Privacy policy
This policy describes how AppByte Tecnología e Informática SpA (hereinafter "AppByte"), owner and operator of the UWOD product, processes personal data of website visitors, Customers (gyms, boxes, studios and functional-training centers) contracting the Service and Data Subjects whose data Customers upload to the platform. It complements the Terms and conditions and the Cookie policy.
1. Controller and contact
- Data controller: AppByte Tecnología e Informática SpA, a stock company incorporated in the Republic of Chile, Tax ID 78.410.317-K, registered office at Santa Magdalena 75, Of. 304, Providencia, Santiago (Región Metropolitana), Chile.
- Product: UWOD.
- Privacy / DPO email: dpo@uwod.app.
- Legal email: legal@uwod.app.
- Support: contacto@uwod.app.
2. Who this policy applies to
This policy covers three different relationships:
- Visitors to uwod.app and subdomains.
- Customers contracting UWOD (Controllers of the data they upload).
- Data Subjects / Related Third Parties whose data are uploaded by the Customer to the platform (members, athletes, emergency contacts, representatives and the Customer's staff — coaches, front-desk and administrators).
With respect to Customer Data, AppByte acts as Processor. The Customer is the Controller and decides purposes, legal bases, retention and rights. If you are a Data Subject whose data was uploaded by a Customer, you must exercise your rights directly with that Customer; UWOD will provide technical assistance where applicable.
3. What data we process
3.1. Website visitors
- Technical data: IP address, user agent, language, approximate country, pages visited, date and time.
- Contact form data: name, email, phone, company and message.
- Strictly necessary cookies for site operation. Details in the Cookie policy.
3.2. Customers and platform users
- Account data: legal name, tax ID, country, domicile, contact data, representative, sites and billing data.
- Authorized staff data (coaches, front-desk and administrators): name, email, role, permissions, hashed password, activity and audit logs.
- Athlete app data: profile, email, reservations, training logs and the device data needed to deliver the mobile experience.
- Service usage data: logins, events, sessions, IP, devices, errors and technical metrics.
- Subscription and billing data for the Customer's UWOD plan, managed directly or through authorized payment gateways.
3.3. Data uploaded by the Customer (Customer Content)
In the day-to-day operation of UWOD, the Customer may upload and generate the following categories of personal and operational data:
- Identification and contact of members and athletes, their emergency contacts, representatives and the Customer's staff (coaches, front-desk and administrators).
- Classes, reservations and attendance: class schedules, bookings, check-ins, waitlists and no-shows.
- Plans and memberships: plan assignments, membership status, validity periods and membership payment metadata recorded operationally by the Customer.
- WOD and training results: workout programming, recorded results, personal records (PRs) and benchmarks, progress statistics and sport metrics. Some of these may be health-adjacent and therefore sensitive; the Customer is responsible for having a sufficient legal basis and, where required, the Data Subject's consent.
- Cash and financial movements (income, expenses and cash) recorded operationally by the Customer.
- Images and documents uploaded by the Customer (profile photos, supporting documents and other files).
- Audit data: user, action, module, IP, date and time, company.
These data are processed by AppByte only to provide, maintain, secure, back up and improve the Service in accordance with the Customer's instructions as Controller.
UWOD does not request biometric or minors' data as a general rule. Where training results, progress statistics or sport metrics qualify as sensitive or health-adjacent data, the Customer is solely responsible for having sufficient legal basis and, where applicable, obtaining the Data Subject's consent before uploading them.
4. Purposes and legal bases
- Service delivery (contractual performance): platform operation, account management, support, billing.
- Security and fraud prevention (legitimate interest): monitoring, auditing, misuse detection.
- Legal compliance (legal obligation): accounting and tax retention and response to competent authorities.
- Communication with visitors (consent): response to the contact form and requested communications.
- Service improvement (legitimate interest): aggregated analysis, technical metrics, quality control — no commercial use of Customer Data.
AppByte does not sell Customer Data, does not share them with third parties for commercial or advertising purposes and does not use personal data to train AI models without contractual authorization, the Data Subject's consent or another sufficient legal basis. The optional AI features in the athlete app (such as AI-generated training plans) do not feed personal data into model training without consent.
5. Sub-processors and providers
To operate UWOD we use providers that act as sub-processors under confidentiality and security obligations equivalent to those of this policy. The relevant categories are:
- Frontend hosting and edge security: Cloudflare (global network, US) — DNS, CDN, WAF and Pages for the landing site and the gym web app.
