Privacy Policy

This Privacy Policy explains how we collect, use, disclose and protect personal data when you use MyBJJStory (the “Service”). It has been written to comply with the EU General Data Protection Regulation (GDPR) and the UK GDPR. Terms in bold have the meaning given in Article 4 GDPR.

1. Data controller

MyBJJStory is operated by the MyBJJStory project based in Norway. We act as the data controller for personal data processed through the Service. You can reach our privacy contact at contact@mybjjstory.com.

2. What personal data we collect

We collect only the data needed to run the Service. The categories we process are:

• Profile data: email address, display name, optional avatar image, belt rank, academy affiliation, bio and language preference.
• Training data: training session logs, techniques drilled, gradings, competition results and sparring records you create.
• Health-related data: injury records (body part, severity, impact on training), body metrics (weight, flexibility, strength ratings you self-report) and belt assessments. This is special category data under Article 9 GDPR and is processed only with your explicit consent, which you can withdraw at any time.
• Media: photos and videos you upload, stored in Supabase Storage.
• Social content: posts, comments, reactions, follows and thread messages.
• Technical data: IP address (transiently, for authentication and abuse prevention), browser and device information, and push subscription tokens if you have opted in to push notifications.
• Consent logs: time-stamped records of consent you give or withdraw, kept to satisfy our accountability duty under Article 7(1) GDPR.

3. Why we process it (legal basis)

• Performance of a contract (Art. 6(1)(b) GDPR): to create your account, deliver the core features of the Service and provide support.
• Consent (Art. 6(1)(a) GDPR): for optional features such as push notifications, marketing-style communications and any future analytics cookies. For injury and other health data we rely on your explicit consent under Art. 9(2)(a) GDPR.
• Legitimate interests (Art. 6(1)(f) GDPR): to keep the Service secure, prevent abuse, debug errors and protect our users. We have balanced this against your rights and believe the processing is proportionate; contact us if you disagree.
• Legal obligation (Art. 6(1)(c) GDPR): where we must keep records to comply with applicable law.

You may withdraw any consent at any time; see section 7.

4. Who we share it with

We do not sell personal data. We share it only with the sub-processors below, each under a written data processing agreement in accordance with Article 28 GDPR.

• Supabase (Supabase Inc.): database, authentication and storage. Primary region North EU (Stockholm, Sweden — EEA). Privacy notice.
• Vercel Inc.: application hosting and edge delivery. Privacy notice.
• Google Ireland Ltd.: sign-in via Google OAuth. Google receives your name, email and avatar when you authenticate. Privacy notice.
• Sentry (Functional Software Inc.): error logging. Receives technical error traces without personal content. Privacy notice.
• Strava Inc. (optional): if you connect a Strava account, we import activities you have authorised. Privacy notice.
• Garmin International Inc. (optional, planned): if you connect a Garmin account once the integration is enabled, we import workout and health data you authorise. Data is transferred to the United States under SCCs. Privacy notice.
• Resend (Resend, Inc.): delivery of administrative and moderation-related email (abuse reports, admin replies to feedback). Supabase Auth handles user-facing authentication emails (sign-up, password reset, magic link) through its default mail infrastructure or, where configured, through Resend as the delivery provider. Privacy notice.

We may also disclose personal data when required by law, a court order or a lawful request from a public authority, or to protect our rights and safety.

5. International transfers

Primary data storage is in the EEA (Supabase, North EU region, Stockholm, Sweden). Some sub-processors (for example Vercel, Sentry, Strava and Resend) are established in the United States or route data through the US. Where transfers outside the EEA are necessary, we rely on the European Commission’s Standard Contractual Clauses (SCCs, 2021/914) or, where applicable, the EU-US Data Privacy Framework adequacy decision, supplemented by technical measures such as encryption in transit and at rest and PII scrubbing for error telemetry. We maintain a Transfer Impact Assessment for each US sub-processor. You can request a copy of the safeguards we rely on by emailing the address in section 13.

6. How long we keep it

• Active accounts: for as long as your account is active.
• Deleted accounts: when you delete your account, personal data is removed from production systems immediately and purged from backups within 30 days.
• Inactive accounts: accounts with no sign-in for 24 months receive a warning email. After 36 months of inactivity the account is deleted automatically.
• Consent logs: while your account is active, each consent event is stored with timestamp, consent type, version, IP address and user-agent (retained for up to 12 months from the event for security and audit). On account deletion the IP and user-agent columns are stripped and the remaining anonymised record is retained for up to 3 years to evidence compliance with Art. 7(1) GDPR.
• Security logs: kept for up to 90 days for abuse prevention and incident response.

7. Your rights under GDPR

You have the right to:

• access the personal data we hold about you (Art. 15);
• have inaccurate data rectified (Art. 16);
• have your data erased, subject to legal exceptions (Art. 17);
• restrict processing in defined circumstances (Art. 18);
• receive your data in a machine-readable format and port it (Art. 20);
• object to processing based on legitimate interests, including profiling (Art. 21);
• withdraw any consent at any time without affecting prior lawful processing (Art. 7(3)).

To exercise these rights, email contact@mybjjstory.com. We will respond within one month of receiving your request. Where a request is complex or we receive a high volume, we may extend this by up to two further months under Art. 12(3) GDPR, and we will explain the reason within the first month.

We do not use automated decision-making that produces legal or similarly significant effects on you within the meaning of Art. 22 GDPR.

You also have the right to lodge a complaint with a supervisory authority. If you live in the EEA you can contact your national data protection authority (a list is maintained by the European Data Protection Board). For the United Kingdom, the competent authority is the Information Commissioner’s Office (ICO). For Norway, the lead authority is Datatilsynet, which also acts as our lead supervisory authority for cross-border EEA matters.

8. Visibility of your profile

Your training log is private by default. You decide what is shared with the community, and your profile is hidden unless you choose to make it public.

If you enable both public profile and allow search indexing, your display name, avatar and belt rank may appear in the member list of the academy you have marked as primary, which can be indexed by search engines. You can disable indexing or make your profile private again at any time via Settings.

9. Children

The Service is intended for users aged 16 years or over. Under Article 8 GDPR the age at which a child can give valid consent to information society services varies between 13 and 16 across EU Member States. To stay on the safe side of the strictest national rule, we set the minimum age at 16.

If you are the parent or legal guardian of a user aged 13 to 15 and wish to authorise or confirm consent on their behalf under Art. 8(2) GDPR, email contact@mybjjstory.com and we will verify the request and assist with the account set-up.

We do not knowingly collect personal data from children under 13 under any circumstances. If we learn that we hold such data we will delete the account and associated data without undue delay. If you believe a child under 13 has created an account, please contact contact@mybjjstory.com.

10. Security

We apply appropriate technical and organisational measures in line with Article 32 GDPR: transport encryption (TLS) for all traffic, encryption at rest for database and storage, row-level security policies on every table, least-privilege access for maintainers and audit logs for administrative actions. No method of transmission or storage is perfectly secure. Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours in accordance with Art. 33 GDPR. Where the breach is likely to result in a high risk, we will also notify affected users without undue delay (Art. 34).

11. Cookies

For detail on the cookies and similar technologies we use, see our Cookie Policy.

12. Changes to this policy

We may update this Privacy Policy. Material changes will be announced in the app or by email before they take effect. The “last updated” date at the top of this page always reflects the current version. Continued use of the Service after the effective date constitutes acknowledgement of the revised policy.

13. Contact

Questions about this policy, or to exercise any right listed in section 7, email contact@mybjjstory.com.