Privacy Policy

1. Who We Are

Aerivity is operated by Xharvoc Ltd., a company registered in England and Wales under company number 16590285, with its registered office at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

For the purposes of the UK General Data Protection Regulation and, where applicable, the EU General Data Protection Regulation, Xharvoc Ltd. acts as the data controller for personal data collected through the Aerivity website, marketing pages, enquiries, demo requests, account registration, subscription management, billing administration, and business relationship management.

2. Controller and Processor Roles

Aerivity is used by clinics, practitioners, and performance-testing organisations to manage their own client, patient, prospect, appointment, reporting, and billing workflows.

Where a clinic or other customer uploads, imports, stores, or otherwise enters personal data relating to its own clients, patients, leads, or staff into Aerivity, that customer is typically the data controller for that information and Xharvoc Ltd. acts as a data processor, processing the data on the customer’s documented instructions and in accordance with the applicable contract or data processing terms.

This includes, where relevant, information such as client identity details, appointment information, physiological testing records, notes, communications, invoices, and reports created or managed by the clinic through the Aerivity platform.

Customers are responsible for ensuring that they have an appropriate lawful basis, and where required any additional condition under applicable data protection law, for collecting and using that data and for sharing it with Aerivity as their software provider.

3. Scope of This Policy

This Privacy Policy applies to:

• visitors to aerivity.com;
• people who contact Aerivity or request information, support, or demos;
• clinic owners, practitioners, staff, and team members who create or use Aerivity accounts;
• billing contacts and other business contacts associated with Aerivity customers; and
• certain technical and usage data generated through use of the website and platform.

Where another organisation, such as a clinic, controls the relevant personal data, that organisation’s own privacy notice will also apply to the extent required by law.

4. Personal Data We Collect

Depending on how Aerivity is used, the following categories of personal data may be collected and processed:

a) Information provided directly

• name, business name, job title, and role;
• work email address, telephone number, and postal address;
• account credentials and profile information, including profile photo where provided;
• enquiry details, support requests, demo requests, and communications;
• subscription, invoicing, and billing administration information.

b) Business and organisation information

• clinic or organisation name;
• branding assets;
• registered address, billing address, country, and tax or registration details where relevant;
• plan, subscription, and account configuration information.

c) Customer-controlled records entered into the platform

Where entered by Aerivity customers, the platform may process:

• names, dates of birth, and contact details;
• appointment and scheduling data;
• CRM and relationship notes;
• invoice and finance records;
• testing, reporting, and performance data, including VO₂ max, lactate, metabolic, heart-rate recovery, and similar measurements.

These records are generally processed by Xharvoc Ltd. as processor on behalf of the relevant customer.

d) Technical and usage information

• IP address;
• browser type and version;
• device and operating system information;
• language preferences;
• pages viewed, interactions, referrer data, timestamps, and similar diagnostic or analytics information.

e) Cookies and similar technologies

Aerivity may use cookies and similar technologies for functionality, analytics, security, and user experience purposes. Further information is available in the applicable Cookie Policy.

5. How Personal Data Is Used

Personal data may be processed in order to:

• provide, operate, and administer the Aerivity website and platform;
• create and manage accounts, organisations, permissions, and user access;
• deliver platform features such as testing workflows, reporting, scheduling, invoicing, CRM, and finance tools;
• respond to enquiries, support requests, and demo bookings;
• send service notices, operational messages, and product-related communications;
• manage subscriptions, billing, and contractual relationships;
• monitor, secure, maintain, debug, and improve the platform and website;
• investigate misuse, fraud, incidents, or security issues;
• comply with legal, regulatory, accounting, tax, and compliance obligations.

Where permitted by law, Aerivity may also send occasional business or product communications relevant to customers and prospective customers, subject to applicable opt-out rights.

6. Lawful Bases for Processing

Depending on the context, personal data is processed on one or more of the following lawful bases:

• Contract — where processing is necessary to provide the Aerivity service, administer an account, or take steps requested before entering into a contract;
• Legitimate interests — where processing is necessary for operating and improving the business, securing the platform, preventing fraud, responding to enquiries, managing customer relationships, and running Aerivity in a proportionate and responsible manner;
• Legal obligation — where processing is necessary to meet legal, accounting, tax, regulatory, or compliance requirements;
• Consent — where consent is used, such as for optional cookies, certain marketing communications, or specific optional features or integrations.

Where customer-controlled records include health-related or other sensitive personal data, the relevant customer is responsible for identifying the appropriate lawful basis and, where applicable, any additional condition required under data protection law for that processing.

7. Sharing of Personal Data

Personal data is not sold.

Personal data may be shared, where necessary, with:

• hosting, infrastructure, and database providers;
• email delivery and communications providers;
• payment processors and billing support providers;
• analytics, monitoring, and security providers;
• professional advisers such as legal, accounting, and compliance advisers;
• public authorities, regulators, courts, or law enforcement where disclosure is legally required or reasonably necessary to protect rights, safety, or legal interests.

All service providers are expected to process personal data only as permitted, apply appropriate security measures, and comply with applicable data protection requirements.

8. International Transfers

Some providers or support functions may operate outside the United Kingdom or the European Economic Area.

Where personal data is transferred internationally, appropriate safeguards are used where required, including mechanisms such as adequacy decisions, standard contractual clauses, the UK International Data Transfer Addendum, or other legally recognised transfer tools.

9. Retention

Personal data is retained only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide services, maintain business records, resolve disputes, enforce agreements, and comply with legal, tax, accounting, and regulatory obligations.

Where data is no longer required, it is deleted, anonymised, or otherwise securely disposed of as appropriate. Customer-controlled records are retained, exported, or deleted in accordance with the applicable customer relationship, platform settings, and the instructions of the relevant controller.

10. Security

Appropriate technical and organisational measures are used to help protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.

These measures may include access controls, role-based permissions, encryption in transit, audit logging, environment separation, authentication controls, and regular review of systems and permissions. No online service can guarantee absolute security, but reasonable steps are taken to maintain and improve protections over time.

11. Your Rights

Subject to applicable law, individuals may have the right to:

• request access to personal data;
• request correction of inaccurate or incomplete data;
• request deletion in certain circumstances;
• request restriction of processing;
• object to certain processing;
• request portability of data provided by them;
• withdraw consent where processing is based on consent;
• lodge a complaint with the relevant supervisory authority, including the UK Information Commissioner’s Office.

Where Aerivity processes personal data on behalf of a clinic or other customer acting as controller, requests relating to that data should usually be directed to the relevant customer first. Xharvoc Ltd. will assist customers with such requests where required under applicable law and contract.

12. Contact

For privacy questions, data protection requests, or concerns relating to Aerivity, contact:

Email: [email protected]
Postal address: Xharvoc Ltd., 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

For broader corporate legal information, see the Xharvoc legal hub. You can also reach the Aerivity team via our contact page.