Aller au contenu

Privacy Policy

Last updated : May 1, 2026

1. Data Controller

The data controller for personal data is FV – Fitness Vendor, publisher of the Stopsport service, reachable at contact@fitness-vendor.com.

2. Platform Role in Data Processing

In the context of using the Stopsport service, club users act as data controllers for the personal data of their members.

The Stopsport platform acts as a technical service provider and data processor within the meaning of applicable data protection regulations.

Clubs are responsible for:

  • the lawfulness of the processing they carry out
  • compliance with their legal obligations towards their members
  • informing members about the use of their data
  • managing data subject rights requests

Stopsport acts solely in accordance with the club’s instructions within the scope of the features offered by the platform.

3. Data Collected

As part of using the Platform, we collect the following data:

Club Managers:

  • Email address and password (authentication)
  • Club name, SIRET number, company name, address
  • Bank details (IBAN and account holder): for clubs that have activated Stripe Connect Express (default mode since April 2026), provided directly to Stripe during KYC onboarding and stored exclusively by Stripe. For clubs still in legacy non-Connect mode, IBAN, BIC, and account holder name provided via the platform are retained in the database and will be deleted upon migration to Connect.
  • Logo and customization preferences

Network Administrators:

  • Email address and password (authentication)
  • First name and last name

Members (cancellation requesters):

  • Last name, first name, email address
  • Phone number (optional)
  • Cancellation reason and questionnaire responses
  • Satisfaction score
  • Supporting document (if provided)
  • Geolocation data (latitude, longitude): collected via the browser with your consent, used solely for displaying nearby clubs via Mapbox. This data is not retained after the session

Network Audit Log:

  • Identity of the author of modifications (name, email)
  • Date, time, and details of changed parameters

4. Purposes of Processing

Data is collected for:

  • Enabling the creation and management of user accounts
  • Processing cancellation requests
  • Collecting and transferring payments
  • Sending email notifications (confirmations, reminders, daily network change summaries)
  • Generating anonymized statistics for the dashboard
  • Administering establishment networks (settings, invitations, audit log)
  • Displaying nearby clubs via a mapping service (Mapbox)
  • Transmitting events to third-party systems via webhooks configured by the club
  • Providing technical support (account data access by FV – Fitness Vendor teams)
  • Storing anonymized navigation events internally (pages visited, traffic sources, device type) from Vercel Analytics to generate weekly performance reports
  • Measuring the performance of B2B communication actions and building audiences for advertising retargeting purposes (Meta Pixel and Conversions API), only after the visitor's explicit consent via the cookie banner
  • Generating automated performance analyses using an artificial intelligence service (Anthropic), based exclusively on aggregated and anonymized data, with no transmission of personal data

5. Legal Basis for Processing

  • Performance of contract: processing cancellations and payments
  • Legitimate interest: service improvement and statistics
  • Legal obligation: retention of billing data

6. Sub-processors and Transfers

Your data may be processed by the following sub-processors:

  • Supabase (database) — EU
  • Vercel (hosting) — United States, governed by standard contractual clauses
  • Stripe Payments Europe Limited (payments and payouts) — Ireland (Block 4, Harcourt Centre, Harcourt Road, Dublin 2, D02 Y7C2). Data transmitted: name, email, transaction amounts. Legal basis: performance of contract (Article 6.1.b GDPR). Stripe Payments Europe Limited is PCI-DSS Level 1 certified
  • Resend (transactional emails) — United States, EU-US Data Privacy Framework
  • Sentry (error monitoring) — United States, standard contractual clauses
  • Mapbox (mapping and geolocation) — United States, standard contractual clauses (Mapbox DPA)
  • API Entreprise (gouv.fr) (SIRET verification at registration) — France, public data
  • Upstash (abuse protection) — EU
  • VirtuaGym (optional integration, member lookup) — Netherlands / United States, activated only at the manager's request
  • Microsoft Clarity (usage analytics, heatmaps, anonymized session recordings) — United States, EU-US Data Privacy Framework (Microsoft DPA)
  • Anthropic (automated performance report generation from aggregated and anonymized data, no personal data transmitted) — United States, standard contractual clauses (Anthropic Privacy Policy)
  • Intercom (embedded customer support, live chat) — United States, standard contractual clauses (Intercom DPA). Data transmitted: user identifier, email address and club manager's name
  • Meta Platforms Ireland Ltd. (Meta Pixel and Conversions API, marketing performance measurement and advertising retargeting) — Ireland / United States, EU-US Data Privacy Framework (Meta Privacy Policy). Activated only after the visitor's explicit consent. Data transmitted: IP address, user agent, Meta cookie identifiers (_fbp, _fbc), navigation events (page view, CTA click, registration, subscription). No directly identifying personal data is transmitted in clear (emails are SHA-256 hashed before sending)

