Privacy Policy
Last updated: July 27, 2025
Introduction. This Privacy Policy explains how The Nomad Legion (the operator of thenomadlegion.com, referred to as “we” or “us”) collects, uses, and protects your personal data when you use our website or services. We are committed to safeguarding your privacy in compliance with the European Union’s General Data Protection Regulation (GDPR) and applicable Polish data protection laws, including the Personal Data Protection Act of 10 May 2018. By using our website or providing your information, you agree to the practices described in this Policy.
Personal Data We Collect
Information You Provide. We collect personal data that you voluntarily provide through forms on our site (for example, when booking our sports program or contacting us). This may include your name, email address, phone number, and any other information you choose to give us. For instance, when you fill out a booking or inquiry form, we will ask for contact details (such as your full name, email, and telephone number) so we can process your registration and communicate with you. If you sign up for our program or services, we may also collect information necessary to fulfill our contract with you (e.g. scheduling preferences or relevant health information you voluntarily provide). We will not collect sensitive personal data (such as health or biometric data) unless it is necessary for the services and you have explicitly provided it with consent.
Information Collected Automatically. When you visit thenomadlegion.com, certain data is collected automatically through cookies and similar tracking technologies (explained below). This includes technical data such as your IP address, browser type, device information, and usage data about how you interact with our site (pages visited, time spent, clicks, etc.). For example, we use Google Analytics to gather website usage statistics; Google may collect information about your device, IP address (which we anonymize where possible), pages you visit, and actions you take on the site. This usage data is generally aggregated and does not directly identify you, but it may be considered personal data under GDPR (e.g., IP addresses or unique IDs in cookies can be personal data). We also use cookies to remember your preferences and to enable certain features (see Cookies section below).
Children’s Data. Our website and services are not directed to children under the age of 16, and we do not knowingly collect personal data from minors. If you are under 16, please do not submit any personal information. If we learn that we have inadvertently collected personal data from a child, we will delete it. Parents or guardians who believe we might have information about a minor can contact us to request deletion.
Purposes and Legal Bases for Data Processing
We only process your personal data when we have a valid legal reason (legal basis) under GDPR. Depending on the context, we rely on one or more of the following bases:
- To Provide Our Services (Performance of a Contract): When you book or purchase our offline sports program, we process your personal data to register you, manage your enrollment, and deliver the program you requested. This includes using your contact details to communicate about schedules, program updates, and any pre- or post-program instructions. Such processing is necessary for the performance of a contract with you or to take pre-contractual steps at your request. In other words, we need this information to fulfill our agreement with you (e.g. to reserve your spot, provide the training, and respond to your requests). If you refuse to provide required data, we may not be able to offer the service.
- To Communicate and Respond to Inquiries (Contract or Legitimate Interest): If you contact us with questions or requests (for example, via our contact form or email), we will use your provided information to respond and provide support. This may be done as a pre-contractual step (if you’re inquiring before booking) or under our legitimate interest in providing good customer service. Our legitimate interest in this case is to ensure we address your questions and build a relationship with prospective or current clients in a way that you would reasonably expect and that does not override your privacy rights.
- Email Marketing (Consent): With your explicit consent, we will use your name and email address to send you marketing communications, such as newsletters, promotions, updates about new programs or events, or other content related to The Nomad Legion. You will receive such marketing emails only if you have opted in (for example, by ticking a box on our booking form agreeing to receive news, or by subscribing via our website). The legal basis for this is your consent under GDPR Article 6(1)(a). You are free to withdraw your consent at any time (see “Your Rights” below), and every marketing email we send will include an unsubscribe link to opt out of future emails. We will not send you unsolicited marketing messages if you have not agreed to them. (Note: If you are an existing customer, in some cases we may be permitted by law to send you information about similar services under a “soft opt-in” basis; however, we will always honor opt-out requests.)
- Personalized Advertising (Consent): We use cookies and third-party trackers to provide personalized advertising, meaning you might see ads for our services on other websites (so-called re-targeting or interest-based advertising). This involves processing online identifiers and browsing behavior. We rely on your consent for using advertising cookies and processing for targeted ads, as these are not strictly necessary for our site’s core functionality. When you first visit our site, you will be presented with a cookie consent banner where you can accept or decline non-essential cookies. We only activate analytics or advertising cookies after you have given consent. (See Cookies and Tracking Technologies below for details on how these work and how you can control them.)
- Analytics and Improvements (Consent or Legitimate Interest): We process data about how users use our site (via Google Analytics and similar tools) to understand traffic, usage patterns, and to improve our website and services. We will obtain your consent for analytics cookies unless such processing is strictly necessary or we rely on a permissible legitimate interest. In limited cases, we might analyze user data under our legitimate interest to improve our service quality and user experience, but we will do so in a privacy-conscious way (often using aggregated or anonymized data) and only if this does not override your rights and freedoms. You have the option to disable analytics cookies as described below.
