FlexDropin
PERSONAL DATA PROCESSING POLICY
pursuant to EU Regulation 2016/679 (GDPR) and Legislative Decree 196/2003
Effective date: 08/05/2026
Introduction
This Personal Data Processing Policy (hereinafter "Policy") describes in a transparent and detailed manner how FlexDropin collects, uses, stores, shares, and protects the personal data of platform users, as well as the rights that applicable law grants to data subjects and the means by which such rights may be exercised.
FlexDropin is a mobile platform dedicated to booking drop-in sessions at gyms and sports facilities. The platform serves two categories of users: athletes (users who search for and book sessions) and gym managers (owners who register their facility, publish classes, and receive payments).
This Policy applies to the FlexDropin mobile application, the website flexdropin.com, and all related services, products, technologies, and features (collectively, the "Services"). We also invite you to read our Terms and Conditions of Use, which govern access to and use of the Services.
IMPORTANT NOTE ON HEALTH DATA: The app collects and stores sports medical certificates from athlete users. Such documents constitute health data pursuant to Art. 9 GDPR and are subject to enhanced protections. Their processing takes place exclusively on the basis of the explicit consent of the data subject and with security measures appropriate to their sensitive nature.
1. Data Controller and Data Protection Officer
1.1 Data Controller
The Data Controller for personal data collected through the Services is:
Maria Petaccia
Registered address: Via Dante Alighieri 40, 65012 Cepagatti (PE), Italy
Tax Code: PTCMRA67L44C474J
Email: info@flexdropin.com
Website: https://flexdropin.com
(hereinafter "FlexDropin", "we", "our", or "us")
1.2 Data Protection Officer (DPO)
The Controller has appointed a Data Protection Officer pursuant to Art. 37 GDPR, reachable at the following contact details:
DPO Email: dpo@flexdropin.com
The DPO is available for any matter relating to the processing of personal data and the exercise of rights recognised by applicable law. All privacy-related communications will be handled with the utmost confidentiality.
2. Categories of Data Subjects and Scope of Application
This Policy applies to the following categories of data subjects:
2.1 Athlete Users
Natural persons who download the app, create an account, and use FlexDropin to search for gyms, view the class calendar, make bookings, and manage payments. Athletes may upload sports medical certificates and receive push notifications related to their bookings.
2.2 Gym Managers
Natural persons or legal entities represented by a natural person contact who registers their facility on the platform, creates classes, manages received bookings, and configures their Stripe Connect account to receive payments. The same account may act as both an athlete and a manager.
2.3 Website Visitors
Persons who access the website flexdropin.com without necessarily creating an account. For such users, processing is limited to technical browsing data and any data voluntarily provided through contact forms.
3. Categories of Personal Data Collected
3.1 Data Provided Directly by the Athlete User
3.1.1 Registration and Profile Data
- First and last name
- Email address
- Password (stored only as a hash and never accessible in plaintext)
- Profile photo (optional, uploaded by the user)
- Registration method: email/password, Sign in with Apple, Google Sign-In
When a user registers via Apple or Google, FlexDropin receives only the information that the provider authorises to share (typically: name, email address and, in the case of Google, profile photo). The access credentials of the third-party service are never received or stored.
3.1.2 Health Data — Sports Medical Certificate
SPECIAL CATEGORY OF DATA (Art. 9 GDPR): The sports medical certificate constitutes health data. Its processing is conditional upon the explicit and specific consent of the data subject, provided via a dedicated checkbox in the app, separate from the general acceptance of the Terms of Use. Consent may be withdrawn at any time.
Data collected in relation to the medical certificate includes:
- The certificate file (PDF or image), uploaded and stored on Supabase Storage with encryption at rest
- The certificate expiry date
- The status of the self-declaration signed by the user
Such data is accessible exclusively to the athlete user and, solely for the purpose of verifying validity, to the gym at which the user intends to make a booking, where the gym has activated the medical certificate requirement as a condition for booking.
3.1.3 Booking and Payment Data
- Booking history (gym, class, date, time, status)
- Payment status (free, pending, confirmed, cancelled, refunded)
- Amount paid
Payment card data or other payment instrument data (Apple Pay, etc.) are never transmitted to FlexDropin or stored on our systems. The processing of payment data is carried out entirely by Stripe, Inc., certified PCI-DSS level 1, within the Stripe Connect model (Direct Charges). FlexDropin receives only confirmation of the payment outcome via webhook.
