Privacy Policy
Last updated: 10 May 2026
Effective from: [EFFECTIVE DATE]
This Privacy Policy explains how [YOUR LEGAL NAME], an individual sole trader (egyéni vállalkozó) registered in Hungary (registration number [REGISTRATION NUMBER], address [YOUR ADDRESS]), trading as GG’S — Grind & Growth Society (“GG’S”, “we”, “us”, “our”) collects, uses, shares and protects your personal data when you use the GG’S mobile application, the website at [YOUR WEBSITE], and any related services (together, the “Service”).
We are the data controller for the personal data described in this Policy, within the meaning of the EU General Data Protection Regulation (GDPR) and Hungarian Act CXII of 2011 on Informational Self-Determination and Freedom of Information.
For any privacy question, contact us at [YOUR EMAIL].
1. Summary
In short:
- We collect only what we need to run a small, members-only fitness community.
- We never sell your data and we don’t run advertising on the Service.
- We use a small number of trusted sub-processors (Supabase, Stripe, Strava, Google, Apple) and we tell you who they are below.
- You can read, correct, export and delete your data at any time. The full Delete-Account flow is available in Profile → Settings.
2. Who can use the Service
The Service is for adults aged 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.
3. What we collect
3.1 Information you give us
- Account data: full name, email address, password (stored only as a hash, never in plaintext), profile photo
- Membership data: subscription status, founding-member flag, member-since date, your chosen calendar accent colour
- Payment data: Stripe customer ID. We do not receive or store full card numbers; payment details are handled directly by Stripe (or Apple/Google for in-app purchases).
- Activity data: which sessions you tap “I’M IN” on, your registrations, your activity log entries
- Chat content: messages you post in the in-app community chat
3.2 Information collected automatically
- Device & technical: device model and OS version (via Capacitor / native APIs), app version, language
- Authentication metadata: sign-in timestamps, IP address at time of sign-in (held by Supabase Auth for security)
- Diagnostic logs: crash reports, error logs (kept short-term to fix bugs)
We do not use third-party analytics or advertising SDKs (no Google Analytics, no Facebook Pixel, no AppsFlyer, etc.).
3.3 Information from third-party integrations (only if you connect them)
- Strava
  What we receive: your Strava athlete ID, recent activities (type, distance, duration, time)
  What we write: optionally, activities you complete in GG’S sessions
- Google Calendar
  What we receive: permission to add events to your calendar
  What we write: sessions you join, with title, time and location
- Apple Calendar (via Capacitor)
  What we receive: permission to add events to your device calendar
  What we write: sessions you join, with title, time and location
You authorise these integrations explicitly, and you can disconnect them at any time from your profile or from the third party itself.
4. Why we use your data and the legal basis
Each purpose is listed with its legal basis under GDPR Art. 6:
- Create and operate your account; deliver the Service: contract (Art. 6(1)(b))
- Process your subscription, take payment, manage refunds: contract and legal obligation (tax/accounting) (Art. 6(1)(b) and (c))
- Show you who is attending sessions and run the community chat: contract (Art. 6(1)(b))
- Send you transactional notifications (e.g. session reminders, account or payment changes): contract (Art. 6(1)(b))
- Connect to Strava / Google Calendar / Apple Calendar: consent that you give when authorising the integration (Art. 6(1)(a)), withdrawable at any time
- Keep the Service safe, secure and free of abuse, and diagnose bugs: legitimate interests (Art. 6(1)(f))
- Comply with Hungarian and EU law (e.g. tax, accounting, responding to lawful requests): legal obligation (Art. 6(1)(c))
We do not use your data for automated decision-making, including profiling, that produces legal or similarly significant effects on you (GDPR Art. 22).
5. Who we share your data with
We only share data with the parties below, and only for the purposes described.
5.1 Sub-processors
- Supabase, Inc. (and its EU sub-processors)
  What they do for us: database, authentication, file storage (avatars), realtime chat backend
  Where the data is hosted: EU region (Frankfurt); see Supabase’s DPA
- Stripe Payments Europe, Ltd.
  What they do for us: web subscription payments and billing
  Where the data is hosted: EU + USA (transfer protected by Standard Contractual Clauses)
- Strava, Inc.
  What they do for us: activity sync (only if you connect)
  Where the data is hosted: USA (transfer protected by Standard Contractual Clauses)
- Google LLC
  What they do for us: Sign in with Google; Google Calendar integration (only if you connect); Firebase Cloud Messaging for Android push notifications (only if you opt in, see section 10)
  Where the data is hosted: EU + USA
- Apple Inc.
  What they do for us: App Store distribution and in-app purchases (iOS); Apple Push Notification service (only if you opt in, see section 10); Apple Calendar via the device’s native calendar store
  Where the data is hosted: EU + USA
- Hosting provider for the website ([HOSTING PROVIDER])
  What they do for us: static hosting of [YOUR WEBSITE]
  Where the data is hosted: [REGION]
We have data processing agreements in place with each sub-processor that handles personal data on our behalf.
5.2 Other community members
The following information is visible to other signed-in GG’S members:
- Your name, profile photo and member-since date;
- Whether you are attending a given session (“People going” avatars);
- Messages you post in the community chat.
