Privacy Policy
Version 1.0 · 11 July 2026
1. General Provisions
This Privacy Policy (hereinafter — the "Policy") defines the procedure for processing and protecting the personal data of users and has been developed in accordance with the Law of the Republic of Belarus No. 99-Z of 07.05.2021 "On the Protection of Personal Data" (hereinafter — "Law No. 99-Z") and other legislative acts of the Republic of Belarus.
The personal data operator is Legka LLC, a limited liability company registered in the Republic of Belarus (BIN [BIN], registered address: [registered address], director [director name]) (hereinafter — the "Operator", "we").
For all matters related to the processing of personal data, and for submitting requests by personal data subjects, the following email address is used: pd@legka.by.
The Policy applies to the website legka.by (hereinafter — the "Website") and the mobile application "Legka" (hereinafter — the "Application"), jointly referred to as the "Service".
The Service is intended for persons who have reached the age of 18. By using the Service, registering an account, and providing your data, you confirm that you have reached the age of 18, that you have read this Policy, and that you consent to the processing of your personal data on the terms set out herein. If you do not agree with the Policy, do not use the Service.
The applicable law is the law of the Republic of Belarus. If versions of the Policy exist in different languages, the Russian-language version shall prevail.
2. Principles of Personal Data Processing
When processing personal data, the Operator is guided by the following principles:
- •lawfulness and fairness — processing is carried out on a lawful basis and in good faith;
- •purpose limitation — data is processed only for stated, specific, and predefined purposes and is not used for purposes incompatible with them;
- •proportionality and minimization — only the amount of data necessary to achieve the processing purposes is processed;
- •transparency — the subject is informed about the processing of their data;
- •accuracy — measures are taken to ensure that the processed data is accurate and, where necessary, kept up to date;
- •storage limitation — data is stored no longer than required by the processing purposes or the legislation;
- •security assurance — organizational and technical measures ensuring data security are applied.
3. What Personal Data We Process
Depending on how you use the Service, we may process the following categories of personal data:
- •account data — name, email address (also used for sign-in via a one-time code), as well as identifiers obtained when signing in via Apple or Google;
- •health and lifestyle data — weight, body measurements, the set goal, eating habits, food diary, meal photographs, voice notes, physical activity data;
- •correspondence and inquiries — messages in the chat with the trainer, support inquiries, and related information;
- •payment data — information necessary to pay for the subscription; payment transactions are processed by payment systems, and we do not store full bank card details;
- •technical data — device information, IP address, cookies, web analytics data on interaction with the Service.
4. Special Personal Data Concerning Health (Art. 5 of Law No. 99-Z)
Part of the processed data (weight, body measurements, eating habits, food diary, meal photographs, activity data) constitutes special personal data concerning health. Such data is processed only with your separate explicit consent, which you provide when using the relevant features of the Service.
The Service is of an informational and reference nature and is not medical. It is not intended for making diagnoses, prescribing treatment, or replacing a doctor's consultation. The Service's recommendations are not medical recommendations.
5. Purposes of Personal Data Processing
We process personal data for the following purposes:
- •creating a personal nutrition plan and calculating target indicators;
- •recognizing and logging consumed food (from photographs, voice, and text entries);
- •ensuring the operation of the Service, creating and maintaining an account, authenticating the user;
- •processing payment and arranging, renewing, and accounting for the subscription;
- •communication with the trainer and support, handling inquiries;
- •web analytics, assessing usability, and improving the Service;
- •error monitoring and ensuring the stable operation of the Service;
- •fulfilling the requirements of the legislation of the Republic of Belarus.
6. Legal Grounds for Processing
Personal data is processed on the following legal grounds:
- •your consent, including separate consent — for the processing of special health data and for the cross-border transfer of data;
- •the necessity of performing a contract to which you are a party (in particular, the contract for the provision of the Service and subscription);
- •the necessity of fulfilling obligations imposed on the Operator by the legislation.
Providing consent is voluntary. You have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.
7. Automated Processing
Personal data is processed both with and without the use of automation tools.
The Operator does not make decisions with respect to a personal data subject that produce legal consequences for them or otherwise significantly affect their rights and legitimate interests solely on the basis of automated processing of personal data.
