Note: The legally authoritative version of this document is the German version. This English version is a non-binding service translation; in case of doubt or contradiction, the German version prevails.
1. Controllers
The controllers within the meaning of the General Data Protection Regulation (GDPR) are the two partners of Strido as joint controllers (Art. 26 GDPR):
Strido Heinrich Mergel, Pavlo Lobariev Erbacher Straße 3 | 65428 Rüsselsheim am Main Email: support@strido.net
For questions about data protection or to exercise your rights, you can reach us at the email address above. You may request the essence of the arrangement between us under Art. 26 GDPR; irrespective of that arrangement, you may exercise your rights against each of us.
2. General information, legal bases
We process personal data only to the extent necessary to provide a functional service and our content and features. The legal bases are, in particular:
- Art. 6 (1) (a) GDPR – consent;
- Art. 6 (1) (b) GDPR – performance of the usage contract or pre-contractual measures;
- Art. 6 (1) (f) GDPR – legitimate interest, in particular in secure and stable operation.
The service is free of charge. You are only required to provide personal data where this is technically necessary to use the respective functionality (e.g. an email address for the user account).
Minors: Minors may use the service only with the consent of a parent or legal guardian. In that case, we process the minor’s data on the basis of the usage contract concluded via the parent or legal guardian or on the basis of the consent given (Art. 6 (1) (a) and (b), Art. 8 GDPR). We may require proof of consent.
3. Hosting and server log files (Google Cloud)
We operate Strido on the infrastructure of the Google Cloud Platform (in particular Cloud Run, Cloud SQL and Cloud Storage). Servers and database are located in the europe-west1 region (Belgium), i.e. within the European Union.
When the service is accessed, information is automatically processed in so-called server log files that your browser or device transmits: IP address, date and time of the request, requested resource, status code, amount of data transferred, referrer, as well as browser and device information. The purpose is secure and stable operation, error analysis and the defence against attacks (Art. 6 (1) (f) GDPR). A data processing agreement (Art. 28 GDPR) is in place with the hosting provider.
Provider: Google Cloud EMEA Limited (Ireland) or Google LLC (USA). On transfers to third countries, see section 13.
4. User account and authentication (WorkOS)
For registration and login we use the authentication service WorkOS with its hosted login interface “AuthKit”. Verification of your email address also takes place via WorkOS. In doing so, the data required to manage the account and login is processed, in particular email address, name, login identifiers and, where applicable, details of a single sign-on provider you use, as well as login log data. The purpose is the provision and security of your user account (Art. 6 (1) (b) and (f) GDPR).
Provider: WorkOS, Inc., USA. On transfers to third countries, see section 13.
5. Video upload and streaming (Mux)
To upload, process (transcode) and play back your training videos, we use the service Mux. The video content you upload, associated metadata (e.g. duration, format) and technical playback data are processed. The purpose is to provide the core “video coaching” function (Art. 6 (1) (b) GDPR).
Provider: Mux, Inc., USA. On transfers to third countries, see section 13.
6. Live coaching and recording (Agora)
For live coaching in the form of video calls, we use the real-time communication solution provided by Agora. Audio and video data of the participants in real time as well as connection and metadata are processed (Art. 6 (1) (b) GDPR). If a live coaching session is recorded, the recording is stored in our Google Cloud Storage (region europe-west1, EU) and is available in the personal area of the respective user.
Provider: Agora Lab, Inc., USA. On transfers to third countries, see section 13.
7. Email dispatch (Resend)
To send and receive service-related emails (e.g. notifications, booking and appointment emails, support, social-media and DSA enquiries), we use the email service provider Resend. Your email address as well as the content, attachments and metadata of the respective message are processed (Art. 6 (1) (b), © and (f) GDPR). Incoming messages may be made available to authorised operational recipients and mirrored into access-restricted Discord channels for processing.
Providers: Resend (Plus Five Five, Inc.), USA, and Discord Inc., USA. On transfers to third countries, see section 13.