- Scheduling and Program Management: We may use third-party scheduling tools (like Calendly) to organize calls or appointments (for example, an initial consultation or “alignment interview”). If you schedule a call through such a tool, we will process your name and email to arrange the meeting. Depending on the situation, the legal basis is your consent, the necessity to take steps at your request prior to entering into a contract (if the call is part of signing up), or our legitimate interest in streamlining scheduling. (See Third-Party Services for more about Calendly.)
- Compliance with Legal Obligations: We also process personal data when necessary to comply with our legal obligations. For example, financial and transaction records must be kept for accounting and tax purposes. Under Polish law, we are required to retain certain accounting documents for a minimum period (the Polish Accounting Act mandates keeping accounting records for at least 5 years). Likewise, if we issue invoices or receipts, we may need to retain your name and transaction details for the period required by tax law. Processing for these purposes is based on GDPR Article 6(1)(c) (compliance with a legal obligation). We may also process data when we are required by other laws or authorities, or to fulfill mandatory reporting obligations.
- Legitimate Interests: In certain cases, we may process your data for our legitimate interests (GDPR Article 6(1)(f)), provided such interests are not overridden by your rights. Examples include: ensuring IT and network security (e.g., using data like IP addresses to monitor for malicious activity), preventing fraud or misuse of our services, enforcing our terms and protecting our legal rights, or minor direct marketing to existing customers (as permitted by law). If we rely on legitimate interest, we will conduct a balancing test to ensure our interest is not outweighed by your privacy rights. You have the right to object to processing based on legitimate interests (see Your Rights below).
No Automated Decision-Making: We do not make any decisions based solely on automated processing — including profiling — that have legal or similarly significant effects on you. In other words, you will not be subject to a computerized decision that affects your rights or access to our services without human involvement. All important decisions regarding your participation in our program (such as acceptance into the program) involve human evaluation. If this changes in the future, we will inform you and ensure compliance with GDPR Article 22, including your right not to be subject to such decisions.
Note: We will not use the personal data we collect for purposes that are incompatible with those described above. If we intend to process your data for a new purpose, we will update this Privacy Policy or seek your consent as required. In particular, we do not use the data you provide for any marketing or advertising unless you have given consent, since such use is not necessary for the performance of our contract with you. We also do not sell or rent your personal data to third parties.
Cookies and Tracking Technologies
What Are Cookies? Cookies are small text files stored on your device (computer, smartphone, etc.) when you visit a website. They allow the website to recognize your device and store certain information about your preferences or past actions. We use cookies and similar technologies (like web beacons or pixels) to ensure our site works properly, to analyze our traffic, and to provide personalized content and ads.
Types of Cookies We Use:
- Essential Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. For example, they may be required to remember your session login or preferences. Without these, some parts of our site (like account login or form submissions) may not work correctly. We do not require your consent to use essential cookies, as they are needed for the service you request.
- Analytics Cookies: We use analytics cookies to collect information about how visitors use our site. For instance, we use Google Analytics (a web analytics service provided by Google) to collect anonymized statistics on site usage. These cookies gather data such as pages visited, time on site, browser type, and referring pages. The information from these cookies helps us understand user interactions and improve our website’s design and content. Google Analytics may set its own cookies to track user interactions. We have configured Google Analytics in privacy-friendly ways, such as enabling IP address anonymization, meaning that Google truncates your IP address (for IPv4 addresses, the last octet is set to zero) before it is stored, with this truncation performed within the EU where technically possible. Google’s cookies may assign a unique identifier to your browser, but they do not personally identify you to us. The data collected via Google Analytics is transmitted to Google’s servers (which could be outside the EU, e.g., in the USA – see Data Transfers below) for processing of analytics reports.
- Advertising Cookies: Our site uses cookies from third-party advertising platforms to manage and display personalized advertisements for our programs. This means that with your consent, third parties like Google or Facebook may set tracking technologies on your device during your visit, which enable them to recognize your browser and collect data about your visit to our site and other sites. For example, we may use Google Ads (or similar ad networks) and the associated cookies to show you ads about The Nomad Legion on other websites you visit. These advertising cookies and pixels collect information like which pages you viewed on our site and your interactions, and they use this to infer your interests so that the ads you see elsewhere are more relevant. Personalized advertising cookies allow for the creation of profiles of your browsing behavior. We only use these cookies if you have given consent via our cookie banner. (If you do not consent, you will still see ads, but they will not be tailored using your data from our site.)
- Social Media and Other Third-Party Plugins: Our website does not extensively use social media plugins, but we may include links to our social profiles (e.g. an Instagram or Facebook link). These do not set cookies by themselves unless clicked. If in the future we embed content that does, we will update our cookie disclosures accordingly.
Cookie Consent and Management: When you first visit our site (and periodically thereafter), you will see a cookie consent notice. You can choose to accept or reject non-essential cookies (analytics and advertising). Your choice will be remembered by a cookie that lasts for a certain period, after which we may ask again. If you opt in, cookies will be placed as described; if you opt out, we will not set those cookies and will disable the associated tools (for example, Google Analytics will not collect data, and advertising trackers will be inactive). You can also manage or delete cookies at any time through your browser settings. Most web browsers allow you to block or delete cookies – refer to your browser’s help section for instructions. Please note, if you clear cookies or use a different browser/device, you may need to set your preferences again.
