Privacy policy
Last updated: 2026-05-29
Overview
This privacy policy explains which personal data we process when you use Xircuit (the "Service") at https://app.xircuit.com or via our mobile applications, on what legal basis we process it, with whom we share it, and which rights you have under the EU General Data Protection Regulation (GDPR).
Xircuit is a multi-tenant software-as-a-service platform for fitness clubs, gyms, personal trainers, spas, beauty and hair studios, therapy practices, and individual end-users. Depending on the tier you or your organisation has licensed, Xircuit may process ordinary personal data, billing data and activity data, and — for the Practice tier only — health data within the meaning of Article 9 GDPR.
Controller
The controller within the meaning of Article 4 (7) GDPR is:
ThreeB IT GmbH
Bergstrang 105
49479 Ibbenbüren
Germany
Email: hello@threebit.io
For data processed on behalf of a business customer (e.g. a gym, practice or studio that uses Xircuit to manage its own members or patients), that customer is the controller and ThreeB IT GmbH acts as a processor under a separate data-processing agreement (DPA, Art. 28 GDPR).
Data protection officer
You can reach our data-protection contact at hello@threebit.io. We will appoint a formal data protection officer where required by Art. 37 GDPR or § 38 BDSG; the contact details will be published here as soon as the appointment becomes mandatory.
Categories of personal data we process
Depending on how you use the Service, we process:
- Account data: name, email address, authenticated user identifier from Auth0, organisation membership, role.
- Profile and preference data: display name, avatar, language, theme.
- Usage data: pages visited, actions taken within the Service, device and browser type, IP address, timestamps.
- Billing data (where you purchase a paid tier): company name, billing address, VAT ID, payment status (the payment itself is processed by our payment service provider).
- Activity and wellness data (Gym, Club, PT, Spa tiers): bookings, check-ins, body metrics you enter, earned achievements.
- Health data (Practice tier only, Art. 9 (2)(h) GDPR): patient profile, medical notes, insurance-claim information. This data is only processed for the purposes of preventive medicine, medical diagnosis, the provision of health care or treatment, or the management of health-care systems, by users acting under a duty of professional secrecy.
After account deletion, ThreeB IT GmbH retains: (a) billing records and related accounting documents for the period required by § 257 HGB / § 147 AO (10 years); (b) anonymised audit traces for security forensics; (c) records owned by the clinics, gyms, or studios you used during your subscription — those remain under the respective organisation's privacy policy and statutory retention rules (e.g. § 630f BGB for medical records, 10 years).
Legal bases for processing
We rely on the following legal bases under Article 6 (1) GDPR:
- (b) Performance of a contract: to provide, operate and bill the Service to you or your organisation.
- (c) Legal obligation: to comply with German commercial, tax and accounting law (e.g. retention periods under § 147 AO, § 257 HGB).
- (f) Legitimate interest: to operate the Service securely, to detect fraud and abuse, to maintain server logs, to monitor errors via Sentry, and to defend legal claims.
- (a) Consent: where required, e.g. for non-essential cookies or for marketing communications. Consent can be withdrawn at any time with effect for the future.
For health data in the Practice tier we additionally rely on Article 9 (2)(h) GDPR in conjunction with § 22 (1) no. 1 lit. b BDSG; processing is performed by or under the responsibility of professionals subject to professional secrecy. Where this basis does not apply we will obtain explicit consent under Article 9 (2)(a) GDPR.
Recipients and processors
We share personal data only with carefully selected processors who act on our documented instructions under Art. 28 GDPR. The current processors are:
- Auth0 by Okta (identity and authentication) — EU region. Auth0's parent company is established outside the EEA; transfers to the parent are covered by the EU Standard Contractual Clauses (SCCs) and supplementary measures.
- Microsoft Azure (hosting, databases, storage) — EU regions (West Europe / North Europe). Transfers outside the EEA, if any, are covered by SCCs and the EU-U.S. Data Privacy Framework.
- Functional Software, Inc. dba Sentry (error and performance monitoring) — EU region. Transfers outside the EEA, if any, are covered by SCCs.
- Our future email delivery provider (to be disclosed before general availability) — will be selected on the basis of EU hosting and an Art. 28 DPA.
We do not sell personal data and we do not use it for cross-context behavioural advertising.
