Privacy Policy
Susanoo SAS ("FitResa") is committed to protecting the personal data of its users. This policy describes what data is collected, why, how it is processed, and what your rights are.
1. Data controller
- Data controller: Susanoo SAS
- Address: 7 RUE DU GENERAL LECLERC, 94350 VILLIERS-SUR-MARNE
- GDPR contact: legal@fitresa.com
- Data Protection Officer (DPO): Hervé BOYER, legal@fitresa.com
2. Data collected
| Category | Data | Profile |
|---|---|---|
| Identity | Name, email address | Professionals + End Users |
| Account | Credentials, hashed password, registration date | Professionals + End Users |
| Professional activity | Studio name, discipline, photos, pricing, schedule | Professionals |
| Billing | Card data (managed by Stripe), billing history | Professionals |
| Bookings | Date, time, service, status, history | End Users |
| Communications | Emails sent, SMS, push notifications | All |
| Health data (optional) | Medical information in client profile (injuries, contraindications) | End Users |
| Technical data | IP address, browser, access logs, session data | All |
3. Purposes and legal bases for processing
| Purpose | Legal basis | Data concerned | Profile |
|---|---|---|---|
| Account creation and management | Contract performance | Identity, account | All |
| SaaS service provision | Contract performance | All data | Professionals |
| Booking management | Contract performance / Legitimate interest | Bookings, identity | End Users |
| Payment processing (subscriptions) | Contract performance | Billing | Professionals |
| Transactional emails | Contract performance | Email, activity | All |
| SMS reminders | Contract performance / Consent | Phone number | End Users |
| Analytics and service improvement | Legitimate interest | Technical data (anonymised) | All |
| Marketing communications | Consent | | Professionals |
| Health data processing | Explicit consent | Health data | End Users |
| Legal and accounting obligations | Legal obligation | Billing, identity | Professionals |
4. Sub-processors and recipients
FitResa uses the following sub-processors to operate its services. Each has been selected for its data protection guarantees:
| Sub-processor | Role | Country | Guarantees |
|---|---|---|---|
| Stripe | Payment processing (subscriptions) | Transfer outside EU — USA | SCCs + DPA |
| Resend | Transactional emails | Within the EU | DPA |
| SMSFactor / SMS Partner | SMS sending | Within the EU — France (EU) | DPA |
| Anthropic (Claude API) | AI assistance features | Transfer outside EU — USA | DPA + SCCs |
| Ionos SE | VPS hosting (Coolify) | Within the EU | DPA |
5. Transfers outside the European Union
Some of our sub-processors are established outside the European Union (notably Stripe and Anthropic, based in the United States). These transfers are governed by Standard Contractual Clauses (SCC) approved by the European Commission, or an equivalent mechanism providing an adequate level of protection. You may obtain a copy of these guarantees by contacting us at the address in section 10.
6. Retention periods
| Data category | Retention period |
|---|---|
| Active Professional account | Duration of subscription + 3 years after termination |
| Booking data | 3 years after last activity |
| Billing data | 10 years (legal accounting obligation) |
| Technical logs | 12 rolling months |
| Health data | Period defined by the Professional (as data controller) — deleted on account closure |
| Marketing emails | Until unsubscription or 3 years of inactivity |
| Data after account deletion | Permanent deletion within 30 days, subject to legal obligations |
7. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — obtain a copy of the data held about you
- Right of rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your data (subject to legal retention obligations)
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to restriction — request suspension of processing pending review
- Right to withdraw consent at any time, without prejudice to prior processing
To exercise your rights, send your request to legal@fitresa.com. FitResa will respond within 30 days. You also have the right to lodge a complaint with the CNIL (French data protection authority) at cnil.fr, or with your national supervisory authority.
8. Data security
FitResa implements appropriate technical and organisational measures to protect your data against unauthorised access, loss or alteration: encryption in transit (TLS) and at rest (AES-256), secure authentication (magic link), role-based access control (RBAC), access logging, regular backups. In the event of a data breach likely to result in a risk to your rights and freedoms, FitResa will notify the CNIL (French data protection authority) within 72 hours and inform you as soon as possible.
9. Cookies
FitResa uses technically necessary cookies (session, authentication, preferences) and, with your consent, analytics cookies to measure audience anonymously. No advertising or third-party tracking cookies are set without your explicit consent. For more information, please see our Cookie Policy.
10. Use of artificial intelligence
FitResa may use Anthropic's Claude API for certain assistance features. Data transmitted to the API is processed in accordance with Anthropic's privacy policy. FitResa commits to transmitting only strictly necessary data and to anonymising or pseudonymising data where possible. Anthropic states that it does not use API customer data to train its models.
11. Changes to this policy
FitResa reserves the right to modify this policy at any time. Any material change will be notified to users by email with 30 days' notice. The current version is always accessible from the site footer.
12. Contact and exercising your rights
- GDPR contact: legal@fitresa.com
- Address: 7 RUE DU GENERAL LECLERC, 94350 VILLIERS-SUR-MARNE