Third-Party Cookie Policies: The cookies and trackers used for analytics and advertising are provided by third parties, which have their own privacy policies. For example, Google’s privacy policy can be found at policies.google.com/privacy, and it explains how Google uses information from sites that use its services. We encourage you to review such policies of any third-party services (see next section for a list of key third-party services we use).
Opt-Out Options: In addition to using our website’s consent tools, you can opt out of certain cookie-based tracking by third parties. For example, to opt out of Google Analytics, you can install the Google Analytics opt-out browser add-on. To opt out of personalized Google ads, you can adjust your ad settings via Google Ads Settings. There is also an industry-wide opt-out site for interest-based ads at www.aboutads.info (for US-based tools) or www.youronlinechoices.eu (for EU). Keep in mind that opting out through these mechanisms often relies on cookies; if you clear your cookies, you may need to opt out again.
Note on Do Not Track: Our site currently does not respond to “Do Not Track” signals from web browsers. If you have disabled cookies entirely in your browser, our site will still function, but the non-essential features described (analytics, personalized ads) will not run.
Use of Third-Party Services (and International Data Transfers)
We utilize several trusted third-party service providers to operate our website and deliver our services. These third parties process personal data on our behalf for specific purposes, as described below. Whenever we share your data with third-party processors, we ensure it is done securely and only to the extent necessary. We also sign appropriate Data Processing Agreements with them to safeguard your information, and we review their privacy and security practices for GDPR compliance. Some of these providers are located outside the European Economic Area (EEA), so international data transfers may occur – we address how those are handled with adequate safeguards in this section.
The key third-party services we use include:
- Website Hosting and IT Providers: Our website may be hosted on servers provided by third-party hosting companies. These providers store the website and its data (including potentially your data) on their servers. We ensure any hosting provider we use has appropriate security and is GDPR-compliant. (As of now, our site host is located in the EEA or in a country with adequate data protection laws; if we ever use a host outside the EEA, we will ensure legal transfer mechanisms like Standard Contractual Clauses are in place.)
- Google Analytics (Analytics Provider): We use Google Analytics, a web analytics service by Google LLC. Google acts as a data processor, collecting usage data (as described in Cookies section) and providing us aggregated reports. Google may process this data on servers in the United States. Data Transfers: Google LLC is based in the USA, which is considered a “third country” under GDPR. However, Google has taken steps to comply with EU data transfer requirements. Google LLC has certified its compliance with the EU-U.S. Data Privacy Framework (DPF), which means that personal data transferred to Google in the U.S. is deemed adequately protected under EU law. Additionally, Google commits to the European Commission’s Standard Contractual Clauses (SCCs) as needed for data transfers not covered by an adequacy decision. These are legal safeguards to ensure your data receives the same level of protection as in the EU. In practice, this means that analytics data might be transmitted to Google’s U.S. servers, but Google is contractually bound to protect that data and has additional measures in place. We have also configured Google Analytics to enhance privacy (e.g., IP anonymization). For more information on Google’s data practices, you can refer to Google’s Privacy Policy and Google’s Analytics Data Safeguards documentation.
- Calendly (Scheduling Service): We use Calendly (Calendly, LLC) to manage appointment bookings and calls (such as initial consultation scheduling). If you choose to book a call or appointment through a Calendly link on our site, you will be asked to provide details like your name, email, and preferred time. Calendly will collect this information on our behalf to arrange the meeting. Data Transfers: Calendly is a U.S.-based service provider. Data submitted via the Calendly scheduling form (which may include personal data) is stored on Calendly’s servers, which are hosted in the United States. This means your data is transferred outside the EU. Calendly has committed to GDPR compliance and utilizes measures such as Standard Contractual Clauses in its Data Processing Addendum to lawfully transfer and protect EU personal data. By scheduling through Calendly, you consent to this transfer. If you prefer not to use Calendly, you may contact us directly via email to set up appointments.
- Customer Relationship Management (CRM) System: To keep track of our client and prospect communications, we use a CRM platform. This system stores contact information (like your name, email, phone) and records of interactions (e.g., notes from calls, status of your program enrollment). The CRM helps us manage our relationship with you, follow up as needed, and provide personalized service. Our CRM provider acts under our instructions and is not allowed to use your data for their own purposes. (For transparency, our CRM might be a cloud-based service such as HubSpot, Salesforce, or a similar European alternative – we will update the specific provider if needed.) Data Transfers: If our chosen CRM provider stores data outside the EEA, we will ensure appropriate safeguards. For example, many CRM vendors in the U.S. have adopted the EU-U.S. Data Privacy Framework or sign SCCs to legitimize EU data transfers. We will only use CRM providers that meet European data protection standards. Your data in the CRM is accessible only to our authorized staff and is protected by authentication and encryption.
