Privacy Policy
Last updated: March 16, 2026
1. Data Controller
The data controller for this service is CodeView, Lda, a company registered in Portugal. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.
2. Data We Collect
We collect and process the following categories of personal data:
Account Information
- Email address (required for authentication)
- First name and last name
- Phone number (optional)
- Date of birth (optional)
- Profile photo (optional)
- Language preference
Fitness Data
- Workout scores and personal records
- Class booking and attendance history
- Weight and height (optional, for workout tracking)
Technical Data
- Device push notification tokens (for Expo Push Notifications)
- Authentication tokens and session data
- IP address and browser/device information (collected automatically)
3. Legal Basis for Processing
We process your data based on the following legal grounds under Article 6 of the GDPR:
- Contract performance — to provide the Service you signed up for (account management, class bookings, workout tracking)
- Legitimate interest — to improve our Service, prevent fraud, and ensure security
- Consent — for optional features such as push notifications and marketing communications
- Legal obligation — to comply with tax, accounting, and other legal requirements
4. How We Use Your Data
- To create and manage your account
- To enable class scheduling, booking, and attendance tracking
- To display workout scores and community leaderboards within your box
- To send push notifications about class reminders, booking confirmations, and box updates
- To process membership payments via Stripe and MB WAY
- To provide box owners with aggregated analytics and reports
- To maintain the security and integrity of the Service
5. Data Sharing and Third Parties
We share your data with the following third-party service providers, who act as data processors on our behalf unless stated otherwise:
Supabase (database and authentication)
Stores account data, profiles, bookings, and workout data on servers located in the EU. Supabase processes this data only on our behalf and on our instructions, as a data processor.
Stripe (payment processing)
Processes membership payments. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
Expo (push notifications)
Delivers push notifications to your device. Only your device token and notification content are shared.
Vercel (web hosting)
Hosts the web application. May process IP addresses and request metadata.
We do not sell your personal data. We do not share your data with third parties for marketing purposes. Your data within a box is visible to the owner and coaches of that box as necessary to operate the gym.
6. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes (e.g., payment records for tax compliance, retained for up to 10 years as required by Portuguese law).
7. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restrict processing — limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — withdraw consent at any time (e.g., push notifications)
To exercise any of these rights, contact us at privacy@box-mate.com. We will respond without undue delay and in any event within one month, as required by Article 12 of the GDPR. You also have the right to lodge a complaint with the Portuguese data protection authority (CNPD — Comissão Nacional de Proteção de Dados).
8. International Data Transfers
Your data is primarily stored within the European Union (Supabase EU region). Where data is transferred outside the EEA (e.g., Expo push notification servers in the US), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Data Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), encrypted storage at rest, row-level security policies in our database so that users can only read and write the rows they are entitled to, authentication with salted password hashing, and regular security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
10. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If a box owner creates an account for a minor, they must have verifiable parental consent. If we learn that we have collected data from a child under 16 without consent, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect.
12. Contact
For privacy-related inquiries or to exercise your data rights:
CodeView, Lda
Email: privacy@box-mate.com