- Backend / API hosting: Contabo VPS (US East).
- Database: MongoDB Atlas on AWS Northern Virginia (us-east-1).
- Image and document storage: Cloudinary (US / provider's global network).
- Transactional email and push notifications: Resend (US).
- App distribution: Apple App Store and Google Play for the athlete mobile app.
- Payment gateways: Transbank, Mercado Pago and Binance Pay, used solely to charge the Customer for its UWOD software subscription, depending on the means chosen. AppByte does not store full payment instrument data. These gateways are not used to process members' or athletes' membership payments, which flow directly between the member or athlete and the gym, outside the Platform.
- Error observability: Sentry (US).
On top of the Contabo infrastructure, operational components such as Grafana, Uptime Kuma, Portainer and Redis run self-hosted. They are not independent sub-processors.
The public, up-to-date sub-processor list is available at /en/support/subprocessors or on request at dpo@uwod.app.
6. International transfers
The Service operates through infrastructure located primarily in the United States (backend on Contabo US East, database on MongoDB Atlas us-east-1, storage on Cloudinary) and over Cloudflare's global network. Other sub-processors operate in their own regions as indicated in the public list.
For Customers and Data Subjects located in Chile, Colombia, Brazil, Ecuador or any other country, this may involve international transfer of personal data. AppByte adopts reasonable contractual, technical and organizational safeguards in accordance with applicable regulations, including data processing clauses with each sub-processor and encryption in transit.
7. Retention
- Account and billing data: during the contract term and afterwards in accordance with legal obligations (accounting, tax).
- Customer Data uploaded to the platform: according to the Customer's instructions. After termination, export is enabled for 30 calendar days and deletion from production systems follows. Backups are overwritten under the normal retention cycle, within a maximum of 90 days, except where a legal, technical or security obligation justifies their retention.
- Website visitor data: for the time necessary to address the query and, where applicable, in accordance with legal obligations.
- Audit and security logs: for the time necessary for security, legal defense and compliance purposes.
8. Security
We apply reasonable technical and organizational measures proportionate to risk, including encryption in transit per the configuration in force at Cloudflare and the other providers, encryption at rest subject to the capabilities of the database and file storage providers, access controls under the principle of least privilege, multi-tenant logical segregation, audit logs, separate production, test and development environments with independent databases, regular backup routines, monitoring and documented incident response processes. More details are available under Security & privacy.
No system is completely invulnerable. The Customer and its users must apply good practices: strong passwords, timely deactivation of accounts, device protection and periodic permission review.
9. Data subject rights
In accordance with applicable regulations (Law 19.628 and Law 21.719 in Chile, LGPD in Brazil, Law 1581 of 2012 and Decree 1377 of 2013 in Colombia, the Organic Personal Data Protection Law in Ecuador, and other relevant regimes), Data Subjects may exercise rights of:
- Access, rectification and update.
- Deletion, blocking or cancellation.
- Opposition and suspension of processing.
- Data portability where technically possible.
- Review of automated decisions where applicable.
- Withdrawal of consent given.
If your data was uploaded to UWOD by a Customer (e.g., you are a member or athlete of a gym), you must direct your request to the Customer acting as Controller. UWOD will provide technical assistance where the request requires access, correction, export, blocking or deletion of data stored in the Platform.
To exercise rights over data processed directly by AppByte, write to dpo@uwod.app. We respond within a maximum of 15 business days, without prejudice to shorter deadlines required by applicable local laws.
10. Security incidents
In the event of an incident compromising Customer Data, we will notify the Customer without undue delay and, where reasonably possible, within 72 hours of internal confirmation, providing reasonable technical information on the known scope and mitigation measures. The Customer, as Controller, will assess notification to authorities and Data Subjects according to applicable regulations.
11. Minors
UWOD's gym platform is a B2B product and is not directed at minors. If a Customer registers minors (for example, younger athletes training at the gym) as part of its legitimate operation, it must have the corresponding legal authorizations from a parent or guardian.
12. Changes to this policy
We may update this policy to reflect changes in the Service, regulations or our practices. We will notify material changes by email or in-Platform notice, with at least 30 calendar days' notice where applicable. The last update date appears at the end of this document.
13. Complaints to authorities
If you consider that your rights have not been adequately addressed, you may file a complaint with your country's data protection authority: ANPD (Brazil), Personal Data Protection Agency (Chile, under Law 21.719), Superintendence of Industry and Commerce (Colombia) or the competent authority in Ecuador, as applicable.
Last updated: 2026-06-26.