- Email Marketing Platforms: We use third-party email delivery services to send out our newsletters and marketing emails. Specifically, we may use Mailchimp (provided by The Rocket Science Group LLC, based in the USA) or Brevo (formerly Sendinblue, based in France) as our email marketing platform. When you subscribe to our mailing list or opt in to marketing, your name and email address are stored in the chosen platform to manage subscriptions and send emails. These platforms act as data processors, only using your data to send emails we author and for list management.
- Mailchimp: If we use Mailchimp, note that it is a U.S.-based service. However, Mailchimp is certified under the EU-U.S. Data Privacy Framework, which permits transfers of EU personal data to the U.S. for certified companies. Mailchimp also includes EU Standard Contractual Clauses in its terms as an additional safeguard. This means that your email and any other info we store there are protected and the transfer to the U.S. is legally compliant. Mailchimp has robust security and will not use your data except as we direct.
- Brevo: If we use Brevo (Sendinblue), your data is stored within the European Union. Brevo’s hosting servers and databases are located in the EU, which means your data would not leave European jurisdiction when we use Brevo. Brevo is fully GDPR-compliant and subject to EU/France data protection law.
- Regardless of the provider, you can unsubscribe from our marketing emails at any time by clicking the “unsubscribe” link in the footer of any email or by contacting us. When you unsubscribe, we will remove or suppress your contact details from the mailing list (though we may keep a record of your request to ensure we honor it).
- Advertising and Analytics Partners: As mentioned, for advertising we might use platforms like Google Ads or Facebook Ads. These companies may receive some data from our site via cookies or pixels (for example, a Facebook Pixel could track that you visited a certain page). Any such data sharing is based on your cookie consent. These companies act as independent controllers of the data they collect through their scripts on our site, but we ensure any integration is done in line with GDPR (e.g., Facebook’s tools include features to limit or anonymize data). If data is transferred to the US (which is likely for companies like Google and Facebook), those companies either participate in the Data Privacy Framework or use SCCs or other safeguards as well. You can manage your preferences for these in our cookie settings or through the opt-outs described above.
We commit to minimizing the data shared with third parties and to working only with those that uphold strong privacy standards. We do not sell your personal data to any third party. The third parties we use are service providers selected to assist us in running our business (often called “processors” under GDPR terminology). They are contractually bound to protect your data and use it only for the specific services they provide to us. We remain responsible for the handling of your personal information by these providers.
International Transfers: Whenever we transfer (or allow access to) your personal data outside the EU/EEA – whether to our company’s affiliates or to service providers – we will ensure an adequate level of protection. This can be achieved through: (i) an adequacy decision by the European Commission (for example, transfers to countries officially recognized as having adequate data protection laws, or to U.S. companies certified under the EU-U.S. DPF); (ii) standard contractual clauses (SCCs) adopted by the European Commission, which legally bind the recipient to protect the data; (iii) any other mechanism approved under GDPR (such as Binding Corporate Rules, if applicable). In addition, where required, we will assess the risk associated with the transfer and implement supplementary measures (such as encryption in transit and at rest, access controls, etc.) to ensure that the data remains secure. You can contact us (see Contact Us section) if you have questions about our international data transfer arrangements or want to obtain a copy of the relevant safeguards in place.
Email Marketing and Your Choices
As noted, we may send you email communications about our programs, events, or content that may interest you — but only if you have given consent to receive such emails. This section provides more detail on how we handle marketing communications and how you can manage your preferences:
- Opt-In Consent: When you provide us with your email (for example, via a booking form or a newsletter sign-up form), you will have the opportunity to opt in to marketing emails. We might present this as a checkbox like “I would like to receive updates and offers from The Nomad Legion.” This checkbox is unticked by default, meaning you must actively choose it. We use a double opt-in process in some cases: after you sign up, we may send a confirmation email asking you to click a link to verify your subscription. This extra step ensures that the email address owner indeed wants to join the list, which is recommended for compliance and trust. (Not every case will use double opt-in, depending on local requirements, but we adhere to it where required or beneficial.)
- Content of Emails: Our marketing emails will primarily relate to The Nomad Legion offerings — for example, announcements of upcoming program dates in Warsaw or other cities, fitness and training tips, success stories from our program, exclusive events for subscribers, or special promotions/discounts. We will not overload your inbox; typically, you can expect periodic newsletters or announcements (e.g. a few times a month or as relevant). Every email will clearly state who it’s from and what it’s about.
- Unsubscribe at Any Time: If you no longer wish to receive marketing emails, you can unsubscribe at any time. To do so, click the “Unsubscribe” or “Manage Preferences” link included in the footer of every marketing email. Alternatively, you may contact us directly (via email) and request to be removed, and we will manually remove you from the list. Once you unsubscribe, we will stop sending you marketing communications. (Please note it might take a few days to process the removal, so you might receive one last email if it was already scheduled, but we aim to comply promptly.)
- Scope of Consent: Opting out of marketing emails will not affect transactional or service-related emails which we may still send if you are enrolled in our program or otherwise engaged with us. For example, if you are currently in the 12-week program, we will still email you regarding your schedule, progress, billing receipts, or any important information related to your participation – those are not marketing messages but rather essential communications. Similarly, if you send us an inquiry, we will reply to you via email even if you had unsubscribed from newsletters, because responding to you is necessary in that context. We separate our marketing list from operational communications.
