Privacy Policy

Last uptade: november, 2025

XXI CrossFit respects your privacy and commits to protecting your personal data in accordance with Regulation (EU) 2016/679 of 27 April (General Data Protection Regulation — GDPR) and Law No. 58/2019 of 8 August, which ensures the enforcement of the GDPR in Portugal.

This Privacy Policy explains how we collect, use, and protect your personal information, as well as your rights as a data subject.

1. Data Controller

The data controller is XXI CrossFit, the entity that manages the XXI brand boxes in Portugal. You can contact us via email at geral@xxicrossfit.pt for any questions related to the protection of your personal data.

XXI CrossFit currently does not have a Data Protection Officer (DPO), but commits to responding to all privacy requests within the applicable legal timeframe.

2. What data do we collect

We may collect the following categories of personal data:

  • Identification data: name, surname, and age (when applicable);

  • Contact data: email, mobile number;

  • Registration data: chosen unit, program or type (CrossFit, weightlifting, gymnastics, etc.);

  • Browsing data: IP address, type of device and browser, collected in an aggregated and anonymous manner;

  • Communication data: messages sent through forms or direct contact.

We do not collect sensitive data (such as health, religion, or biometric data) unless explicitly provided and with consent.

3. How we collect data

Data is collected in three ways:

  1. Directly, when you fill in forms on the website (pre-registration, drop-in, trial class, or contact);

  2. Automatically, through cookies and analytics tools (for example, Google Analytics or Framer integrations);

  3. Through direct communication, when you contact us via email, phone, or in person.
    All collections are conducted transparently and for legitimate purposes.

4. Purpose of Processing

Personal data is processed for the following purposes:

  • To manage pre-registrations, registrations, drop-ins, and trial classes;

  • To respond to requests for contact, information, or support;

  • To send communications about services, schedules, events, and news from XXI CrossFit (with consent);

  • To comply with legal or contractual obligations;

  • To improve the browsing experience on the site and the quality of services provided.

5. Legal Basis for Processing

The processing of personal data is legitimized by:

  • Consent given by the data subject at the time of collection;

  • Execution of pre-contractual or contractual diligence (such as registration for classes);

  • Compliance with legal obligations applicable to the activity;

  • Legitimate interest of XXI CrossFit in ensuring the functioning of the website and communicating with its users.

6. Data Retention

Data is retained only for as long as necessary to fulfill the purposes for which it was collected:

  • Contact data: up to 12 months after the last contact;

  • Registration data: during the duration of the contractual relationship and up to 5 years after its termination, in accordance with legal obligations;

  • Consent data for communications: until you withdraw consent.

After these time periods, the data will be securely deleted or anonymized.

7. Recipients and Subcontractors

Your data may be communicated to:

  • Technical Service Providers that support the operation of XXI CrossFit (for example, web hosting, system maintenance, and sending electronic communications);

  • Digital Management Platforms used by XXI CrossFit, namely:

    • Framer, which supports the operation of the website and the collection of forms;

    • RegyBox, box management software that allows scheduling classes, managing registrations, payments, attendance, and operational data securely and centrally;

  • Analysis and Monitoring Entities responsible for statistics and performance reports, always with restricted and regulated access;

  • Competent Public Authorities when communication is necessary to comply with legal obligations.

All subcontractors act on behalf of XXI CrossFit and are bound by contractual obligations of confidentiality and compliance with the GDPR.

8. International Data Transfers

Some platforms may be based outside the European Economic Area (EEA). In such cases, XXI CrossFit ensures that transfers comply with the Standard Contractual Clauses approved by the European Commission, ensuring a level of protection equivalent to that required by European legislation.

9. Rights of the Data Subject

Under the GDPR, you have the following rights:

  • Access: to know what data we hold about you;

  • Rectification: to request correction of incorrect or outdated data;

  • Erasure: to request the deletion of your data (“right to be forgotten”);

  • Restriction: to restrict processing in certain circumstances;

  • Portability: to receive your data in a structured format;

  • Objection: to refuse the processing of data in certain situations;

  • Withdrawal of consent: at any time, without affecting the lawfulness of previous processing.

To exercise any of these rights, contact us at geral@xxicrossfit.pt.

You also have the right to file a complaint with the National Data Protection Commission (CNPD) at www.cnpd.pt.

10. Automated Decisions and Profiling

XXI CrossFit does not make automated decisions or profiling based on the personal data collected. All communications and decisions related to registrations are made with human intervention.

11. Data Security

XXI CrossFit adopts appropriate technical and organizational measures to protect data against destruction, loss, alteration, unauthorized access, or improper disclosure.

Access is restricted to employees and service providers who need the data for legitimate purposes.

12. Communications and Marketing

XXI CrossFit will only send informative or promotional communications if the data subject gives explicit consent.

This consent can be withdrawn at any time by simply sending a request to geral@xxicrossfit.pt.

13. Changes to this Policy

XXI CrossFit may update this Privacy Policy whenever necessary to reflect legal or operational changes.

The most recent version will always be available at xxicrossfit.pt/politica-de-privacidade, indicating the date of the update.

14. Contact

XXI CrossFit
Email: geral@xxicrossfit.pt
Website: www.xxicrossfit.pt

Follow us on our social media: