Privacy and Cookie Policy
This Privacy and Cookie Policy ("Policy") applies to the processing of your personal data by Leonardo Ferro ("we" or "us") through "wodflow.fit" ("Platform") in accordance with Regulation (EU) 2016/679 – General Data Protection Regulation ("GDPR"), the Italian Legislative Decree 196/2003 (as amended), Directive 2002/58/EC – ePrivacy Directive (as amended), and other applicable local laws ("Data Protection Laws").
1. Data Controller
The Data Controller is Leonardo Ferro (private individual). For any requests regarding the processing of your personal data, please email us at leonardoferro@wodflow.fit.
2. Categories of Personal Data We Collect, Purposes and Legal Bases for Our Processing
We process the following categories of personal data, for the purposes and on the legal bases indicated below. Please note that not all the below information may be deemed personal data in your jurisdiction in all cases.
| Purpose | Legal basis | Categories of processed data |
|---|---|---|
| a. To enable you to use our Platform, including creating and managing your account, organizations, workouts, bookings, and memberships. | Processing is necessary for the performance of a contract to which you are party (art. 6(1)(b) of the GDPR). | Identification and contact information (such as first and last name, email address), account credentials, organizational role, and any other information you provide through the Platform that is necessary to its functioning. |
| b. To comply with our legal obligations and any other obligations arising out of the instructions received from the authorities. | Compliance with a legal obligation to which we are subject (art. 6(1)(c) of the GDPR). | Any information necessary to ensure the performance of these purposes. |
| c. To establish, exercise or defend our rights, and to carry out corporate transactions or operations (for example, in case of bankruptcy, merger, acquisition, reorganization, sale of assets or assignments, and due diligence related to any such transactions). | The legal basis for the processing is our legitimate interest (art. 6(1)(f) of the GDPR) to establish, exercise or defend our rights and to carry out corporate transactions or operations. | Any information necessary to ensure the performance of these purposes. |
| d. To process and respond to customer support communications and to requests for information you may raise with us. | The legal basis for the processing is the performance of our contractual relationship (art. 6(1)(b) of GDPR). | Identification and contact information you provide us (such as first and last name, email address) and the content of your communication or request. |
To know how we process your personal data through the use of cookies and similar technologies, see Section 8 (Cookies) below.
3. Data Retention
Personal data may be processed by both automated and non-automated means and may be stored on our service providers' servers. We adopt technical and organizational measures designed to prevent the loss, improper use and alteration of your personal data. In some cases, we may also adopt data encryption and pseudonymization measures. However, transmissions over the Internet are never 100% secure, and you should not provide any personal data if you want to avoid any risk.
Personal data processed for the purposes referred to in Section 2.a) and 2.d) will be kept for a period not exceeding the one necessary for the said purposes and, in each case, for no more than 3 years from the date of your last interaction with the Platform.
Personal data processed for the purposes referred to in Section 2.b) will be kept up to 5 years from the date of your last interaction with the Platform.
Personal data processed for the purposes referred to in Section 2.c) will be kept up to 10 years from the date of your last interaction with the Platform.
To know how long your data is stored through cookies and similar technologies, see Section 8 (Cookies) below.
4. Your Choices
Providing account and navigation data is necessary if you want to use our Platform and its features. The same goes for the information you share with us when you contact us to request information or support. You can freely decide whether to accept cookies and other tracking technologies not strictly necessary for the functioning of the Platform as indicated in Section 8 (Cookies) below.
5. Sharing Your Personal Data
We may share or disclose your personal data to the following categories of recipients:
- subjects carrying out activities that are related or instrumental to our business and operational activities as outsourced data processors appointed in writing in accordance with Data Protection Laws, or acting as autonomous data controllers (such as IT or storage service providers, authentication service providers, analytics service providers, and email delivery services);
- public, judicial or police authorities, within the limits established by applicable laws;
- in the event that we undertake extraordinary corporate transactions or operations (e.g., in the event of bankruptcy, mergers and acquisitions, reorganizations, sale of businesses or assets, and in connection with due diligence relating to such transactions), our advisors and potential purchasers, and your personal data may form part of the assets being transferred to a new owner.
Personal data will not be disclosed for any reason other than those stated above, unless such disclosure is deemed necessary for the fulfillment of a legal obligation or if we request your consent.
6. Transfer of Your Personal Data Outside the European Economic Area
We may transfer your personal data from the European Economic Area ("EEA") to other countries outside the EEA (e.g. if your personal data is processed by third-party service providers located outside the EEA, such as analytics providers).
Such data transfers are based on appropriate safeguards in accordance with Data Protection Laws, including (a) the standard contractual clauses developed by the European Commission; (b) the decisions of adequacy of the European Commission; or (c) Binding Corporate Rules.
More information on the relevant data transfers and appropriate warranties is available for consultation by sending an email to leonardoferro@wodflow.fit.
7. Your Rights
At any time and free of charge, you can exercise the following rights, as specified and subject to certain limitations and exceptions under Data Protection Laws:
- Right of access. You have the right to obtain information about the processing of your personal data and to access it.
- Right to rectification. You have the right to ask for the updating, rectification or integration of your personal data.
- Right to erasure. You have the right to request the deletion of your personal data.
- Right to restriction of processing. You have the right to request the restriction of the processing of your personal data.
- Right to data portability. You have the right to obtain a portable electronic copy of your personal data.