- Third-Party Marketing: We will not share your contact details with third-party companies for their marketing purposes without your explicit consent. (We currently have no plans to do this at all.) Any emails you get that appear to be from a partner will actually be sent by us (we might include partner content, but your data is not handed over). If in the future we ever contemplate a joint marketing campaign with a partner that involves data sharing, we will ask for your consent explicitly.
- Email Service Providers: As described in the Third-Party section, we use platforms like Mailchimp or Brevo to send emails. Those platforms store your email and allow us to design and send messages efficiently. They also provide statistics on email open rates and clicks, which we may use to gauge the effectiveness of our communications. For example, we can see if an email was delivered, if it was opened, or if links were clicked, in aggregate. This helps us tailor our content. However, these platforms do not “own” your data – we control it, and they process it for us under strict terms.
- Lawful Basis for Email Marketing: The primary legal ground is consent (GDPR Art. 6(1)(a)) as mentioned. In some situations, if you became our customer (e.g., completed the program) we might rely on legitimate interest to send you marketing about similar services, as allowed by certain regulations, but we will always provide a clear opt-out and honor your choice. European e-Privacy laws require opt-in consent for e-mail marketing in most cases, which is why our default approach is to ask for your consent first.
- Protection of Email Lists: We treat our subscriber list with confidentiality. Only authorized personnel at The Nomad Legion have access to it, and solely through the secure interface of our email service provider. We do not disclose the list or any individual’s email address publicly. In the event we switch email providers or transfer the list, we will ensure the new provider has equal or stronger privacy protections.
By staying on our mailing list, you confirm that you wish to continue receiving our updates. If that changes, just let us know by unsubscribing or contacting us, and we will ensure you are not contacted for marketing again.
Data Retention: How Long We Keep Your Data
We will not retain your personal data for longer than is necessary to fulfill the purposes we collected it for, unless a longer retention period is required or permitted by law. In practice, this means:
- Account and Booking Information: If you register or book a program with us, we will keep your personal details for as long as you remain an active client. Once you have completed the program or your relationship with us ends, we will retain relevant data for a period of time in case you return or in case of any follow-up needs. Typically, we might retain client records for a few years after the last interaction (for example, 2–3 years) to maintain continuity if you decide to rejoin or have questions, and to inform you of future opportunities (if you have consented to marketing). However, if you request deletion of your data (and we have no legal basis to keep it), we will remove it sooner (see Your Rights below).
- Prospective Clients/Inquiries: If you contacted us but did not ultimately enroll in our program, we may keep your contact information and inquiry details for a shorter period. For instance, if you reach out for information and we respond, we might keep that correspondence for up to 1 year in case you follow up or decide to join later. This is based on our legitimate interest to understand our interactions and potentially improve our outreach. We will delete it sooner upon request.
- Marketing Subscribers: We retain your email on our marketing list until you unsubscribe or until we learn that the address is no longer valid. If you unsubscribe, we will move your contact to a “do not email” status to ensure we don’t accidentally re-add you (we may keep minimal info like your email to fulfill your opt-out request). If emails to you bounce repeatedly, we may remove you from the list. We also perform periodic list clean-ups. Additionally, if we have had no engagement from you over an extended time (e.g., you haven’t opened any emails in 2 years), we might remove your data proactively as part of good data hygiene.
- Cookie Data: Information collected via cookies and similar tech is retained according to the cookie’s lifespan or until you delete the cookies. For example, Google Analytics data is retained for a certain period (we have control in GA settings to choose how long user-level data is kept; currently, we might set it to 14 months or less, after which it’s automatically deleted by Google). Advertising cookies have varying lifespans (some only last the session, others may last up to 90 days or more). You can clear these at any time in your browser, which effectively deletes the data from your device. Data stored by third parties (like Google or Facebook) via cookies on our site is subject to their retention policies, but they generally do not keep personal data longer than necessary for the purpose, and often aggregate it.
- Financial and Transaction Records: As a business, we have legal obligations to keep certain data. For instance, if you made a payment to us (say the €4000 program fee), we must retain records of that transaction for accounting and tax purposes. Under Polish accounting and tax regulations, we typically must keep invoice data for five years from the end of the financial year in which the transaction occurred. Therefore, even if you request deletion of your personal data, we may need to retain information like your name on an invoice, amount paid, and date, until that five-year period passes (or whatever period is mandated by current law). Such data will be stored securely and used only for those compliance purposes.
- Legal Compliance and Protection: We may also retain data for longer if needed to establish, exercise, or defend legal claims. For example, if a dispute arises or we believe there is a prospect of litigation, we will keep relevant information until the matter is resolved and no further appeal is possible. Similarly, server logs and security records might be kept slightly longer than usual if they are being reviewed for security incidents.
