Privacy Policy

Last updated: May 22, 2026

1. Data controller

The controller responsible for processing your personal data is:

  • Entity: Pedro Serra Comas
  • Tax ID: 43171443Y
  • Address: Carrer Ric 85, 07420 Sa Pobla, Illes Balears, Spain
  • Contact email: hola@spotfitr.com

2. Data we collect

Depending on how you use Spotfitr, we process the following categories of data:

  • Account data: name, email address, hashed password, preferred language.
  • Usage data: sessions created, bookings made, limits configured, trainer-client relationships.
  • Billing data (Pro trainers only): handled directly by Stripe; we only store the customer identifier and subscription status.
  • Google Calendar data (optional): encrypted OAuth access and refresh tokens, used to create and sync session events in your calendar. We do not read your existing calendar; we only write Spotfitr events.
  • Technical data: IP address, device type, browser, access logs.
  • Analytics data: anonymized product-usage events, only if you accept analytics cookies.

3. Purposes

  • Provide the booking and client management service for trainers.
  • Manage your account, authentication, and invitations.
  • Process payments and Pro subscriptions.
  • Send necessary transactional emails (email verification, password reset, booking confirmations).
  • Sync sessions and bookings with Google Calendar, only if you explicitly connect this integration from settings.
  • Comply with legal, tax, and accounting obligations.
  • Improve the product and detect errors (aggregated or anonymized data only).

4. Legal basis

Each purpose has a lawful basis under Art. 6 GDPR:

  • Performance of a contract (Art. 6.1.b): delivering the service, account management, payments, transactional communications.
  • Legal obligation (Art. 6.1.c): invoicing, accounting, tax compliance.
  • Legitimate interest (Art. 6.1.f): service security, fraud detection, product improvement with aggregated data.
  • Consent (Art. 6.1.a): analytics cookies, promotional communications, and Google Calendar sync (granular opt-in; revocable at any time from settings).

5. Data retention

We keep your data while your account is active. After cancellation, data is deleted within 30 days, except for data we must retain by law (e.g. invoices: 6 years under Spanish tax law).

6. Processors

We rely on the following providers acting as data processors:

  • Stripe Payments Europe Ltd. (Ireland) — Payment and subscription processing.
  • Resend, Inc. (USA) — Transactional email delivery. Transfer covered by standard contractual clauses.
  • Google LLC — OAuth authentication (only if you choose to sign in with Google) and Google Calendar API (only if you connect the calendar integration; we use the calendar.events scope exclusively to create, update, and delete Spotfitr events in your calendar).
  • Functional Software, Inc. dba Sentry — Error logging. Transfer covered by standard contractual clauses.
  • PostHog, Inc. (EU host) — Product analytics, only if you accept analytics cookies.
  • DigitalOcean, LLC (USA) — Service hosting. Transfer covered by standard contractual clauses.

7. International transfers

Some processors (Stripe, Resend, Sentry) may handle data outside the European Economic Area. In such cases, the transfer relies on standard contractual clauses approved by the European Commission or equivalent adequacy decisions.

8. Your rights

You can exercise the following rights by writing to hola@spotfitr.com:

  • Access — obtain a copy of the data we process about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — delete your data when you stop using the service.
  • Objection — object to processing based on legitimate interest.
  • Restriction — restrict processing under certain circumstances.
  • Portability — receive your data in a structured, readable format.
  • Withdraw consent — when processing is based on your consent.

We will respond within one month of receiving your request.

9. Complaints

If you believe the processing of your data does not comply with applicable law, you can file a complaint with the Spanish Data Protection Agency (aepd.es).

10. Cookies

We use cookies strictly necessary for the service (session, authentication) and analytics cookies that only activate if you accept. You can manage your preferences at any time from the cookie banner.

11. Changes to this policy

We may update this policy to reflect changes in the service or applicable law. We will notify you by email if the change significantly affects your rights.

Cookie preferences

We use essential cookies to keep the site running and, with your consent, analytics cookies to improve the product. Privacy Policy