Who we are
Mybjjstory is a personal BJJ training journal operated from Norway under the name Mybjjstory. We are the data controller for the personal data described in this policy. For privacy questions or to exercise any of the rights below, contact us at privacy@mybjjstory.com.
This policy was last updated on 2026-06-06.
What this policy covers
This policy applies to data you provide to Mybjjstory and data we collect when you use the app at mybjjstory.com. It does not cover third-party sites we link to.
What personal data we collect
From you, when you sign up
- Email address (always)
- Password (only if you choose email + password sign-in; stored hashed by Supabase, never in plain text)
- Google identity (only if you choose "Sign in with Google" — we receive your email address and a Google-issued ID)
From you, after you sign up
- Profile: display name, username, country of residence, primary academy, belt, stripes, years training, bio
- Age & eligibility: your country of residence and birth year (year only — we never store a full date of birth). We use your birth year to apply our age rules (you must be at least 13; members under 16 get a youth-protected account with social features switched off), and your country of residence to offer the right payment options for your region in future.
- Optional profile fields: weight (kg), sex (female / male / other — only ever visible to you, never to other users), avatar image, cover image
- Geolocation (opt-in only): if you choose to turn on location-based discovery, we store your country and city only. Your browser asks the operating system for your GPS coordinates and sends them directly from your device to a reverse-geocoding service (BigDataCloud, listed under "Who we share your data with") that converts them into a country and city; only those two text values are ever sent to us. We never receive or store your precise latitude/longitude. This feature is off by default, requires your explicit consent, can be switched off at any time, and is not available to members under 16 (youth-protected accounts).
- Visibility preferences: who can see your profile, rank, activity, and session notes
- Notification preferences
From your training log
- Training sessions: date, duration, type (Gi / No-Gi / strength / flexibility / other), intensity, how you felt, location, notes, photos you upload
- Sparring rounds: partner names, snapshot of partner belt, techniques used
- Self-evaluations and partner evaluations: ratings, notes
- Promotions: belt date, academy, coach, optional note
From your interactions
- Follows, bumps (likes), comments, @mentions
- Notes you write about training partners
Technical data
- Authentication cookie (httpOnly, set by Supabase) — required to keep you signed in
- Theme cookie — remembers light or dark mode
- Local browser storage — temporarily saves your in-progress session log so you don't lose it before submit; never sent to our servers until you save
- In-app feedback — when you submit a bug report or idea via the in-app feedback widget, we record the message, the page URL, your browser's user-agent string, and the viewport size to help us reproduce the issue
Product analytics (opt-in). With your consent, we use privacy-friendly product analytics — Vercel Web Analytics and Vercel Speed Insights — to understand which features are used and how the app performs. These collect aggregate page views, referrers, an approximate country (derived by the provider from your IP, which we do not store as a separate data point), and device and performance metrics. They load only after you opt in via the consent banner shown on your first visit, and you can withdraw consent at any time from Settings → Analytics (or by declining the banner). We use no advertising trackers and no cross-site tracking pixels. Apart from opt-in analytics, we do not record your IP address as a separate data point; it appears only in the standard request logs handled by our hosting providers.
Why we collect each category — purposes and lawful bases
| Data category | Purpose | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Email + password / Google identity | Create and secure your account | Contract |
| Profile fields | Identify you to yourself and other users you choose to share with | Contract |
| Sex (optional, visible only to you) | Frame your own stats and partner evaluations against grapplers of similar age and sex | Contract |
| Geolocation (country + city, derived client-side from browser GPS via a reverse-geocoding service) | Suggest people training near you (same city / country) | Consent (Art. 6(1)(a)) — opt-in, revocable; precise GPS never stored; city shown only per your profile visibility; not offered to members under 16 (youth-protected accounts) |
| Training log + evaluations | Provide the core journaling feature you signed up for | Contract |
| Visibility preferences | Honour your explicit choices about who sees what | Consent + contract |
| Social interactions (follows, comments, bumps) | Provide social features | Contract |
| Theme cookie | Remember your display preference | Legitimate interest |
| In-app feedback (message, URL, user-agent, viewport) | Reproduce and fix bugs you report | Legitimate interest |
| Product analytics (Vercel Web Analytics + Speed Insights: aggregate page views, referrers, approximate country, device/performance) | Understand which features are used and how the app performs | Consent (Art. 6(1)(a)) — opt-in via the banner, withdraw any time in Settings → Analytics; cookieless |
| Admin audit log (when admin actions affect your account) | Security, abuse prevention, audit trail | Legitimate interest + legal obligation |
We do not engage in automated decision-making with legal effects (GDPR Art. 22). We do not profile you for advertising.
Who we share your data with
We use a small number of carefully chosen processors that handle data on our behalf:
- Supabase, Inc. — database, authentication, and file storage. Our project lives in the EU (Ireland) region.
- Vercel, Inc. — application hosting. We have configured our deployment to run server functions in the EU. If you opt in to analytics, Vercel also provides Vercel Web Analytics + Speed Insights (cookieless).
