Back to home
English

Last updated June 2026

Privacy Policy

This is a working draft. The final policy will be reviewed by counsel and published before launch.

Bulletproof Stamina ("the app", "we", "us") is built to keep your training private. This policy explains what personal data we collect, why, who processes it on our behalf, how long we keep it, and the rights you have over it. The data controller is Ludosati SL (see the Legal notice for company details).

What we collect

  • Account data — the email address and password you sign up with. You may use a throwaway email; we never ask for your real name.
  • Consents — a record that you confirmed you are 18+ and accepted the medical disclaimer, with the document version and timestamp.
  • Purchase data — that you bought the one-time access, and when. Card details are handled entirely by our payment processor; we never see or store them.
  • Your training data — course progress, porn-free day entries, session-duration entries, personal notes, and favourited techniques. This is the private content the app exists to track.
  • Support messages — any question you submit, and your conversations are not stored when you use the AI chatbot.
  • Technical data — anonymous, aggregated usage events and error reports used to keep the app working. These are not tied to your identity.

Why we use it (legal bases)

  • To provide the service you bought — performance of a contract.
  • To keep the app secure and working — our legitimate interest in a reliable, safe product.
  • To meet legal duties such as tax and consumer-law records — legal obligation.
  • Age and medical-disclaimer confirmation — your consent, recorded at sign-up.

Who processes your data

We use a small set of trusted providers ("processors") who handle data only on our instructions:

  • Supabase — database and authentication hosting (your account and training data).
  • Paddle — payment processing and Merchant of Record for the one-time purchase.
  • Vercel — application hosting and content delivery.
  • Resend — sending transactional emails (sign-up code, password reset).
  • DeepSeek — powers the optional AI chatbot. Only your message text and our course context are sent; never your account identifiers. Processing may occur outside the EU.
  • Sentry — error monitoring, with personal data scrubbed before it is sent.
  • TelemetryDeck — privacy-first, anonymised product analytics (no personal identifiers).

How long we keep it

We keep your account and training data for as long as your account exists. When you delete your account, all of it is removed (see below). Limited purchase records may be retained where the law requires it (for example, tax records).

Your privacy rights & data requests

You can permanently delete your account and all of its data at any time from Settings → Danger zone inside the app.

To request a copy of your data, or to exercise any other data-protection right — access, correction, portability, or objection — or if you can no longer sign in, email us and we will respond within one month. You also have the right to lodge a complaint with your data-protection authority; in Spain this is the Agencia Española de Protección de Datos (AEPD).

Privacy contact: privacy@ludosati.com