8. Recipients and Authorized Persons
To provide services and ensure the operation of the Service, we may engage authorized persons (processors) and transfer data to recipients:
- •a hosting provider in the Republic of Belarus — hosting of the Website;
- •an infrastructure provider in the Russian Federation (Selectel) — hosting of the server side of the Application, the database, and files, including photographs;
- •Yandex Metrika (Russian Federation) — web analytics;
- •the Unisender email service (legal entities in the Republic of Belarus and the Russian Federation) — sending service and informational messages;
- •the bePaid payment gateway (Republic of Belarus) — processing payments on the Website;
- •Apple Inc. and Google LLC — application stores, as well as sign-in and payment via the respective platforms.
Error monitoring is provided by the Operator's own means (self-hosted) and is not a third-party processor.
Telegram is not our authorized person. It is an independent third-party communication channel that you use at your own choice (chat with the trainer); Telegram's own policy applies to such a channel. We store the content of the correspondence on our servers as our own data.
Umbrella clause. The Operator has the right to engage third-party service providers (authorized persons) to process personal data on the Operator's instructions; such processing may be carried out, including outside the Republic of Belarus, on the basis of the subject's consent and/or the necessity of performing a contract with them.
9. Cross-Border Transfer of Personal Data
The server side of the Application, the database, and files are hosted on servers in the Russian Federation (Selectel), and therefore, when using the Application, a cross-border transfer of personal data to the Russian Federation is carried out. The Russian Federation, being a member state of the Eurasian Economic Union, ensures an adequate level of protection of the rights of personal data subjects.
Other data processing by engaged third-party service providers may be carried out outside the Republic of Belarus on the basis of your consent and/or the necessity of performing a contract with you.
10. Storage Periods
We store personal data no longer than necessary for the processing purposes or required by the legislation:
- •account and profile data — until the account is deleted, but no longer than 3 years from the moment of the last activity;
- •web analytics data and IP addresses — up to 1 year;
- •payment and accounting information — for the periods established by tax and accounting legislation (up to 10 years).
After the account is deleted, the data is erased, except for information subject to mandatory storage in accordance with the legislation.
11. Rights of the Personal Data Subject
In accordance with Law No. 99-Z, you have the right to:
- •demand amendments to incomplete, outdated, or inaccurate personal data — reviewed within 15 calendar days;
- •receive information concerning the processing of your personal data — provided within 5 business days;
- •once per calendar year, receive free of charge information about the provision of your personal data to third parties — within 15 calendar days;
- •demand the deletion of personal data, the cessation of its processing — within 15 calendar days;
- •withdraw previously given consent to processing — within 15 calendar days;
- •appeal the actions (inaction) and decisions of the Operator to the National Center for Personal Data Protection of the Republic of Belarus.
Procedure for exercising rights. To exercise your rights, send an application to pd@legka.by or in written form. The application must contain: surname, own name, patronymic (if any); contact details (email address and/or postal address, telephone number); the substance of the request; information allowing your identity to be confirmed (including identifying you as a personal data subject).
Limitation. Withdrawal of consent and/or a demand for data deletion do not entail the cessation of processing carried out on another legal ground (performance of a contract, requirement of the legislation).
12. Responsible Person
The Operator's authorized person is responsible for organizing internal control over the processing of personal data.
Inquiries on matters of the processing and protection of personal data are sent to: pd@legka.by.
13. Protection of Personal Data
The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, dissemination, as well as from other unlawful actions.
Among the applied measures:
- •differentiation and accounting of access rights to personal data;
- •encryption of data transmission channels;
- •protection against unauthorized access to information systems;
- •training and informing personnel who have access to data;
- •procedures for responding to information security incidents.
14. Incident Notification
Upon detecting a breach of personal data security, the Operator notifies the National Center for Personal Data Protection of the Republic of Belarus in the manner and within the time limits established by the legislation, and takes measures to eliminate the breach and minimize its consequences.
15. Cookies
The Website uses cookies and similar technologies. The procedure for their use, their composition, and purposes are described in a separate Cookie Policy.
16. Changes to the Policy
The Operator has the right to make changes to this Policy. The new version is published on the Website and enters into force from the moment of its posting, unless otherwise specified in the version itself.
If the changes significantly affect the procedure for processing personal data, the Operator requests the subject's consent again.