- BigDataCloud Pty Ltd — only if you turn on opt-in geolocation. Your browser sends your GPS coordinates directly to BigDataCloud's reverse-geocoding service to convert them into a country and city. The coordinates never reach our servers; we receive only the resulting country and city text.
If you choose "Sign in with Google", Google LLC receives the minimum data needed to authenticate you (your email, plus a Google account ID). For sign-in, Google acts as an independent controller — it decides its own purposes for that data, rather than processing it on our behalf — so it is not one of the processors listed above. See /sub-processors for details.
We do not sell your data. We do not share your data with advertisers. We do not share your data with other Mybjjstory users beyond what your visibility settings explicitly allow.
A full and up-to-date list of our sub-processors is available at /sub-processors.
Where your data is stored
Our database and file storage are hosted in the European Union (Ireland). Server functions are pinned to EU regions. Browser-side assets (images, scripts) are served from Vercel's global CDN — these are not personal data.
If you sign in with Google, your authentication request is processed by Google as an independent controller. Google is a US-based company and relies on the EU Commission's Standard Contractual Clauses (Module 1 — Controller to Controller) for transfers of personal data outside the EU.
How long we keep your data
- Active account data: as long as your account is active.
- Account you have asked to delete: 30 days (so you can change your mind), then permanently erased.
- Admin audit log entries: up to 24 months.
- In-app feedback (bug reports): up to 12 months.
- Backup snapshots: standard rolling backups retained for up to 30 days; encrypted at rest.
When data is permanently erased we retain only what we are legally required to keep (for example, tax records, if any) — typically nothing in this product.
Your rights
Under GDPR you have the following rights. You can exercise most of these directly inside the app, or by contacting us at privacy@mybjjstory.com.
- Right to be informed (Art. 13–14): this policy is your starting point.
- Right of access (Art. 15): on your account settings page you can download a copy of all your data as a JSON file.
- Right to rectification (Art. 16): edit your profile and your training entries at any time.
- Right to erasure / "right to be forgotten" (Art. 17): your account settings page has a "Delete my account" option. We delete your account after a 30-day grace period. If another user has written a note about you that names you, you can request its redaction from your notifications inbox — see Notes about me.
- Right to restriction of processing (Art. 18): contact us.
- Right to data portability (Art. 20): use the JSON export.
- Right to object (Art. 21): contact us.
- Right to withdraw consent (Art. 7(3)): where we process data based on consent (for example, your public profile visibility, or product analytics), you can withdraw it at any time — visibility via your visibility settings, analytics via Settings → Analytics — or by deleting your account.
- Right to lodge a complaint with a supervisory authority (Art. 77). If you are in Norway your authority is Datatilsynet (datatilsynet.no). If you live elsewhere in the EU/EEA you can complain to your local data protection authority.
We respond to rights requests within 30 days. If your request is complex, we may extend this by a further 60 days and will tell you why.
Children
Mybjjstory is not intended for children under 13, and we do not knowingly collect personal data from anyone under 13. Members who are at least 13 but under 16 get a youth-protected account: they can keep a private training log, but social features — a public profile, following others, the activity feed, comments, and location sharing — stay switched off until they turn 16. This is a single, conservative rule we apply worldwide, regardless of your country's specific digital-consent age. If you become aware that a child under 13 has provided us with personal data, please contact us and we will delete the account.
A youth-protected account is also never asked to consent to product analytics: while a youth-protected member is signed in, the analytics banner is not shown, the analytics toggle in Settings is hidden, and analytics never loads — even if consent was previously granted on the same browser. In other words, we do not offer members under 16 any consent-dependent processing at all.
Cookies and local storage
We use the following on your device:
- Authentication cookie — strictly necessary; set by Supabase to keep you signed in. Cannot be disabled if you want to use the app.
- Theme cookie — remembers whether you chose light or dark mode. Functional, not tracking.
- Local storage (session draft) — saves your in-progress session log on your device only, so you do not lose it on page refresh. Cleared when you submit.
- Local storage (analytics consent) — remembers your choice to allow or decline product analytics, so we don't ask again. Functional, not tracking.
- Product analytics (opt-in only) — if you accept the consent banner, Vercel Web Analytics and Speed Insights run. Vercel Web Analytics is cookieless by default; nothing analytics-related loads until you opt in, and you can withdraw at any time from Settings → Analytics.
We use no advertising cookies and no cross-site tracking. Product analytics is off until you opt in.
Security
We protect your data using:
- TLS in transit (all traffic is HTTPS)
- Encryption at rest (Supabase and Vercel)
- Row-level security on every personal-data table in our database
- Two-factor authentication available for admin accounts
- Audit logging on all admin actions affecting user data
- Strict access controls: only the small set of administrators we designate can view other users' data, and every such view is logged
No system is perfectly secure. If you become aware of a vulnerability, please email us at security@mybjjstory.com.
Data breaches
If a data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33, and will notify you directly without undue delay if the risk to you is high (Art. 34).
Changes to this policy
If we make material changes we will notify you by email and update the "last updated" date at the top of this page. Continued use of Mybjjstory after a change means you accept the updated policy.
Contact
For any privacy question, to exercise a right, or to report a breach, contact privacy@mybjjstory.com.