Privacy Policy
Version 1.0 — Effective from 1 April 2026
Built To Protect (hereinafter "Deep", "we" or "the Company") is deeply committed to protecting the privacy and personal data of its users.
This Privacy Policy describes how Deep collects, uses, retains and protects your personal data when you use the Deep mobile application and the website https://www.builtbydeep.com (collectively, "the Service").
It has been drafted in compliance with the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and the amended French Data Protection Act (Loi Informatique et Libertés).
Article 1 — Data Controller
The data controller for your personal data is:
Built To Protect
SAS with share capital of €1,000
1651 Avenue de la Pompignane, 34000 MONTPELLIER, FRANCE
SIREN: 994 313 146
Contact: hello@builtbydeep.com
Article 2 — Core Principles
- Lawfulness, fairness, transparency: data processed transparently on a valid legal basis
- Purpose limitation: collected for specified, explicit and legitimate purposes
- Data minimisation: only data strictly necessary for the purposes is collected
- Accuracy: reasonable measures to ensure data accuracy
- Storage limitation: not kept longer than necessary
- Integrity and confidentiality: protected by appropriate security measures
- Accountability: Deep can demonstrate compliance with the GDPR
Article 3 — Data Collected
3.1 Account and identification data
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Account creation and management, communications | Performance of contract (Art. 6(1)(b) GDPR) |
| Password (hashed, never in plain text) | Account security | Performance of contract |
| First name / Last name (if provided) | Personalisation | Performance of contract |
| Date of birth / age | Age verification | Legal obligation (Art. 6(1)(c)) |
3.2 Athletic profile and performance data
| Data | Purpose | Legal basis |
|---|---|---|
| Sports practised, training frequency | Generating the personalised programme | Performance of contract |
| Performance level, athletic goals | Programme personalisation | Performance of contract |
| Self-assessment of limiting factors on reference exercises (declared athletic performance data, not classifiable as health data) | Identifying functional imbalances, personalisation | Performance of contract |
| Movement analysis results | Generating the profile and programme | Performance of contract + Consent |
| Training history and progress | Session tracking, service improvement | Legitimate interest (Art. 6(1)(f)) |
3.3 Test videos — 100% on-device processing
Video analysis is performed by a tool built into the application, running entirely on your device. Deep has no access to your videos: they never leave your device, are not transmitted to our servers or any third party, and are not stored in Deep's cloud.
The results of the analysis (imbalance profile, generated programmes) are athletic performance data stored in your account. They cannot be used to reconstruct your original video.
Technical note: this "on-device" architecture was deliberately chosen to maximise your privacy. Deep is not the data controller for the processing of your videos at this stage under the GDPR.
3.4 Payment data
Payment data is processed directly by Apple (App Store), Google (Google Play) or Stripe (website) and is never stored by Deep. Only billing information (amount, date, transaction reference) is retained to meet our legal obligations.
3.5 Browsing and usage data
| Data | Purpose | Legal basis |
|---|---|---|
| IP address | Security, fraud prevention | Legitimate interest |
| Browsing data (pages visited, duration) | Service improvement, analytics | Consent (cookies) or Legitimate interest |
| Device information (model, OS, app version) | Debugging, compatibility | Legitimate interest |
| Mobile advertising identifiers (IDFA/GAID) | Only with ATT consent / opt-in | Consent |
Article 4 — Retention Periods
| Data type | Retention period |
|---|---|
| Active account data | Duration of use + 3 years after deactivation |
| Athletic profile and analysis results | Duration of use + 3 years |
| Billing data | 10 years (statutory accounting obligation) |
| Connection logs | 12 months (statutory obligation) |
| Analytics cookie data | Maximum 13 months (CNIL recommendation) |
Article 5 — Recipients of Your Data
5.1 Internal staff
Deep team members who need access in the course of their duties.
5.2 Sub-processors
| Provider | Country | Purpose | Safeguards |
|---|---|---|---|
| Google Ireland Limited (Firebase / GCP) | Ireland | Application and data hosting | EU Standard Contractual Clauses |
| Apple Inc. (App Store) | United States | iOS distribution and in-app payments | Standard Contractual Clauses |
| Google LLC (Google Play) | United States | Android distribution and in-app payments | Standard Contractual Clauses |
| Stripe | United States | Website payment processing | PCI-DSS, Standard Contractual Clauses |
| PostHog (EU Cloud) | Germany | Analytics (app and website) | Consent / Standard Contractual Clauses |
| Brevo (Sendinblue) | France | Transactional email delivery | Standard Contractual Clauses |
Full list available on request: hello@builtbydeep.com.
