Privacy Policy

The data controller for your personal data is Diego Calatayud García (Tax ID: [NIF: completar]), with address at [Dirección: completar], operating under the trade name FitAxion.

For any data-protection inquiry, write to legal@fitaxion.com.

We are not currently required to appoint a Data Protection Officer (DPO) due to the processing volume. If we exceed the threshold or take on large-scale sensitive processing, we will appoint one and publish their details here.

Depending on user role, we process:

Coach account:

• Identification: first name, last name, email, phone (optional), avatar.
• Account: hashed password (bcrypt), preferences, language, timezone.
• Billing (when subscribing to a paid plan): tax name, tax ID, address, payment history. Processed via our payments provider (Stripe). Fitaxion only retains the customer ID and references.
• Usage: activity logs, login records, login IP (for security), product events.
• Professional (optional): bio, specialties, certifications you choose to publish on your profile.

Athlete account (special category):

• Identification: first name, last name, email, phone (optional), avatar.
• Health-related data (GDPR Art. 9): weight, height, body composition (% body fat, lean mass), perimeters, optional progress photos, goals, declared injuries, food intolerances and dietary restrictions.
• Physical activity data: assigned plans, training logs (weight, reps, RIR/RPE), adherence, streaks, nutrition logs.
• Communications: messages with the Coach and attached files.
• Usage: same as Coach account.

Website visitors (no account): basic browsing data collected via strictly necessary cookies and, with your consent, aggregate analytics.

3.1. Service provision (account management, plan assignment, chat, calendar, training logs, support).

• Legal basis: contract performance (GDPR art. 6.1.b) and, for Athlete health data, explicit consent (GDPR art. 9.2.a) collected on accepting the Coach's invitation.
• Retention: while the account is active. After deletion, data is removed or anonymized within 30 days, except where law requires retention.

3.2. Billing and accounting obligations

• Legal basis: legal obligation (GDPR art. 6.1.c — Spanish General Tax Law, Code of Commerce).
• Retention: 6 years from invoice issuance (Code of Commerce art. 30) and 4 fiscal years (General Tax Law art. 66).

3.3. Service communications (email verification, appointment reminders, weekly digests, adherence alerts).

• Legal basis: contract performance (essential) or legitimate interest (informational digests), with easy opt-out from the preferences panel.
• Retention: while the account is active.

3.4. Marketing communications (newsletter, feature announcements).

• Legal basis: consent (GDPR art. 6.1.a), revocable at any time.
• Retention: until you withdraw consent.

3.5. Product improvement and fraud prevention (aggregate analytics, anomalous use detection).

• Legal basis: legitimate interest (GDPR art. 6.1.f). Balancing test available on request.
• Retention: aggregate anonymized metrics retained indefinitely; identifying data deleted on account closure.

To deliver the service, Fitaxion shares certain personal data with the following processors, all bound by data-processing agreements (GDPR art. 28):

• Google Cloud Platform (Google Ireland Ltd. + Google LLC) — application hosting (Cloud Run) and file storage (Cloud Storage). Servers primarily in the EU (europe-west1). International transfers to the U.S. covered by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs).
• Neon, Inc. — PostgreSQL database hosting. EU region when available. SCCs in place.
• Resend, Inc. — transactional email delivery (verification, password reset, reminders). SCCs in place.
• Sentry (Functional Software, Inc.) — error monitoring. Configured to minimize PII with sensitive data scrubbing. SCCs in place.
• Jitsi (8x8.vc) — video calls. Only when you schedule a “video” appointment. The room is generated on the fly and is not recorded by default. Audiovisual data does not pass through Fitaxion servers.
• Stripe Payments Europe Ltd. (when payments are enabled) — payment processing. PCI-DSS Level 1 compliant.
• Plausible / PostHog (when enabled) — website analytics for the public site. Plausible is privacy-first and uses no cookies; PostHog would be configured with IP anonymization and cookie preference compliance.

This list is updated when a provider is added or changed. The current list is always available on this page and, on request, we can provide details of each engagement.

Disclosures to third parties: we do not sell or share your personal data with third parties for commercial purposes. We only disclose data to authorities when legally required.

Some of our processors (Google Cloud, Sentry, Stripe) have parent companies or sub-processors in the U.S. Transfers are made under:

• The EU-U.S. Data Privacy Framework adequacy decision by the European Commission (July 2023), where the recipient is certified.
• Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), with supplementary technical and organizational measures (encryption in transit and at rest, data minimization, access controls).

At any time, free of charge and without justification, you can exercise the following rights:

• Access: know what data we hold about you.
• Rectification: correct inaccurate data.
• Erasure (“right to be forgotten”): delete your data when no longer necessary.
• Restriction: ask us to limit use while we review a request.
• Objection: object to processing based on legitimate interest.
• Portability: receive your data in a structured format (JSON or CSV).
• Withdrawal of consent: for consent-based processing, without retroactive effect.
• Not be subject to automated decisions: Fitaxion does not make automated decisions with legal effects on the user.

How to exercise them? Write to legal@fitaxion.com stating the right exercised. We will respond within 30 days. To verify your identity we may request an ID document.

If you believe we have infringed your rights, you may file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

We apply reasonable technical and organizational measures to protect your data:

• Encryption in transit (TLS 1.3) and at rest (AES-256 at storage level).
• Password hashing with bcrypt (factor 12). We never store passwords in clear text.
• Short-lived access tokens (15 min) and HttpOnly + SameSite=Lax refresh-token cookies with rotation.
• Encrypted daily automatic backups, retained for 30 days.
• Role-based access control, least-privilege principle.
• Continuous monitoring and alerts on anomalous activity. Breach notification within 72h to the AEPD as required by GDPR.

Fitaxion does not allow accounts for minors under 14 (Spanish LOPDGDD art. 7). For Athletes between 14 and 17, the Coach must verify their legal guardians' authorization before inviting them to the platform.

We may update this policy to reflect legal changes, new services or improved transparency. Substantial modifications will be communicated by email at least 15 days in advance.