3.1.4 Preferences and Searches
- Last 5 searches performed (stored locally on the device via AsyncStorage)
- Preferred filters (category, distance)
- Geographic location saved in preferences
- Selected mode (athlete or manager)
3.2 Data Provided by the Gym Manager
Operational and contact data of the facility, collected during the registration flow:
- First and last name of the contact person
- Name of the sports facility
- Gym description
- Full address of the premises (with geographic coordinates derived from Mapbox geocoding)
- Categories of activities offered (e.g. functional fitness, yoga, pilates)
- Contact details: phone, email, website, social media profiles (Instagram, Facebook, TikTok)
- Gym logo and cover image (uploaded to Supabase Storage)
- Instructor data (first name, last name, photo)
Tax, billing, and identification data required for invoicing and for the fulfilment of obligations under Council Directive (EU) 2021/514 (DAC7) and Legislative Decree 32/2023, collected as a technical prerequisite for completing the registration flow (Art. 6.1.b and 6.1.c GDPR):
- Legal/registered name (ragione sociale)
- Registered office (sede legale) and billing address (indirizzo di fatturazione), where different
- VAT identification number (partita IVA), where issued, or Tax Identification Number (Italian Codice Fiscale or equivalent foreign TIN) with indication of the issuing Member State
- Member State(s) of tax residence, derived from the data referred to in the previous point
- For Managers established in Italy, the Italian Recipient Code (Codice Destinatario SDI) or, alternatively, the certified e-mail address (PEC) for the receipt of electronic invoices through the Italian Interchange System
- For legal entities, indication of any permanent establishment in another EU Member State through which the Relevant Activity is carried out
Data acquired through Stripe, as part of the Stripe Connect onboarding required to receive payments. Stripe operates as an autonomous data controller for these data and shares with FlexDropin only the information strictly necessary for the operation of the platform and for the fulfilment of DAC7 obligations:
- Stripe account identifier and payment enablement status (charges_enabled, payouts_enabled)
- Identifier of the financial account on which the consideration of the Relevant Activities is paid (specifically, the IBAN associated with the Stripe Connect account, where made available by Stripe to FlexDropin)
- Name of the holder of the financial account, where different from the Manager
- For Managers who are natural persons (sole traders, freelancers), date of birth and primary address, made available by Stripe to FlexDropin to the extent strictly necessary for DAC7 due diligence
- Identification document and identity verification data of the Stripe account holder are processed exclusively by Stripe in accordance with its anti-money-laundering and KYC obligations and are not stored on FlexDropin's systems
The tax data referred to above are also processed for purposes of automatic exchange of information in tax matters, in accordance with the modalities and time limits described in Sections 4, 6.3, and 8 of this Policy. Their entry is a technical prerequisite for completing the registration flow: without complete provision, the Manager cannot register the gym on the platform, in accordance with Art. 7.5 of the Terms of Use.
3.3 Data Collected Automatically Through Use of the Services
3.3.1 Technical and Session Data
- IP address
- Operating system type and version (iOS, Android)
- Device model
- App version
- Device language
- Supabase authentication token (stored locally and invalidated upon logout)
- Push notification token (Expo Push Notifications), associated with the user ID
3.3.2 Usage Data
- Screens viewed and features used
- Searches performed and filters applied
- Interactions with the class calendar
- Booking status and history
- Notification preferences
3.3.3 Geolocation Data
Geolocation is an optional feature. FlexDropin requests permission to access the device's location exclusively for the following purposes:
- Displaying gyms near the user ("Search" tab → "Near me" filter)
- Displaying gyms on a map in the "Explore" tab
The user may deny or revoke geolocation permission at any time from the device settings, while continuing to use all other app features (search by name, search by manually entered address).
When acquired, location data is processed locally and transmitted to the Mapbox APIs solely for geographic search purposes. It is not stored in identifiable form on FlexDropin's servers.
