ABC Level | GDPR & Privacy

Data Protection & Privacy

How ABC Level handles your personal data to comply with the GDPR.

Data controller

ABC Level operates the CrossFit tracking platform (also referenced as "ABC Level Accept"). For any privacy queries, please email contact@abclevel.com.

If your local box runs its own deployment, that organisation acts as a joint controller for the data it collects and can be contacted using the details provided in your membership agreement.

What personal data we process

The platform stores the following categories of information to deliver coaching and athlete management features.

Account & identity data

Full name, email address, language preference, and user roles used to create and secure your account.
Password hashes (never the plain-text password) created with bcrypt for authentication.
Timestamps and audit references that record when an account was created or updated and by whom.

Profiles & preferences

Athlete profiles may include birth date, preferred name, unit preference, preferred language, gender, and optional body metrics such as body weight, height, fat mass, and muscle mass.
Coach profiles may include the items above plus availability slots and optional hourly rates.
Explicit GDPR consent records (including consent date and version) stored with each profile.

Training & performance data

Workout scores you log (movement, result values, ratings, notes, and the date performed).
Workout-of-the-day assignments and results, including any notes you add for your coaches.
Automatically derived performance level diagnostics that summarise your logged training data.

Membership & collaboration data

Box memberships that link you to specific gyms and identify the roles you hold there (athlete, coach, admin, owner).
Invitation tokens created by staff include the invitee’s name, email, intended role, and relevant box IDs so they can complete onboarding.

Communications & support

Transactional email content (invites, onboarding, notifications) sent via the configured SMTP provider.
Support requests or feedback you provide to our team.
Server-side security and error logs that may include identifiers such as email addresses when diagnosing problems.

Why we use this data (legal bases)

Contractual necessity

We process account, profile, membership, and training data to provide the CrossFit tracking platform you sign up for and to fulfil invitations issued by your box.

Consent

Optional health-related metrics (body composition, training notes that include sensitive details, marketing preferences) are processed only when you give explicit consent, which you can withdraw at any time.

Legitimate interests

We maintain audit logs, invitation records, and aggregated performance insights to keep the service secure, prevent abuse, and help staff coach athletes effectively. We balance these interests against your rights.

Legal obligations

If local regulations require us to retain certain records (for example proof of consent or invoices), we will keep only what is necessary to comply with the law.

Who can access your data

Within ABC Level

Authorised staff and contractors operating the platform, strictly on a need-to-know basis.
Box owners, admins, and coaches attached to your memberships, who can view workouts, scores, and profile details needed to run training programs.

Processors & infrastructure

Hosting for the Accept application and other web apps is managed via Vercel or the deployment target configured by your organisation.
The core application data resides in a managed PostgreSQL database controlled by ABC Level or your box operator.
Email delivery uses the SMTP service configured by the operator (for example, a transactional email provider). We share only the information required to deliver the specific message.
Operational tooling such as logging and monitoring solutions may receive pseudonymised event data to detect errors or abuse.

Storage, retention, and security

All application data lives in a PostgreSQL database. Access is restricted to authorised administrators using role-based accounts.
Passwords are irreversibly hashed with bcrypt before storage.
Invitation tokens are JWTs that expire after seven days; they are validated server-side and are not stored once used.
Audit metadata (created/updated timestamps and user IDs) is kept together with each record to support traceability.
We retain account and training history while your account remains active. When you request deletion, related memberships, scores, and profiles are removed or anonymised unless legal retention rules apply.

Automated analyses

We use automated calculations to derive performance level grades and diagnostics from the scores you log.
These insights support coaching decisions but do not produce legal or similarly significant effects on their own.

Your rights

You can exercise these rights by emailing contact@abclevel.com or contacting your box operator.

Access: request a copy of the personal data we hold about you.
Rectification: ask us to correct inaccurate or incomplete data.
Deletion: request erasure of your data where we have no overriding reason to keep it.
Restriction: ask us to pause processing in specific circumstances.
Portability: obtain your data in a portable format for reuse elsewhere.
Objection: object to processing based on legitimate interests or direct marketing.
Withdraw consent: change your mind about optional data at any time without affecting lawful processing that already occurred.
Lodge a complaint: contact your local supervisory authority if you believe we have not handled your data lawfully.

Contact & complaints

Email contact@abclevel.com for privacy questions or to make a request. If you prefer, you may also contact your local data protection authority.

If your account was provisioned by a CrossFit box or employer, that organisation manages invitations and local data retention policies. Please reach out to them for box-specific questions or to request account deletion directly from the source.

Back to invite

Last updated: March 2026