International transfers
We host the Service in the European Union and we contractually require our processors to keep data in the EU/EEA wherever possible. Where a processor's group structure makes onward transfers to a third country unavoidable, those transfers are covered by an adequacy decision of the European Commission or by the EU Standard Contractual Clauses together with supplementary technical and organisational measures (encryption in transit and at rest, access controls, EU-bound support routing). On request we will provide a current list of sub-processors and the relevant safeguards.
Retention periods
We retain personal data only for as long as necessary for the purposes for which it was collected:
- Account data: for the duration of the contract and up to 90 days after termination to allow account recovery; thereafter deleted or anonymised.
- Billing and tax records: 10 years (§ 147 AO, § 257 HGB).
- Server and security logs: up to 30 days, longer only in case of a security incident.
- Error-monitoring data in Sentry: up to 90 days.
- Health data (Practice tier): in accordance with statutory retention periods for medical documentation; deletion routines are configurable by the controlling practice.
After expiry of the retention period the data is securely deleted or irreversibly anonymised.
Cookies and similar technologies (§ 25 TTDSG)
We use only cookies that are strictly necessary to provide the Service you have requested. These cookies are exempt from the consent requirement of § 25 (2) no. 2 TTDSG:
- Session cookie: maintains your signed-in session.
- CSRF token cookie: protects you against cross-site request forgery.
- Preference cookies: remember your selected language and theme.
We do not use advertising, marketing or cross-site tracking cookies. We do not integrate third-party analytics. If we ever introduce non-essential cookies we will first obtain your consent through a compliant consent banner.
Your rights
Subject to the conditions of the GDPR you have the right to access (Art. 15), portability (Art. 20), erasure (Art. 17), and the other rights listed below:
- access your personal data (Art. 15),
- have inaccurate data corrected (Art. 16),
- request erasure (Art. 17),
- request restriction of processing (Art. 18),
- receive your data in a portable format (Art. 20),
- object to processing based on a legitimate interest (Art. 21),
- withdraw any consent you have given, with effect for the future (Art. 7 (3)).
To exercise your right of access or portability (Art. 15, 20 GDPR), open Profile → Your data → Request data export. To exercise your right of erasure (Art. 17), open Profile → Danger zone → Delete my account. See https://app.xircuit.com/legal/account-deletion for the deletion process and what is retained.
For all other rights, or if you prefer to contact us directly, write to hello@threebit.io. We will respond within one month in accordance with Article 12 (3) GDPR. Where Xircuit acts only as a processor for your gym, practice or studio, please address your request to that organisation; on request, we will forward it to them.
Account deletion
You may delete your Xircuit account at any time by opening Profile → Danger zone → Delete my account.
Deletion takes effect 30 days after you submit the request (the "grace period"). During this period your account remains accessible and you can cancel the deletion in any of three ways:
1. Profile → Danger zone → Cancel deletion
2. The persistent banner shown at the top of every app page while deletion is pending
3. The cancel-link in the deletion-request confirmation email we send you immediately after you submit the request
At the end of the grace period, if the request has not been cancelled, your account is permanently deleted and we send you a confirmation email. Permanent deletion cannot be undone.
What is removed: all account data, profile data, activity and wellness data, and any content you created that is classified as user-owned (see "Categories of personal data" above). What is retained: (a) billing records and related accounting documents for the statutory retention period (§ 257 HGB / § 147 AO, 10 years); (b) anonymised audit traces for security forensics; (c) records owned by the clinics, gyms, or studios you used during your subscription — those records remain under the respective organisation's privacy policy and statutory retention obligations (e.g. § 630f BGB for medical records, 10 years) and are outside our control.
See https://app.xircuit.com/legal/account-deletion for the full description of the deletion mechanism and what is retained.
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA member state of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR). The supervisory authority competent for ThreeB IT GmbH is the data-protection authority of the federal state in which the company has its registered office.
Automated decision-making
We do not use the personal data we process for automated decision-making or profiling within the meaning of Article 22 GDPR that produces legal effects concerning you or significantly affects you in a similar way.
Security
We implement appropriate technical and organisational measures pursuant to Article 32 GDPR, including TLS encryption in transit, encryption of data at rest in Azure, principle-of-least-privilege access controls, audit logging, secret management and regular security reviews. For the Practice tier we apply additional safeguards consistent with the sensitivity of health data.
Changes to this policy
We will update this privacy policy where necessary to reflect changes to the Service or to applicable law. The current version is identified by the "Last updated" date at the top of this page. We will notify users in advance of material changes that require renewed consent or that adversely affect data-subject rights.