4. Purposes of Processing and Legal Bases
Every processing of personal data carried out by FlexDropin is based on a specific legal basis pursuant to Art. 6 GDPR (and, where applicable, Art. 9 GDPR for special categories of data). The purposes, legal bases, and mandatory or optional nature of data provision are set out below.
| Purpose | Data processed | Legal basis | Provision |
|---|---|---|---|
| Account creation and management | Email, name, password, login method | Contract (Art. 6.1.b) | Mandatory |
| Authentication and security | Session token, IP, device | Legitimate interest (Art. 6.1.f) | Mandatory |
| Provision of the booking service | Profile data, calendar, booking status | Contract (Art. 6.1.b) | Mandatory |
| Payment and refund management | Transaction ID, amount, payment status | Contract (Art. 6.1.b) | Mandatory for paid classes |
| Storage and verification of medical certificate | Certificate file, expiry date | Explicit consent (Art. 9.2.a) | Optional (mandatory if the gym requires it) |
| Geolocation for gym search | GPS coordinates, geocoding queries | Consent (Art. 6.1.a) | Optional |
| Push notifications (class reminders, bookings) | Push token, user ID | Consent (Art. 6.1.a) | Optional |
| Gym registration and management | Gym data, instructors, VAT number | Contract (Art. 6.1.b) | Mandatory for managers |
| Stripe Connect onboarding for managers | Stripe account data, verification status | Contract (Art. 6.1.b) | Mandatory to receive payments |
| Aggregate analytics for service improvement | Aggregated and anonymised usage data | Legitimate interest (Art. 6.1.f) | Not applicable (anonymous data) |
| Fraud prevention and platform security | IP, device, technical logs | Legitimate interest (Art. 6.1.f) | Mandatory |
| Tax and accounting obligations | Transaction data, VAT number, commissions | Legal obligation (Art. 6.1.c) | Mandatory |
| DAC7 reporting and automatic exchange of information in tax matters (gym managers) | Identification data of the Manager (legal name, registered office, billing address, Codice Fiscale/TIN, VAT number, SDI/PEC, Member State of residence), IBAN of the financial account (acquired through Stripe), consideration paid per quarter, fees and commissions withheld | Legal obligation (Art. 6.1.c GDPR; Council Directive (EU) 2021/514 — DAC7; Legislative Decree 32/2023) | Mandatory for managers |
| Sending account-related communications | Email, push notifications | Contract (Art. 6.1.b) | Mandatory |
| Marketing communications (newsletter, promotions) | | Consent (Art. 6.1.a) | Optional |
LEGITIMATE INTEREST: Before relying on legitimate interest as a legal basis, FlexDropin carries out a balancing test between its own interest and the fundamental rights and freedoms of data subjects, ensuring that processing does not unjustifiably prejudice the data subject's interests. Data subjects have the right to object to such processing pursuant to Art. 21 GDPR.
5. Processing of Special Categories of Data (Art. 9 GDPR)
Sports medical certificates uploaded by athlete users constitute health data pursuant to Art. 9(1) GDPR. As such, they are subject to the general prohibition on processing, unless one of the exceptions provided for in Art. 9(2) GDPR applies.
FlexDropin processes such data exclusively on the basis of the explicit consent of the data subject pursuant to Art. 9(2)(a) GDPR, collected by means of:
- A dedicated informed consent screen in the app, separate from the acceptance of the Terms of Use
- A specific confirmation checkbox for the processing of health data
- A self-declaration signed by the user regarding the truthfulness of the document
The safeguards adopted to protect such data include:
- Encryption at rest of files on Supabase Storage
- Encryption in transit via TLS/SSL
- Limited access: the file is accessible exclusively to the athlete user; gyms can only view the validity status (valid/expired/absent), not the content of the document
- No sharing with third parties for commercial or advertising purposes
- Right of deletion exercisable at any time from the user profile
Consent to the processing of health data is entirely optional. Its absence does not prevent use of the app, but may prevent booking at gyms that require verification of the medical certificate as a condition of access.
6. Communication and Sharing of Data with Third Parties
FlexDropin does not sell, transfer for consideration, or rent users' personal data to third parties for their own commercial or advertising purposes.