- Deletion and Anonymization: When your personal data is no longer needed for any of the above purposes, we will either delete it or anonymize it. Anonymization is a process of altering data so that it can no longer be associated with you (irreversibly). We may choose to anonymize certain data for statistical or research purposes — for example, to keep metrics on how many people completed our program or general performance improvements, but without identifying individuals. Once data is anonymized, it is no longer personal data and we may retain it indefinitely since it poses no risk to your privacy.
- Regular Reviews: We have internal policies that define retention periods for different categories of data. We periodically review the data we hold and erase or anonymize that which we no longer need. Our goal is to adhere to the GDPR’s storage limitation principle, which says personal data must not be kept longer than necessary for the purposes for which it was collected.
If you have specific questions about how long we keep a certain type of data, feel free to contact us. In summary, we strive to store your personal data for the shortest time that fulfills our obligations and purposes (see the European Commission's guidance at commission.europa.eu), and no longer. We also take steps to keep the data accurate and up-to-date during the retention period, and to securely destroy or erase it once retention is no longer justified.
How We Protect Your Data (Security Measures)
We take the security of your personal data seriously and have implemented appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. These measures are designed to provide a level of security appropriate to the risk of our data processing activities (considering the sensitivity of the personal data and the potential harm from any breach). Our security practices include:
- Encryption: Whenever personal data is transmitted, especially sensitive or confidential information, we use encryption protocols (HTTPS/TLS for data in transit). You can verify that your connection to our website is encrypted by looking for “https://” and a padlock icon in your browser’s address bar when submitting forms (the padlock confirms that the connection is encrypted and that the certificate is valid for our domain; it does not by itself vouch for the content of a page). We also encourage the use of encrypted channels for communication when possible. For data at rest, our databases and systems employ encryption or hashing as appropriate to the type of data; for example, if you create an account, your password is never stored in plain text or in a reversible (encrypted) form, but only as a salted one-way hash.
- Access Control: Access to personal data within our organization is restricted on a need-to-know basis. Only authorized personnel (such as program administrators, coaches, or support staff who need the information to perform their duties) can access your data, and each such person is bound by confidentiality obligations. We implement user access controls, meaning each staff member has unique login credentials, and access rights are limited to what they need. We also use two-factor authentication and strong password policies for our internal systems to prevent unauthorized login.
- Secure Data Storage: We store data with reputable data center providers or cloud services that have strong security standards. Our servers and cloud services are protected by firewalls, intrusion detection systems, and monitoring. We regularly update and patch our software to address security vulnerabilities. Backups of data are performed regularly and stored securely (with the same protections as live data). In the event of any physical or technical incident (like hardware failure), we have procedures to restore access to personal data in a timely manner.
- Employee Training and Policies: We ensure that everyone on The Nomad Legion team who handles personal data is trained in data protection best practices. We have a data protection policy in place and conduct periodic training or awareness sessions so that staff understand the importance of protecting personal data and the specific procedures they must follow. For example, employees are instructed on identifying and avoiding phishing attempts, securing their devices, and reporting any suspicious activities.
- Third-Party Due Diligence: As mentioned, we carefully select third-party processors with strong security track records. We review their certifications and compliance (e.g., many have SOC 2, ISO 27001, or similar security certifications). Our Data Processing Agreements with them include commitments to implement adequate security measures. We monitor their performance and require notification of any data breaches or incidents that could affect your data.
- Regular Audits and Testing: We periodically review our security measures and may conduct audits or assessments (internally or with external experts) to test the effectiveness of our safeguards. This includes keeping up with evolving threats and adapting our measures accordingly. For example, we may perform penetration testing on our website to find and fix vulnerabilities. We also maintain logs of access and changes to data, which help in monitoring for any unauthorized activities.
- Data Breach Response: Despite our best efforts, no method of transmission or storage is 100% secure. In the unlikely event of a data breach (an incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data), we have a response plan in place. We will promptly investigate, contain the incident, and take steps to mitigate any harm. As required by GDPR, we will notify the relevant supervisory authority (UODO in Poland) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms. If the breach is likely to result in a high risk to your rights and freedoms, we will also inform you directly without undue delay, describing the nature of the breach, its likely consequences, and the measures we have taken or propose to take to address it, including any steps you can take to protect yourself.
Ultimately, we strive to protect your data with the same diligence and care as we would our own sensitive information. However, it’s also important for you to play a role in keeping your data secure. Please use strong, unique passwords for any account you create on our site (if applicable), and do not share your login credentials. Be aware that The Nomad Legion will never ask you for your password via email or phone. If you suspect any unauthorized access or encounter any security issues on our site, notify us immediately.
Your Rights Under GDPR
As an individual (“data subject”) in the European Union (or in jurisdictions with similar privacy laws), you have a number of rights regarding your personal data that we hold. We are committed to respecting these rights and facilitating your exercise of them. Below, we outline these key rights and how you can use them:
- Right to Be Informed: You have the right to be given clear, transparent information about how we process your personal data. This Privacy Policy is intended to fulfill that right by informing you about what data we collect, how we use it, who we share it with, etc. We aim to be transparent and concise in communicating these practices.