Data Transfers to Stripe

Payment data is processed by Stripe Payments Europe Limited (EU) and stored in European datacenters. In the event of a transfer outside the EU (rare), Stripe applies the Standard Contractual Clauses (SCC) of the European Commission (Stripe Privacy Center).

Data is never sold to third parties. The use of Meta Pixel and the Conversions API for advertising purposes is strictly subject to your prior consent, revocable at any time via the cookie banner.

7. Data Retention Period

  • Account data: retained as long as the account is active. Upon deletion, a 30-day grace period is applied before final deletion
  • Cancellation data: kept 3 years in active base from the last significant business activity (creation, status change, payment, refund, transfer, manual edit), then archived for 2 years with restricted access for evidentiary purposes in case of litigation. After these 5 cumulative years, personal data (first name, last name, email, phone, supporting documents, new address) is irreversibly anonymized. Non-personal data (amounts, dates, status, reason) is retained for statistical and accounting purposes
  • Billing data: 10 years (legal obligation)
  • Technical logs (authentication sessions, server logs): 12 months
  • Network audit log: retained for the lifetime of the network
  • Geolocation data: retained with the cancellation request (same retention period as cancellation data)
  • Email deliverability tracking: 12 months

8. Your Rights

In accordance with the GDPR, you have the following rights:

  • Right of access: obtain a copy of your data
  • Right to rectification: correct inaccurate data
  • Right to erasure: request the deletion of your data
  • Right to portability: receive your data in a structured format
  • Right to object: object to the processing of your data
  • Right to restriction: restrict processing

To exercise your rights, contact us at contact@fitness-vendor.com. We are committed to responding within 30 days.

9. Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption of data in transit (HTTPS/TLS)
  • Secure authentication via Supabase Auth
  • Row Level Security (RLS) on the database
  • No banking data stored on our servers (delegated to Stripe)

Organizational Security Measures

Access to personal data is strictly limited to authorized persons and only when necessary for the performance of their duties.

Technical and organizational measures are implemented to ensure the confidentiality, integrity, and availability of personal data processed as part of the service.

Data Breach Notification

In the event of a personal data breach, FV – Fitness Vendor will notify the competent supervisory authority in accordance with applicable regulations.

Where the breach is likely to result in a high risk to the rights and freedoms of the data subjects, they will also be informed without undue delay.

10. Cookies

The Platform uses essential technical cookies for the operation of the service (authentication session), usage analytics cookies (Microsoft Clarity, Vercel Analytics) to improve the user experience, as well as marketing cookies (Meta Pixel and Conversions API) to measure the performance of our B2B communication and enable advertising retargeting. Marketing cookies are placed only after the visitor's explicit consent via the cookie banner, and this consent is revocable at any time.

11. Changes to the Privacy Policy

FV – Fitness Vendor reserves the right to modify this policy at any time. The current version is the one published on the website. Users are encouraged to regularly review this document.

12. Complaints

In the event of a complaint, you may contact the CNIL (French National Commission for Information Technology and Civil Liberties): www.cnil.fr.