This policy explains how TheWorkoutBox collects, uses, stores, and protects your personal data, and describes your rights under the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and other applicable data protection laws.
The data controller responsible for your personal data is:
We process your personal data only where we have a valid legal basis:
| Data / Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Contract — necessary to provide the service you signed up for |
| Workout tracking, training plans, scores | Contract — core functionality of the platform |
| Processing subscription and plan payments | Contract — necessary to fulfil your purchase |
| Transactional emails (activation, receipts) | Contract — necessary to operate your account |
| Platform security, fraud prevention | Legitimate Interest — protecting users and the platform |
| Platform improvement and analytics | Legitimate Interest — improving our service |
| Marketing or optional communications | Consent — only if you have explicitly opted in |
| Compliance with legal obligations | Legal Obligation — e.g. tax records, law enforcement requests |
Your information is used exclusively to:
We keep your data only as long as necessary:
We do not sell your data. We share it only with the following processors who are contractually bound to protect it and may only use it on our instructions:
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing, subscription management | EU / USA — covered by Standard Contractual Clauses (SCCs) |
| Hosting provider | Server infrastructure and database hosting | European Union |
| Email provider | Transactional emails (account activation, notifications) | EU or SCC-covered |
In addition, your data may be disclosed to public authorities when required by law or to protect our legal rights. When you share content publicly (public workouts, scores), that content is visible to other platform users per your settings.
Our servers are located in the European Union. Some of our third-party processors (notably Stripe) may process data in the United States. Where this occurs, transfers are covered by the EU Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives equivalent protection to that required under GDPR.
We implement industry-standard security measures:
All data encrypted in transit (TLS) and at rest
Hosted on secure infrastructure within the EU
Strict access controls and authentication required
Continuous security monitoring and patching
As a data subject you have the following rights. To exercise any of them, contact us at team@theworkoutbox.com. We will respond within 30 days.
We use only strictly necessary cookies to maintain your session and remember your preferences (e.g. authentication token, theme). We do not use tracking, advertising, or analytics cookies. No cookie consent banner is required for strictly necessary cookies, but you can clear or block cookies via your browser settings — this may affect your ability to stay logged in.
Our service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, contact us immediately at team@theworkoutbox.com and we will delete it promptly.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice on the platform at least 14 days before changes take effect. The version date at the top of this page always reflects the most recent revision. Continued use of the service after changes take effect constitutes acceptance of the updated policy.