Privacy Policy

The controller of the data collected through this website (wod-manager.com), the admin dashboard (app.wod-manager.com) and the WOD Manager Android and iOS mobile apps is:

We are not required to appoint a Data Protection Officer (DPO) given our current volume, but the email above is the single point of contact for any data-related matter.

WOD Manager acts in two distinct roles depending on the data:

• Data controller with respect to the data of those who hire our service (the owners or managers of a CrossFit box), the navigation data of this public website and the data of those who contact us through our channels.
• Data processor with respect to the personal data of the members of each box uploaded to the platform. In this case, the box itself is the controller, and our processing is limited to what is set out in the Data Processing Agreement (DPA) you accept when you sign up. You can read it at /legal/dpa.

The categories of data we process vary depending on your relationship with us:

Each purpose relies on a different legal basis under Art. 6 GDPR. These are the main ones:

We keep personal data only for as long as strictly necessary for each purpose, with the following indicative periods:

• Account data: for as long as the contractual relationship lasts. After cancellation, for 30 days (grace period to reactivate). Then they are anonymized or deleted, unless retention is legally required.
• Tax and billing data: 6 years (Art. 30 Spanish Commercial Code) or the equivalent legal period in your country. Spain's tax authority (AEAT) specifically requires retention of VERI*FACTU invoices for this period.
• Contract data: 5 years after termination (Art. 1964 Spanish Civil Code).
• Technical and security logs: 12 months max.
• Marketing data (if you gave consent): until you revoke consent.
• Cookies: as detailed in the Cookies Policy.

When data is no longer needed, it is deleted or anonymized. Effective deletion takes into account the technical timeframe for backups (up to 35 additional days).

To deliver the service we rely on technology providers acting as processors. With all of them we have an Art. 28 GDPR contract and, where applicable, Standard Contractual Clauses approved by the European Commission (Decision 2021/914).

Additionally, pursuant to legal obligation, we may share data with:

• Spanish Tax Agency (AEAT) for VERI*FACTU compliance.
• Colombian Tax and Customs Office (DIAN) for electronic invoicing.
• Courts, tribunals and law enforcement when legally required.

We do not transfer personal data to third parties for commercial purposes. We do not sell your data.

Some of our processors are headquartered or have servers outside the European Economic Area (EEA), mainly in the United States. These transfers are made with the following safeguards:

• Standard Contractual Clauses approved by the European Commission (Decision 2021/914) signed with each processor.
• EU-US Data Privacy Framework: the main providers (Google, Stripe, Vercel) are certified, under the Adequacy Decision of July 10, 2023.
• Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or higher).
• Role-based access control with auditing and access logging at the infrastructure providers.

You can obtain a copy of the specific safeguards by writing to hello@wod-manager.com.

Under Arts. 15 to 22 GDPR, you may exercise the following rights at any time:

• Access: know what data we hold about you and obtain a copy.
• Rectification: correct inaccurate or incomplete data.
• Erasure ("right to be forgotten"): request deletion of your data when no longer necessary.
• Restriction of processing: have us stop processing your data while a controversy about accuracy or lawfulness is resolved.
• Objection: object to processing based on legitimate interest or to commercial communications.
• Portability: receive your data in a structured, commonly used format (JSON) for transmission to another controller.
• Automated decisions: not be subject to individual decisions based solely on automated processing. WOD Manager does not make such decisions about data subjects.
• Withdraw consent at any time where consent is the basis for processing.

How to exercise them:

• Directly from the app: Profile → Privacy has a button to download all your data and another to request account deletion.
• Or by writing to hello@wod-manager.com from the email address associated with your account, indicating the right you wish to exercise. We will respond within one month, extendable to two months for complexity or volume, notifying you in advance.

If you believe your right has not been properly handled, you may file a complaint with the Spanish Data Protection Agency (AEPD), headquartered at C/ Jorge Juan 6, 28001 Madrid, or through their electronic office: sedeagpd.gob.es.

We apply appropriate technical and organizational measures to ensure the security of your data:

• Encryption in transit (HTTPS / TLS) and at rest (AES-256).
• Strong authentication via Firebase Authentication, role-based access control and Firestore security rules.
• Automatic daily encrypted backups retained for 30 days.
• Access logging and security event monitoring.
• Servers in data centers certified ISO 27001 and SOC 2 Type II (Google Cloud Platform).
• Documented procedure for security breach notification to the AEPD within 72 hours under Art. 33 GDPR, and to affected data subjects where the risk is high (Art. 34 GDPR).

No system is absolutely secure. If you spot a potential vulnerability, please disclose it responsibly to hello@wod-manager.com.

The Service is not directed at children under 14. If you are under that age, do not provide us your data. Where a box signs up a minor (for example, for kids' classes), it must do so with the express consent of the holder of parental authority or guardianship, under Art. 7 LOPDGDD. The box is responsible for collecting and retaining such consent.

We may update this Privacy Policy to reflect legal or service changes. Any significant change will be notified at least 30 days in advance via the email associated with your account and with a prominent in-app notice. The current version and its update date will always appear at the top of this document.

For any inquiry about this policy or the processing of your data: