Skip to content

Privacy Policy

Data Controller

AthleteX Series

Sole trader (micro-entreprise) registered in France — SIRET: [To be completed before go-live]

[Full registered address — To be completed]

Email: contact@athletexseries.com

Data protection contact: privacy@athletexseries.com. The appointment of a Data Protection Officer (DPO) is not mandatory for this structure (sole trader, no large-scale processing of sensitive data within the meaning of Art. 9 GDPR).

1. Introduction

AthleteX Series is committed to protecting your personal data. This policy explains how we collect, use, and safeguard your information when you use our platform to create and purchase personalized collectible cards.

2. Data We Collect

We collect two categories of data:

  • Data you provide: name, email address, billing address, shipping address, and photos uploaded for card personalisation.
  • Publicly accessible performance data: event rankings, times, and results from public leaderboards (e.g. HYROX), used to populate card statistics.
  • Payment data: card transactions are processed securely by Stripe, Inc. (PCI DSS certified). AthleteX Series does not store your full card number or CVV.
  • Technical data: IP address, browser type, and access logs collected automatically for security and service operation purposes.

3. Legal Bases for Processing

Your personal data is processed on the following legal bases:

  • Contract performance (Art. 6.1.b GDPR): processing necessary to fulfil your order — account creation, card production, shipping, digital card delivery.
  • Legal obligation (Art. 6.1.c GDPR): retention of accounting and tax records as required by French law (Art. L123-22 of the French Commercial Code — 10 years).
  • Legitimate interest (Art. 6.1.f GDPR): security monitoring, fraud prevention, and service improvement.

4. Use of Your Image

You retain full ownership of any image you upload to the platform.

By uploading a photo, you grant AthleteX Series a limited, non-exclusive, revocable licence solely for:

  • generating the digital preview of your card;
  • producing the printed physical card;
  • storing the digital version in your private user space.

Your images are never sold, transferred, or used for advertising or commercial purposes without your explicit prior consent.

5. Data Recipients & Sub-processors

To fulfil your orders, your data may be shared with the following categories of recipients:

  • Printing partner (France): receives card design data and delivery address for physical card production.
  • Shipping carrier: receives your name and delivery address for parcel delivery.
  • Payment processor — Stripe, Inc. (United States): processes payment transactions. Data transfers governed by Standard Contractual Clauses (SCCs) approved by the European Commission. Stripe Privacy Policy: https://stripe.com/privacy.
  • Hosting provider — Microsoft Azure (Ireland): hosts the application and data in EU-based data centres.

6. International Data Transfers

Your data is primarily processed and stored within the European Union (Azure Ireland). Payment processing by Stripe, Inc. involves data transfers to the United States, governed by Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914). Authentication via Google, Apple, or Facebook OAuth may also involve processing of your data by those entities under their own privacy policies.

7. Data Retention

  • Order and billing data: retained for 10 years in accordance with French accounting and tax obligations (Art. L123-22 of the French Commercial Code).
  • User account data and digital cards: retained for the duration of account use. Deleted within 30 days of account closure, except data subject to legal retention requirements.
  • Technical data (access logs): retained for 12 months in accordance with CNIL recommendations.

8. Cookies & Trackers

This site uses only strictly necessary cookies for service operation: session management, secure authentication, and CSRF protection. No advertising, third-party analytics, or behavioural tracking cookies are set on your device. Under the ePrivacy Directive as transposed into French law (Article 82 of the Data Protection Act), strictly necessary cookies do not require prior user consent.

9. Your Rights

Under the GDPR and the French Data Protection Act, you have the following rights over your personal data:

  • Right of access (Art. 15 GDPR): obtain confirmation that your data is being processed and receive a copy.
  • Right to rectification (Art. 16 GDPR): have inaccurate or incomplete data corrected.
  • Right to erasure (Art. 17 GDPR): request deletion of your data, subject to legal retention obligations.
  • Right to data portability (Art. 20 GDPR): receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR): object to processing based on legitimate interest.
  • Right to restriction (Art. 18 GDPR): request temporary restriction of a contested processing activity.
  • Right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), the competent French supervisory authority: www.cnil.fr — 3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07.

To exercise your rights: privacy@athletexseries.com