Privacy Policy

1. Who we are

Poppy Mroz Fitness ("we", "us"), KBO 1034.172.923, operates the coaching platform at poppymrozfitness.com. We are responsible for the personal data you provide when using this service.

2. What data we collect

We collect only what is necessary to provide the service:

• Email address — used for login and invitations
• Display name — shown to your coach or athletes
• Role — coach or athlete
• Workout and training data — sets, reps, weights, dates you enter yourself
• Coach notes — private notes a coach writes about an athlete

We do not collect payment information, location data, or any data from third parties.

3. Why we process your data

Legal basis: contract performance (Article 6(1)(b) GDPR) — we need your data to provide the coaching platform service you signed up for.

4. How we store your data

Your data is stored in a secure PostgreSQL database hosted on Supabase (EU West region). Passwords are hashed using bcrypt and never stored in plain text. Data is transmitted over HTTPS.

5. Who we share your data with

We use the following sub-processors:

• Supabase — database hosting (EU)
• Railway — backend hosting (EU)
• Vercel — frontend hosting
• Resend — transactional email delivery
• OpenAI — AI program generation (workout context only, not personal identifiers)

We do not sell your data to any third parties.

6. Your rights

Under GDPR you have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your account and all associated data (via Settings → Delete account)
• Withdraw consent at any time
• Data portability — contact us to request an export

7. Data retention

Your data is retained for as long as your account is active. When you delete your account, all personal data is permanently removed within 24 hours.

8. Contact

For any privacy-related questions or data requests, contact us at: paulamroz1974@gmail.com