Nothing else is shared with other members.
5.3 Authorities
We will disclose personal data if compelled to by Hungarian or EU law, a court order, or an otherwise lawful request from a public authority.
5.4 Business transfers
If we ever sell, merge or restructure the GG’S business, your data may be transferred to the new entity. We will notify you in advance.
We do not sell or rent your personal data and we do not share it for cross-context behavioural advertising.
6. International data transfers
Some of our sub-processors are based outside the EEA (notably in the United States). When personal data leaves the EEA we rely on the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework, supplemented with appropriate technical measures (e.g. encryption in transit and at rest).
You can request a copy of the SCCs by emailing [YOUR EMAIL].
7. How long we keep your data
- Account & profile: while your account is active; deleted within 30 days of account deletion.
- Chat messages: while your account is active, or until you delete each message; removed from the visible thread within 30 days of account deletion.
- Event registrations & activity log: while your account is active; deleted within 30 days of account deletion.
- Payment records (invoices, receipts): 8 years after the calendar year of issue, as required by the Hungarian Accounting Act (Act C of 2000), even after account deletion.
- Authentication logs (IP, sign-in times): up to 90 days, as held by Supabase Auth.
- Backups: up to 30 days after deletion, on a rolling basis, for disaster recovery.
8. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data (you can edit your name from Profile → Settings);
- Erase your data (“right to be forgotten”): use Profile → Settings → Delete account, which removes your live account data immediately (backup copies expire within 30 days and payment records are kept for as long as the law requires; see section 7), or email us;
- Restrict or object to certain processing;
- Data portability: receive your data in a structured, commonly used, machine-readable format;
- Withdraw consent at any time where processing is based on consent (e.g. integrations), without affecting the lawfulness of processing carried out before withdrawal;
- Lodge a complaint with the Hungarian Data Protection Authority:
  Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
  1055 Budapest, Falk Miksa utca 9-11.
  Web: https://www.naih.hu
  Phone: +36 1 391 1400
To exercise any of these rights, contact us at [YOUR EMAIL]. We will respond within one month of receiving your request, as required by GDPR Art. 12(3). We may first ask you to confirm your identity (for example by writing from the email address registered to your account) so that we do not disclose or delete someone else’s data.
9. Cookies and local storage
The web app uses local storage in your browser to keep you signed in (Supabase auth tokens) and to remember small UI preferences (e.g. whether you have completed the walkthrough). It does not use tracking cookies or third-party advertising cookies.
The mobile app uses the device’s secure storage for the same purpose.
10. Push notifications
If you opt in, we send transactional push notifications such as session reminders or chat mentions through Apple Push Notification service (iOS) and Firebase Cloud Messaging (Android). You can disable notifications at any time in your device settings.
11. Security
We protect your data with industry-standard measures:
- All data in transit is encrypted with TLS;
- All data at rest in Supabase is encrypted;
- Passwords are stored only as salted hashes, never in plaintext;
- Access to production systems is limited to the people who need it and protected by multi-factor authentication;
- Database row-level security policies restrict each member to reading and modifying their own records; the only exception is the profile, attendance and chat data that is deliberately visible to other signed-in members (see section 5.2), which other members can read but not change.
No system is perfectly secure. If we experience a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the NAIH within 72 hours of becoming aware of it (GDPR Art. 33). If the breach is likely to result in a high risk to you, we will also inform you directly without undue delay (GDPR Art. 34).
12. Children
The Service is not directed at children under 18, and we do not knowingly collect personal data from anyone under that age. If you become aware that someone under 18 has provided us with personal data, please contact us and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The date at the top of this Policy will always reflect the most recent version.
14. Apple-specific privacy disclosures
For App Store submission (“App Privacy” labels), the data we collect maps to the following Apple categories. Each entry gives the data type, whether it is linked to your identity, and whether it is used for tracking.
- Contact info: name, email. Linked to user: yes. Used for tracking: no.
- Identifiers: user ID (Supabase auth UID). Linked to user: yes. Used for tracking: no.
- Financial info: subscription status, Stripe customer ID (no card data). Linked to user: yes. Used for tracking: no.
- User content: chat messages, avatar photo. Linked to user: yes. Used for tracking: no.
- Health & fitness: Strava activity data (only if connected). Linked to user: yes. Used for tracking: no.
- Usage data: event registrations, attendance. Linked to user: yes. Used for tracking: no.
- Diagnostics: crash logs. Linked to user: no. Used for tracking: no.
We do not use any data for tracking across other companies’ apps or websites.
15. Contact
- Email: [YOUR EMAIL]
- Address: [YOUR ADDRESS]
- Hungarian DPA (NAIH): https://www.naih.hu
Note: This document is provided as a comprehensive starting point tailored to the GG’S app and its actual data flows. It is not legal advice. Before publishing, please have a Hungarian-qualified lawyer or DPO review it, confirm the placeholders, the retention periods, and the sub-processor list against your final production setup, and verify the Apple “App Privacy” mapping matches what you declare in App Store Connect.
Grind & Growth Society
Budapest · Est. 2026