Privacy Policy
Information pursuant to Art. 13 and 14 GDPR.
1. Data Controller
The controller within the meaning of the GDPR (Art. 4 No. 7) is:
Ironstead — Owner Jakob Seiffert
Kentroper Weg 60a
59063 Hamm
Germany
Email (privacy): datenschutz@iron-stead.com
General contact: contact@iron-stead.com
A data protection officer is not required by law (no applicable case under Art. 37 GDPR or §38 BDSG) and has not been appointed. Privacy enquiries may be directed to the email address above.
2. Data we process
When you visit this website we process technically necessary data (truncated IP address, user agent, timestamp). When registering as a coach: first name, last name, email, hashed password. In the product: training data, sets, RPE, notes, check-ins, photos — pseudonymized and linked to coach and trainee IDs.
3. Purposes & Legal Basis
- Contract performance (Art. 6(1)(b) GDPR) — provision of the coaching platform.
- Legitimate interest (Art. 6(1)(f) GDPR) — logging, security, abuse prevention.
- Consent (Art. 6(1)(a) GDPR) — AI Critique, optional cookies, marketing.
4. AI Critique (Vertex AI)
With the trainee's explicit consent we send pseudonymized training data (no real names) to Google Vertex AI in the Frankfurt region (eu-west-3). Processing is carried out under a data processing agreement with Google Cloud EMEA Ltd. No training on customer data takes place. Trainees can withdraw consent at any time in the app.
5. Payments (Paddle)
Paddle.com Market Limited (Ireland) acts as reseller (Merchant of Record). For payment processing we transmit the data required for invoicing to Paddle. Paddle's own privacy policy also applies.
6. Crash diagnostics (Sentry)
To ensure the technical stability of the app, we collect technical diagnostic data on crashes and errors (error and stack information, device type, app version) via the Sentry service. The legal basis is our legitimate interest in stable, error-free operation (Art. 6(1)(f) GDPR). Personal data such as email addresses, names or access tokens is removed from the error reports on the device before they are transmitted; only pseudonymous technical data is sent. Processing is carried out on our behalf in an EU data region (data processing agreement with the provider). The retention period follows the retention settings of the Sentry project. You may object to this processing at any time under Art. 21 GDPR with an informal email.
7. Reach measurement (Plausible)
To measure site reach we use Plausible Analytics (Plausible Insights OÜ, EU-hosted). Plausible works without cookies and without personal identifiers; only aggregated, anonymous page views are evaluated. No cross-device recognition takes place. Because no cookies or other storage technologies are used on your terminal device (§ 25 TDDDG — German Telecommunications Digital Services Data Protection Act) and the processing of personal data (e.g. the truncated IP address) is based on our legitimate interest in data-minimizing reach measurement (Art. 6(1)(f) GDPR), no separate consent is required.
8. Push notifications
Push notifications are delivered via the push services of the respective platform: on iOS via the Apple Push Notification service (APNs, Apple Inc.), on Android via Firebase Cloud Messaging (FCM, Google LLC), and via Expo's push service (exp.host, Expo, operated by 650 Industries, Inc.). For delivery, a device-specific push token (an online identifier and therefore personal data) and the content of the respective notification are transmitted to these services. Apple, Google and Expo act as processors in this context. As part of APNs, FCM and Expo's push service, a transfer to the USA takes place. For Apple (APNs) and Google (FCM) it is based primarily on the EU-US Data Privacy Framework (adequacy decision of the EU Commission under Art. 45 GDPR); in addition, the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and the Google Cloud / Firebase Data Processing Addendum apply as appropriate safeguards. For Expo's push service (650 Industries, Inc.), the transfer is safeguarded by the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) as the appropriate safeguard. The legal basis for sending push notifications is your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time with effect for the future via the notification settings of your terminal device.
9. Your rights
You have, at any time, the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21). An informal email is sufficient to exercise these rights.
10. Retention period
Account data: up to 3 months after account deletion (cleanup job). Invoice data: 10 years (§147 AO — German Fiscal Code). Logs: 30 days.
11. Contact & Complaint
Privacy enquiries: datenschutz@iron-stead.com
Under Art. 77 GDPR you have the right to lodge a complaint with a supervisory authority. The authority responsible for the controller is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW) — State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
Kavalleriestraße 2–4
40213 Düsseldorf
Email: poststelle@ldi.nrw.de
Web: ldi.nrw.de