Personal data may be shared in the following circumstances:
6.1 Data Processors (Art. 28 GDPR)
FlexDropin uses the following service providers, appointed as Data Processors pursuant to Art. 28 GDPR, bound by specific contractual agreements (Data Processing Agreement) that limit their use of data to the purposes indicated:
| Provider | Country | Service provided | Data shared | Privacy Policy |
|---|---|---|---|---|
| Supabase Inc. | USA (SCC) | Database, authentication, storage, Edge Functions, real-time | All user and gym data | supabase.com/privacy |
| Mapbox, Inc. | USA (SCC) | Interactive maps, address geocoding, geographic search | Geographic queries, GPS coordinates (if authorised) | mapbox.com/legal/privacy |
| Stripe, Inc. | USA (SCC) | Payments, refunds, Stripe Connect onboarding for managers | Transaction ID, amount, payment status, gym account data | stripe.com/privacy |
| Expo (Snack Tech) | USA (SCC) | iOS and Android push notifications | Push token, user ID | expo.dev/privacy |
| Apple Inc. | USA (SCC) | Sign in with Apple, iOS push notifications (APNs) | Name, email (from Apple ID) | apple.com/legal/privacy |
| Google LLC | USA (SCC) | Google Sign-In, Android push notifications (FCM) | Name, email, profile photo (from Google account) | policies.google.com/privacy |
| Vercel Inc. | USA (SCC) | Website hosting, authentication and Stripe redirect management | Technical browsing data, post-payment redirects | vercel.com/legal/privacy-policy |
6.2 Sharing Between Platform Users
In the course of normal service operation, certain information is visible to other platform users:
- To athletes viewing a gym profile: gym name, description, address, categories, contacts, logo, cover, class calendar, and instructors
- To gym managers: the booking athlete's first and last name, booked date and class, amount paid, booking status, and — solely for validity verification — the medical certificate status (valid/expired/absent, not the document itself)
Gym managers never have access to the content of the athlete's medical certificate, only to its validity status (valid, expired, or not present).
6.3 Sharing for Legal Obligations
FlexDropin may communicate personal data to public authorities, law enforcement, or judicial bodies when required by a legal obligation, a court or administrative order, or where such communication is necessary to:
- Assert, exercise, or defend a right in judicial proceedings
- Prevent serious harm to persons or property
- Fulfil tax and accounting obligations
- Fulfil information reporting obligations imposed on FlexDropin as a Reporting Platform Operator under Council Directive (EU) 2021/514 (DAC7) and Legislative Decree no. 32 of 1 March 2023
In such cases, FlexDropin limits itself to sharing only the data strictly necessary for the purpose, in compliance with the data minimisation principle (Art. 5.1.c GDPR).
DAC7 reporting and automatic exchange of information in tax matters. In particular, with reference to gym Managers qualifying as "Reportable Sellers", FlexDropin transmits annually to the Italian Revenue Agency (Agenzia delle Entrate — Centro Operativo di Pescara, in its capacity as autonomous data controller for the purposes of the obligations referred to therein), by 31 January of the calendar year following that to which the report refers, the identification data, financial data, and data relating to consideration paid for Relevant Activities, as required by Articles 4 to 11 of Legislative Decree 32/2023 and by the Provision of the Director of the Italian Revenue Agency Prot. no. 406671/2023. The Italian Revenue Agency in turn shares such information with the Competent Authorities of the other EU Member States in which the Reportable Seller is resident, or in which the rented immovable property is located, pursuant to Art. 8-bis-quater of Council Directive 2011/16/EU. The legal basis for the processing is the legal obligation referred to in Art. 6.1.c GDPR. The data subject (Manager) has the right to receive, on request, a copy of the data communicated to the Italian Revenue Agency, in accordance with Art. 16 of Legislative Decree 32/2023 and as set out in Section 9 of this Policy.
6.4 Business Transfer
In the event of a merger, acquisition, business transfer, or insolvency proceedings involving FlexDropin, personal data may be transferred to the assignee or acquirer, in compliance with applicable law and following notification to data subjects, who may exercise their rights against the new Controller.
7. International Data Transfers
All providers listed in Section 6.1 are based in the United States of America. The transfer of personal data outside the European Economic Area (EEA) to such countries is carried out in compliance with the safeguards provided by Chapter V of the GDPR, using the following instruments:
- Standard Contractual Clauses (SCC) adopted by the European Commission with Implementing Decision (EU) 2021/914 of 4 June 2021
- EU-US Data Privacy Framework, where the provider is certified
- Adequacy decisions by the European Commission, where applicable
FlexDropin has entered into Data Processing Agreements (DPA) compliant with Art. 28 GDPR with each of its providers, verifying that they adopt appropriate technical and organisational measures to protect transferred data.
