Draft — pending legal review. Behaviour of the Service is current; wording will be finalised before launch.

Privacy Policy

Last updated: 18 April 2026

1. Who we are

Jodaro Gym is the controller of your personal data processed through Knock Out Challenge. Digital Empower provides the underlying platform (Rondz) as a processor on Jodaro Gym's behalf.

Contact for privacy matters: privacy@digitalempower.nl. Digital Empower has not appointed a Data Protection Officer; the controller contact above is the primary point for data-subject requests.

2. What we collect

We collect only what the Service needs to work.

  • Account data — name, email, password hash (via Clerk), role, language preference, profile photo if you upload one.
  • Intake & body data — age, gender, height, weight, activity level, fitness goal, target weight, optional allergies. Used to generate your calorie and macro plan.
  • Weekly progress — weight check-ins, optional measurements (waist, chest, hips, arms), optional progress photos.
  • Diary — weekly reflections, highlights, struggles, mood rating, optional photos.
  • Exercise logs — sessions, type, duration, effort, notes.
  • Meals — meals logged as eaten or favourited; coach-authored meal plans assigned to you.
  • Chat — messages between you and your assigned coach.
  • Billing data — (tenants only) contact name, address, invoicing email.
  • Technical data — session cookies (Clerk), locale preference cookie, and consented analytics cookies if you opt in.

3. Why we process it (legal basis)

  • Contract (Art. 6(1)(b) GDPR) — to deliver the programme you signed up for: calculating your calorie plan, storing your weekly logs, enabling coach communication, hosting your chat thread.
  • Legitimate interest (Art. 6(1)(f)) — keeping the Service secure, preventing abuse, error diagnostics.
  • Legal obligation (Art. 6(1)(c)) — retaining invoice records for 7 years under Dutch tax law.
  • Consent (Art. 6(1)(a)) — non-essential cookies (analytics, marketing). You can withdraw consent at any time from the cookie banner or settings.

4. Automated decisions & AI features (Art. 22)

Rondz uses AI (Anthropic Claude) to generate suggestions, not to make decisions with legal or similarly significant effects about you.

  • Calorie & macro engine — on intake completion, Claude produces a calorie and macronutrient target from the information you entered. This is a starting point; you and your coach remain in charge.
  • Daily corner message ("Vanuit de hoek") — when your coach has not written a message, Claude generates a short motivational line from your recent activity. You cannot regenerate it; the message resets daily.
  • Coach chat drafts — your coach can draft a message with an AI suggestion; a human coach reviews and sends it. No AI message is ever sent to you automatically.
  • Meal suggestions — the meal planner pulls recipes from Spoonacular filtered by your calorie targets and allergies; it does not make medical or dietary decisions.

You have the right to contest any decision, request human review, or opt out of AI features entirely by contacting your coach or privacy@digitalempower.nl.

5. Children

Rondz is not directed at children. If you are under 16, Dutch law (UAVG, implementing GDPR Art. 8) requires the consent of a parent or legal guardian before your data can be processed. If you believe a child has signed up without proper consent, contact privacy@digitalempower.nl and we will delete the account.

6. Sub-processors

We use the following sub-processors. Each is bound by a Data Processing Agreement.

  • Clerk (US) — authentication & account data.
  • Neon (EU — Frankfurt) — Postgres database hosting.
  • Vercel (US, EU edge) — application hosting & CDN.
  • Cloudflare R2 (EU) — encrypted storage for progress, diary, and logo images. All access via short-lived presigned URLs.
  • Anthropic (US) — Claude API for the calorie engine, corner message, and coach draft. Inputs are ephemeral; Anthropic does not train on API data.
  • Spoonacular (US) — recipe data for the meal planner. We send your calorie target and allergy tags; no personally identifying data.
  • Stripe (via Nexus, our sister billing system) — tenant invoicing. Participants never enter card data into Rondz.

7. International transfers

Transfers to US sub-processors rely on the EU–US Data Privacy Framework where the provider is certified, or on Standard Contractual Clauses (SCCs) otherwise. We keep primary storage in the EU (Neon Frankfurt, Cloudflare R2 EU).

8. How long we keep it

  • Account & programme data — while your account is active, plus 90 days after cancellation so a returning participant can resume. After that, deleted.
  • Invoice records — 7 years, required by Dutch tax law (Algemene Wet Rijksbelastingen art. 52).
  • Chat messages — retained with the thread for the duration of the programme, deleted on erasure request.
  • Analytics cookies — up to 24 months, only if you opted in.

Erasure requests are actioned within 30 days. Invoice records may be retained beyond that under the tax-law exception above.

9. Your rights

Under GDPR you have the right to:

  • Access a copy of your data (Art. 15).
  • Correct inaccurate data (Art. 16).
  • Have your data erased (Art. 17), subject to the tax-law retention above.
  • Restrict processing (Art. 18).
  • Receive your data in a portable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Contest automated decisions and request human review (Art. 22).
  • Withdraw consent at any time (Art. 7(3)).

Exercise any of these by emailing privacy@digitalempower.nl or contacting Jodaro Gym directly. We respond within one month.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

10. Security

Data is transmitted over TLS. Images are stored in tenant-isolated buckets with short-lived presigned URLs — buckets are never public. Passwords are hashed and managed by Clerk; multi-factor authentication is available and recommended. Database queries are scoped by tenant at every layer so no participant data can leak across tenants.

In the event of a personal-data breach, we notify the supervisory authority within 72 hours (GDPR Art. 33) and affected data subjects where required (Art. 34).

11. Cookies

Rondz uses strictly necessary cookies (session, locale) without consent. Analytics and marketing cookies require your opt-in via the consent banner. See the Cookie Policy for the full list.

12. Changes to this policy

If we materially change this policy, we will notify you in-app or by email before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

Digital Empower · Nieuwegein, Netherlands · privacy@digitalempower.nl