Privacy Policy

Last Updated: December 16, 2024

1. Introduction

Grappling Reviews ("we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website grapplingreviews.com and use our services. We process personal data in compliance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection laws. Please read this policy carefully. By using our services, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for processing your personal data is:

nStern Digital Solutions UG (haftungsbeschränkt)

Wilhelm-Leuschner-Straße 68

60329 Frankfurt am Main

Germany

Managing Director: Felix Morgenstern

Commercial Register: Amtsgericht Frankfurt am Main, HRB 125245

VAT ID: DE349156874

For any questions regarding data protection, you can contact us at:

info@grapplingreviews.com

3. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account Registration Data

When you create an account, we collect:

  • Email address (required)
  • Password (stored in hashed form using Supabase Auth)
  • If you register via Google OAuth: your name, email address, and profile picture URL as provided by Google

3.2 Profile Information

When you set up and update your profile, we may collect:

  • Username (public display name)
  • Full name
  • Biography/personal description
  • BJJ belt rank (white, blue, purple, brown, black, red)
  • Profile picture/avatar

3.3 User-Generated Content

When you submit reviews or comments, we collect:

  • Star rating (1-5 stars)
  • Written review text
  • Photos you upload with your review
  • Date and time of submission

3.4 Gym Owner Data

If you claim ownership of a gym listing, we collect:

  • Business email address
  • Phone number
  • Written proof of ownership/authorization
  • Supporting documents (business registration, utility bills, etc.)

3.5 Gym Information

If you add or manage a gym, we collect:

  • Gym name and address
  • Geographic coordinates (latitude/longitude)
  • Gym description and facilities
  • Logo, cover image, and gallery photos
  • Website, social media links, contact information
  • Class schedules and event information

3.6 Technical and Usage Data

We automatically collect:

  • IP address (anonymized after 7 days)
  • Browser type and version
  • Device type and operating system
  • Pages visited and interactions
  • Referring website
  • Access timestamps
  • Language preferences

3.7 Location Data

We may collect:

  • Approximate location derived from IP address (city/region level)
  • Location searches you perform to find gyms

We do NOT collect precise GPS location without explicit consent.

4. Purpose of Processing

We process your personal data for the following purposes:

  • Providing our Services: To operate the Grappling Reviews platform, display gym information, enable user accounts, and facilitate reviews.
  • Account Management: To create and manage your user account, authenticate your identity, and provide customer support.
  • Communication: To respond to your inquiries, send service-related notifications, and inform you about important changes.
  • Ownership Verification: To verify gym ownership claims and manage the gym verification process.
  • Service Improvement: To analyze usage patterns, identify bugs, and improve our website's functionality and user experience.
  • Security and Fraud Prevention: To protect against unauthorized access, abuse, and fraudulent activities.
  • Legal Compliance: To comply with legal obligations, respond to lawful requests, and protect our legal rights.

5. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

Consent (Art. 6(1)(a) GDPR)

Where you have given us explicit consent to process your data for specific purposes, such as uploading photos or sharing location data. You can withdraw consent at any time.

Contract Performance (Art. 6(1)(b) GDPR)

Where processing is necessary to provide our services to you, including creating your account, enabling reviews, and processing gym ownership claims.

Legitimate Interests (Art. 6(1)(f) GDPR)

Where processing is necessary for our legitimate business interests, such as improving our services, ensuring security, preventing fraud, and analyzing usage patterns. We have conducted balancing tests to ensure your rights are not overridden.

Legal Obligation (Art. 6(1)(c) GDPR)

Where processing is necessary to comply with legal obligations under German and EU law.

6. Data Sharing and Third-Party Processors

We share your personal data with the following categories of recipients:

6.1 Service Providers (Sub-processors)

We use the following service providers who process data on our behalf under strict Data Processing Agreements (DPAs):

Supabase Inc.

Purpose: Database hosting, user authentication, and file storage

Location: Data is stored in Supabase Cloud (EU region when available, otherwise US with Standard Contractual Clauses)

Data: All user data, authentication data, uploaded files

Privacy Policy: https://supabase.com/privacy

DigitalOcean LLC

Purpose: Website hosting and application infrastructure

Location: Servers located in Frankfurt, Germany (EU region)

Data: Server logs, IP addresses, technical data

Privacy Policy: https://www.digitalocean.com/legal/privacy-policy

HERE Global B.V.