Data subjects have the right to request a copy of the safeguards adopted for international transfers by writing to dpo@flexdropin.com.
8. Data Retention Periods
Personal data is retained for the period strictly necessary to achieve the purposes for which it was collected, in compliance with the storage limitation principle (Art. 5.1.e GDPR), and in any case no longer than the periods indicated below:
| Data category | Retention period | Rationale |
|---|---|---|
| Account data (email, name, password hash) | Until account deletion or 3 years of inactivity | Performance of contract |
| Medical certificate (file and metadata) | Until certificate expiry + 30 days, or until the user withdraws consent, whichever is earlier | Consent — withdrawable at any time |
| Booking and payment history | 10 years from the transaction date | Tax and accounting obligations (Presidential Decree 600/1973) |
| Gym data (profile, classes, instructors) | Until deletion of the gym or manager account | Performance of contract |
| Stripe Connect account data (manager) | 10 years from Stripe account closure | Tax and regulatory obligations Stripe/PSD2 |
| DAC7 data of gym managers (identification, fiscal data, financial account, consideration paid) | 10 years from the end of the calendar year to which the report refers | Legal obligation (Art. 9 of Legislative Decree 32/2023, in conjunction with Art. 8 of Presidential Decree 600/1973 and Art. 22 of Presidential Decree 633/1972) |
| Technical and system logs | 12 months from last interaction | Legitimate interest (security and diagnostics) |
| Push notification tokens | Until notifications are disabled or account is deleted | Consent |
| Geolocation data | Not stored in identifiable form; processed in real time | Minimisation (Art. 5.1.c GDPR) |
| Recent searches (AsyncStorage) | Stored locally on the device; deleted upon app uninstallation or from the profile section | Contract / user interest |
| Data for legal protection (litigation) | Up to 10 years or until conclusion of proceedings | Legal obligation / legitimate interest |
Upon expiry of the indicated periods, data will be permanently deleted or irreversibly anonymised so as to no longer permit identification of the data subject. Mere anonymisation does not constitute retention for GDPR purposes.
9. Rights of Data Subjects
Applicable law grants data subjects a comprehensive set of rights against the Data Controller. Such rights may be exercised without formality and free of charge, except in the case of manifestly unfounded or excessive requests.
9.1 Right of Access (Art. 15 GDPR)
The data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed and, where that is the case, to obtain access to the personal data processed, the purposes of the processing, the categories of data concerned, the recipients or categories of recipients, the envisaged retention period, and the existence of any international transfers.
9.2 Right to Rectification (Art. 16 GDPR)
The data subject has the right to obtain the rectification of inaccurate personal data concerning them and the completion of incomplete data, taking into account the purposes of the processing. Most profile information can be updated directly by the user in the app settings.
9.3 Right to Erasure ("Right to be Forgotten", Art. 17 GDPR)
The data subject has the right to obtain the erasure of personal data concerning them without undue delay in the following cases:
- The data is no longer necessary for the purposes for which it was collected
- The data subject withdraws consent on which the processing is based and there is no other legal ground
- The data subject objects to the processing and there is no overriding legitimate ground
- The data has been unlawfully processed
The right to erasure does not apply where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for the further purposes referred to in Art. 17(3) GDPR. In such cases, FlexDropin will inform the data subject of the reasons for the refusal.
To delete an account, navigate to: Profile → Account Settings → Delete account. After deletion, data will be removed within 30 days, subject to the mandatory retention periods set out in Section 8.
9.4 Right to Restriction of Processing (Art. 18 GDPR)
The data subject has the right to obtain restriction of processing where:
- The accuracy of the personal data is contested (for the period necessary to verify it)
- The processing is unlawful and the data subject opposes erasure
- The data is needed by the data subject for the establishment, exercise, or defence of legal claims, although the Controller no longer needs it
- The data subject has objected to the processing pending verification of whether the Controller's legitimate grounds override
9.5 Right to Data Portability (Art. 20 GDPR)
The data subject has the right to receive, in a structured, commonly used, and machine-readable format, the personal data concerning them that they have provided to the Controller, and to transmit those data to another controller without hindrance, where processing is based on consent or on a contract and is carried out by automated means.
9.6 Right to Object (Art. 21 GDPR)
The data subject has the right to object at any time, on grounds relating to their particular situation, to processing of personal data concerning them that is based on the legitimate interest of the Controller (Art. 6.1.f GDPR). In that case, the Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject.
