📡
Server unreachable
We couldn't reach the server.
Check your connection and try again.
Privacy Policy
Last updated: May 29, 2026  ·  Version 1.1
Your Privacy Matters

This policy explains how TheWorkoutBox collects, uses, stores, and protects your personal data, and describes your rights under the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and other applicable data protection laws.


Data Controller

The data controller responsible for your personal data is:

TheWorkoutBox
Email: team@theworkoutbox.com
For all data protection enquiries, please use the email above with the subject line "Data Protection Request".

Information We Collect
  • Account Information: Email address, display name, and password (stored as a cryptographic hash — never in plain text)
  • Workout & Training Data: Training sessions, exercises, scores, progress logs, and training plan content you create or interact with
  • Usage Information: Pages visited and features used, solely to maintain and improve the platform
  • Payment Information: Subscription and purchase records (plan name, amount, date). Card details are processed exclusively by Stripe — we never store them.
  • Communications: Emails you send us or transactional emails we send you (account activation, notifications)

Legal Basis for Processing (Art. 6 GDPR)

We process your personal data only where we have a valid legal basis:

Data / Purpose Legal Basis
Account creation and authentication Contract — necessary to provide the service you signed up for
Workout tracking, training plans, scores Contract — core functionality of the platform
Processing subscription and plan payments Contract — necessary to fulfil your purchase
Transactional emails (activation, receipts) Contract — necessary to operate your account
Platform security, fraud prevention Legitimate Interest — protecting users and the platform
Platform improvement and analytics Legitimate Interest — improving our service
Marketing or optional communications Consent — only if you have explicitly opted in
Compliance with legal obligations Legal Obligation — e.g. tax records, law enforcement requests

How We Use Your Data
We NEVER sell, share, or rent your personal data to third parties for marketing purposes.

Your information is used exclusively to:

  • Provide and maintain our workout tracking services
  • Process payments and send account notifications
  • Improve our platform and develop new features
  • Provide customer support
  • Protect against fraudulent or illegal activity

Data Retention

We keep your data only as long as necessary:

  • Active account data — retained for the lifetime of your account
  • After account deletion — personal data (email, name, password) is deleted within 30 days. Anonymised workout data (scores with no personal identifier) may be retained for platform statistics.
  • Payment records — kept for 7 years to comply with tax and accounting legal obligations, even after account deletion
  • Support emails — retained for 2 years from last contact

Data Sharing & Third-Party Processors

We do not sell your data. We share it only with the following processors who are contractually bound to protect it and may only use it on our instructions:

Processor Purpose Location
Stripe Payment processing, subscription management EU / USA — covered by Standard Contractual Clauses (SCCs)
Hosting provider Server infrastructure and database hosting European Union
Email provider Transactional emails (account activation, notifications) EU or SCC-covered

In addition, your data may be disclosed to public authorities when required by law or to protect our legal rights. When you share content publicly (public workouts, scores), that content is visible to other platform users per your settings.


International Data Transfers

Our servers are located in the European Union. Some of our third-party processors (notably Stripe) may process data in the United States. Where this occurs, transfers are covered by the EU Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives equivalent protection to that required under GDPR.


Data Security

We implement industry-standard security measures:

Encryption

All data encrypted in transit (TLS) and at rest

EU Servers

Hosted on secure infrastructure within the EU

Access Control

Strict access controls and authentication required

Regular Updates

Continuous security monitoring and patching


Your Rights Under GDPR

As a data subject you have the following rights. To exercise any of them, contact us at team@theworkoutbox.com. We will respond within 30 days.

  • Right of Access (Art. 15): Obtain a copy of all personal data we hold about you
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete data
  • Right to Erasure (Art. 17): Request deletion of your account and personal data ("right to be forgotten"), subject to legal retention obligations
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format. Contact us to request an export.
  • Right to Restrict Processing (Art. 18): Ask us to suspend processing your data in certain circumstances (e.g. while you contest its accuracy)
  • Right to Object (Art. 21): Object to processing based on legitimate interest at any time. We will stop unless we have compelling legitimate grounds.
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing
Right to lodge a complaint: If you believe we are processing your data unlawfully, you have the right to lodge a complaint with your national data protection supervisory authority. In France: CNIL — cnil.fr. A full list of EU supervisory authorities is available at edpb.europa.eu.

Cookies

We use only strictly necessary cookies to maintain your session and remember your preferences (e.g. authentication token, theme). We do not use tracking, advertising, or analytics cookies. No cookie consent banner is required for strictly necessary cookies, but you can clear or block cookies via your browser settings — this may affect your ability to stay logged in.


Children's Privacy

Our service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, contact us immediately at team@theworkoutbox.com and we will delete it promptly.


Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice on the platform at least 14 days before changes take effect. The version date at the top of this page always reflects the most recent revision. Continued use of the service after changes take effect constitutes acceptance of the updated policy.


Data protection questions or requests? Contact us at team@theworkoutbox.com with the subject line "Data Protection Request". We will respond within 30 days as required by GDPR Art. 12.