Privacy Policy
Effective date: May 12, 2026
GripFlow (“we”, “us”, or “our”) is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act (Databeskyttelsesloven).
1. Data Controller
The data controller for your personal data is:
2. What Data We Collect
We collect only the data necessary to provide our service:
- Account data: name, email address, password (hashed), gym name.
- Gym & member data: member profiles, belt ranks, class schedules, attendance records — data you enter into GripFlow about your gym.
- Health & injury data: injury records and time-off information that coaches may optionally record for members. This is special category data under Art. 9 GDPR — see Section 7a below.
- Billing data: subscription plan, payment history. Card details are processed by Stripe and never stored on our servers.
- Usage data: pages visited, features used, session timestamps — collected to improve the product.
- Waitlist/contact data: email address if you sign up for our waitlist or send us a message.
- Technical data: IP address, browser type, device type — collected automatically via server logs.
3. Legal Basis for Processing
- Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the GripFlow service you signed up for.
- Legitimate interest (Art. 6(1)(f) GDPR): improving the product, preventing fraud, and sending service-related communications.
- Consent (Art. 6(1)(a) GDPR): marketing emails and waitlist notifications — you can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c) GDPR): retaining billing records as required by Danish accounting law.
4. How We Use Your Data
- To create and manage your account and gym.
- To process subscription payments via Stripe.
- To send transactional emails (account confirmation, billing receipts, feature updates).
- To respond to contact form messages and support requests.
- To analyse usage patterns and improve GripFlow (aggregated, anonymised where possible).
- To comply with legal obligations.
We do not sell your data. We do not use it for advertising.
5. Data Sharing
We share data only with the following third-party processors, all under GDPR-compliant data processing agreements:
- Supabase — database and authentication hosting (EU servers available).
- Stripe — payment processing. Governed by Stripe's own Privacy Policy.
- Resend — transactional email delivery.
- Vercel — hosting and infrastructure.
- Sentry — error monitoring (anonymised stack traces).
We may disclose data if required by Danish law or a court order.
6. Data Retention
- Account data: retained for the duration of your subscription plus 30 days after cancellation, then deleted on request.
- Billing records: retained for 5 years as required by the Danish Bookkeeping Act (Bogføringsloven).
- Waitlist emails: retained until you unsubscribe or request deletion.
- Contact messages: retained for 12 months then deleted.
- Server logs: retained for 90 days.
7. Cookies
GripFlow uses strictly necessary cookies for authentication and session management. If you consent, we also use Vercel Analytics cookies to improve the product. We do not use advertising or tracking cookies. For a full list of cookies and to manage your preferences, see our Cookie Policy.
7a. Special Category Data (Health Information)
GripFlow allows coaches to optionally record injury and time-off information about gym members. This constitutes health data and is classified as special category data under Art. 9 GDPR. The legal basis for processing this data is the explicit or implicit consent of the member within the gym management relationship (Art. 9(2)(a) GDPR). Gym owners and coaches are responsible for obtaining appropriate consent from their members before recording health-related information in GripFlow.
8. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — request deletion of your personal data where no legal retention obligation applies.
- Restriction — ask us to pause processing while a complaint is investigated.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — at any time for processing based on consent, without affecting prior processing.
To exercise any of these rights, use our data rights form or email albertomangas2@gmail.com. We will respond within 30 days.
9. Complaints
If you believe we have mishandled your personal data, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):
Datatilsynet
Carl Jacobsens Vej 35, 2500 Valby, Denmark
Website: datatilsynet.dk
Phone: +45 33 19 32 00
10. Security
We implement industry-standard security measures including encrypted connections (TLS), hashed passwords, and access controls. No system is 100% secure — if you suspect a breach, contact us immediately at albertomangas2@gmail.com.
11. Changes to This Policy
We may update this policy. Material changes will be communicated by email or by a prominent notice on the site at least 14 days before taking effect. The “Effective date” at the top reflects the most recent revision.
12. Contact
For any privacy-related questions: albertomangas2@gmail.com or use our contact form.