1. Who are we?
Sport-Buddy.com is operated by ScoorOnline.be, based in Belgium. Sport-Buddy.com is a sports platform offering tools for Hyrox analysis, training planning, and personal sports coaching.
Data Controller:
ScoorOnline.be
Contact: via our contact form
Supervisory authority: Belgian Data Protection Authority (GBA).
2. What data do we collect?
Account data
- First and last name
- Email address
- Password (hashed — never stored in readable form)
- Date of birth (optional)
- Profile picture (optional)
Sports performance & health data
- Hyrox race results
- Training activities (synced via Strava or manually uploaded)
- Body measurements (weight, height, etc. — optional)
- Heart rate zones (optional)
Technical data
- IP address (via server logs)
- Browser and device information
- Cookie preferences
Third-party data
- When signing in via Google: name and email from your Google account
- When connecting Strava: activity data from Strava
3. Why do we process your data?
| Purpose | Legal basis |
|---|
| Creating and managing your account | Performance of contract (Art. 6(1)(b) GDPR) |
| Hyrox analysis and AI reports | Performance of contract |
| Syncing Strava activities | Consent (Art. 6(1)(a) GDPR) |
| Analytics (Google Tag Manager) | Consent (Art. 6(1)(a) GDPR) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f) GDPR) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
4. How long do we keep your data?
- Account data: for as long as your account is active, plus 2 years after last use.
- Activity and training data: for as long as your account is active.
- Server logs: maximum 90 days.
- Analytics cookies: per Google Analytics policy (maximum 26 months).
5. Who do we share your data with?
- OpenAI: when generating AI reports, your sports performance data (anonymised) is sent to the OpenAI API. OpenAI processes this data according to their privacy policy.
- Google: analytics via Google Tag Manager and Google Sign-In. See Google's privacy policy.
- Strava: when connected, activities are fetched via the Strava API. See Strava's privacy policy.
- Hosting provider: our server processes your data on secure EU infrastructure.
We never sell your data to third parties.
6. Your rights
Under GDPR you have the following rights:
- Access: you can request a copy of your data.
- Rectification: you can correct inaccurate data via Settings.
- Erasure ("right to be forgotten"): you can request deletion of your account and all associated data.
- Portability: you can request your data in a machine-readable format (JSON).
- Objection: you can object to processing based on legitimate interest.
- Withdrawal of consent: you can withdraw consent for analytics or Strava connection at any time.
Submit your request via the contact form. We respond within 30 days.
7. Cookies
We use the following types of cookies:
| Cookie | Type | Purpose |
|---|
| Session cookie | Necessary | Keeping you logged in |
| CSRF token | Necessary | Form security |
| sb_cookie_consent | Functional | Storing your cookie preference |
| Google Analytics / GTM | Analytical | Measuring website visits (only after consent) |
You can update your cookie preferences at any time via the cookie banner at the bottom of the page.
8. Security
We take appropriate technical and organisational measures to secure your data, including:
- HTTPS/TLS encryption for all connections
- Hashed password storage (bcrypt)
- Database access controls
- Regular security updates
9. Changes to this policy
We may update this policy. For material changes we will notify you by email or a notice on the website. The date at the top of this page reflects the most recent version.
10. Contact & complaints
Questions or complaints about our privacy policy? Contact us via the contact form.
You also have the right to lodge a complaint with the Belgian Data Protection Authority.