Privacy Policy
Last updated: April 17, 2026
We take the protection of your personal data seriously. This policy describes what we process on buildscore.fit, why, and on which legal basis under the EU General Data Protection Regulation (GDPR).
1. Data Controller
Juri Barcellos Da Rocha
Otawiweg 5
22763 Hamburg
Germany
Email: hello@buildscore.fit
2. What we process
2.1 Server logs
Our hosting provider Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA) automatically records server logs on each request: IP address (truncated where possible), date/time, URL, referrer, browser, OS, language. Required for delivery and security. Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Retention: up to 30 days. Transfer to the US on the basis of EU Standard Contractual Clauses.
2.2 Quiz data
When you complete the BuildScore quiz we process your self-reported fitness profile (goal, obstacle, level, training days, equipment, diet, sleep, timeline, commitment) and your biometric inputs (sex, age, weight, height) to calculate your personalized plan. Legal basis: Art. 6(1)(b) GDPR (contract / pre-contractual measures).
2.3 Newsletter signup
We use a double opt-in process. After you submit your email, we send a confirmation link. Your subscription only activates after you click it. We process: first name, email, locale, confirmation status. Legal basis: Art. 6(1)(a) GDPR (consent). Revoke any time via the one-click unsubscribe link in every email.
2.4 Purchase
Payments are processed exclusively by Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Dublin 2, Ireland). We never see your card or bank details. Stripe processes your payment data under its own privacy policy. We receive only a transaction ID, your email, and a success confirmation. Legal basis: Art. 6(1)(b) GDPR (contract).
3. Service providers (data processors)
3.1 Supabase (database)
Supabase, Inc. (970 Toa Payoh N, #07-04, Singapore 318992) — EU region hosting. Stores quiz responses, profile data, plan, newsletter status. Transfer to third countries on the basis of EU Standard Contractual Clauses. Legal basis: Art. 6(1)(b) GDPR with Art. 28 GDPR (data processing agreement).
3.2 Resend (email)
Resend Inc. (2261 Market Street #5039, San Francisco, CA 94114, USA). Delivers confirmation, welcome and follow-up emails. Transfer to the US on the basis of EU Standard Contractual Clauses. Resend logs delivery status, bounces and opens. Legal basis: Art. 6(1)(a) and (b) GDPR.
3.3 Stripe (payments)
See 2.4. Location: Ireland (EU). Legal basis: Art. 6(1)(b) GDPR.
3.4 Plausible (analytics)
Plausible Insights OÜ (Västriku tn 2, 50403 Tartu, Estonia). Privacy-first analytics: no cookies, no personal data, no IP retention. GDPR-compliant and hosted in the EU. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in anonymous aggregate analytics).
4. Retention
- Server logs: up to 30 days
- Quiz and profile data: while your subscription is active, or until unsubscribe + 30 days for abuse protection
- Payment data (our side — transaction ID + entitlement only): 10 years per German tax law (§147 AO)
5. Your rights
You have the following GDPR rights:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction (Art. 18)
- Data portability (Art. 20)
- Objection (Art. 21)
- Withdraw consent (Art. 7(3))
- Complaint to a supervisory authority (Art. 77) — ours: Hamburg Commissioner for Data Protection and Freedom of Information, datenschutz-hamburg.de
Exercise any right informally by emailing hello@buildscore.fit.
6. Cookies and tracking
We set no tracking cookies. Technically necessary cookies are only set where strictly required (e.g. during Stripe checkout). Plausible is cookie-free, so no analytics consent banner is needed.
7. Minors
This service is intended for users aged 16 and above. Under-16 users may only use it with parental or guardian consent.
8. Updates
We update this policy when our technical setup or legal requirements change. The date at the top reflects the current version.