Security & privacy

UWOD manages gym operations (classes, plans, finances, multi-site) and the athletic history of each gym's athletes. This document describes how we protect that information.

Infrastructure

  • Multi-tenant SaaS architecture with isolation per gym and per site.
  • Managed database with AES-256 encryption at rest by default.
  • Frontend globally distributed via CDN.
  • No hidden providers: we don't use third-party models that receive your data without your consent.

Encryption

  • In transit: TLS 1.3 on every connection.
  • At rest: AES-256 at the managed-storage level.

Backups & recovery

  • Automatic snapshots with retention, stored outside the production server.
  • Restore tested periodically on a staging environment.

Isolation between gyms

  • Each gym (and each site) operates inside its own isolated logical space.
  • All queries validate the authenticated user's gym identity before returning data.
  • Automated tests verify that no user can access data from a gym other than their own.

Roles, internal access & traceability

  • Granular permissions per profile (athlete, coach, front desk, administrator) and per site.
  • The UWOD team's internal access to customer data is restricted and logged.
  • Actions are recorded with author and date, visible to the gym owner.

Data protection (LGPD / Habeas Data)

  • Data controller: AppByte Tecnología e Informática SpA (Chile).
  • Data Protection Officer (DPO): dpo@uwod.app
  • Data subject rights: access, rectification, erasure, portability and objection. Request them by writing to the DPO; we respond within a maximum of 15 business days.
  • We don't sell personal data, don't transfer it to third parties for commercial purposes, and don't use it to train AI models without your consent.

Responsible vulnerability disclosure

If you find a security issue, write to security@uwod.app. We respond within 48 hours and work with you on coordinated disclosure.

Last updated: 2026-06-26.