Privacy policy
Version 2.0 · Last updated: May 6, 2026 · Compliant with GDPR (EU), Quebec Law 25, and PIPEDA (Canada). The French version is the binding reference; this English version is provided for convenience.
In one sentence
OwnDesk only stores what is necessary to run your gym (account, bookings, payments, athletic performance, community). No reselling, no third-party advertising tracking, no sharing with marketing partners — ever.
1. Data controller
OwnDesk is a trademark operated by Fabien Barcelo, self-employed in Canada. Official contact: support@owndesk.co. Mailing address available upon legitimate request.
For Owners located in the European Union, OwnDesk may designate a representative within the meaning of Article 27 of the GDPR; this information will be published here as soon as available.
2. Data Protection Officer (DPO)
For any question regarding your data or to exercise your rights, contact the person responsible for personal information protection: support@owndesk.co (with “DPO” in the subject for priority). Response within 30 days.
3. Data collected and legal bases
| Category | Examples | Legal basis (GDPR art.6) |
|---|---|---|
| Identity | Name, email, phone, profile photo | Contract performance |
| Athletic activity | Bookings, attendance, PRs, goals, challenges | Contract performance |
| Payments | Transaction history (amount, date, status). Card stored by Stripe only. | Contract performance + legal obligation (taxation) |
| Declared health | Self-declared health notes or injuries (explicit consent) | Consent (GDPR art.9) |
| Technical | Server logs (IP, user-agent), session cookies | Legitimate interest (security) |
| Communications | Internal messages, community posts, PR photos | Contract performance |
4. Subprocessors (GDPR Article 28)
OwnDesk uses the following subprocessors, all contractually committed to GDPR and Quebec Law 25 standards:
| Subprocessor | Use | Location |
|---|---|---|
| Supabase | Database + authentication + file storage | Frankfurt (EU) |
| Stripe | Payment processing (PCI-DSS Level 1) | United States |
| Vercel | Web hosting + CDN | Multi-region (EU primary) |
| Resend | Transactional emails | EU / US |
| Sentry | Error observability | EU |
| PostHog | Product analytics (anonymized) | EU (Frankfurt instance) |
| Anthropic | AI coach briefings (Claude API). No training on your data. | United States |
For transfers outside the EU and Canada (Stripe, Anthropic in particular), OwnDesk relies on the Standard Contractual Clauses of the European Commission (SCC 2021) and applicable adequacy decisions.
5. Retention period
- Active account: as long as the account is in use.
- Closed account: 30-day grace period for reactivation or export, then permanent deletion.
- Technical logs: 30 days (security, debugging).
- Tax and transactional data: 7 years (legal accounting obligation in Canada and the European Union).
- Self-declared health notes: deletable at any time from the profile. Otherwise kept for the duration of the account.
- Photos and community posts: deletable at any time. Incremental backups retained for 30 days.
6. Your rights
In accordance with GDPR and Quebec Law 25, you can at any time:
- Access your data from your OwnDesk profile (CSV or JSON export).
- Rectify via your profile settings.
- Delete (“right to be forgotten”): from the profile or by email to support@owndesk.co. Processed within 30 days, except for legal retention obligations.
- Portability: receive your data in a structured format (JSON or CSV).
- Restrict or object to processing: write to us with the reason.
- Withdraw your consent at any time (especially for health notes).
- Complaint: with the CAI (Quebec Access to Information Commission) or the data protection authority of your country.
7. Data breach notification
In the event of a personal data breach likely to pose a risk to your rights, OwnDesk notifies:
- the competent authorities (CAI Quebec, CNIL or EU authority) within 72 hours;
- affected Users without unreasonable delay, by email, describing the nature of the breach, likely consequences, and measures taken.
8. Cookies and trackers
OwnDesk only uses strictly necessary cookies for the operation of the Service:
- login session (Supabase auth) — duration: session or 30 days if “remember me” is enabled;
- UI preferences (dark mode, language) — duration: 1 year, deletable from the browser.
No third-party advertising tracking (Google Ads, Meta Pixel, TikTok…). PostHog is used in anonymized mode for product metrics (feature adoption rate, average flows) — no individualized user profile. You can opt out via support@owndesk.co.
9. Minors
OwnDesk is not intended for people under 14 (Quebec Law 25 threshold) or 16 (GDPR threshold depending on country). The Owner of a gym warrants that they collect appropriate parental consent for underage Members before inviting them to the Platform.
10. Changes
This policy may change. Any substantial change is notified by email at least 30 days before it takes effect. The “last updated” date at the top of the document is authoritative.
See also the terms of service.