This Privacy Policy explains what personal data Body Prison collects, why, how it is protected, who it is shared with, and the rights you have over it. We are committed to handling your data lawfully, fairly and transparently under the EU & UK GDPR, the California Consumer Privacy Act as amended by the CPRA, Canada's PIPEDA (and Québec's Law 25), and other applicable privacy laws.
Who operates Body Prison: Body Prison is operated by Gal Patrik Stirn s.p. (trading as Body Prison), Detelova 10, 4000 Kranj, Slovenia ("Body Prison", "we", "us", "our"), who is the data controller for the purposes of this policy.
Body Prison is a private online community and digital product platform accessible at www.bodyprison.com.
For all privacy matters — including any request to exercise your rights — contact our privacy contact at bodyprison.book@gmail.com.
EU establishment: We are established in the European Union (Slovenia), so no Article 27 representative is required.
We collect only what we need to run the platform. The categories below also map to the "categories of personal information" disclosure required by California law.
| Category | Examples | Source |
|---|---|---|
| Identifiers & account data | Email address, display name, chosen alias, hashed password | You, at sign-up |
| Profile data | Tagline, profile photo (optional), join/"awakening" date | You |
| User content | Messages, breakthroughs, transmissions, reactions, images you post | You |
| Activity data | XP, streaks, message counts, last-active time | Generated by use |
| Commercial data | Purchase of access (order confirmation, access code) — handled by Stripe | Stripe / you |
| Technical & usage data | IP address (transient, for security), browser/device type, aggregated page views | Automatic |
We do not collect government IDs, and we do not store your payment card number, bank details, or billing address — those are handled entirely by Stripe (see Section 7). We do not knowingly collect special-category/sensitive data; please do not post it.
We do not sell your data, do not "share" it for cross-context behavioural advertising, do not run advertising, and do not use your data to make solely automated decisions with legal or similarly significant effects (see Section 12).
Body Prison is intentionally low-tracking. We use only what is necessary to keep you logged in and to understand traffic in a privacy-preserving way.
| Technology | Purpose | Type |
|---|---|---|
| Supabase auth token (browser local storage) | Keeps you signed in between visits | Strictly necessary |
| Vercel Web Analytics | Aggregated, anonymised page-view counts | Cookieless — sets no cookies and does not track you across other sites |
We use no advertising cookies, no third-party tracking cookies, and no cross-site profiling. Because we rely only on strictly-necessary storage and a cookieless analytics tool, no consent banner is legally required; if we ever add non-essential cookies, we will request your consent first.
We share data only with the service providers needed to run Body Prison. Each acts as our processor under a data-processing agreement and has its own privacy policy.
| Provider | Role | Data location |
|---|---|---|
| Supabase | Database, authentication, file storage | European Union (Ireland, eu-west-1) |
| Vercel | Website hosting, CDN, cookieless analytics | Global edge network; company US-based |
| Stripe | Payment processing (PCI-DSS Level 1) | EU/US, global |
| Resend | Transactional email delivery | US |
| Google Fonts | Font delivery | Global CDN |
We never sell or rent your data to anyone. We may disclose data if required by law, to protect our rights, or to prevent harm.
Purchases are processed by Stripe. Your card number, security code, bank and billing details are entered directly with Stripe and are never seen or stored by us. We receive only your email and an order/payment confirmation so we can issue your access code. See Stripe's Privacy Policy.
Your core account and content data is stored in the European Union (Ireland). Some processors (e.g. Stripe, Resend, Vercel) may process limited data in the United States or other countries. Where data leaves the EU/UK, transfers are protected by appropriate safeguards under GDPR Articles 44–49 — typically the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and/or the EU–US Data Privacy Framework where the provider participates.
| Data | Retention |
|---|---|
| Account, profile, content | Until you delete your account or ask us to delete it |
| Purchase / transaction records | As required by tax and accounting law (typically 6–7 years), in minimised form |
| Security logs (incl. transient IP) | Short-term only, then deleted |
| Encrypted backups | Purged on a rolling cycle (up to ~30 days) after deletion |
You can delete your account at any time using the self-service "Delete Account" button in The Hub, or by emailing us.
Uploading images (including photos of yourself) is voluntary. By uploading, you confirm you own or have the right to share the image, you have the consent of anyone identifiable in it, and it contains no illegal content.
No system is perfectly secure. If a breach affects your rights and freedoms, we will notify the competent supervisory authority within 72 hours and affected users without undue delay, as required by law.
We do not subject you to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. XP and streaks are simple activity counters, not automated decision-making about you.
You have the right to access your data; to correct it; to erase it; to restrict or object to processing; to data portability; and to withdraw consent at any time. To exercise any right, email bodyprison.book@gmail.com; we respond within one month. You may also lodge a complaint with your local supervisory authority (e.g. Ireland's Data Protection Commission, or the UK ICO).
California residents have the right to know, to access, to correct, to delete, and to opt out of the "sale" or "sharing" of personal information, plus the right to limit use of sensitive personal information and the right to non-discrimination for exercising these rights.
If you are in Canada, you may access and correct your personal information and withdraw consent (subject to legal/contractual limits). We collect, use and disclose personal information only for the purposes identified here, with your knowledge and consent. You may direct questions or complaints to us and, if unresolved, to the Office of the Privacy Commissioner of Canada (or, for Québec residents, the Commission d'accès à l'information).
The platform is intended for adults. We do not knowingly collect data from children under 13 (or under 16 in parts of the EU without parental consent). If you believe a child has registered, contact us and we will delete the account promptly.
We may update this policy. We will revise the "Last updated" date and, for significant changes, notify members via the platform. Continued use after changes means you accept the updated policy.
Contact our privacy team directly
bodyprison.book@gmail.com
We aim to respond to privacy requests within the timeframes required by law (typically 30–45 days).