← Back

Privacy Policy

Last updated: April 8, 2026

1. Who We Are

Ronin Academy Platform ("we", "our", "us") is a multi-tenant Software-as-a-Service (SaaS) platform for Brazilian Jiu-Jitsu academies, enabling coaches, managers and students to manage training sessions, track progress and communicate within their teams.

Data Controller: Ronin Academy
Contact email: privacy@roninacademy.app
Website: https://roninacademy-d3db3.web.app

If your team or academy processes student data through this platform, the team owner/manager acts as a data controller for their members, and Ronin Academy acts as a data processor on their behalf.

2. Data We Collect

2.1 Account & Identity Data

  • Full name and optional nickname
  • Email address
  • Encrypted password (never stored in plain text)
  • Profile photo (URL, stored in Firebase Storage)
  • Short biography (optional)

2.2 Physical & Demographic Data

  • Age and gender (optional, used for team management)
  • Body weight and height (optional, common in combat sports contexts)
  • Country of origin

2.3 Training & Performance Data

  • Belt grade and degree
  • Total training hours, weekly hours, lesson count
  • XP points, streak, and skill ratings (guard, passing, submissions, escapes)
  • Class attendance records
  • Sparring logs (date, result, position, opponent, notes)
  • Technique library progress and unlocked techniques
  • Mission completions and competition results
  • Graduation reviews and certificates

2.4 Payment Data

  • PayPal Subscription ID (used to verify active subscription status)
  • Subscription status and last verification timestamp
  • We do not store card numbers, bank details or full payment information.

2.5 Technical & Usage Data

  • Firebase Analytics data (page views, events) β€” only with your consent
  • Browser localStorage values (language preference, demo session)
  • Firebase Cloud Messaging token for push notifications (only if permitted)
  • Device/browser information collected by Firebase services

2.6 Social & Team Data

  • Team and unit memberships, roles, and join requests
  • Contacts list (athlete IDs and names of training partners)
  • Feed posts and interactions
  • Athlete ID (derived from team name, country and user ID)

3. How We Use Your Data

PurposeLegal Basis (GDPR Art. 6)
Providing the platform and its featuresArt. 6(1)(b) – Contract performance
Managing your account and authenticationArt. 6(1)(b) – Contract performance
Processing subscription payments via PayPalArt. 6(1)(b) – Contract performance
Displaying your progress, rankings and certificatesArt. 6(1)(b) – Contract performance
Sending push notifications (if enabled)Art. 6(1)(a) – Consent
Analysing platform usage with Firebase AnalyticsArt. 6(1)(a) – Consent
Security, fraud prevention, abuse detectionArt. 6(1)(f) – Legitimate interests
Compliance with legal obligationsArt. 6(1)(c) – Legal obligation

4. Data Sharing & Third Parties

Firebase / Google (Data Processor)

We use Firebase services (Google LLC, USA) for authentication, database (Firestore), file storage, analytics, cloud functions and hosting. Google processes data on our behalf under a Data Processing Agreement compliant with GDPR. Data may be stored on Google servers in the EU or USA. Google is certified under the EU–US Data Privacy Framework. Learn more: firebase.google.com/support/privacy

PayPal (Payment Processor)

Subscription payments are handled by PayPal (PayPal Holdings, Inc., USA). Only the subscription ID is stored by us; your full payment details remain with PayPal. PayPal's privacy policy: paypal.com/privacy

Google Fonts

Fonts are loaded via Next.js which downloads and self-hosts them at build time β€” no font requests are sent to Google servers at runtime.

Team Coaches & Managers

If you join a team, coaches and managers within that team can see your profile, training records, attendance and progress as part of the platform's function. They are authorised by you when you join or request to join a team.

We do not sell personal data to third parties. We do not share data with advertisers.

5. Cookies & Local Storage

We use browser localStorage for language preference, session state and cookie consent preference. Firebase Analytics uses cookies only with your explicit consent. See our Cookie Policy for full details.

6. Data Retention

  • Account data is retained while your account is active.
  • Training records and logs are retained for the duration of your account.
  • After account deletion, data is removed within 30 days except where required by law.
  • Firebase Analytics data is retained per Google's standard retention settings (14 months).
  • Server logs are retained for up to 90 days for security purposes.

7. International Data Transfers

Your data may be transferred to and processed in the United States via Firebase (Google LLC). These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and/or the EU–US Data Privacy Framework. By using the platform you acknowledge this transfer.

8. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Firebase Authentication (passwords hashed by Google)
  • Firestore security rules restricting data access by role
  • Firebase Storage security rules for uploaded files
  • HTTPS enforced for all traffic
  • Strict Content Security Policy headers

9. Children's Privacy

This platform is not directed to children under 16. If you are under 16, please obtain parental or guardian consent before registering. If we become aware that a user under 16 has registered without consent, we will delete that account. Coaches and managers registering minors into the system are responsible for obtaining appropriate parental consent.

10. Your Rights Under GDPR

If you are in the EEA, UK or another jurisdiction with equivalent legislation, you have the following rights:

  • Right of access – Request a copy of all personal data we hold about you.
  • Right to rectification – Request correction of inaccurate data. Most data can be updated directly in your profile.
  • Right to erasure – Request deletion of your account and personal data ("right to be forgotten").
  • Right to data portability – Receive your data in a structured, machine-readable format.
  • Right to restrict processing – Ask us to stop processing your data in certain circumstances.
  • Right to object – Object to processing based on legitimate interests.
  • Right to withdraw consent – Withdraw consent for analytics or push notifications at any time without affecting prior processing.
  • Right not to be subject to automated decisions – We do not make legally significant automated decisions about you.

To exercise any right, email privacy@roninacademy.app. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (e.g. CNPD in Portugal).

11. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent version. For material changes, we will notify you via email or an in-app notice. Continued use of the platform after changes constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or requests:
Email: privacy@roninacademy.app
Platform: Ronin Academy β€” https://roninacademy-d3db3.web.app

Terms of ServiceCookie Policy