Privacy Policy
Last updated: June 2026. This English text is provided for information only; the German version is legally binding.
1. Controller
Ernest Gaigulo, STRONGFIT Gym (sole trader), Gräfstraße 113, 81241 München · +49 (0) 176 60937184 · info@strongfitgym.de. No data protection officer is required (Art. 37 GDPR); enquiries go directly to the email above.
2. Principles
We process personal data only as necessary to provide a functional website and our services, generally on the basis of consent. Legal bases: Art. 6(1)(a)(b)(c)(f) and Art. 9(2)(a). Data is erased once the purpose lapses, subject to statutory retention (§ 257 HGB, § 147 AO).
3. Hosting (Hetzner)
Hosted with Hetzner Online GmbH, Gunzenhausen, Germany (Nuremberg data centre). Standard server log files are recorded for secure, stable operation only; Art. 6(1)(f). An Art. 28 data processing agreement is in place; processing takes place exclusively within the EU/EEA.
4. Consent management (Cookiebot)
We use Cookiebot by Usercentrics A/S, Copenhagen, Denmark (Art. 28 DPA in place). A consent banner appears on first visit (Necessary, Statistics, Marketing); your choice is stored in the CookieConsent cookie (12 months) and can be withdrawn or changed at any time via the cookie settings. Legal basis: Art. 6(1)(c) together with Art. 7.
5. Contact form
We collect name, email address and your message. To prevent spam and abuse, your IP address is stored only as a salted cryptographic hash (never in clear text). The data is used solely to handle your enquiry; the notification email is sent via Brevo (section 8). Legal basis: Art. 6(1)(b) and (f). Retention: 180 days after handling, subject to statutory periods.
6. Analytics (Google Analytics 4)
We use Google Analytics 4 by Google Ireland Limited, Dublin 4 (parent: Google LLC, USA) only with your consent via the banner. An Art. 28 DPA is in place (Google Ads Data Processing Terms; third-country transfers safeguarded by the EU-US Data Privacy Framework / standard contractual clauses). We use Google Consent Mode: no analytics cookies and no transfer without consent; IP processing is truncated. US transfer to Google LLC under the EU-US DPF. Legal basis: Art. 6(1)(a); withdraw any time via the cookie settings. Privacy: https://policies.google.com/privacy
7. Marketing (Meta Pixel)
The Meta Pixel of Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland is active only once you have given Marketing consent. Purposes: PageView reach measurement of our Facebook/Instagram ads and Lead conversion tracking via our forms. For measurement/analysis Meta Ireland is our processor (Business Tools Terms with the Meta Data Processing Terms); for collecting and transmitting event data we and Meta Ireland are joint controllers (Art. 26 GDPR). US transfer to Meta Platforms, Inc. under the EU-US DPF (plus SCCs). Legal basis: Art. 6(1)(a); withdraw via the cookie settings. Meta privacy: https://www.facebook.com/about/privacy/
8. Newsletter (Brevo)
(Applies once the newsletter sign-up is live.) Sent via Brevo (Sendinblue SAS, Paris, France), EU-based. Collected: email (required), name (optional), sign-up time and IP (consent record). Double opt-in. Unsubscribe any time via the link in every email. Legal basis: Art. 6(1)(a). Retention: until unsubscribe; logs up to 3 years. Art. 28 DPA in place (incl. EU SCCs for any sub-processor transfers).
9. Class booking (Eversports)
Our group-training page embeds a widget of Eversport GmbH, Jakov-Lind-Straße 13, 1020 Vienna, Austria, to display the schedule and book classes. An Art. 28 DPA (AVV) is in place. Loading transmits technical connection data (IP, browser); a booking processes booking data (name, email, possibly payment data). Eversports is EU-based (Austria), but processing partly also takes place in the USA and Canada; an adequate level of protection is ensured by European Commission adequacy decisions (Art. 45 GDPR; Canada and the EU-US DPF). Legal basis: Art. 6(1)(f) display and (b) booking. Privacy: https://www.eversports.com/datenschutz
10. Appointment booking (TidyCal)
For individual and consultation appointments we link to the booking tool of Sumo Group Inc. (d/b/a "TidyCal"), 1305 E. 6th St #3, Austin, TX 78702, USA. The tool is not embedded on our website — it opens only when you actively click the booking button, in a new tab on tidycal.com. Only then is data transmitted to TidyCal: technical connection data (IP, browser) and, for a booking, the booking details (name, email, appointment details). As TidyCal is US-based this involves a third-country transfer to the USA; the specific safeguard (standard contractual clauses or the EU-US Data Privacy Framework) is currently under review. Legal basis: Art. 6(1)(b) (booking / pre-contractual measures) and (f) (providing the booking function). DPA: https://tidycal.com/dpa
11. Google Reviews
Customer reviews may be displayed, provided by Google Ireland Limited, Dublin 4 (parent: Google LLC, USA). Where reviews are rendered server-side, no data is transmitted to Google on page load. Where embedded content loads client-side, IP and device information are transmitted to Google; US transfer under the EU-US DPF. Legal basis: Art. 6(1)(f). Privacy: https://policies.google.com/privacy
12. Error monitoring (Sentry)
To ensure stable operation and diagnose errors we use Sentry (Functional Software, Inc., EU region). Technical error data is processed (e.g. URL, browser type, time, error details). Collection of personal data is disabled (no PII); sensitive fields are scrubbed server-side. A signed Art. 28 DPA is in place (EU-region storage; any third-country transfers safeguarded by the EU-US DPF and SCCs). Legal basis: Art. 6(1)(f).
13. Payments (Stripe / PayPal)
For paid bookings and memberships we use Stripe Payments Europe Ltd. (Dublin, Ireland) and PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg). PayPal is currently embedded technically via Stripe. On payment, the relevant data (name, email, payment method, amount) is transmitted directly to the respective provider, which processes it as an independent controller under its own terms. Card data is never stored on our servers (Stripe: SAQ A). Any third-country transfers occur under the respective safeguards (EU SCCs or the EU-US DPF). Legal basis: Art. 6(1)(b) and (f). Privacy: https://stripe.com/privacy · https://www.paypal.com/de/legalhub/privacy-full
14. Your rights
Access (Art. 15), rectification (16), erasure (17), restriction (18), portability (20), objection (21), and withdrawal of consent with future effect (Art. 7(3); cookie consents via the cookie settings). Right to complain (Art. 77): Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 27, 91522 Ansbach, poststelle@lda.bayern.de, https://www.lda.bayern.de
15. Privacy contact
Ernest Gaigulo — STRONGFIT Gym, Gräfstraße 113, 81241 München · info@strongfitgym.de. We respond without undue delay, at the latest within one month (Art. 12(3)).
16. Changes to this policy
We adapt this policy when legal requirements change or new services are added; the currently published version applies. As of June 2026 | STRONGFIT Gym, München
Cookie declaration
The cookies and tracking technologies currently used on this site, kept up to date automatically by our consent tool (Cookiebot).