GDPR Compliance
Last updated: November 4, 2025
EU General Data Protection Regulation (GDPR)
Plate Progress is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other data protection laws. This page explains your rights under GDPR and how to exercise them.
Your Rights Under GDPR
If you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following data protection rights:
1. Right of Access
You have the right to request and receive a copy of all personal data we hold about you.
How to exercise: Go to Settings → Privacy & Data → Request Data Export, or email privacy@plateprogress.com
2. Right to Rectification
You have the right to correct any inaccurate or incomplete personal data.
How to exercise: Update your information directly in Settings, or contact support@plateprogress.com
3. Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data under certain circumstances.
How to exercise: Go to Settings → Privacy & Data → Request Account Deletion, or email privacy@plateprogress.com
4. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
How to exercise: Use the data export feature in Settings to download your data in JSON/CSV format
5. Right to Restrict Processing
You have the right to request that we limit the processing of your personal data under certain conditions.
How to exercise: Contact privacy@plateprogress.com with your specific request
6. Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing.
How to exercise: Contact privacy@plateprogress.com or adjust your communication preferences in Settings
7. Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw that consent at any time.
How to exercise: Manage your consent preferences in Settings or contact privacy@plateprogress.com
How to Exercise Your Rights
Online (Fastest)
- Log into your Plate Progress account
- Go to Settings → Privacy & Data
- Use the self-service buttons for data export or account deletion
- You'll receive a confirmation email when your request is processed
By Email
Send your request to: privacy@plateprogress.com
Please include:
- Your full name and email address associated with your account
- The specific right you wish to exercise
- Any additional details or context
Response Time
We will respond to your request within:
- Data Export: Within 48 hours (usually immediate)
- Account Deletion: Within 30 days, with confirmation email
- Other Requests: Within 30 days as required by GDPR
Legal Basis for Processing
We process your personal data based on the following legal grounds:
Contractual Necessity
Processing is necessary to provide the Service you've signed up for (e.g., storing workout data, managing your account, processing Premium subscriptions).
Legitimate Interests
We have legitimate interests in processing your data to improve the Service, prevent fraud, and ensure security. We balance these interests against your privacy rights.
Consent
For optional features like analytics, marketing emails, or social features, we process data based on your explicit consent, which you can withdraw at any time.
Legal Obligations
We may process data to comply with legal requirements, such as responding to lawful requests from authorities.
Data Protection Measures
Technical Safeguards
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest
- Row-Level Security: Database policies prevent unauthorized access to user data
- Secure Authentication: Industry-standard password hashing and session management
- Regular Audits: Security assessments and vulnerability scans
Organizational Safeguards
- Access Controls: Minimal team access with role-based permissions
- Data Minimization: We only collect data necessary for the Service
- Privacy by Design: Privacy considerations built into all features
- Staff Training: Team members trained on data protection best practices
Data Transfers
Your data may be transferred to and processed in the United States and other countries. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) - Approved by the European Commission
- EU-US Data Privacy Framework - For US-based service providers
- Adequate Safeguards - As recognized under GDPR Article 46
Our Service Providers
- Supabase (Database & Auth) - Hosted in EU region (Ireland/Frankfurt)
- Vercel (Hosting) - Global CDN with primary EU data centers
- Stripe (Payments) - GDPR-compliant payment processor, EU-US DPF certified
- Resend (Emails) - Transactional email service with EU infrastructure
All service providers are bound by Standard Contractual Clauses (SCCs) and comply with GDPR requirements for international data transfers.
Data Retention
| Data Type | Retention Period |
|---|---|
| Active Account Data | Duration of account + 30 days |
| Deleted Account Data | 30 days for recovery, then permanent deletion |
| Backup Copies | 90 days maximum |
| Analytics (Aggregated) | Indefinitely (anonymized) |
| Legal Hold Data | As required by law |
Automated Decision-Making
We do NOT engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you. Features like XP calculations, PR tracking, and leaderboards are purely informational and for gamification purposes.
Children's Privacy
Our Service is not directed at children under 13 (or the applicable age of consent in your country). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it immediately.
Data Breach Notification
In the event of a data breach that affects your personal data, we will:
- Notify the relevant supervisory authority within 72 hours (if required by GDPR)
- Inform affected users without undue delay if the breach poses a high risk
- Provide details about the breach and steps we're taking to address it
- Offer guidance on protecting yourself from potential consequences
Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority if you believe we have not complied with GDPR.
Irish Data Protection Commission (DPC)
As we are based in Ireland, our lead supervisory authority is:
- Website: dataprotection.ie
- Email: info@dataprotection.ie
- Phone: +353 (0)761 104 800
- Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Other EU residents: You may also contact your local data protection authority. Find your authority at edpb.europa.eu
Contact Our Data Protection Officer
For any GDPR-related questions or to exercise your rights:
- Email: privacy@plateprogress.com
- Subject Line: "GDPR Request" or "Data Protection Inquiry"
Updates to This Policy
We may update this GDPR compliance page to reflect changes in our practices or legal requirements. Significant changes will be communicated via email and in-app notification.
This GDPR compliance page was last updated on November 4, 2025.
We are committed to transparency, data protection, and respecting your privacy rights under GDPR and other applicable laws.