Legal information

Privacy policy

Last updated:

1. Data controller

The controller of personal data collected through the website zorinlabs.com and the services of the Zõrin ecosystem (My Fit World, Medra and other products identifiable with the brand) is:

  • Owner: Raúl García Díaz
  • Tax ID (NIF): 45348381V
  • Address: Camino de la Cruz, 107, 35400 Arucas, Las Palmas, Spain
  • Email: hello@zorinlabs.com

If you have any questions about the processing of your data, you can get in touch via email indicating "Data protection" in the subject line.

2. What data we collect

2.1. When you browse our website

  • Minimal technical data: IP address, browser type, operating system, pages visited, time spent. See the Cookie Policy for details.
  • Meeting bookings (Cal.com): the "Book a meeting" section embeds a form from Cal.com, Inc. (USA). When that section is shown, your browser connects to Cal.com and sends it your IP address, user-agent and, if you fill in the form, the data you enter (name, email, reason, booked time). Cal.com acts as a Data Processor on behalf of Zõrin Labs.

2.2. When you contact us (contact form or email)

  • First name and last name
  • Email
  • Phone (optional)
  • Company (optional)
  • Message content

2.3. When you contract a service (My Fit World, Medra or other)

  • Identifying data: first name, last name, email, phone.
  • Billing data: tax ID, legal name, fiscal address.
  • Payment data processed by Stripe. Zõrin Labs does not store card numbers: Stripe, which is PCI DSS certified, is the direct controller of that data.
  • Subdomain and brand configuration chosen at contracting.

2.4. When you use the products as an end user

In products like My Fit World, users (a coach's clients, for example) may enter additional data depending on the feature: body measurements (weight, body fat %, measurements), progress photos, routines, nutrition plans, chat messages with their coach.

In these cases, Zõrin Labs acts as Data Processor on behalf of the professional (the coach, clinic or studio that has contracted), who is the Data Controller for the data of their own clients. The data processing agreement (art. 28 GDPR) is formalised when the service is contracted.

3. Purposes and legal basis of processing

| Purpose | Legal basis (art. 6 GDPR) | Data |
|---|---|---|
| Respond to enquiries sent through the contact form | User consent — art. 6.1.a GDPR | Name, email, phone (opt.), message |
| Manage contracting and execution of contracted services | Contract performance — art. 6.1.b GDPR | Identifiers, billing, tenant configuration |
| Comply with legal obligations (tax, accounting, commercial) | Legal obligation — art. 6.1.c GDPR | Billing data, transactions |
| Send service communications (trial, invoices, incidents) | Contract performance / Legitimate interest — art. 6.1.b / 6.1.f GDPR | Email |
| Send commercial communications about similar products | Legitimate interest with right to object — art. 21.2 LSSI-CE | Email |
| Minimal site analytics (without advertising profiling) | Legitimate interest / Consent — depending on cookies used | Aggregated technical data |

4. Who do we share your data with?

Zõrin Labs does not sell personal data. Data is shared only with Data Processors (providers) strictly necessary to deliver the service, subject to a contract that guarantees the level of protection required by GDPR:

| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting and software execution (serverless infrastructure) | EU (Frankfurt · fra1) |
| Cal.com, Inc. | Meeting booking from the website (embedded form) | USA with standard contractual clauses |
| Neon Inc. | Managed PostgreSQL database | EU (Frankfurt) |
| Vercel Blob | Photo storage (e.g. progress photos in My Fit World) | EU |
| Stripe Payments Europe, Ltd. | Payment processing and billing | EU (Ireland) / USA with standard contractual clauses |
| Resend | Transactional email (invitations, credentials, notifications) | EU / USA with standard contractual clauses |
| ImprovMX | Inbound email forwarding for the zorinlabs.com domain | USA with standard contractual clauses |
| Anthropic PBC | AI model (Claude) for internal content generation | USA with standard contractual clauses — no data used to train the model |
| GitHub Inc. | Source code repositories (no customer data) | USA with standard contractual clauses |
| DonDominio | Domain registration | EU (Spain) |

Additionally, data may be shared with Public Administrations, Courts or Tribunals when there is a legal obligation.

5. International transfers

Some providers (Cal.com, Stripe, Resend, ImprovMX, Anthropic, GitHub) have headquarters or infrastructure outside the European Economic Area. In these cases, transfers are covered by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, or
  • Adequacy decisions in force (e.g. the EU-US Data Privacy Framework when the provider is certified).

6. Retention period

  • Contact data without subsequent contracting: kept for a maximum of 2 years from the last contact, unless you exercise your right of erasure earlier.
  • Active customer data: for the duration of the contract and as long as necessary to provide the service.
  • Billing data: kept for 6 years by legal obligation (art. 30 Spanish Commercial Code and General Tax Law).
  • After service cancellation: operational data is kept for 30 days for possible reactivation; after that, it is deleted or anonymised, except for legal retention obligations.

7. Your rights

As the data subject, you can exercise the following rights:

  • Access: know what data of yours we process.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request the deletion of your data when it is no longer necessary or you withdraw consent.
  • Objection: object to certain processing (especially commercial communications).
  • Restriction: ask that processing be restricted while a dispute is being resolved.
  • Portability: receive your data in a structured format (CSV/JSON) to transfer to another controller.
  • Not be subject to automated decisions: Zõrin Labs does not make decisions with legal effect based solely on automated processing.

How to exercise them: send an email to hello@zorinlabs.com with the subject "GDPR Rights" indicating the right you wish to exercise and attaching a copy of an identifying document. We will respond within one month.

Complaint to the supervisory authority: if you consider that your rights have not been adequately addressed, you can file a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan, 6, 28001 Madrid.

8. Data security

We apply technical and organisational measures to protect the confidentiality, integrity and availability of personal data, including:

  • TLS encryption in transit for all site traffic and APIs.
  • Encryption at rest in the database (Neon).
  • Passwords stored with scrypt (never in plain text).
  • Session tokens marked HttpOnly and Secure.
  • Role-based access control (RBAC) and multi-tenant isolation by tenant_id.
  • Automatic daily backups.
  • Periodic dependency review for vulnerabilities.

9. Minors

The services are aimed at users over 18 years of age. If a contracting professional (for example, a My Fit World coach) wants to process minors' data, it is their responsibility to obtain consent from legal guardians in accordance with art. 8 GDPR and art. 7 of Spanish LOPDGDD.

10. Changes to this policy

This Privacy Policy may be updated when new services, providers or applicable laws are added. Any changes will be published at this same URL with the corresponding "Last updated" date. If changes are substantial, affected users will be notified by email.