Your Privacy at a Glance
- ✓ We collect only what we need to provide the Service
- ✓ We never sell your personal data to third parties
- ✓ You can request deletion of your data at any time
- ✓ We are GDPR-compliant for EU/EEA users
- ✓ We use cookies only for authentication and analytics
1. Who We Are
WODBuilders ("we," "us," or "our") operates the fitness platform at https://wodbuilders.com. For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws, we act as the data controller for personal data collected through our Service.
For any privacy-related questions or requests, contact our privacy team at: privacy@wodbuilders.com
2. Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide Directly
- Account data: Email address, display name, password (stored as a secure hash via Supabase Auth)
- Profile preferences: Fitness level (beginner/intermediate/advanced), available equipment, display name
- Payment data: Billing information processed and stored by Stripe. We never store full card numbers.
- Saved workouts: WODs you choose to bookmark or save to your account
- Communications: Emails or messages you send to our support team
2.2 Data Collected Automatically
- Usage data: Pages visited, WODs generated, filters used, session duration
- Device data: Browser type and version, operating system, screen resolution
- IP address: Used for fraud prevention and approximate geolocation (country/region level)
- Cookies and session tokens: Used for authentication and to maintain your session
2.3 Data from Third Parties
- Google OAuth: If you sign in with Google, we receive your name, email, and profile picture from Google
- Stripe: We receive confirmation of payment status and subscription state from Stripe
3. How We Use Your Data
We process your personal data for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Create and manage your account | Contract performance (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Contract performance (Art. 6(1)(b)) |
| Personalize workout generation to your preferences | Contract performance (Art. 6(1)(b)) |
| Send transactional emails (receipts, confirmations) | Contract performance (Art. 6(1)(b)) |
| Enforce usage limits (free vs. paid tiers) | Legitimate interests (Art. 6(1)(f)) |
| Analytics and product improvement | Legitimate interests (Art. 6(1)(f)) |
| Prevent fraud and abuse | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Send marketing emails (if opted in) | Consent (Art. 6(1)(a)) |
4. Cookies and Tracking
We use the following types of cookies and tracking technologies:
4.1 Strictly Necessary
Session cookies set by Supabase Auth to keep you logged in. These are essential to the Service and cannot be disabled. They expire when you log out or after a defined period.
4.2 Analytics (PostHog)
We use PostHog to understand how users interact with WODBuilders (e.g., which filters are used, how many WODs are generated). PostHog may set persistent cookies. Data is processed under our legitimate interests in improving the Service. You can opt out at any time by contacting us.
4.3 Session Storage
For unauthenticated visitors, we store a generation counter in browser sessionStorage to enforce the 1 WOD/session limit. This data never leaves your device and is cleared when you close your browser tab.
5. Data Sharing and Third Parties
We do not sell your personal data. We share data only with:
- Supabase (Supabase Inc., USA) — database, authentication, and file storage. Data is stored in the EU region where selected. Supabase is GDPR-compliant.
- Stripe (Stripe Inc., USA) — payment processing. Stripe is PCI DSS Level 1 compliant.
- PostHog (PostHog Inc., USA) — product analytics.
- Vercel (Vercel Inc., USA) — hosting and edge infrastructure. Processes request logs temporarily.
All third-party processors have signed Data Processing Agreements (DPAs) where required by GDPR. International transfers to the USA are covered by Standard Contractual Clauses (SCCs).
We may also disclose data when required by law, court order, or governmental authority, or to protect the rights, property, or safety of WODBuilders or others.
6. Data Retention
We retain your personal data for as long as necessary to provide the Service:
- Account data: Until you delete your account, plus up to 30 days for backup recovery
- Billing records: 7 years (tax and legal obligation)
- Usage/analytics data: 12 months, then aggregated and anonymized
- Support communications: 2 years from last contact
- Server logs: 30 days
7. Your Rights (GDPR & CCPA)
Depending on your location, you have the following rights regarding your personal data:
EU/EEA Users (GDPR)
- Right of access (Art. 15): Request a copy of all data we hold about you
- Right to rectification (Art. 16): Correct inaccurate or incomplete data
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to restriction (Art. 18): Restrict processing of your data in certain circumstances
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
- Right to lodge a complaint: With your national data protection authority
California Residents (CCPA)
- Right to know what personal information is collected and how it is used
- Right to delete personal information (with certain exceptions)
- Right to opt out of the sale of personal information (we do not sell data)
- Right to non-discrimination for exercising your CCPA rights
To exercise any of these rights, email privacy@wodbuilders.com. We will respond within 30 days. We may need to verify your identity before processing requests.
8. Data Security
We implement technical and organizational measures to protect your personal data, including:
- All data in transit is encrypted using TLS 1.2+
- Passwords are hashed using bcrypt via Supabase Auth
- Row-Level Security (RLS) is enabled on all database tables
- Access to production systems is limited to authorized personnel
- Payment card data is never stored on our servers (handled entirely by Stripe)
No system is 100% secure. If we become aware of a data breach that affects your rights, we will notify you as required by applicable law (within 72 hours under GDPR where required).
9. Children's Privacy
The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@wodbuilders.com and we will delete it promptly.
10. Links to Third-Party Sites
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policies of any third-party sites you visit.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes by posting the new policy on this page with an updated "Last updated" date and, where appropriate, by email notification. Your continued use of the Service after changes constitutes acceptance of the revised policy.
12. Contact & Data Protection Officer
For any privacy-related questions, data subject requests, or concerns:
WODBuilders — Privacy Team
Email: privacy@wodbuilders.com
Website: https://wodbuilders.com
Response time: within 30 days (GDPR requests within 30 days per Art. 12)