Privacy Policy

1. Data We Collect

We collect the following categories of personal data:

• Account information: Name, email address, and profile photo (avatar) that you provide during registration or profile setup.
• Attendance data: Check-in history, timestamps, and check-in method (NFC or QR). This data powers your streak tracking, belt progression, and gym attendance analytics.
• NFC tag identifiers: When you check in via NFC, the tag's unique identifier is processed and stored exclusively as a SHA-256 cryptographic hash. We never store raw NFC tag identifiers.
• Push notification tokens: Device-specific tokens generated by the operating system to deliver notifications such as streak reminders and class alerts.
• Device information: Device type, operating system version, and app version, collected for crash reporting and compatibility purposes.

2. How We Use Your Data

We use your personal data for the following purposes:

• Attendance tracking: Recording and displaying your gym check-ins, training streaks, and class history.
• Belt progression: Calculating and displaying your progress toward belt promotions based on attendance milestones.
• Gym administration: Enabling gym owners and coaches to view aggregated attendance analytics, manage members, and monitor gym activity.
• Notifications: Sending streak reminders, class alerts, subscription reminders, and milestone celebrations.
• Service improvement: Diagnosing crashes, analyzing usage patterns, and improving app performance.

3. Lawful Basis for Processing (GDPR)

We process your personal data under the following legal bases:

• Performance of a contract: Processing your attendance data is necessary to provide the streqo service you signed up for.
• Legitimate interests: Crash reporting and service improvement, where such processing does not override your fundamental rights and freedoms.
• Consent: Push notifications are sent only with your explicit permission, which you can revoke at any time through your device settings or the app's notification preferences.

4. Data Storage and Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encrypted storage, secure authentication (PKCE flow), and strict access controls.

5. Third-Party Services

We share data with the following third-party service providers, solely for the purposes described:

• Supabase (database and authentication) — Stores your account information, attendance data, and gym configuration. Supabase is SOC 2 Type II compliant.
• Expo (push notifications) — Receives your push notification token to deliver notifications to your device. No personal data beyond the token is shared.
• Sentry (crash reporting) — Receives anonymized crash reports and device information to help us diagnose and fix issues. No personally identifiable information is intentionally sent to Sentry.

We do not sell, trade, or rent your personal data to any third party.

6. Data Retention

Your personal data is maintained for as long as your account is active. When you delete your account through the in-app account deletion feature:

• Your profile data (name, email, avatar) is immediately anonymized.
• Your push notification tokens are permanently deleted.
• Your check-in history is retained in anonymized form for gym statistical records, but is no longer linked to your identity.
• An audit log entry is created with only a cryptographic hash of your user ID for compliance purposes.

7. Your Rights Under GDPR

As a user in the European Union, you have the following rights regarding your personal data:

• Right of access: You can view all your personal data directly within the app (profile screen and check-in history).
• Right to rectification: You can update your display name and avatar at any time through the app's profile screen.
• Right to erasure: You can delete your account at any time using the in-app "Delete Account" feature, which anonymizes your data as described in Section 6.
• Right to data portability: You may request a copy of your personal data in a structured, machine-readable format by contacting us at the email address below.
• Right to restriction of processing: You may request that we limit how we process your data under certain circumstances.
• Right to object: You may object to the processing of your data based on our legitimate interests.
• Right to withdraw consent: Where processing is based on consent (e.g., push notifications), you can withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@streqo.com. We will respond to your request within 30 days as required by GDPR.

You also have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) if you believe your data protection rights have been violated.

8. Children's Privacy

streqo is not designed for or directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the app or by other appropriate means. The "Last updated" date at the top of this page reflects when the policy was most recently revised.

10. Contact Us

If you have questions about this Privacy Policy or your personal data, contact us at:

Email: hello@streqo.com