Privacy Policy

The BJJ Story is the data controller for personal data collected through thebjjstory.com and thebjjstory.no.

Contact information:
The BJJ Story
[ADDRESS]
Email: [CONTACT EMAIL]

We collect the following personal data:

• Google account (via OAuth login): name, email address, and Google user ID (sub). This is received directly from Google when you consent to sign in.
• Favorites: when you save a favorite, the combination of your user ID and the person ID (the person you bookmarked) is stored in our database.
• Page visit counts (anonymous): we count visits per page in a dedicated table. No personal data is associated with these counts.

We process personal data for the following purposes:

• Login and authentication: to identify you as a user and provide access to personalised features. Legal basis: contract (GDPR Art. 6(1)(b)).
• Saving favorites: to remember which athletes you have saved across visits. Legal basis: contract (GDPR Art. 6(1)(b)).
• Anonymous statistics: to understand which pages are most visited and to improve the site. Legal basis: legitimate interest (GDPR Art. 6(1)(f)). No personal data is involved.

• User data (name, email, Google ID) is kept for as long as your account is active. You may request deletion at any time.
• Favorites are automatically deleted if your account is removed.
• Anonymous page-visit data is kept indefinitely as it contains no personal data.

Under the GDPR you have the following rights regarding your personal data:

• Access: you may request a copy of the data we hold about you.
• Rectification: you may ask us to correct inaccurate data.
• Erasure: you may request that your data be deleted ("right to be forgotten").
• Data portability: you may request your data in a machine-readable format.
• Objection: you may object to processing based on legitimate interest.
• Withdrawal of consent: where processing is based on consent, you may withdraw it at any time.

To exercise your rights, contact us at [CONTACT EMAIL]. You also have the right to lodge a complaint with your national supervisory authority (e.g. Datatilsynet in Norway — datatilsynet.no) if you believe we are processing your data unlawfully.

We use the following sub-processors that may handle personal data on our behalf:

• Supabase (Supabase Inc.): our database is hosted by Supabase. Data is stored on servers in the EU/EEA. Supabase is SOC 2 Type II certified.
• Vercel Inc.: the website is hosted on Vercel, with servers in the US and EU. Vercel complies with Standard Contractual Clauses (SCCs) for international data transfers.
• Google LLC:used for OAuth sign-in (Google Sign-In). Google's own privacy terms apply to information you share with Google during sign-in. See Google's Privacy Policy.

We do not sell personal data to third parties and do not share data with anyone other than the processors listed above.

The BJJ Story only uses strictly necessary cookies to keep you logged in (session token). We do not use tracking cookies, advertising cookies, or analytics tools that require consent.

If you have questions about how we handle personal data, please contact us at:

Email: [CONTACT EMAIL]