Last updated: February 25, 2026
At TheBJJ.app, we believe your training data is yours and yours alone. We are committed to protecting your privacy and being transparent about how we handle your information. This Privacy Policy explains what data we collect, how we use it, and your rights under the EU General Data Protection Regulation (GDPR).
The data controller responsible for your personal data is TheBJJ.app, operated by an individual entrepreneur based in Spain.
Legal name: [REPLACE WITH LEGAL NAME / AUTONOMO NAME]
Trade name: TheBJJ.app
Email: gldev@tuta.io
Postal address: [REPLACE WITH FULL POSTAL ADDRESS], Spain
Tax/registration ID (if applicable): [REPLACE WITH NIF/CIF OR "N/A"]
Replace bracketed placeholders before public launch so this section fully satisfies GDPR Art. 13(1)(a).
When you create an account, we collect:
To provide you with BJJ insights, we store the data you choose to input:
This data is voluntarily provided by you and is essential for the app's core functionality.
Partner data notice: If you store data about training partners, you are responsible for ensuring they are aware that you are recording this information in your private training log.
For security and app functionality, we automatically collect:
We use your data exclusively for the following purposes:
What We DON'T Do
We do not sell, rent, or share your personal data with third parties for marketing purposes. Your training data is never used for advertising or sold to data brokers.
Under GDPR, we process your personal data based on:
We do not sell your data. We only share data with:
We use the following providers to operate the service. The table includes what data each provider receives and the transfer safeguards used.
| Provider | Country | Data Received | Transfer Safeguard | DPA |
|---|---|---|---|---|
| Hetzner Online GmbH | Germany / Finland (EU) | Application data, backups, infrastructure logs | EU-only hosting for core infrastructure (no Chapter V transfer for this processing) | Available on request |
| Resend, Inc. | United States | Email address, first name, transactional email metadata | EU-US Data Privacy Framework (where applicable) and Standard Contractual Clauses (SCCs) | View DPA |
| Paddle.com Market Limited | United Kingdom / United States | Billing identity and transaction metadata; card data is processed directly by Paddle | UK adequacy decision for UK transfers plus contractual safeguards (including SCCs where required) for onward transfers | Available on request |
| Simple Analytics B.V. | Netherlands (EU) | Cookieless aggregated page usage and referrer data | EU processing; no advertising cookies or ad-tech identifiers | View DPA |
We maintain processor agreements with our service providers and review provider transfer mechanisms periodically.
Note on Payment Data: Paddle acts as Merchant of Record and independent data controller for payment card details, billing address, and payment transaction records. TheBJJ.app does not receive or store full payment card data.
We may disclose your data if required by law, court order, or to protect our legal rights.
We apply the following retention periods:
| Data Category | Retention Period |
|---|---|
| Account & profile data | Until account deletion |
| Training data (techniques, sessions, goals, partners) | Until account deletion |
| Login sessions (IP address, user agent) | 60 days, auto-purged |
| Subscription and billing records | Until account deletion (subject to legal/tax obligations) |
| Application backups | Up to 30 days after deletion |
| Email delivery logs (Resend) | Per Resend retention policy |
As a user in the EU, you have the following rights:
Right to Access (Art. 15)
You can request a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
You can correct any inaccurate or incomplete data in your account settings.
Right to Erasure (Art. 17)
You can request deletion of your account and all associated data at any time.
Right to Data Portability (Art. 20)
You can export your data in a machine-readable format to transfer to another service.
Right to Object (Art. 21)
You can object to processing based on legitimate interests.
Right to Restrict Processing (Art. 18)
You can request that we limit how we use your data in certain circumstances.
Right to Lodge a Complaint
You can file a complaint with your local data protection authority.
To exercise any of these rights, contact us at gldev@tuta.io. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. If your main residence is in Spain, the competent authority is Agencia Espanola de Proteccion de Datos (AEPD): https://www.aepd.es. You may also contact the supervisory authority in your EU/EEA country of residence.
We use essential cookies only to keep you logged in and ensure the app functions properly:
We do not use third-party tracking cookies or advertising cookies.
We implement industry-standard measures to protect your data:
No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
Your data is primarily stored in the EU (Hetzner infrastructure in Germany/Finland). Some providers process limited personal data outside the EU/EEA:
You can request more information about the specific transfer safeguards by contacting gldev@tuta.io.
Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at gldev@tuta.io.
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
Your continued use of the service after changes become effective constitutes your acceptance of the updated policy.
If you have any questions about this Privacy Policy or how we handle your data:
Email: gldev@tuta.io
Data Protection Officer: gldev@tuta.io
At TheBJJ.app, your privacy is paramount. We:
Your training journey is personal. We're here to help you improve, not to monetize your data.