Legal
Privacy Policy
Audience: EU / Portugal consumer app (students, instructors, studios). Supervisory authority: Comissão Nacional de Proteção de Dados (CNPD), Portugal.
1. Who we are
Student Body, Lda. (“Student Body”, “we”, “us”), NIPC 519312708, registered at Rua de Santos Pousada 826, 4000-485 Porto, Portugal, is the controller of the personal data processed through studentbody.pt, app.studentbody.pt, and the Student Body mobile apps (the “Service”).
Contact for any privacy matter or to exercise your rights: hello@studentbody.pt. We have not appointed a Data Protection Officer.
2. The personal data we collect
We collect data you give us, data generated as you use the Service, and a small amount of technical data:
- Identity & contact — name / display name, email address, phone number (if you provide it, e.g. at a walk-in check-in), profile photo, bio, and your chosen public handle.
- Account & authentication — your account identifier and login metadata (authentication is handled by our provider Supabase; we never see your password).
- Location — the city/country and, if you use location features, the approximate coordinates derived from an address you enter, plus your chosen search radius.
- Profile & preferences — interests, languages, accessibility preferences, notification and schedule preferences, appearance settings.
- Bookings & activity — classes you book, attendance, waitlist entries, saved/followed classes, instructors and studios, streaks and milestones.
- Class check-in details — including optional injury notes and experience / “vibe” preferences you choose to share before a class (see §3).
- Content & social — class feedback and ratings (including private comments you leave), direct messages, connections/contacts, and any support messages you send us.
- Payment data — a payment-provider customer reference and the brand, last 4 digits and expiry of a saved card. We never store full card numbers — these are held by our payment processor, Stripe.
- Consent records — your acceptance of the Terms, marketing opt-in choice, and cookie/analytics consent, each with a timestamp (proof of consent).
- Technical & usage data — IP address and device/browser information used to keep the Service secure and working; and, only with your consent, product-analytics events about how you use the app (see §4).
3. How and why we use your data
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Create and run your account; let you book classes; take and refund payments; deliver messages, feedback and bookings | Contract — Art. 6(1)(b) |
| Keep the Service secure, prevent fraud and abuse, debug errors, and improve and develop features | Legitimate interests — Art. 6(1)(f) |
| Send you marketing / promotional emails | Consent — Art. 6(1)(a) (withdrawable any time) |
| Product analytics cookies / tracking | Consent — Art. 6(1)(a) (ePrivacy; via the cookie banner) |
| Keep invoices and accounting records; respond to lawful requests | Legal obligation — Art. 6(1)(c) |
| Process optional injury / health-adjacent check-in notes | Explicit consent — Art. 9(2)(a); collection is clearly optional |
We do not sell your personal data.
4. Cookies & analytics
- Strictly-necessary cookies keep you signed in and the Service secure. These are always on (no consent required).
- Error monitoring (Sentry, hosted in the EU data region) runs to keep the Service stable and secure. It is configured to collect no IP address or personal identifiers and is treated as strictly necessary.
- Analytics (PostHog, hosted in the EU) helps us understand usage. It runs only after you accept via our cookie banner, and sets no cookie before then. You can accept, reject, or change your choice at any time.