- Right to object. Where we rely on our legitimate interest to process your personal data, you have the right to object to such processing, wholly or partly, on grounds related to your particular situation.
- Right to withdraw your consent. Where we rely on your consent to process your personal data, you have the right to withdraw your consent, although the processing carried out before your withdrawal of consent will remain valid.
You also have the right to lodge a complaint before the competent national Data Protection Authority, in particular before the Data Protection Authority of the Member State of your habitual residence, place of work or place of the alleged infringement.
To exercise your rights, or if you have any other questions about privacy or data protection, you can contact us by sending an email to leonardoferro@wodflow.fit. We may take reasonable steps to verify your identity prior to responding to your request.
8. Cookies
What are cookies and tracking technologies?
When we use the word "cookies" in this Policy, we mean any tracking technology that stores or accesses information on the user's device, including any SDK, tracking pixel, HTML5 local storage, local shared object, and fingerprinting technique.
Cookies are usually classified:
- (A) by purpose (Technical cookies, Analytics cookies, Profiling cookies);
- (B) by publisher (First-party cookies, Third-party cookies); and
- (C) by duration (Session cookies, Permanent cookies).
This classification is important because different legal requirements apply based on how the cookie is classified.
A. By purpose
Technical cookies
Technical cookies are used solely for the purpose of transmitting messages over an electronic communication network, or to provide a service specifically requested by the user. In other words, technical cookies are essential for the correct functioning of the Platform and to provide the service offered to and requested by the user.
For example, technical cookies are used to maintain your authenticated session after logging in, so you do not have to re-enter your credentials on every page.
Technical cookies do not need your consent.
Analytics cookies
Analytics cookies may be used to assess the effectiveness of the Platform, to evaluate and improve its design, or to help measure its traffic. They collect aggregate data on the number of visitors and how they interact with the Platform to improve its services.
Please consider that if analytics cookies are properly anonymized, they can be installed without your previous explicit consent.
B. By publisher
First-party cookies
Cookies installed directly by wodflow.fit. The publisher installs the cookies directly without using any third-party publishers.
Third-party cookies
Cookies set by external providers other than wodflow.fit. The publisher installs the cookies indirectly using third-party publishers. The data collected by these third parties is governed by their own specific privacy policies and cookie policies.
C. By duration
Session cookies
Session cookies expire when the user's browsing session expires.
Permanent cookies
Permanent cookies last longer than a single browsing session.
Types of cookies used by the Platform
This Platform installs the following types of cookies:
| Host | Name & Purpose | Retention period | Purpose | Third-party Privacy Policy |
|---|---|---|---|---|
| wodflow.fit (First Party) | better-auth.session_token | 1 year | Technical — maintains your authenticated session | N/A |
| wodflow.fit (First Party) | ph_* | 1 year | Analytics — collects anonymized usage statistics via PostHog | posthog.com/privacy |
| challenges.cloudflare.com (Third Party) | cf_clearance and related signals | Session / up to 30 days | Technical — Cloudflare Turnstile bot detection on authentication and form pages (see Section 9) | cloudflare.com/privacypolicy |
When you choose to sign in using a third-party identity provider (Google, Facebook, or Apple), you will be redirected to that provider's website. Those providers may set their own cookies on their domains in accordance with their own privacy policies. We do not control those cookies.
Cookie settings
You can disable (in whole or in part) technical cookies through the specific functions of your browser. Please note, however, that if you do not allow technical cookies, you may not be able to use the Platform, view its contents or take advantage of its features.
You can find information on how to manage cookie settings on certain browsers via the following links:
With regards to your rights under applicable Data Protection Laws, please refer to Section 7 above.
9. Cloudflare Turnstile
We use Cloudflare Turnstile ("Turnstile"), a privacy-friendly bot detection service developed by Cloudflare, Inc., to protect the Platform from automated abuse such as spam, credential stuffing, and other malicious traffic, particularly on authentication and form submission pages. The same considerations apply to Cloudflare's Challenge Platform, where it is used in the same context.
What Turnstile processes
To distinguish human users from bots, Turnstile evaluates a limited set of client-side signals ("Signals") such as:
- IP address;
- TLS fingerprint;
- User-Agent header;
- the Turnstile sitekey and the origin of the page on which it is embedded.
According to Cloudflare, these Signals are strictly necessary for bot detection and Cloudflare does not have the ability to directly identify individuals from them, including from IP addresses.
Roles and legal bases
- Cloudflare as a processor. When Turnstile processes Signals to protect the Platform, Cloudflare acts as a data processor on our behalf, and we (Leonardo Ferro) act as the data controller. The legal basis for this processing is our legitimate interest (art. 6(1)(f) of the GDPR) in keeping the Platform secure and preventing automated abuse.
- Cloudflare as a controller. Cloudflare also processes the same Signals as an independent data controller in order to refine and improve its bot detection capabilities. This processing is governed by Cloudflare's own privacy notices and falls outside our control.
More information and contact
Full details on how Cloudflare processes Signals through Turnstile are available in the Cloudflare Turnstile Privacy Addendum and in the Cloudflare Privacy Policy. For requests or concerns specifically related to Cloudflare's controller processing of Turnstile data, you can contact Cloudflare's Data Protection Officer at dpo@cloudflare.com. For any other request concerning your personal data processed via the Platform, please refer to Section 7 above.
10. Changes
We may modify or update this Policy, also in view of future changes in applicable Data Protection Laws or in case we implement new features or functionalities that will process personal data.
Last updated: May 23, 2026