GDPR Compliance
Last updated: March 25, 2026
Your Rights at a Glance
- • You have the right to access, correct, and delete your personal data
- • You can request a portable copy of your data at any time
- • You may object to or restrict processing of your data
- • You can withdraw consent at any time without affecting prior processing
- • You have the right to lodge a complaint with a supervisory authority
1. Our Commitment
BuildTeam Inc., operating as Flowtropy is committed to complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws. We process personal data lawfully, fairly, and transparently, and only for specified, explicit, and legitimate purposes.
2. Controller and Processor Roles
Flowtropy acts as a data processor on behalf of fitness studios (the data controllers) that use our platform to manage their members, bookings, and operations. When you sign up as a member of a studio, the studio is the data controller for your membership data, and Flowtropy processes that data on their behalf.
For platform-level data (your account, authentication, and direct interactions withFlowtropy), we act as the data controller.
If your request relates to your relationship with a specific studio, that studio may be the right first point of contact. If your request relates to your account with us, platform security, billing, or a direct interaction with Flowtropy, please contact us through our contact form.
3. Lawful Basis for Processing
We process your personal data based on one or more of the following legal bases:
| Legal Basis | Examples |
|---|---|
| Contract Performance | Processing bookings, managing subscriptions, providing class schedules |
| Consent | Marketing emails, push notifications, health data integration, community features |
| Legitimate Interest | Platform security, fraud prevention, analytics, service improvements |
| Legal Obligation | Tax records, financial reporting, responding to legal requests |
4. Your Rights Under GDPR
4.1 Right of Access
You have the right to request a copy of the personal data we hold about you. You can access most of your data directly through your account settings. For a complete data export, please use our contact form.
4.2 Right to Rectification
You can update your personal information at any time through your account settings (profile, contact details, preferences). If you cannot correct the data yourself, contact us and we will update it within 30 days.
4.3 Right to Erasure
You have the right to request deletion of your personal data. When you delete your account, we immediately anonymize all personally identifiable information (name, email, phone, avatar). Anonymized data retained for aggregate analytics cannot be linked back to you. See our deletion request form for help.
4.4 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Contact us to request a data export, and we will provide your data in JSON or CSV format within 30 days.
4.5 Right to Restrict Processing
You can request that we restrict processing of your personal data in certain circumstances — for example, while we verify the accuracy of your data following a rectification request.
4.6 Right to Object
You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You can always object to direct marketing — use the unsubscribe link in any email or update your notification preferences in settings.
4.7 Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time. This does not affect the lawfulness of processing prior to withdrawal. You can withdraw consent by adjusting settings (notifications, marketing) or by contacting us.
5. Data We Collect
For a detailed breakdown of the personal data we collect, how we use it, and how long we retain it, please refer to our Privacy Policy. In summary, we collect:
- Account data — name, email, phone, profile photo
- Usage data — bookings, check-ins, feedback, messages
- Health data — only if you connect a wearable device (opt-in)
- Payment data — processed by Stripe; we do not store card numbers
- Technical data — IP address, browser type, device info (for security and analytics)
6. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected. When you delete your account:
- Personal data is anonymized immediately
- Active subscriptions are cancelled immediately
- Backup data is purged within 90 days
- Financial records required by law are retained for the legally required period (typically 7 years)
7. International Data Transfers
Our servers are located in the United States (Google Cloud Platform). If you are located in the European Economic Area (EEA), UK, or Switzerland, your data is transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and additional security measures to ensure adequate protection of your data during transfer.
8. Privacy Team Contact
For GDPR-related inquiries, data access requests, or to exercise any of your rights, contact our Privacy Team:
Contact: Contact Form
Entity: BuildTeam Inc.
Address: 262 Chapman Rd, Ste 240, Newark, DE 19702
We will respond to all requests within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
9. Supervisory Authority
If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU/EEA supervisory authorities can be found on the European Data Protection Board website.
10. Sub-Processors
Our current third-party sub-processors include the following providers used to deliver our Services:
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure, storage, database | US |
| Stripe | Payment processing | US |
| Firebase (Google) | Push notifications | US |
| OpenAI | AI features (feedback analysis, content generation) | US |
| Twilio / SendGrid | SMS and email delivery | US |
11. Changes to This Policy
We may update this GDPR page as our practices or legal requirements change. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top reflects the most recent revision.