5.3 Transfers outside the EU
Governed by Standard Contractual Clauses approved by the European Commission or EU adequacy decisions.
5.4 Competent authorities
We may disclose your data to competent authorities (CNIL, judicial authorities) when required by law.
5.5 No sale of data
Deep does not sell, rent or transfer your personal data to third parties for commercial or advertising purposes.
Article 6 — Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15): obtain a copy of your data
- Right to rectification (Art. 16): correct inaccurate data
- Right to erasure (Art. 17): request deletion of your data
- Right to restriction (Art. 18): limit processing in certain cases
- Right to data portability (Art. 20): receive your data in a structured format
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to withdraw consent: for consent-based processing
To exercise your rights: hello@builtbydeep.com or by post to Built To Protect, Att: Data Protection Officer, 1651 Avenue de la Pompignane, 34000 MONTPELLIER, FRANCE. We will respond within 30 days.
You also have the right to lodge a complaint with the CNIL (French Data Protection Authority) — 3 Place de Fontenoy, 75334 PARIS CEDEX 07 — https://www.cnil.fr.
Article 7 — Data Security
- Encryption of data in transit (TLS/HTTPS)
- Encryption of sensitive data at rest
- Access restricted on a least-privilege basis
- Multi-factor authentication for internal systems
- Backup and data recovery procedures
- Staff training on data protection
In the event of a breach likely to result in a risk to your rights and freedoms, Deep will notify the CNIL within 72 hours.
Article 8 — Minors
The Service is intended for persons aged 18 or over. Deep does not knowingly collect data from minors. Contact: hello@builtbydeep.com.
Article 9 — Cookies and Trackers
Cookies may be placed on your device when you browse the website. See our Cookie Policy. The mobile app may use technical identifiers; iOS users are subject to Apple's ATT framework.
Article 10 — Rights Outside the European Union
10.1 California residents — CCPA/CPRA
This section applies to residents of California (United States), pursuant to the CCPA as amended by the CPRA (effective 1 January 2023).
A. Categories of personal information collected
| CCPA category | Examples at Deep | Collected |
|---|---|---|
| Identifiers | Email, account ID, IP address, IDFA/GAID | Yes |
| Internet / network activity | Pages visited, duration, interactions | Yes |
| Commercial information | Subscription, transaction history | Yes |
| Inferences | Imbalance profile, personalised programme | Yes |
| Sensitive Personal Information (SPI) | Athletic self-assessment with physical references | Yes — see B |
| Photos / Videos | Movement test videos | Not collected — on-device only |
B. Sensitive Personal Information (SPI)
Responses describing physical limiting factors may qualify as SPI under the CPRA. Deep uses them solely to personalise your athletic programme. You have the right to limit their use to purposes strictly necessary to provide the service.
C. Your CCPA/CPRA rights
| Right | What it means |
|---|---|
| Right to Know | Which data was collected, used or shared over the past 12 months |
| Right to Delete | Deletion of your data (subject to legal exceptions) |
| Right to Correct | Correction of inaccurate data |
| Right to Opt-Out of Sale/Sharing | Deep does not sell your data. You may object to analytical sharing |
| Right to Limit Use of SPI | Limit SPI use to purposes strictly necessary for the service |
| Right to Non-Discrimination | No penalty for exercising your rights |
D. Do Not Sell or Share My Personal Information
Deep does not sell your personal data. To opt out of analytical sharing, email hello@builtbydeep.com — Subject: Do Not Share — California. We will respond within 45 days.
10.2 Canadian residents
Canadian residents have rights under PIPEDA and applicable provincial laws. Contact: hello@builtbydeep.com.
Article 11 — Changes to this Policy
In the event of a material change, we will notify you by email and/or in-app notification at least 15 days before it takes effect.
Article 12 — Contact
- Email: hello@builtbydeep.com
- Post: Built To Protect, Att: Data Protection Officer, 1651 Avenue de la Pompignane, 34000 MONTPELLIER, FRANCE
Last updated: 1 April 2026 — Built To Protect, SIREN 994 313 146