8. AI-assisted text improvement (OpenRouter)
Coaches or experts can use a function that allows them to have their review (the feedback text on a training video) linguistically improved. If this function is used, we transmit the entered review text to the service OpenRouter, which forwards it to a provider of an AI language model (Art. 6 (1) (b) and (f) GDPR). According to the provider, inputs are generally not stored permanently and not used to train models. Nevertheless, please do not enter any special categories of personal data (Art. 9 GDPR) or confidential information of third parties into this function.
Provider: OpenRouter, LLC, USA, as well as the respective integrated model providers. On transfers to third countries, see section 13.
9. Push notifications (Expo)
If you use our app and enable push notifications, we process a push token of your device in order to deliver notifications to you. Delivery takes place via the service Expo. The legal basis is your consent given via the device settings or our legitimate interest in the notification function (Art. 6 (1) (a) and (f) GDPR). You can deactivate push notifications at any time in your device settings.
Provider: Expo (650 Industries, Inc.), USA. On transfers to third countries, see section 13.
10. Contact form and contact by email
If you contact us via the contact form or by email, we process the data you provide (in particular name, email address and your message) in order to handle and respond to your enquiry (Art. 6 (1) (a), (b) and (f) GDPR). The data is deleted once the enquiry has been conclusively dealt with and no statutory retention obligations prevent deletion.
11. Recipients and categories of recipients
Beyond the processors named in sections 3 to 10, personal data is made accessible to the following recipients within the scope of the Service’s functions:
Coaches/experts: So that the coaching service can be provided, the training videos you upload, the live coaching (audio/video) and any recordings, your name or display name, the relevant group context, and texts you submit are made accessible to the coach(es) selected for the respective review or live coaching session (Art. 6 (1) (b) GDPR). In line with section 6, the coach involved in a live coaching session can also access the corresponding recording. Because the coaching service is — as described in our Terms of Use (section 2.2) — provided exclusively between you and the coach, the coach is an independent controller in this respect and has their own data-protection obligations toward you.
Other users: If you take part in groups, make bookings, or upload or review content, your display name and related information (e.g. video title, group name, type of activity) become visible to the other users involved — for example to group members, inviting or invited persons, and to the reviewing coach or the reviewed person. This information may also be shown to the users involved within push notifications. The legal basis is the performance of the usage contract (Art. 6 (1) (b) GDPR). The classification of the push delivery as such (section 9) remains unaffected.
12. Cookies and local storage
We use exclusively technically necessary cookies or comparable storage techniques, in particular a session/login cookie that is strictly necessary for the operation of the user account. No consent is required for this storage under Section 25 (2) no. 2 TDDDG (German Telecommunications Digital Services Data Protection Act); a consent banner (cookie banner) is therefore not required.
We use no analytics, tracking or advertising services and no non-essential external resources (e.g. externally loaded fonts).
13. Transfers to third countries
Some of the service providers we use are based in, or process data in, the USA or other third countries outside the European Economic Area (in particular WorkOS, Mux, Agora, Resend, Discord, OpenRouter, Expo, as well as Google’s parent company). Where personal data is transferred to a third country, this takes place on the basis of an adequacy decision (in particular the EU-US Data Privacy Framework, where the respective provider is certified) or on the basis of appropriate safeguards, in particular the European Commission’s standard contractual clauses (Art. 44 et seq., Art. 46 GDPR). You may request a copy of the safeguards from us.
14. Storage period
We process and store personal data only for as long as is necessary for the respective purpose. We store your user account data and your content for the duration of the usage relationship; after the account is deleted, they are deleted unless statutory retention obligations prevent this. Server log files are stored only for a short period and then deleted or anonymised.
15. Your rights
Subject to the statutory requirements, you have the right to:
- access (Art. 15 GDPR),
- rectification (Art. 16 GDPR),
- erasure (Art. 17 GDPR),
- restriction of processing (Art. 18 GDPR),
- data portability (Art. 20 GDPR), and
- object to processing (Art. 21 GDPR).
You can withdraw any consent given at any time with effect for the future (Art. 7 (3) GDPR).
16. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), in particular with the authority responsible for us: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Postfach 31 63, 65021 Wiesbaden (datenschutz.hessen.de).
17. Data protection officer
We are not legally obliged to appoint a data protection officer and have therefore not appointed one.