1. Who we are
UNBROKEN is a SaaS management platform for CrossFit, Hyrox, Weightlifting, Yoga and Pilates boxes. This policy explains how we collect, use and protect your personal data.
Service publisher: Dimitri Klopfstein, sole proprietor, registered with the French National Business Register under SIREN number 792 791 329 (SIRET 792 791 329 00016), registered office at 03 chemin du Presbytère, 31450 Donneville, France.
Contact: contact@unbrokenbox.app
2. Data collected and purposes
We only collect data necessary for the service to operate. Here is what, why, and on what legal basis:
| Data | Purpose | Legal basis |
| --- | --- | --- |
| Email, name, password | Account creation and access | Contract performance |
| Box name, slug, branding (logo, color) | Box workspace configuration | Contract performance |
| Member data (first name, last name, email, photo, level, age) | Box community management by the owner | Owner's legitimate interest / Contract performance |
| Sports performance (scores, PRs, WODs) | Progress tracking and leaderboards | Contract performance |
| Payment data (card token, subscription ID) | Billing and subscription management | Contract performance |
| Email preferences (monthly recap opt-in) | Sending consented communications | Consent |
| Anonymous usage statistics (Plausible) | Audience measurement and service improvement | Legitimate interest |
| Technical and error logs | Security and debugging | Legitimate interest |
3. Data processors (GDPR article 28)
To provide the service, we use technical sub-processors. All are bound by a Data Processing Agreement (DPA) and provide GDPR-compliant security guarantees:
| Processor | Purpose | Location |
| --- | --- | --- |
| Supabase | Database hosting, authentication, file storage | Germany (Frankfurt) - EU |
| Vercel | Application and cron jobs hosting | EU region configured |
| Lemon Squeezy | Payment and subscription processing | USA - Standard Contractual Clauses |
| Resend | Transactional emails and monthly recaps | USA - Standard Contractual Clauses |
| Plausible Analytics | Cookieless audience statistics | Germany - EU |
Transfers outside the EU (USA) are governed by the European Commission's Standard Contractual Clauses, which require processors to provide a level of protection equivalent to the GDPR.
4. Cookies and trackers
UNBROKEN uses only strictly necessary cookies for the service to operate (authentication session, theme preferences, etc.). No third-party tracking or advertising cookies are placed.
Our audience measurement tool Plausible Analytics is cookieless: it places no cookie or persistent identifier. No consent banner is therefore required under CNIL deliberation n° 2020-091.
5. Retention periods
| Data | Retention period |
| --- | --- |
| Active account (owner or coach) | Duration of the contract + 1 month |
| Member account | As long as the owner does not suspend the member |
| Data after account deletion | Immediate erasure (cascade DB) |
| Billing data | 10 years (legal accounting obligation) |
| Technical and audit logs | 12 months maximum |
| Supabase backups | 30 days, then automatic purge |
| Archived monthly recaps | 13 months (1 year + current month) |
6. Your rights
In accordance with the GDPR, you have the following rights regarding your personal data:
- Right of access (article 15): retrieve all your data from your dashboard via Settings > My account > My data > Download my data (JSON).
- Right of rectification (article 16): modify your box or profile information directly from the dashboard.
- Right of erasure (article 17): delete your account and all associated data from Settings > My account > Danger zone > Delete my account. The action is irreversible and propagates deletion across all your data.
- Right to portability (article 20): the exported JSON file is structured and usable by other services.
- Right to object (article 21): disable email communications (monthly recap) by unchecking the opt-in on each member's profile.
- Right to lodge a complaint with the CNIL (French data protection authority) if you believe your rights are not being respected.
For any question or to exercise a right, write to us at contact@unbrokenbox.app. We respond within 30 days maximum.
7. Security
We implement the following technical and organizational measures to protect your data:
- Communications encryption (HTTPS/TLS 1.3)
- Encryption at rest (Supabase)
- Strong authentication (bcrypt-hashed passwords, Google OAuth)
- Row Level Security (RLS) at the database level
- Daily automatic backups at Supabase EU
- Data access strictly limited to authorized personnel
8. Member data (owner role)
If you are an owner or coach of a box, you collect and process your members' data. In this regard, you are the data controller within the meaning of the GDPR for this data. UNBROKEN acts as a data processor within the meaning of article 28.
As an owner, you undertake to:
- Inform your members of the collection and processing of their data
- Obtain their consent for optional communications (monthly recap)
- Allow each member to exercise their rights (access, rectification, deletion) - UNBROKEN provides you with the necessary tools from the dashboard
- Suspend or delete a member who requests it
9. Changes
This policy may be updated. Significant changes will be notified by email to owners and displayed on this page with a new update date. Continued use of the service after notification constitutes acceptance of the new policy.