Purpose: Map visualization for displaying gym locations

Location: Netherlands (EU)

Data: Map interactions, location searches

Privacy Policy: https://legal.here.com/privacy

Google LLC

Purpose: OAuth authentication (sign in with Google)

Location: United States (with Standard Contractual Clauses)

Data: Only when you choose to sign in with Google: name, email, profile picture

Privacy Policy: https://policies.google.com/privacy

6.2 Publicly Visible Information

The following information may be publicly visible on our platform:

  • Your reviews, ratings, and associated photos
  • Your username and profile picture
  • Gym information you submit (for verified gym owners)

6.3 Legal Disclosures

We may disclose your data when required by law, court order, or to protect our legal rights.

7. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

Transfer mechanisms we use include:

  • Adequacy decisions by the European Commission (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules (where applicable)
  • Your explicit consent for specific transfers

We regularly assess the data protection practices of our service providers and the legal frameworks of recipient countries.

8. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy:

  • Account data: Retained until you delete your account, then deleted within 30 days
  • Reviews: Retained until you delete them or your account; anonymized reviews may be retained
  • Ownership claim documents: Retained for 3 years after claim resolution for dispute purposes
  • Server logs: IP addresses anonymized after 7 days, aggregated logs retained for 12 months
  • Legal retention: Some data may be retained longer if required by German commercial or tax law (up to 10 years)

When you request account deletion, we will delete or anonymize your personal data within 30 days, except where we are legally required to retain it.

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

Right of Access (Art. 15 GDPR)

You can request a copy of all personal data we hold about you, free of charge.

Right to Rectification (Art. 16 GDPR)

You can request correction of inaccurate or incomplete personal data.

Right to Erasure (Art. 17 GDPR)

You can request deletion of your personal data ("right to be forgotten") when the data is no longer necessary for its original purpose.

Right to Restriction (Art. 18 GDPR)

You can request limitation of processing while we verify accuracy or assess legitimate interests.

Right to Data Portability (Art. 20 GDPR)

You can request to receive your data in a structured, commonly used, machine-readable format (JSON).

Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.

Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you can withdraw it at any time without affecting prior processing.

Rights Related to Automated Decision-Making (Art. 22 GDPR)

We do not use automated decision-making or profiling that produces legal effects concerning you.

To exercise any of these rights, please contact us at info@grapplingreviews.com. We will respond within 30 days. We may need to verify your identity before processing your request.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. The competent supervisory authority for us is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit

Postfach 3163, 65021 Wiesbaden, Germany

https://datenschutz.hessen.de

You may also contact your local supervisory authority if you reside in a different EU member state.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. We use essential cookies for authentication and security, and may use analytics cookies with your consent. For detailed information about the cookies we use, please see our Cookie Policy.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Authentication: Secure password hashing using bcrypt, multi-factor authentication support
  • Access Control: Role-based access control, principle of least privilege
  • Monitoring: Regular security audits, intrusion detection, and vulnerability assessments
  • Backups: Regular encrypted backups with secure storage
  • Staff Training: All personnel with data access are trained in data protection
  • Incident Response: We have procedures to detect, report, and investigate data breaches

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 GDPR.

14. Children's Privacy

Our services are not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately. If we discover that we have collected personal data from a child under 16, we will delete it promptly.

15. Third-Party Links

Our website may contain links to third-party websites (gym websites, social media profiles). We are not responsible for the privacy practices of these external sites. We recommend reviewing their privacy policies before providing any personal data.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We will notify you of material changes by posting a prominent notice on our website and updating the "Last Updated" date. For significant changes affecting your rights, we may also notify you by email. We encourage you to review this policy periodically.

17. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy, our data practices, or wish to exercise your data protection rights, please contact us at:

nStern Digital Solutions UG (haftungsbeschränkt)

Wilhelm-Leuschner-Straße 68

60329 Frankfurt am Main, Germany

We strive to respond to all legitimate inquiries within 30 days.