Last updated: January 11, 2026

This Privacy Policy explains how TrainerStudio ("TrainerStudio," "we," "us," or "our") collects, uses, discloses, and protects your personal data when you use our services.

1. Data Controller

The data controller responsible for your personal data is TrainerStudio, a company registered in Spain.

Email: info@trainerstudio.io
General inquiries: info@trainerstudio.io

2. Scope of This Policy

This Privacy Policy applies to:

Visitors to trainerstudio.com and all subdomains
Users of our web application
Users of our mobile applications (iOS and Android)
Trial users and paying subscribers
End Users (fitness clients) who access the platform through a Trainer's account

3. Personal Data We Collect

3.1 Data Provided Directly by Trainers

Account Data: Name, email address, phone number, password (encrypted), profile picture
Business Data: Business name, logo, professional certifications
Payment Data: Credit/debit card information (processed by Stripe), billing address
Billing Data: Company name, tax identification number, invoice address

3.2 Data Provided by End Users (Fitness Clients)

Profile Data: Name, email, profile picture, date of birth
Health and Fitness Data: Weight, height, body measurements, fitness goals, workout logs, progress photos
Communication Data: Messages exchanged with trainers through the platform

3.3 Data Collected Automatically

Device Data: Device type, operating system, browser type, unique device identifiers
Usage Data: Pages visited, features used, actions taken, time spent, crash reports
Log Data: IP address, access times, referring URLs, error logs
Location Data: General geographic location derived from IP address (not precise GPS)

3.4 Data from Third-Party Sources

Account information from OAuth providers (Google, Apple) if you choose to sign in with these services
Payment transaction data from Stripe

4. Legal Bases for Processing (GDPR)

We process personal data under the following legal bases:

Purpose	Legal Basis
Providing the Service	Contract performance (Art. 6(1)(b) GDPR)
Processing payments	Contract performance
Customer support	Contract performance / Legitimate interest
Service improvement and analytics	Legitimate interest (Art. 6(1)(f) GDPR)
Security and fraud prevention	Legitimate interest
Marketing communications	Consent (Art. 6(1)(a) GDPR)
Legal compliance and tax records	Legal obligation (Art. 6(1)(c) GDPR)
Processing health/fitness data	Explicit consent (Art. 9(2)(a) GDPR)

5. How We Use Your Data

Service Provision: To create and manage accounts, provide platform features, and facilitate trainer-client interactions
Payments: To process subscriptions, generate invoices, and manage billing
Communication: To send transactional emails, notifications, and respond to support requests
Service Improvement: To analyze usage patterns, fix bugs, and develop new features
Security: To detect, prevent, and respond to security threats, fraud, and abuse
Legal Compliance: To comply with applicable laws, regulations, and legal processes
Marketing: To send promotional communications (only with your consent)

6. Data Sharing and Sub-processors

We share personal data with the following categories of recipients:

6.1 Sub-processors

Provider	Purpose	Location
Amazon Web Services (AWS)	Cloud hosting and infrastructure	EU (Frankfurt)
MongoDB Atlas	Database hosting	EU
Stripe	Payment processing	US (with EU SCCs)
Firebase (Google)	Authentication, push notifications	EU
Vercel	Web hosting	Global (CDN)
Postmark	Transactional email	US (with EU SCCs)
Sentry	Error monitoring	US (with EU SCCs)

6.2 Other Disclosures

We may also disclose data:

To comply with legal obligations or valid legal processes
To protect the rights, safety, or property of TrainerStudio, our users, or the public
In connection with a merger, acquisition, or sale of assets (with prior notice)
With your explicit consent

7. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through:

Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate protection
Standard Contractual Clauses (SCCs): EU-approved contractual terms with data importers
Supplementary Measures: Additional technical and organizational safeguards where necessary

You may request a copy of the relevant transfer mechanisms by contacting info@trainerstudio.io.

8. Data Retention

We retain personal data for the following periods:

Data Category	Retention Period
Account data	Duration of account + 30 days after deletion request
Billing and tax records	10 years (legal requirement in Spain)
Customer support communications	3 years after resolution
Usage logs and analytics	26 months
Marketing consent records	Duration of consent + 3 years
Security logs	12 months

After the retention period, data is either anonymized or securely deleted.

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

Category	Purpose	Consent Required
Strictly Necessary	Essential for service operation (authentication, security)	No
Functional	Remembering preferences, language settings	No
Analytics	Understanding usage patterns, improving service	Yes
Marketing	Measuring ad effectiveness, retargeting	Yes

9.2 Managing Cookies

You can manage cookie preferences through our cookie consent banner or your browser settings. Blocking certain cookies may affect service functionality.

10. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15): Request a copy of your personal data we hold
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
Right to Restriction (Art. 18): Request limitation of processing in certain circumstances
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent
Right Not to Be Subject to Automated Decisions (Art. 22): Not be subject to decisions based solely on automated processing with legal effects

10.1 How to Exercise Your Rights

To exercise any of these rights, contact us at info@trainerstudio.io with:

Your full name and email associated with your account
The specific right you wish to exercise
Any additional information to help us locate your data

We will respond within one month. This period may be extended by two months for complex requests, with prior notice.

10.2 Right to Lodge a Complaint

If you believe your rights have been violated, you may lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es or your local supervisory authority.

11. End User (Fitness Client) Data

TrainerStudio processes End User data on behalf of Trainers (who are the Data Controllers for their clients). Regarding End User data:

TrainerStudio acts as Data Processor under the Trainer's instructions
Trainers are responsible for providing privacy notices to their clients
Trainers are responsible for obtaining necessary consents from their clients
End Users should direct data subject requests to their Trainer
TrainerStudio will assist Trainers in responding to End User requests

12. Special Categories of Data

The Service may process health-related data (weight, body measurements, fitness progress). This constitutes "special category data" under GDPR. We process such data only:

With explicit consent from the data subject
For the specific purpose of providing fitness management services
With enhanced security measures including encryption

13. Automated Decision-Making

TrainerStudio does not engage in automated decision-making or profiling that produces legal effects or significantly affects you. Analytics and recommendations within the Service are aids for human decision-making by Trainers.

14. Children's Privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will delete such data promptly.

Trainers who work with minors are responsible for obtaining appropriate parental consent before adding minor clients to the platform.

15. Data Security

We implement comprehensive security measures including:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Secure authentication with support for multi-factor authentication
Regular security assessments and penetration testing
Access controls and principle of least privilege
Employee security training and confidentiality agreements
Incident response and breach notification procedures
Regular backups with tested recovery procedures

16. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours
Notify affected individuals without undue delay if the breach is likely to result in high risk
Document the breach and remediation measures taken

17. Links to External Websites

The Service may contain links to third-party websites. TrainerStudio is not responsible for the privacy practices of external websites. We encourage you to review the privacy policies of any third-party sites you visit.

18. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via:

Email notification to registered users
Prominent notice on our website
In-app notification

We will provide at least 30 days' notice before material changes take effect. The "Last updated" date at the top indicates when the policy was last revised.

19. Contact Us

For privacy-related inquiries:

Privacy inquiries: info@trainerstudio.io
General inquiries: info@trainerstudio.io
Data subject requests: info@trainerstudio.io