The data subject also has the right to object at any time to processing of personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. In that case, the Controller must immediately cease processing for such purposes.
9.7 Right to Withdraw Consent (Art. 7(3) GDPR)
To the extent that processing is based on the data subject's consent, the data subject has the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent to the processing of health data (medical certificate) can be exercised directly from the user profile.
9.8 Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR)
FlexDropin does not make decisions based solely on automated processing that produce significant legal effects or similarly significantly affect individuals.
9.9 Right to Lodge a Complaint with the Supervisory Authority (Art. 77 GDPR)
Without prejudice to the right to seek judicial remedies, the data subject has the right to lodge a complaint with the competent supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement.
The Italian supervisory authority is:
Garante per la Protezione dei Dati Personali
- Website: www.garanteprivacy.it
- Email: garante@gpdp.it
- Address: Piazza Venezia n. 11, 00187 Roma
- Phone: +39 06.696771
9.10 How to Exercise Your Rights
The rights listed above may be exercised by written communication sent to:
- Email: info@flexdropin.com
- DPO Email: dpo@flexdropin.com
The request must indicate: first and last name, email address registered on the account, description of the right to be exercised. FlexDropin reserves the right to verify the identity of the requester before fulfilling the request.
The Controller responds to requests without undue delay and, in any case, within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests; in that case, the Controller shall inform the data subject of the extension and the reasons for the delay within one month of receipt of the request.
The service is free of charge. However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may charge a reasonable fee or refuse to act on the request.
10. Security Measures
FlexDropin adopts appropriate technical and organisational measures to ensure a level of security commensurate with the risk of the processing, pursuant to Art. 32 GDPR, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons.
10.1 Technical Measures
- Encryption in transit: all communications between the app and servers take place exclusively via TLS 1.2 or higher (HTTPS)
- Encryption at rest: files stored on Supabase Storage (including medical certificates) are encrypted at rest
- Secure credential management: passwords are stored exclusively as hashes using secure algorithms (bcrypt); FlexDropin does not store or have access to passwords in plaintext
- Secure authentication: support for biometric authentication (Face ID, Touch ID) on compatible devices; session tokens with automatic expiry
- Row Level Security (RLS): the Supabase database implements row-level security policies, ensuring that each user can only access their own data
- Health data isolation: medical certificates are stored in a separate Supabase Storage bucket with restrictive access policies
- PCI-DSS payments: payment data never passes through FlexDropin servers; processing is delegated entirely to Stripe (PCI-DSS level 1 certified)
10.2 Organisational Measures
- Principle of least privilege: access to personal data is limited to personnel who strictly need it to perform their duties
- Data Processing Agreements: formal agreements with all providers appointed as Data Processors
- Internal security policies: written procedures for the management of personal data, incident response, and breach management
- Periodic audits: regular review of the security measures adopted
10.3 Data Breach Management
In the event of a security breach that accidentally or unlawfully results in the destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed, FlexDropin will:
- Notify the breach to the Supervisory Authority within 72 hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR)
- Communicate the breach to data subjects without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons (Art. 34 GDPR)
- Immediately adopt the necessary measures to contain and remedy the breach
Although FlexDropin adopts appropriate security measures, no computer system is immune to risk. Users are advised to use strong passwords and not to share their credentials.
11. Children's Privacy
11.1 Minimum Age
FlexDropin's Services are not intended for persons under the age of 18. Use of the platform involves the conclusion of contracts (paid bookings, acceptance of Terms of Use) which, under Italian law and many other legal systems, require full legal capacity.
FlexDropin does not knowingly collect personal data from persons under the age of 18. Where underage users are identified, the relevant account will be immediately suspended and the data deleted, subject to retention of data necessary to comply with any legal obligations.
11.2 COPPA Compliance (US Market)
With regard to the US market, FlexDropin complies with the Children's Online Privacy Protection Act (COPPA). The platform does not knowingly collect, use, or share personal data from persons under the age of 13. If a parent or guardian believes that a child under 13 has created an account, they are invited to contact info@flexdropin.com immediately to request data deletion.
11.3 Reporting
Parents, guardians, or anyone who becomes aware of an account belonging to a minor may report it to info@flexdropin.com. FlexDropin is committed to handling such reports with the utmost priority.
