1. Introduction
This Privacy Policy explains how changr.eu ("we", "us", "our") collects and processes personal data when you use our website and services, including our AI coaching service "Hugo." This policy is governed by the EU General Data Protection Regulation (GDPR) and the EU AI Act (Regulation (EU) 2024/1689).
By interacting with Hugo via WhatsApp or our web interface, you acknowledge the use of artificial intelligence and the processing of data as described herein.
2. Data Controller and DPO
The data controller for changr.eu is the entity operating the service.
Data Protection Officer (DPO): Eran Goldman‑Malka
Contact: eran@goldmanmalka.com
3. Data We Collect
We process the following categories of personal data:
- Contact Data: Name, email, and phone number (primarily via WhatsApp).
- Usage Data: IP addresses (anonymized), browser type, and interaction logs via self-hosted Matomo.
- AI Input/Content: Text prompts, questions, and feedback.
- Health & Biometric Data: Images of food or physical activity which may indirectly reveal health data or biometric identifiers.
- Communication Metadata: Timestamps and message status provided via WhatsApp (Meta).
4. AI Systems and the EU AI Act
Hugo is a General Purpose AI (GPAI) system. Under the EU AI Act, we provide the following disclosures:
- Transparency: You are interacting with an AI. Hugo's responses are synthetic and generated by models such as GPT-4o, Gemini, or self-hosted alternatives.
- No Medical Advice: Hugo is a life coach and personal trainer. It is not a medical device. AI-generated outputs should not be treated as professional medical diagnosis or treatment.
- Human-in-the-Loop: Users have the right to request human intervention regarding any automated decision that significantly impacts them.
- Training Disclosure: We do not use your personal conversation history or uploaded images to train third-party foundation models (like OpenAI or Google) for their own purposes.
5. Image Processing and Explicit Consent
Processing images (e.g., food logs or fitness progress) may involve Special Categories of Data (Art. 9 GDPR).
- Explicit Consent: By uploading an image to Hugo, you provide explicit consent for the AI to analyze the contents for nutritional or fitness purposes.
- Biometric Safeguards: We do not use images for the purpose of unique identification (facial recognition). If a face is detected, we prioritize data minimization and do not store biometric templates.
6. Purposes and Legal Bases
| Purpose | Legal Basis (GDPR) |
| --- | --- |
| Providing Coaching & AI responses | Performance of a Contract (Art. 6.1.b) |
| Processing Health/Image Data | Explicit Consent (Art. 9.2.a) |
| WhatsApp Communication | Legitimate Interest / Consent (Art. 6.1.f/a) |
| Web Analytics (Matomo) | Legitimate Interest (Anonymized) |
7. Data Recipients and International Transfers
We share data with:
- AI Providers: OpenAI, Google, Perplexity (Processing only; no training).
- Messaging: WhatsApp (Meta Platforms Ireland Ltd).
- Hosting: EU-based secure cloud infrastructure.
International Transfers: Transfers to providers outside the EEA (e.g., US-based AI) are protected by Standard Contractual Clauses (SCCs) and enhanced technical safeguards to ensure a level of protection equivalent to the GDPR.
8. Data Retention
- Conversation Logs: Retained for the duration of your active relationship with Hugo plus 2 years for coaching continuity, unless deletion is requested.
- Images: Deleted after analysis is complete, unless saved by the user to their personal progress gallery.
- Analytics: Matomo data is anonymized immediately and stored for 12 months.
9. Your Rights
You have the right to:
- Access & Portability: Request a copy of your chat history.
- Rectification: Correct any data Hugo has misinterpreted.
- Erasure: "Right to be Forgotten."
- Object to AI Processing: Withdraw consent for AI analysis at any time.
- Human Review: Request that a human coach review an AI output.
To exercise these rights, contact eran@goldmanmalka.com.
10. Security
We utilize end-to-end encryption where available (WhatsApp), data encryption at rest, and strict access controls to ensure Hugo remains a safe space for your personal growth.