- Right of Access: You have the right to request a copy of the personal data we hold about you, as well as to obtain supplementary information relating to our processing (as provided by Article 15 GDPR). This is sometimes called a Data Subject Access Request. Upon verification of your identity, we will provide you with a copy of the data concerning you that we process, in a commonly used format, along with details on the purposes of processing, the categories of data, the recipients, retention periods, and the safeguards in place (most of which are also outlined in this Policy). You can exercise this right by contacting us (see Contact Us section). We will respond within one month of receiving your request, unless the request is particularly complex (in which case we may extend the time by up to two further months, but we will inform you of this extension within the first month). There is generally no fee for this service, but we reserve the right to charge a reasonable fee or refuse if requests are manifestly unfounded or excessive/repetitive (we would provide justification in such cases).
- Right to Rectification: It is important to us that your information is accurate and up-to-date. If you discover that the personal data we have about you is incorrect or incomplete, you have the right to request that we correct (rectify) it. For example, if your contact number has changed or we misspelled your name, let us know and we will update our records. We will act on correction requests promptly, usually within one month.
- Right to Erasure: Also known as the “right to be forgotten,” this right allows you to ask us to delete or remove your personal data in certain circumstances. You can request erasure, for instance, if: the data is no longer necessary for the purposes it was collected; you have withdrawn consent and no other legal basis for processing applies; you have objected to processing (see the right to object below) and we have no overriding legitimate grounds to continue; or if you believe we processed your data unlawfully or must erase it to comply with a legal obligation. Where our processing is based on your consent, we will honor your request to delete that data. However, please note that the right to erasure is not absolute. We may not be able to delete data that we are required to keep by law (e.g., as noted, we cannot erase certain transactional records before the retention period ends) or data needed for legal claims. We will inform you if that is the case. For example, under Polish law, we must retain certain accounting records for 5 years; therefore, if you asked us to erase financial transaction data earlier, we might decline but would restrict its use to compliance only. If we have made your data public (unlikely in our context), we would also take reasonable steps to inform other controllers processing that data to fulfill your erasure request. We will confirm once we have erased the requested information.
- Right to Restrict Processing: You have the right to ask us to limit or “freeze” the processing of your personal data in certain situations. This means we would store your data but temporarily not use or share it until the restriction is lifted. You can request restriction if: you contest the accuracy of the data (we’ll restrict until we verify or correct it); or you object to our processing (we’ll restrict while we consider your objection request); or if the processing is unlawful but you prefer restriction over deletion; or if we no longer need the data but you need us to keep it for establishing, exercising, or defending a legal claim. For instance, if you contest a charge and we’re in dispute, you could request we pause other processing of your data. When processing is restricted, we will not use the data except to store it and for certain exempt purposes (like legal claims, protecting others’ rights, or with your consent). We will let you know when a restriction is lifted.
- Right to Data Portability: For data that you have provided to us, you have the right to get it from us in a structured, commonly used, machine-readable format and/or to have us transmit it to another controller where technically feasible. This right only applies to personal data processed by automated means, and where the processing is based on your consent or on a contract. In practice, this would cover things like the data you gave us when signing up, if processed electronically. If you want to port your data (for example, transfer your information to another fitness service), we will supply a CSV or similar file containing your basic personal data and any other data that you provided that we have in our databases, or we may directly transfer it to another service at your direction if possible. Note this is not an absolute right and does not apply to data inferred or derived by us (like internal analytics). It also should not adversely affect others’ rights (so we won’t include other individuals’ data in a port).
- Right to Object: You have the right to object to certain types of processing of your personal data on grounds relating to your particular situation (see uodo.gov.pl). The most significant example is direct marketing – you can object at any time to processing of your personal data for direct marketing purposes, and if you do, we will stop such processing immediately (there is no discretion here, it’s an absolute right). This includes profiling related to direct marketing. For example, if you no longer want to receive marketing emails or see targeted ads from us, you can object (though the easier way is to unsubscribe or decline cookies, as described above). We will then ensure we no longer process your data for marketing. Besides marketing, you can also object to processing based on our legitimate interests. In such cases, we will review the objection and, unless we have compelling legitimate grounds that override your interests, rights, and freedoms, or we need to continue processing for legal claims, we will cease the processing in question. You may, for instance, object to data analysis we perform under legitimate interest – if your rights outweigh our reasons, we will stop. To exercise this right, you can contact us and explain your objection. As a tip from the Polish authority: it is often effective to first raise your objection directly with us (the controller) for things like marketing, rather than immediately lodging a complaint – and we do encourage you to talk to us; we will honor your rights.
- Right not to be subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects on you, unless it is necessary for a contract, authorized by law, or based on your explicit consent (and even in those cases, you have safeguards like the right to human intervention). As stated, The Nomad Legion does not engage in such automated decision-making. We do not, for example, have an algorithm that decides if you are accepted into the program without human review, nor do we automatically cut off services based on data without human judgment. If this policy changes in the future, we will update you and ensure compliance (including providing you the right to have decisions reviewed by a human).