12. Cookies and Tracking Technologies
FlexDropin uses cookies and similar tracking technologies in the mobile application and on the website. For a detailed description of the technologies used, their purposes, legal bases, and how to manage preferences, please refer to the Cookie Policy available at:
https://flexdropin.com/cookie
In summary, the tracking technologies used by FlexDropin belong exclusively to the categories of technical (necessary) cookies and anonymous aggregated analytics. FlexDropin does not use advertising cookies and does not carry out profiling for marketing purposes.
13. Additional Information for Residents in the European Economic Area, the United Kingdom, and Switzerland
13.1 Data Controller for EEA Users
The Data Controller for users resident in the EEA, the United Kingdom, and Switzerland is the entity identified in Section 1.1 of this Policy.
13.2 Legal Bases for Processing
The legal bases applicable to each processing purpose are indicated in the table in Section 4. It is noted that:
- Consent provided pursuant to Art. 6.1.a GDPR is always specific, informed, freely given, and withdrawable. Withdrawal has no retroactive effect.
- Legitimate interest invoked pursuant to Art. 6.1.f GDPR is always balanced against the fundamental rights and freedoms of data subjects through a documented assessment.
- Processing based on performance of a contract (Art. 6.1.b GDPR) covers only data strictly necessary for the provision of the requested service.
13.3 Enhanced Right to Object
Users resident in the EEA have the right to object at any time to the processing of their data for direct marketing purposes, including profiling connected to such marketing, without needing to provide any reason. FlexDropin ceases such processing immediately upon receipt of the objection.
13.4 Competent Supervisory Authorities
Users resident in other EEA countries may lodge a complaint with the supervisory authority of their Member State of residence. The full list of European supervisory authorities is available on the website of the European Data Protection Board (EDPB): edpb.europa.eu.
14. Additional Information for Residents in California and Other US States
This section applies to residents of the State of California (USA) pursuant to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), and, to the extent applicable, to residents of other states that have enacted similar privacy laws (Colorado, Connecticut, Virginia, Texas, etc.).
14.1 Categories of Personal Information Collected
In the past 12 months, FlexDropin has collected the following categories of personal information:
- Identifiers: first name, last name, email address, user ID, device ID
- Commercial information: booking history, amounts paid
- Internet or other electronic network activity: app interactions, searches performed
- Geolocation data: GPS coordinates (when authorised), addresses entered
- Audio, visual, or similar information: profile photos, gym logo and cover
- Health data: sports medical certificates (with explicit consent)
- Professional data: gym data, instructors, manager commercial information
14.2 Purposes of Use
Personal information is used for the purposes set out in Section 4 of this Policy.
14.3 FlexDropin Does Not Sell or Share Personal Data
FlexDropin does not "sell" or "share" personal data with third parties for cross-context behavioural advertising purposes, as defined by the CCPA/CPRA. Data shared with service providers (Section 6.1) is shared within the scope of Data Processor relationships and does not constitute a "sale" within the meaning of California law.
14.4 Rights of California Residents
California residents have the following additional rights:
- Right to know: obtain information about the categories and sources of personal information collected, the purposes of use, and the categories of third parties with whom such information is shared
- Right of access: receive a copy of the personal information collected in the past 12 months
- Right to deletion: request the deletion of personal information, subject to legal exceptions
- Right to correction: request the rectification of inaccurate personal information
- Right to opt-out from sale/sharing: not applicable (FlexDropin does not sell or share data for cross-context advertising)
- Right to limit the use of sensitive personal information: applicable to health data (medical certificate), manageable from the app settings
- Right to non-discrimination: FlexDropin does not discriminate against users for exercising their rights
- Right to appeal: the user may appeal FlexDropin's response by writing to info@flexdropin.com
14.5 How to Exercise California Rights
To exercise rights under CCPA/CPRA, you may:
- Send a written request to: info@flexdropin.com
- Specify in the subject line: "California Privacy Request"
FlexDropin responds within 45 days, extendable by a further 45 days where necessary, with prior notification to the user.
14.6 Authorised Agents
California residents may designate an authorised agent to exercise their rights on their behalf. For this purpose, written proof of the authorisation granted to the agent must be provided and, if requested, the identity of the requesting party must be verified.
