Privacy Policy.
This policy explains what personal data we collect when you visit mainact.co, why we collect it, how it is processed, and what rights you have. It is written to satisfy our information duties under Art. 13 GDPR. For information about the operator of this site, please also see our Imprint.
Who is responsible.
The controller (Verantwortlicher) within the meaning of Art. 4 (7) GDPR is:
71384 Weinstadt
Deutschland
Represented by: Clara Funke and Timon Scharly
Registered at Amtsgericht Stuttgart, HRB 803720
VAT ID (USt-IdNr.): DE460182843
Email: scharly.timon@gmail.com
For all questions about the processing of your personal data, please write to us at the email address above.
Data Protection Officer
We are not currently required to appoint a Data Protection Officer under § 38 BDSG. If you have a data protection concern, please contact the controller directly using the details above.
Data we process when you visit this site.
2.1 Server log files
When you visit mainact.co, your browser automatically transmits standard technical data that our hosting provider records in log files. These include:
- your IP address
- the date and time of the request
- the page requested and HTTP status code
- your browser type, version, and operating system
- the referring URL
This data is processed on the basis of Art. 6 (1) (f) GDPR, with our legitimate interest being the secure, stable, and functional operation of our website (defence against attacks, error analysis, capacity planning). Server logs are automatically deleted or anonymised after 30 days at the latest.
Our website is hosted by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Firebase Hosting, Cloud Firestore, Cloud Functions, Cloud Storage, Firebase Authentication). Function and database workloads run primarily in the europe-west3 region (Frankfurt am Main).
A transfer to the United States is not excluded, as Google LLC (USA) as parent company may have access in the context of processing on our behalf. As safeguards we rely on the EU–US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023) and additionally on EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR). A data processing agreement under Art. 28 GDPR is in place with Google (Google Cloud Data Processing Addendum).
2.2 Web fonts
All typefaces used on this site (Fraunces, Inter, JetBrains Mono, DM Serif Display) are loaded directly from our own servers. No font data is requested from third-party services, and no font-related data is transmitted to Google or any other external provider.
Email signups & account creation.
3.1 Waitlist signups
When you fill in the "Be one of the first" form on the landing page (entering your email address and selecting a role — instructor, studio, or athlete), we store that information so we can notify you when early access opens and so we can send you a confirmation email summarising what to expect next. Submitting the form does not create a user account.
Data we process:
- your email address;
- the role you selected;
- the referring URL and any UTM parameters present in the page URL (for example, utm_source) — used to understand how visitors found us;
- a one-way SHA-256 hash of your IP address (not the IP itself), salted, used solely to throttle abusive resubmissions for one hour;
- technical metadata such as the submit timestamp and a randomly generated unsubscribe token.
Email addresses are stored under a SHA-256 hash of the address as the document ID, with the plain-text address only inside the document body so we can actually send you mail.
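The following is an added illustration, not the project's own Cloud Function: a Python sketch of the waitlist handler logic described above, with the salted SHA-256 IP hash, the one-hour throttle and the hashed-email document ID. The dicts, the `WaitlistStore` class and the placeholder salt are assumptions for the example; in production the salt would stay in server configuration and the dicts would be Firestore documents.

```python
import hashlib
import secrets
import time

# Constructed example (not the project's Cloud Function): the salted IP hash,
# one-hour throttle and hashed document ID the policy describes, with dicts
# standing in for Firestore. The salt is a placeholder kept in server config.
THROTTLE_WINDOW_SECONDS = 3600
IP_SALT = b"placeholder-salt-kept-in-server-config"

def email_doc_id(email: str) -> str:
    """Document ID is the SHA-256 of the normalised address (trimmed, lower-cased)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def ip_throttle_key(ip: str, salt: bytes = IP_SALT) -> str:
    """Salted one-way hash of the IP; the raw address is never written anywhere.
    The salt stops the hash being reversed by hashing the whole IPv4 range."""
    return hashlib.sha256(salt + ip.encode("utf-8")).hexdigest()

class WaitlistStore:
    def __init__(self):
        self.entries = {}   # doc_id -> waitlist entry
        self.throttle = {}  # ip hash -> time of last accepted submit

    def submit(self, email, role, ip, referrer=None, utm_source=None, now=None):
        """Accept one submission per IP hash per hour; store the entry under its hashed ID."""
        now = time.time() if now is None else now
        key = ip_throttle_key(ip)
        last = self.throttle.get(key)
        if last is not None and now - last < THROTTLE_WINDOW_SECONDS:
            return {"accepted": False, "reason": "throttled"}
        doc_id = email_doc_id(email)
        self.entries[doc_id] = {
            "email": email.strip().lower(),  # the only place the plain address lives
            "role": role,                    # "instructor", "studio" or "athlete"
            "referrer": referrer,
            "utm_source": utm_source,
            "submitted_at": now,
            "unsubscribe_token": secrets.token_urlsafe(32),
            "unsubscribed_at": None,
        }
        self.throttle[key] = now
        return {"accepted": True, "doc_id": doc_id}

    def purge_throttle(self, now=None):
        """Drop throttle hashes older than one hour; returns how many remain."""
        now = time.time() if now is None else now
        self.throttle = {k: t for k, t in self.throttle.items()
                         if now - t < THROTTLE_WINDOW_SECONDS}
        return len(self.throttle)
```

Purging the throttle map is what keeps the IP hash from outliving its one-hour purpose.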
Legal basis: Art. 6 (1) (a) GDPR (your consent, given by submitting the form) and, for the confirmation email, Art. 6 (1) (b) GDPR (performance of pre-contractual measures at your request).
Processors:
- Google Ireland Limited — Cloud Firestore (Frankfurt, europe-west3) and Cloud Functions store the entry and run the form handler. See section 02 for the transfer framework.
- Resend, Inc., 2261 Market Street #4667, San Francisco, CA 94114, USA — delivers the confirmation email and any future waitlist communication you receive from hello@mainact.co. Resend processes your email address and the message content solely to deliver the message. Transfer to the United States is covered by EU Standard Contractual Clauses under Art. 46 (2) (c) GDPR and, where applicable, the EU–US Data Privacy Framework. A data processing agreement under Art. 28 GDPR is in place.
Retention: Waitlist entries are retained until the platform launches and we have either onboarded you or completed the launch communication, after which entries are deleted on request or at the latest within 24 months of inactivity. You can unsubscribe at any time using the link at the bottom of each email — that marks the entry as unsubscribed and stops further sends. You can also request full deletion at scharly.timon@gmail.com.
Your right to withdraw consent: at any time, with effect for the future, by clicking the unsubscribe link in any confirmation email or by writing to scharly.timon@gmail.com. The lawfulness of any processing before your withdrawal is not affected.
3.2 Account creation
If we invite you to early access and you click through to create an account, you provide your email address and any further profile information you voluntarily supply (such as name, role, and city).
Legal basis: Art. 6 (1) (b) GDPR (performance of pre-contractual measures and contract performance) for the provision of the user account; Art. 6 (1) (f) GDPR (operation of the platform) for related technical processing.
Processors: Google Ireland Limited (Firebase Authentication, Cloud Firestore) — see section 02 for the legal-transfer details and DPA framework.
Retention: As long as your account exists. On request we delete your account and the associated data; statutory retention obligations (e.g. §§ 147 AO, 257 HGB for invoicing data) remain unaffected.
Your right to withdraw: You can request deletion of your account at any time by writing to scharly.timon@gmail.com. Withdrawing your consent does not affect the lawfulness of any processing before withdrawal.
3.3 Following an instructor (email updates)
When you click "Follow" on a public instructor profile and submit your email address, we send you a confirmation email (double opt-in) and — once you confirm — periodic updates about that instructor's classes, workshops, or other offerings. You can subscribe without creating a user account.
Data we process:
- your email address;
- the instructor you chose to follow (Firestore user id);
- your chosen frequency (weekly Sunday digest or every update);
- technical metadata: a randomly generated confirmation token (used only to verify the link you click in the confirmation email; discarded after confirmation), a randomly generated unsubscribe token, and timestamps for sign-up, confirmation, and unsubscribe.
Double opt-in: Until you click the confirmation link, no further emails are sent. If you do not confirm within 72 hours, the confirmation link expires; we do not write again.
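The following is an added illustration, not the project's own Cloud Function: a Python sketch of the double opt-in flow described in this section, with a single-use confirmation token that expires after 72 hours, a separate unsubscribe token, and pruning of never-confirmed entries after 30 days. The `FollowStore` class, the dict store and the document-ID format are assumptions for the example; in production the entries would be Firestore documents.

```python
import hmac
import secrets
# Constructed example (not the project's Cloud Function): the double opt-in
# flow the policy describes, with a dict standing in for Firestore.
CONFIRM_TTL_SECONDS = 72 * 3600             # confirmation link valid for 72 h
PRUNE_UNCONFIRMED_SECONDS = 30 * 24 * 3600  # unconfirmed entries pruned after 30 days

class FollowStore:
    def __init__(self):
        self.entries = {}  # doc_id -> follower entry

    def subscribe(self, email, instructor_uid, frequency, now):
        """Create an unconfirmed entry; return the id and token for the confirmation link."""
        doc_id = f"{instructor_uid}_{secrets.token_hex(8)}"
        confirm_token = secrets.token_urlsafe(32)
        self.entries[doc_id] = {
            "email": email.strip().lower(),
            "instructor_uid": instructor_uid,
            "frequency": frequency,                      # "weekly" or "every_update"
            "confirm_token": confirm_token,              # discarded once confirmed
            "unsubscribe_token": secrets.token_urlsafe(32),
            "created_at": now, "confirmed_at": None, "unsubscribed_at": None,
        }
        return doc_id, confirm_token

    def confirm(self, doc_id, token, now):
        """Honour the link only if the token matches and the 72 h window is open."""
        entry = self.entries.get(doc_id)
        if entry is None or entry["confirm_token"] is None:
            return False                                 # unknown or already confirmed
        if now - entry["created_at"] > CONFIRM_TTL_SECONDS:
            return False                                 # expired; no reminder is sent
        if not hmac.compare_digest(entry["confirm_token"], token):
            return False
        entry["confirmed_at"] = now
        entry["confirm_token"] = None                    # single use
        return True

    def unsubscribe(self, doc_id, token, now):
        entry = self.entries.get(doc_id)
        if entry is None or not hmac.compare_digest(entry["unsubscribe_token"], token):
            return False
        entry["unsubscribed_at"] = now                   # stops all further sends
        return True

    def may_send(self, doc_id):
        e = self.entries.get(doc_id)
        return bool(e and e["confirmed_at"] is not None and e["unsubscribed_at"] is None)

    def prune_unconfirmed(self, now):
        stale = [d for d, e in self.entries.items() if e["confirmed_at"] is None
                 and now - e["created_at"] > PRUNE_UNCONFIRMED_SECONDS]
        for d in stale:
            del self.entries[d]
        return len(stale)
```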
Legal basis: Art. 6 (1) (a) GDPR (your consent, given explicitly via the confirmation click). Each instructor you follow is a separate, individually revocable consent.
Processors:
- Google Ireland Limited — Cloud Firestore (Frankfurt, europe-west3) stores the follower entry, Cloud Functions run the confirmation flow and digest scheduler. See section 02 for the transfer framework.
- Resend, Inc., 2261 Market Street #4667, San Francisco, CA 94114, USA — delivers all follow-related emails (confirmation, welcome, weekly digest, new-class triggered updates) from hello@mainact.co. Resend processes your email address and the message content solely to deliver the message. Same EU Standard Contractual Clauses, EU–US Data Privacy Framework coverage, and Art. 28 DPA as for waitlist signups (section 3.1).
Retention: We retain your follower entry as long as the subscription is active. When you unsubscribe (via the link in any email, the self-service subscription page, or by request) we set an unsubscribe timestamp and stop all sends; the entry itself is then deleted on request or at the latest within 24 months of inactivity. Unconfirmed entries (where the confirmation link was never clicked) are pruned after 30 days.
Your right to withdraw consent: at any time, with effect for the future, by:
- clicking the Unsubscribe link at the bottom of any follow-related email (one-click, no login required) — also exposed via the List-Unsubscribe mail header so your inbox client can offer a native unsubscribe affordance;
- using the self-service subscription page linked in every email, to change frequency, unsubscribe from a single instructor, or unsubscribe from all;
- writing to scharly.timon@gmail.com.
The lawfulness of any processing before your withdrawal is not affected.
No profiling, no ads: we do not enrich your email address with third-party data, do not run behavioural profiling, and do not sell or share follower data with advertisers. The only outbound use of your address is the email updates you explicitly subscribed to.
Google Calendar integration (instructor opt-in).
Signed-in instructors can optionally connect a Google Calendar account from /app/settings → Calendar to detect scheduling conflicts between mainact classes and personal calendar events, and (planned) to publish mainact classes back into the connected calendar. Athlete and studio users do not see this surface; only instructor accounts can connect.
OAuth scopes requested:
- openid, userinfo.email, userinfo.profile — the Google account identity (email address shown in Settings as "Connected as {email}"; profile name reserved for future UI display);
- calendar.events — read events from your selected Google Calendar to render them in the mainact scheduling view and detect time conflicts with planned classes; in the future also write mainact classes back to your calendar (opt-in via Settings).
Data we process:
- your Google account email address and (when permitted) display name;
- event metadata of the calendars you authorise: title, start/end time, location, attendee count, recurrence — stored under externalCalendarEvents/{uid}_{eventId} in our Firestore;
- OAuth access + refresh tokens, stored server-side under calendarTokens/{uid}_google with security rules that deny all client reads and writes (tokens are never exposed to the browser);
- connection metadata (status, last sync timestamp, last error) under calendarConnections/{uid}_google.
Legal basis: Art. 6 (1) (a) GDPR — your explicit consent via the Google OAuth consent screen. Each connection is individually revocable.
Processors:
- Google Ireland Limited — Cloud Firestore (Frankfurt, europe-west3) stores tokens + imported events; Cloud Functions (Frankfurt) run the OAuth callback and scheduled sync. Calendar data is fetched from Google LLC via the Google Calendar API under Google's Calendar API Terms of Service. See section 02 for the transfer framework.
Retention while connected: we keep imported calendar events as long as the connection is active and refresh them on each sync. Tokens are kept until disconnect or until Google revokes them.
Data retention after disconnect:
- OAuth tokens are immediately revoked with Google when you click Disconnect in Settings;
- all externalCalendarEvents/{uid}_{eventId} records are deleted from Firestore within 24 hours;
- no backup or cache of calendar data is retained beyond this window.
Your right to withdraw consent: at any time, with effect for the future, by:
- clicking Disconnect in /app/settings → Calendar;
- revoking access at myaccount.google.com/permissions — mainact's next sync will then fail with invalid_grant, and we delete the imported events within 24 hours;
- writing to scharly.timon@gmail.com.
The lawfulness of any processing before your withdrawal is not affected.
No profiling, no ads: we do not enrich calendar data with third-party data, do not run behavioural profiling on event content, and do not share calendar data with advertisers or any party outside the processors listed above.
The contact form.
The "Get in touch" contact form on this site opens your own email client (via a mailto: link) with the subject and message you typed, addressed to scharly.timon@gmail.com. Submitting the form does not send your data through any server we operate — your message travels from your own email client through your email provider to our inbox.
Once your message arrives at scharly.timon@gmail.com, we process it to respond to your inquiry. The legal basis is either Art. 6 (1) (b) GDPR (if your inquiry relates to a potential contract or product use) or Art. 6 (1) (f) GDPR (our legitimate interest in responding to inquiries).
Email hosting: Our inbox is operated by Zoho Mail (Zoho Corporation B.V., Beneluxlaan 4B, 3527 HT Utrecht, Netherlands). Email data is stored on Zoho's EU data centres (Netherlands / Ireland). A data processing agreement under Art. 28 GDPR is in place.
Retention: We retain correspondence for as long as the matter is active, and afterwards typically for up to 24 months for follow-up purposes, unless a longer retention is legally required (e.g., commercial correspondence under § 257 HGB / § 147 AO can require 6–10 years).
Recipients: Only the founders of mainact and, where necessary, our IT/email service provider as processor. We do not share inquiry data with third parties for marketing.
Cookies and tracking.
This site currently does not use cookies for analytics, marketing, or tracking. We do not use Google Analytics, advertising pixels, A/B testing tools, session-recording tools, or similar technologies. We do not set non-essential cookies on your device. For this reason, no consent banner is displayed under § 25 (2) TDDDG.
Essential browser storage we do use: our pre-launch signup and portal routes are gated by a single password; once you enter it, a small flag is written to your browser's sessionStorage so you don't have to re-enter it on every page within the same tab. This is strictly necessary to provide the function you requested (entering the gated area) and falls under the exemption in § 25 (2) Nr. 2 TDDDG. The flag is cleared automatically when you close the tab and contains no personal data. If you log into a user account, Firebase Authentication additionally stores session tokens locally — also strictly necessary to keep you logged in.
If we add analytics, marketing, or tracking technologies in the future, we will update this policy and implement a compliant consent banner before activation.
Transfers to countries outside the EU / EEA.
Some of the services described above transfer data to countries outside the European Union, in particular the United States. For each such transfer we rely on one of the following legal mechanisms:
- An adequacy decision by the European Commission, in particular the EU–US Data Privacy Framework (for providers certified under it);
- Standard Contractual Clauses under Art. 46 (2) (c) GDPR, supplemented where appropriate by additional technical and organisational measures;
- Your explicit consent under Art. 49 (1) (a) GDPR, where applicable.
You can obtain copies of the safeguards used for any specific transfer by writing to scharly.timon@gmail.com.
Your rights as a data subject.
Under the GDPR, you have the following rights regarding personal data we process about you:
To exercise any of these rights, please contact us at scharly.timon@gmail.com. We will respond within one month (Art. 12 (3) GDPR), with one extension of up to two further months in complex cases.
Right to lodge a complaint with a supervisory authority.
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for our registered seat is:
70173 Stuttgart
www.baden-wuerttemberg.datenschutz.de
You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence or workplace.
Children.
This site is not directed at users under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you become aware that a person under 18 has submitted data to us, please contact us so we can delete it.
Security.
This site is delivered exclusively via TLS-encrypted HTTPS connections. We apply technical and organisational measures appropriate to the risks of the processing, including access controls, encryption in transit, and the principle of data minimisation.
Bookings & payments (1:1 sessions).
When you book a paid 1:1 session with an instructor, we process the data needed to perform that booking: your name, email address and (optionally) phone number, together with the session details (instructor, date, time, price, status). The legal basis is the performance of the booking contract (Art. 6 (1) (b) GDPR).
Payment is handled by Stripe Payments Europe, Ltd. (Stripe) as our payment service provider; card data is processed by Stripe and is not stored by us. Stripe acts as a processor / independent controller for payment data under its own terms and may transfer data outside the EU under EU Standard Contractual Clauses. The charge is made on the instructor's connected Stripe account.
We retain the booking record for accounting and tax purposes, but your contact details associated with a booking are automatically anonymised 18 months after the session date (the amount, date and status are kept without personal identifiers). The cancellation, refund and rescheduling rules that apply to your booking are set out in our Booking Terms.
Changes to this policy.
We may update this policy when we change our processing activities, add new tools (such as analytics), or when legal requirements change. The current version is always available at this URL. Material changes will be communicated by appropriate means (e.g., a notice on the site or, where you have given us your email, by email).