- Right to Withdraw Consent: Where we rely on your consent to process data, you have the right to withdraw that consent at any time. This typically applies to optional processing like marketing emails or certain cookies. You can withdraw consent by updating your preferences (e.g., unsubscribing from emails or declining cookies) or by contacting us and stating that you withdraw consent for a particular processing. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal. For example, if you gave consent for marketing and we sent emails, that was lawful; but after you withdraw, we will stop. If you withdraw consent for a cookie, we will disable it going forward (you may need to clear existing cookies from your browser as well).
- Right to Lodge a Complaint with a Supervisory Authority: If you believe that we have not handled your personal data properly or have infringed your rights under data protection laws, you have the right to file a complaint with a data protection supervisory authority. In Poland, that is the President of the Personal Data Protection Office (in Polish: Prezes Urzędu Ochrony Danych Osobowych, often abbreviated UODO). The contact details for the Polish supervisory authority are: Address – ul. Stawki 2, 00-193 Warsaw, Poland; Phone – +48 606-950-000; Email – kancelaria@uodo.gov.pl. You can find more information on how to lodge a complaint on the UODO’s official website. If you reside in another EU country, you may contact your local supervisory authority instead. We would, however, appreciate the chance to address your concerns before you approach the authorities – so please consider reaching out to us first, and we will do our best to resolve the issue.
To exercise any of your rights, you can contact us via the methods given in the Contact Us section below. We may need to verify your identity (to ensure we don’t give your data to someone else), which might involve asking for some additional information or identification. We will respond to your requests as soon as possible, generally within one month. If for some reason we cannot fulfill your request (either due to legal exemption or if it’s unduly burdensome), we will explain our reasoning to you. Rest assured, we do not retaliate or deny service if you exercise your privacy rights – you have the rights and we support them fully.
These rights are provided by GDPR and relevant Polish law, and our aim is to make it easy and clear for you to use them.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please do not hesitate to contact us. We are here to help and address any issues you may have.
- Data Controller: The entity responsible for processing your data (the data controller) is Nomad Legion, Inc., doing business as The Nomad Legion. We are based in Warsaw, Poland, and operate the website thenomadlegion.com. (Nomad Legion, Inc. is a company registered in the United States, but for the purposes of GDPR we have a presence in Poland through our operations.)
- Email: You can reach our team at info@thenomadlegion.com for any privacy-related inquiries or to exercise your rights. This is our designated email for privacy matters. We monitor this inbox and will typically respond within a few business days.
- Postal Mail: If you prefer to send us a letter, you may mail it to our Warsaw office at: The Nomad Legion – Privacy Team, ul. [Your Street] 123, 00-000 Warsaw, Poland. (Please replace [Your Street] 123, 00-000 with the actual street address and postal code once finalized – this is a placeholder address for now.) Sending a request by mail might take longer for us to receive and respond, so email is usually faster.
- Telephone: At this time, we handle privacy requests primarily in writing (email or mail) to ensure clear communication and record-keeping. If you would like to speak by phone, you can email us your number and a time to reach you, and we will do our best to call you. Our general contact number is [+48 XXX-XXX-XXX] (placeholder), but for detailed privacy requests we may still ask you to confirm in writing.
- Data Protection Officer: Given the scale and nature of our activities, we are not legally required to appoint a formal Data Protection Officer (DPO) under GDPR. However, we have a dedicated privacy lead on our team who oversees compliance. If you wish to specifically direct a query to our privacy lead, please indicate that in your communication, and it will be forwarded appropriately.
We kindly ask that you clearly state the nature of your request when contacting us. For example, if you are making an access request, let us know what information you are seeking. If you are lodging a complaint or have a concern, please provide as much detail as possible so we can address it effectively. All legitimate requests will be handled free of charge (unless they are excessive as noted, but we have not ever charged a fee so far).
If you contact us to exercise a right, we may keep that correspondence as part of our records (including your request and our response). This helps us demonstrate compliance and manage your preferences properly.
Your feedback matters. Privacy is a continuous journey, and we welcome any feedback on this Policy or our practices. If anything is unclear or if you have suggestions for improvement, we’d love to hear from you. Our aim is to ensure you feel safe and informed when sharing your data with us.
Lastly, if after contacting us you feel that we have not adequately resolved your issue, remember that you can reach out to the Polish supervisory authority (UODO) or your local data protection authority. But we genuinely hope to address your needs directly and maintain your trust.
Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make significant changes, we will notify users by posting a prominent notice on our website or by other appropriate means. The “last updated” date at the top of this Policy indicates when the latest changes were made.
Any changes will become effective when the revised Policy is posted on our website. In some cases (for example, if we plan to process your data for a new purpose requiring your consent), we may seek your consent or give you a choice before the change is effective.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our website or services after any update constitutes your acknowledgment of the Policy as modified.
Thank you for reading our Privacy Policy. We value your privacy and strive to be transparent about our data practices. If you have any questions or concerns, please contact us at info@thenomadlegion.com.
By using thenomadlegion.com or engaging with our services, you acknowledge that you have read and understood this Privacy Policy. We appreciate your trust in The Nomad Legion and are committed to safeguarding your personal data as you embark on your journey with us.