15. Amendments to This Policy
FlexDropin reserves the right to modify this Policy at any time, in order to adapt it to any regulatory, technological, or operational changes.
In the event of material changes — meaning changes that significantly affect data subjects' rights or processing methods — FlexDropin will:
- Update the "Effective date" at the end of this document
- Send a push notification to users who have enabled app notifications
- Send an email communication to the address registered on the account
- Request, where required under applicable law, new explicit consent
Non-material changes (e.g. formal corrections, link updates) will be made available exclusively by updating this Policy, with an update of the date. Users are advised to periodically consult this Policy.
Continued use of the Services after the changes take effect constitutes acceptance of the updated version of the Policy, to the extent permitted by applicable law.
16. Third-Party Services and Websites
FlexDropin's Services may contain links to third-party websites, applications, or services (e.g. gym social media profiles, gym websites). This Policy does not apply to such third-party sites and services, over which FlexDropin exercises no control.
Users are advised to read the privacy policies of third-party sites and services before providing them with any personal data. FlexDropin is not responsible for the privacy practices of such parties.
17. Contacts
For any questions, requests, or reports relating to this Policy or the processing of personal data, data subjects may contact FlexDropin at the following details:
General Contacts
Email: info@flexdropin.com
Website: https://flexdropin.com
Postal address: Maria Petaccia, Via Dante Alighieri 40, 65012 Cepagatti (PE), Italy
Data Protection Officer (DPO)
DPO Email: dpo@flexdropin.com
The DPO is the primary point of contact for requests to exercise GDPR rights and for any matter relating to the protection of personal data.
Response Times
- General enquiries: within 5 business days
- Requests to exercise GDPR rights: within 30 days (extendable to 90 days in complex cases, with prior notification)
- CCPA/California requests: within 45 days (extendable by a further 45 days)
- Urgent security or data breach reports: within 24-48 hours
18. Glossary
Personal data: Any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
Special category of data (sensitive data): Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data, data concerning health, sex life, or sexual orientation (Art. 9 GDPR).
Data Controller: The natural or legal person that determines the purposes and means of processing personal data (Art. 4(7) GDPR).
Data Processor: The natural or legal person that processes personal data on behalf of the Controller (Art. 4(8) GDPR).
Data subject: The natural person to whom the personal data relates.
Processing: Any operation or set of operations performed on personal data, with or without the aid of automated processes (Art. 4(2) GDPR).
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of their data (Art. 4(11) GDPR).
DPO (Data Protection Officer): The officer provided for by Arts. 37-39 GDPR, with advisory and supervisory functions and acting as point of contact for the supervisory authority.
SCC (Standard Contractual Clauses): Model contractual clauses approved by the European Commission for the transfer of personal data to third countries lacking an adequacy decision.
GDPR: General Data Protection Regulation — EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016.
CCPA/CPRA: California Consumer Privacy Act / California Privacy Rights Act — California state laws on the protection of consumers' personal data.
COPPA: Children's Online Privacy Protection Act — US federal law on the protection of data of children under 13.
Stripe Connect: Stripe product that enables platforms to facilitate payments between multiple parties. In FlexDropin: between athletes (payers) and gyms (recipients), with automatic deduction of the platform commission.
Row Level Security (RLS): A PostgreSQL/Supabase database security mechanism that restricts data access at the individual row level, ensuring that each user can only view their own data.
Data Breach: A security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data (Art. 4(12) GDPR).
Anonymisation: An irreversible process of modifying personal data so as to prevent the re-identification of the data subject. Anonymised data is not subject to the GDPR.
Legal References
This Policy has been drafted in compliance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR)
- Legislative Decree of 30 June 2003, no. 196 (Personal Data Protection Code), as amended by Legislative Decree of 10 August 2018, no. 101
- Italian Data Protection Authority Provision no. 243 of 10 June 2021 — Guidelines on cookies and other tracking tools
- European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Standard Contractual Clauses)
- California Consumer Privacy Act (CCPA) — Cal. Civ. Code § 1798.100 et seq.
- California Privacy Rights Act (CPRA) — Proposition 24 (2020)
- Children's Online Privacy Protection Act (COPPA) — 15 U.S.C. §§ 6501–6506
- Directive 2002/58/EC (ePrivacy Directive)
Last modified: 24/02/2026 — Version: 1.0
© 2026 FlexDropin. All rights reserved.
