Alphatek AS
Privacy Notice
Last updated: June 2026
Alphatek AS (“Alphatek”, “we”, “us”, or “our”) develops and provides the Alphatek performance measurement platform.
This Privacy Notice explains how we process personal data when our platform is used by fitness centres, clinics, and their end users.
1. Roles and Responsibilities
1.1 Primary Processing
When our platform is used by a fitness centre or clinic, that organisation acts as the Data Controller for personal data processed in connection with training, rehabilitation, and testing.
In this context, Alphatek acts as a Data Processor and processes personal data solely on documented instructions from the customer in accordance with a Data Processing Agreement (DPA).
Individuals using the platform through a fitness centre or clinic should refer to that organisation’s own privacy notice for information about primary processing of their personal data.
When the platform is operated by Alphatek personnel on our premises or on the premises of a third party that does not have an agreement with Alphatek, we act as an independent Data Controller and the sections below will apply.
1.2 Secondary Processing for Product Improvement
Alphatek may process pseudonymised data derived from platform usage for the following independent purposes:
-
Product development and improvement
-
Algorithm training and validation
-
Statistical analysis and benchmarking
-
Quality assurance
-
Research and development
For such processing, Alphatek acts as an independent Data Controller.
2. Categories of Data
Depending on the use case, data processed by Alphatek may include:
-
Age
-
Height and weight
-
Gender
-
Strength and balance metrics
-
Functional performance metrics
-
Test results and scores
-
Time-series performance data
Direct identifiers, such as name, email address, or phone number, are not included in Alphatek’s AI training environment.
In clinical settings, performance and rehabilitation data may qualify as health data under GDPR Article 9. Such data is subject to enhanced safeguards as described in Section 4.
3. Legal Basis
3.1 Primary Processing
The legal basis for primary processing is determined by the relevant fitness centre or clinic acting as Data Controller.
3.2 Secondary Processing (Alphatek as Independent Controller)
For fitness-related secondary processing:
GDPR Article 6(1)(f) – Legitimate Interests. Alphatek has a legitimate commercial and technological interest in improving the accuracy, safety, and reliability of its platform. This interest has been assessed against the rights and freedoms of data subjects and found not to be overridden, given the pseudonymisation and technical safeguards applied. A full Legitimate Interests Assessment is available upon request.
For clinic- and health-related secondary processing:
GDPR Article 9(2)(j) – Scientific research and statistical purposes, together with Article 89 safeguards (see Section 4). Clinics acting as primary Data Controllers are responsible for ensuring that any applicable conditions under national law are satisfied before personal data is made available for secondary processing.
4. Pseudonymisation and Article 89 Safeguards
Before any secondary processing, the following safeguards are applied:
-
Direct identifiers are removed from all datasets
-
Unique cryptographically generated tokens replace identifiable references
-
Mapping keys are stored separately in a secured, access-controlled environment
-
Access to mapping keys is strictly restricted and logged
-
Encryption is applied in transit and at rest
-
Data minimisation is applied: only data necessary for the stated purpose is retained
-
K-anonymity thresholds are applied where appropriate to reduce re-identification risk
Alphatek does not attempt to re-identify pseudonymised data and prohibits re-identification as a matter of policy and contractual obligation on all personnel and sub-processors with access to such data.
5. Automated Processing and Individual Decision-Making
Certain features of the Alphatek platform use algorithm-assisted analysis to generate population-referenced performance insights for use by clinicians and fitness professionals.
These features are designed as clinical assessment support tools. Outputs are intended to inform professional judgement and do not constitute autonomous decisions producing legal or similarly significant effects on individuals within the meaning of GDPR Article 22.
Alphatek continues to monitor the development of AI-assisted features to ensure compliance with Article 22 and applicable guidance. If the nature of any feature changes such that Article 22 applies, this Notice will be updated accordingly and appropriate safeguards implemented.
6. Aggregated and Benchmark Data
Alphatek may generate aggregated statistical insights, benchmarks, and industry reports derived from platform usage. Such outputs:
-
Do not identify individuals
-
Do not identify specific customers
-
Constitute anonymous data and are not personal data within the meaning of the GDPR
Aggregated, anonymous statistical outputs may be used or licensed for lawful business purposes.
Alphatek does not sell, license, or otherwise commercialise personal data or pseudonymised data. Only outputs that have been rendered fully anonymous and non-personal may be commercialised.
7. Data Sharing
Alphatek does not sell identifiable personal data.
Aggregated, anonymised statistical outputs may be shared or licensed to third parties as described in Section 6.
Personal data processed in Alphatek’s capacity as Data Processor is not shared except in accordance with documented Controller instructions or applicable legal obligations.
Where sub-processors are engaged, Alphatek ensures equivalent data protection obligations are contractually imposed. A list of current sub-processors is available upon request.
8. Data Retention
8.1 As Data Processor
Retention is governed by the customer’s agreement and DPA. Alphatek will delete or return personal data within 90 days of termination of the relevant agreement, with backup systems cleared within 180 days, unless legal retention obligations apply.
8.2 As Independent Controller (Secondary Processing)
Pseudonymised datasets used for product development and algorithm training are retained for the following indicative periods:
-
Algorithm training and validation datasets: up to 5 years from the date of pseudonymisation, subject to periodic necessity review
-
Benchmarking and statistical datasets: up to 5 years from generation
-
Quality assurance records: up to 5 years
Retention periods are reviewed annually. Data is deleted or further anonymised when it is no longer necessary for the stated purpose.
9. Data Subject Rights
9.1 Where Alphatek Acts as Data Processor
Requests relating to personal data processed on behalf of a fitness centre or clinic must be directed to that organisation. Alphatek will assist the relevant Controller in responding as required under GDPR Article 28.
9.2 Where Alphatek Acts as Independent Controller
Data subjects may exercise the following rights in relation to secondary processing by contacting Alphatek directly:
-
Right of access (Article 15)
-
Right to rectification (Article 16)
-
Right to erasure (Article 17), where applicable
-
Right to restriction of processing (Article 18)
-
Right to object (Article 21), including to processing based on legitimate interests
Contact: privacy@alphatek.no
You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at any time: www.datatilsynet.no.
10. Security
Alphatek implements appropriate technical and organisational measures in accordance with GDPR Article 32, including:
-
Encryption in transit and at rest
-
Role-based access control and strong authentication
-
Logging and monitoring
-
Segregation of pseudonymisation mapping keys
-
Incident response and personal data breach procedures
-
Regular vulnerability assessments and security testing
11. International Transfers
Processing primarily occurs within the EU/EEA. Where personal data is transferred outside the EU/EEA, Alphatek ensures compliance with GDPR Chapter V through appropriate safeguards including Standard Contractual Clauses or adequacy decisions.
12. Changes to This Notice
Alphatek may update this Privacy Notice from time to time. Material changes will be communicated to relevant customers via the platform or by direct notification.
The current version will always be available at https://www.alphatek.no/privacy-policy, and the date of last update is shown at the top of this document.
13. Contact Information
Alphatek AS
Andreas Harestads vei 30
4070 Randaberg, Norway
Email: contact@alphatek.ai
Supervisory Authority:
Norwegian Data Protection Authority (Datatilsynet)
www.datatilsynet.no