Privacy Policy
Last updated: June 2026
1. Data Controller
The controller of the personal data collected through the ACES Activa application and its associated website is:
ACES Europe (European Capitals and Cities of Sport Federation) Company number: BE 0831.576.545 Registered office: Rond Point Robert Schuman 6, Box 5, 1040 Brussels, Belgium Telephone: +32 2 588 08 13 Data protection contact: redes@acesamerica.org
For any question regarding the processing of your personal data or the exercise of your rights, you may contact the controller at the email address above.
2. Principles and applicable law
ACES Europe processes users' personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection law. Processing is governed by the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
ACES Activa has been designed following a privacy-by-design and by-default approach: only the data necessary to provide the service is collected, and certain particularly sensitive data remains solely on the user's device, as detailed below.
3. What data we process and for what purpose
3.1 Account and identification data
- Data: email address, name or alias, city of residence and, optionally, profile photo.
- Purpose: to create and manage your account, enable sign-in and link you to your city within the ACES network.
- Legal basis: performance of the contract (provision of the service), Art. 6.1.b GDPR.
3.2 Physical profile data (optional)
- Data: sex, date of birth, height, weight and sporting goals, where the user chooses to provide them.
- Purpose: to personalise activity calculations (e.g. calorie estimation) and tailor the experience.
- Legal basis: user consent (Art. 6.1.a GDPR). This data is optional and not providing it does not prevent essential use of the app.
3.3 Health and physical activity data (special category)
- Data: health and activity metrics from the device platforms (Apple Health / Health Connect) or entered manually, such as steps, heart rate, calories, active minutes, weight, sleep or other physiological metrics; and the workouts the user records.
- On-device processing: this data is processed primarily on the user's own device.
- Data transmitted to our servers: only, and only if the user gives the corresponding consent, an aggregated daily summary of activity (e.g. daily totals) linked to their account, in order to show their progress and, where applicable, contribute to the aggregated civic statistics of their city.
- The GPS route of workouts is NEVER transmitted to our servers. The geographic track of each workout is stored solely on the user's device.
- Purpose: to show users their health and activity status, progress and readiness, and to enable participation in the app's civic features.
- Legal basis: the user's explicit consent for processing special-category data (Art. 9.2.a GDPR), obtained separately and on an informed basis. The user may withdraw this consent at any time.
3.4 Location data
- Data: GPS location during workout recording.
- Processing: location is used to trace the workout route and, through a local process on the device, to identify the city where the activity takes place. Geographic coordinates do not leave the device; only the name of the detected city may be transmitted to our servers, never the track or the coordinates.
- Purpose: to record the workout route for the user and enable city-linked civic features.
- Legal basis: user consent (Art. 6.1.a GDPR), requested through the operating-system permissions.
3.5 Civic participation and statistics data
- Data: event participation, associated city and contribution to aggregated statistics.
- Purpose: to show the sporting impact of cities in the ACES network and enable city-to-city comparisons. Publicly displayed statistics are aggregated and anonymised, and are only published when they exceed a minimum user threshold that prevents the identification of specific individuals.
- Legal basis: user consent for their data to contribute to civic statistics (Art. 6.1.a GDPR); ACES Europe's legitimate interest in promoting municipal sport with respect to already aggregated and anonymised data (Art. 6.1.f GDPR).
3.6 Technical data
- Data: minimal technical information necessary for the operation, security and stability of the service.
- Purpose: to ensure the correct and secure functioning of the app.
- Legal basis: ACES Europe's legitimate interest (Art. 6.1.f GDPR).
4. Children's data
ACES Activa may be used by minors within the framework of the sports programmes of ACES network cities. The processing of minors' data is governed by Article 8 GDPR and applicable national law.
In Spain, under Article 7 of Organic Law 3/2018, processing the data of minors under fourteen (14) years of age based on consent requires the consent of the holder of parental responsibility. In other countries, the minimum age may vary between 13 and 16 years as established by the relevant national legislation.
Where the user is a minor below the applicable age in their country, the verifiable consent of the holder of parental responsibility is required. ACES Europe takes reasonable measures to verify such consent in line with the state of the art. If it becomes aware that a minor's data has been collected without the required consent, ACES Europe will delete it.
5. Recipients of the data
Personal data is processed by ACES Europe and by service providers acting as data processors on behalf of ACES Europe, with whom the corresponding processing agreements under Article 28 GDPR have been signed. These providers include technology infrastructure services (data hosting and authentication) that operate under conditions ensuring an adequate level of protection.
Individual health data is not shared with third parties or used for advertising purposes. ACES Activa displays no invasive advertising and does not transfer personal data to advertisers.
Data may be disclosed to competent public authorities where there is a legal obligation to do so.
6. International transfers
Where processing involves the transfer of data outside the European Economic Area, ACES Europe will ensure that such transfer is carried out with the appropriate safeguards provided for in the GDPR, such as adequacy decisions or standard contractual clauses.
7. Retention period
Personal data will be retained while the user keeps their account active and, after closure, for the legally required periods to address possible liabilities. The user may request deletion of their account and data at any time. Data remaining on the user's device is deleted when the app is uninstalled or when deleted from within the app.
8. User rights
The user may exercise the following rights at any time:
- Access to their personal data.
- Rectification of inaccurate data.
- Erasure ("right to be forgotten").
- Restriction of processing.
- Objection to processing.
- Data portability.
- Withdrawal of consent given, without affecting the lawfulness of prior processing.
To exercise these rights, contact redes@acesamerica.org. The user also has the right to lodge a complaint with the competent supervisory authority (in Spain, the Spanish Data Protection Agency).
9. Changes to this policy
ACES Europe may update this Privacy Policy. Substantial changes will be communicated through the app or via the contact details provided.