Privacy Policy

Last updated: March 23, 2026

1. Controller & Contact

SpinningFlow is operated by Stephan Gensch from Potsdam, Brandenburg, Germany. If you have questions about data processing, contact us at:

office@stephan-gensch.net

2. Hosting & Infrastructure

This application is hosted on Hetzner Online GmbH servers located in Nuremberg, Germany (EU). All data remains within the European Union.

Hetzner's data processing practices comply with the GDPR. Their privacy policy is available at hetzner.com/de/legal/privacy-policy.

3. Data We Collect

Data | Details | Purpose
Account data | Email address, name, fitness level | Account creation & login
Authentication | Hashed password, session tokens | Secure access
Workout plans | Plans, segments, duration, intensity settings | Providing the service
Server logs | IP address, browser info, timestamps | Security & troubleshooting (auto-deleted after 30 days)

4. Legal Basis (Art. 6 GDPR)

  • Contract performance (Art. 6(1)(b)) — Processing your account and workout data is necessary to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)) — Server logs for security monitoring and abuse prevention.

6. Data Sharing

We do not sell, rent, or share your personal data with third parties, except:

  • Hetzner Online GmbH (hosting provider, Nuremberg, Germany) — data processor under a DPA compliant with Art. 28 GDPR.

7. Data Retention

  • Account data is retained as long as your account exists.
  • Server logs are automatically deleted after 30 days.
  • When you delete your account, all personal data (plans, segments, tokens) is permanently erased from our database.

8. Your Rights (Art. 15–21 GDPR)

You have the right to:

  • Access your stored personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data ("right to be forgotten", Art. 17)
  • Restrict processing (Art. 18)
  • Receive your data in a machine-readable format (data portability, Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time

To exercise any of these rights, email office@stephan-gensch.net. We will respond within 30 days.

9. Cookies & Tracking

SpinningFlow uses only essential session cookies required for authentication and CSRF protection. We do not use analytics cookies, tracking pixels, or any third-party tracking.

10. Data Security

All data is transmitted over TLS (HTTPS). Passwords are hashed using bcrypt. Authentication tokens are signed with HMAC-SHA256. The database is not publicly accessible and is restricted to the application server.

11. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The competent authority for our hosting location is:

Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg (LDA Brandenburg)
Stahnsdorfer Damm 77, 14532 Kleinmachnow, Germany
www.lda.brandenburg.de