5. Who we share your data with (sub-processors)
We share data only with service providers (“processors”) acting on our instructions under data-processing agreements, each only as needed for its function:
| Provider | What it does for us | Where processed / transfer mechanism |
|---|---|---|
| Supabase | Authentication & primary database | Hosted in the EU (AWS eu-central-1, Frankfurt). Supabase, Inc. is US-incorporated; DPA + EU Standard Contractual Clauses. |
| Amazon Web Services | Cloud infrastructure, queues, media/file storage | Hosted in the EU (eu-west-3, Paris). Contracted via AWS EMEA SARL (Luxembourg); DPA. |
| Fly.io | Application / API hosting | Processing in the EU region (Paris, cdg). US-incorporated; EU–US Data Privacy Framework + DPA. |
| Vercel | Web app hosting | Vercel, Inc. (US). EU–US Data Privacy Framework / SCCs. |
| Stripe | Payment processing | Contracted via Stripe Payments Europe, Ltd (Ireland, EU); limited onward transfer to Stripe, Inc. (US) under SCCs. |
| Brevo (Sendinblue) | Transactional & marketing email | EU company (France); data hosted in the EU (France/Germany). |
| PostHog | Product analytics (with consent) | Hosted in the EU (EU Cloud, Frankfurt). US-incorporated; DPA. |
| Sentry | Error monitoring (no end-user PII) | Organisation data region set to the EU. US-incorporated; DPA. |
| Mapbox | Address geocoding / maps | Mapbox, Inc. (US); processes data in the US. EU–US Data Privacy Framework-certified + SCCs. |
If you connect a third-party booking system (e.g. Acuity, BSport, YOGO) as an instructor or studio, we exchange the data needed to sync your classes with that provider, which acts as its own controller.
6. International transfers
Most of your personal data is stored and processed within the European Economic Area: our database (Supabase, Frankfurt), infrastructure and queues (AWS, Paris), application hosting (Fly.io, Paris), product analytics (PostHog, EU), error monitoring (Sentry, EU) and email (Brevo, EU) all process data in the EU.
Several of these providers are nonetheless incorporated in the United States (Supabase, Fly.io, Vercel, PostHog, Sentry). Storing data in an EU region does not, by itself, rule out the possibility that a US parent company could be subject to a US legal request. A small number of providers additionally process data outside the EEA: Mapbox processes geocoding requests in the United States, and Stripe makes limited onward transfers to its US entity.
For every transfer that leaves the EEA — and as a supplementary safeguard for EU-resident data held by US-incorporated providers — we rely on an appropriate mechanism under Chapter V GDPR: the EU Standard Contractual Clauses and/or the provider’s certification under the EU–US Data Privacy Framework, with supplementary measures where needed. You can request details of the safeguard for a specific provider at hello@studentbody.pt.
7. How long we keep your data
| Data | Retention |
|---|---|
| Account & profile, activity, content | While your account is active. When you delete your account, we irreversibly erase or anonymise your personal data (see §8). |
| Messages, feedback, support tickets | With your account, then erased on deletion. |
| Payment, invoicing & accounting records | Retained for the period required by applicable Portuguese tax, accounting, and commercial laws — generally at least 10 years from the end of the calendar year to which they relate. |
| Payment-provider event logs | 90 days |
| Marketing consent records | Kept as proof of consent for the period necessary to demonstrate compliance. |
| Analytics data | Per your consent; cleared if you withdraw consent. |
8. Your rights
You can, at any time: access your data, rectify it, erase it, restrict or object to processing, obtain it in a portable format (portability), and withdraw consent (without affecting processing done before withdrawal).
We have built self-service tools for the two most common requests, in Settings → Account:
- Download my data — a structured (JSON) copy of your personal data (access & portability).
- Delete my account — permanently erases your personal data across our systems and our processors.
You can also edit your profile directly (rectification) and change marketing/cookie consent in settings. For any other request, email hello@studentbody.pt; we respond within one month (Art. 12(3)).
9. Automated decisions & profiling
We use your activity to personalise recommendations and rankings (e.g. classes you might like). This is profiling in the ordinary sense, but we do not make decisions about you that are solely automated and produce legal or similarly significant effects within the meaning of Art. 22.
10. Children
The Service is intended for users aged 16 and over (the age of digital consent in Portugal). We do not knowingly collect data from children under 16; if you believe a child has used the Service, contact us and we will delete the account.
11. Security
We protect your data with encryption in transit, application-level encryption of sensitive fields, access controls, and reputable infrastructure providers. No system is perfectly secure, but we work to protect your data and will notify you and the CNPD of a breach where the law requires.
12. Complaints
You have the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD) (www.cnpd.pt), without prejudice to any other administrative or judicial remedy.
13. Changes
We may update this Policy. The current version is always the one published here; we will flag material changes.