Privacy Policy

Draft — not final. Pending counsel review before public launch.

This privacy policy is published for preview only and is not yet legally binding. Sections may change before fitfinder opens to the public. Questions: legal@fitfinder.ie. Last revised 10 May 2026.

Who we are (the data controller)

fitfinder is operated by FitFinder Ltd, a company registered in Ireland. References to “we”, “us”, and “our” in this policy mean FitFinder Ltd as the data controller of your personal data under the EU General Data Protection Regulation (GDPR).

You can contact us at privacy@fitfinder.ie for any privacy-related matter.

What we collect, why, and our lawful basis

We only collect what we need to run the service. For each category below we name the GDPR Article 6 lawful basis we rely on.

  • Name, email, password hash: to create and authenticate your account. Lawful basis: contract (Art 6(1)(b)).
  • Booking history, attendance, waivers: to deliver class bookings and meet legal/tax retention duties. Lawful basis: contract and legal obligation (Art 6(1)(b), 6(1)(c)).
  • Stripe customer and payment intent IDs: to process payments, refunds and chargebacks. Lawful basis: contract and legal obligation (Art 6(1)(b), 6(1)(c)).
  • Reviews you publish: to help other members choose studios. Lawful basis: legitimate interest (Art 6(1)(f)).
  • Marketing opt-in flag: to send marketing emails if you opt in. Lawful basis: consent (Art 6(1)(a)).
  • “Mood search” queries: to match your natural-language query to classes (processed by Anthropic). Lawful basis: legitimate interest (Art 6(1)(f)).
  • IP address, basic device info: rate limiting and security monitoring. Lawful basis: legitimate interest (Art 6(1)(f)).

Who we share your data with

We use a small number of trusted sub-processors to run fitfinder. Each is bound by a Data Processing Agreement (DPA) requiring at least the same protections we apply.

  • Supabase: database, authentication, file storage. Region/safeguard: hosted in EU-West (Ireland); DPA + SCCs.
  • Stripe: payment processing, payouts, fraud detection. Region/safeguard: Ireland, EU and US; DPA + SCCs + DPF.
  • Vercel: hosting and request logging. Region/safeguard: US; DPA + SCCs + DPF.
  • Resend: transactional email delivery. Region/safeguard: US; DPA + SCCs + DPF.
  • Anthropic: AI processing of “mood search” queries. Region/safeguard: US; DPA + SCCs (no training on your data).

We also share booking details (your name, the class you booked, the time) with the studio you book with, so they know who to expect.

We don't sell your data to anyone. Ever.

International data transfers

Our database and authentication run in the EU (Ireland). Some sub-processors (Stripe, Vercel, Resend, Anthropic) operate in the United States. Where data is transferred outside the EEA we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where available, the EU-US Data Privacy Framework (DPF). Copies of the SCCs we rely on are available on request.

How long we keep your data

  • Account data (name, email, profile): for as long as your account is active; removed within 30 days of account deletion.
  • Booking and payment records: 7 years from the booking date, to meet Irish Revenue retention requirements for financial records.
  • Class attendance records: 2 years.
  • Marketing opt-in record: until you unsubscribe, plus a short audit trail of the change.
  • “Mood search” queries: cached for up to 90 days to speed up repeat searches; deleted thereafter. Not used to train AI models.
  • Server logs and security records: up to 90 days.

Your rights under GDPR

You have the right to:

  • Access the personal data we hold about you (Article 15) — use the “Export my data” button in your account settings, or email privacy@fitfinder.ie.
  • Rectify inaccurate data (Article 16) — edit most fields in your account; for anything else email us.
  • Erase your data / be forgotten (Article 17) — use the “Delete my account” button. Note: certain financial records are retained for 7 years under Irish tax law and cannot be deleted on request.
  • Restrict or object to processing (Articles 18, 21) — email us.
  • Port your data to another service (Article 20) — the export download is in JSON.
  • Withdraw consent at any time (for the marketing flag) — toggle it in your account or click the unsubscribe link in any marketing email.

If you believe we've handled your data unlawfully, you have the right to lodge a complaint with the Irish Data Protection Commission at dataprotection.ie. We'd appreciate the chance to address your concern first, but it's your right either way.

Automated decisions and AI

Our “mood search” feature sends your natural-language query to Anthropic's Claude API, which returns matching activity categories. No decision about your account is automated — the AI only suggests classes; you choose whether to book. Anthropic does not train its models on your data under our commercial DPA.

Cookies

We use a small number of cookies, all strictly necessary or first-party:

  • Auth session cookies (Supabase) — keep you signed in.
  • Cookie consent cookie — remembers your banner choice so we don't ask twice.
  • CSRF token — protects form submissions against cross-site request forgery.

We don't run third-party advertising or behavioural-tracking cookies. If we ever add analytics, we'll ask for consent first.

Children

fitfinder is intended for adults (16 and over; 16 is the digital age of consent under Ireland's Data Protection Act 2018). We don't knowingly collect data from anyone under 16. If you believe a child has created an account, email privacy@fitfinder.ie and we'll remove it.

Security

We encrypt personal data in transit (HTTPS/TLS) and at rest. Access to production data is limited to named staff and requires multi-factor authentication. Row-level security policies in our database restrict each signed-in user to their own records unless a policy explicitly grants wider access. We maintain a breach response procedure aligned with GDPR Article 33, under which we notify the Data Protection Commission within 72 hours of becoming aware of a personal data breach that is likely to pose a risk to your rights.

Changes to this policy

We'll update this page when our practices change. If the change is material we'll notify you by email before it takes effect. The “Last revised” date at the top always reflects the current version.

Contact

Privacy questions, requests, or complaints: privacy@fitfinder.ie. We'll respond within one month, the deadline set by GDPR Article 12(3); for complex or numerous requests this can be extended by up to two further months, in which case we'll tell you why within the first month.

See also our Terms of Service.