Privacy Policy
Last updated: March 5, 2026
1. Introduction
BodyLytics (“we”, “us”, “our”) operates the website bodylytics.coach and associated online learning services. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our services, in compliance with the EU General Data Protection Regulation (GDPR) and the Spanish Organic Law 3/2018 on the Protection of Personal Data (LOPDGDD).
By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use our services.
2. Data Controller
The data controller responsible for your personal data is BodyLytics, operating from Badalona, Spain. For any questions or requests regarding your data, contact us at: privacy@bodylytics.coach
3. Data We Collect
We collect the following categories of personal data:
- Account Data: Name, email address, password (encrypted), phone number, country, and profile photo when you create an account.
- Payment Data: Payment details are processed securely by our payment processor, Stripe. We do not store your full card number on our servers.
- Usage Data: Course progress, study session times, lesson completions, community posts, and interactions with our platform.
- Technical Data: IP address, browser type, device information, and cookies (see our Cookie section below).
- Communication Data: Messages sent through our support system, community forums, and live chat.
4. How We Use Your Data
We process your personal data for the following purposes:
- Providing and managing your account and course access
- Processing payments and issuing certificates of completion
- Communicating with you about your courses, updates, and support requests
- Sending marketing communications (only with your explicit consent)
- Improving our services through analytics and usage patterns
- Ensuring security and preventing fraud
- Complying with legal obligations
5. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6:
- Contract Performance: To provide our services and fulfill our obligations to you as a student.
- Legitimate Interest: For analytics, service improvement, and security purposes.
- Consent: For marketing communications and optional analytics cookies.
- Legal Obligation: To comply with applicable laws and regulations.
6. Third-Party Services
We use the following third-party services that may process your data:
- Supabase (database and authentication) — Data stored on servers within the EU/EEA.
- Stripe (payment processing) — PCI DSS compliant. See Stripe Privacy Policy.
- Hostinger (website hosting) — Hosting infrastructure.
- Resend (email delivery) — For transactional and marketing emails.
We ensure that all third-party processors have appropriate data processing agreements in place and maintain adequate data protection standards.
7. Cookies
Our website uses the following types of cookies:
- Essential Cookies: Required for authentication, security, and basic site functionality. These cannot be disabled.
- Analytics Cookies: Help us understand how visitors use our site. These are only activated with your consent.
You can manage your cookie preferences at any time through the cookie consent banner or by clearing cookies in your browser settings.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with services. If you request account deletion, we will erase your personal data within 30 days, except where we are legally required to retain certain records (e.g., payment records for tax purposes may be kept for up to 6 years).
9. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access: Request a copy of the data we hold about you.
- Right to Rectification: Request correction of inaccurate data.
- Right to Erasure: Request deletion of your data (“right to be forgotten”).
- Right to Restriction: Request that we limit how we process your data.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to the processing of your data for certain purposes.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at privacy@bodylytics.coach. We will respond within 30 days as required by GDPR.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS/SSL), encrypted password storage, row-level security policies on our database, and regular security reviews.
11. International Data Transfers
Your data is primarily stored and processed within the EU/EEA. Where data is transferred outside the EEA (e.g., to US-based service providers), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or the service provider's participation in an adequacy framework.
12. Children's Privacy
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a new “Last updated” date. Continued use of our services after changes constitutes acceptance of the updated policy.
14. Supervisory Authority
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es
15. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- Email: privacy@bodylytics.coach
- Website: bodylytics.coach
