID, logs, crash reports) | Security, technical maintenance, app improvement | 12 months | Legitimate Interest |
| Marketing Data (communication preferences, newsletters, push) | Sending personalized communications | Until withdrawal of consent | Consent |
| Contractual/Legal Data | Tax and legal obligations | According to law (10 years for invoices) | Legal Obligation |
4. Data Collection Methods
Data is collected through:
• Direct input by the user (e.g., registration, self-assessment)
• Bluetooth connection with the Muse device
• Automatic collection (e.g., logs, technical data)
• Third-party services (e.g., AI analysis via OpenAI)
5. Purposes and Legal Bases
| Purpose | Legal Basis |
|---|---|
| Service provision | Contract |
| Personalization and analysis | Consent |
| Security and improvement | Legitimate interest |
| Marketing and community | Separate consent |
| Legal obligations | Legal requirement |
6. Use of EEG Data
EEG data is not considered health data, but rather bioelectrical parameters.
It is encrypted and pseudonymized before being shared with technology partners.
It is used to generate personalized feedback and routines (e.g., for focus, calm, resilience).
7. International Data Transfers
Data may be processed in:
• EU
• USA
• UK
• Latin America
Safeguards include:
• Standard Contractual Clauses (SCCs) of the European Commission
• Technical protections (encryption, pseudonymization)
• Regular audits of suppliers
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account Data | Until voluntary deletion or after 24 months of inactivity |
| EEG Data | 12 months (extendable with explicit consent) |
| Technical/Log Data | 12 months |
| Marketing Data | Until withdrawal of consent |
| Legal/Contractual Data | According to applicable law (e.g., 10 years for invoices) |
Deletion requests: via email to 2flow@toswim.io, processed within 30 days.
9. Sharing with Third Parties
No data is sold.
Data may be shared with:
• Technical providers (e.g., cloud, hosting, AI platforms)
• Business partners (only with user consent)
• Legal consultants (if required by law)
10. User Rights
Users have the right to:
• Access, correct, and delete their data
• Restrict or object to data processing
• Receive their data in a portable format
• Withdraw consent at any time
Additional Rights by Region:
• USA (CCPA/CPRA): Right to opt-out of data sale, non-discrimination
• Brazil (LGPD): Right to anonymization, review of automated decisions
• UK (UK GDPR): Same rights as under EU GDPR
11. Minors
The app is not intended for children under 16 without explicit parental consent.
12. Security and Risk Management
Measures include:
• Data minimization: only necessary data is collected
• Encryption: data encrypted in transit and at rest
• Pseudonymization: EEG/AI data without direct identifiers
• Restricted access: only authorized staff can access personal data
• Periodic audits: regular checks on security systems
Breach Policy
In the event of a data breach:
• The Supervisory Authority will be notified within 72 hours
• Affected users will be informed without undue delay
• Corrective actions will be taken immediately
13. Cookies
The site uses technical, analytics, and marketing cookies.
Users can manage cookie preferences via:
• Cookie banner
• Browser settings
14. Policy Changes
This Policy may be updated periodically.
In case of major changes, users will be notified via:
• App
• Website
15. Contacts
Email: privacy@toswim.io
Supervisory Authority: Garante Privacy (Italy)
International users: May contact their local authority (e.g., ICO UK, CCPA USA, ANPD Brazil)