
Data protection (Andorran LQPD)

How Compteam complies with the Andorran data-protection law for your gym, and what you need to do as a branch admin to stay compliant.

  1. Who is responsible for what

    Under the Andorran data-protection law — Llei 29/2021 (LQPD), closely aligned with the EU GDPR — your gym is the data controller for your athletes' personal data: you decide why and how it is used. Compteam is the data processor: we host the software and process the data only on your instructions, under the Data Processing Agreement you accept at sign-up.

    This guide explains what we handle for you, and the few things that remain your responsibility as the controller.

  2. What Compteam already handles for you

    You don't have to build any of this — it's built in:

    • Consent capture & proof — every athlete's acceptance of your Terms and the privacy notice is recorded with its version, date, and IP, and kept as an audit trail (LQPD Art. 7).
    • Data-subject rights — athletes can export their data and delete their account from their profile; you can export an athlete's data and consent history from the admin area (Arts. 18–20, 23).
    • Erasure with "blocking" — when an athlete deletes their account but has billing history you must keep for accounting, their data is blocked (frozen, reserved only for legal claims) and then destroyed after the retention period (Art. 30).
    • Security — bank details (IBAN) are encrypted; access is restricted; data is hosted in the EU (Art. 35).
    • Sub-processors & transfers — our providers (Supabase, Stripe, Resend, and the AI assistant) are disclosed with their transfer safeguards (Arts. 42–45).
    • Breach response — if a data breach affects your athletes, we notify you so you can meet your own obligations (Arts. 36–37).
  3. Your job: review and publish your Terms & privacy info

    When you register your branch you get a default Terms & Conditions template. Review and customise it to match how your gym actually operates — it's a starting point, not legal advice. Athletes accept your Terms and the privacy notice when they join, so make sure the text is accurate before you invite them.

  4. Your job: under-16 members need a guardian

    Under the LQPD (Art. 8), a person under 16 cannot consent on their own to an online service — a parent or legal guardian must. Compteam enforces this: an under-16 cannot self-register. Instead, you add them as a member through the kids flow, where their guardian gives consent. See the Kids program guide.

  5. Your job: only collect what you need

    Collect and store only the personal data you actually need to run the membership (data minimisation, Art. 5). In particular, don't put health/medical information (injuries, medical conditions) into free-text fields — health data is a special category (Art. 9) that needs a separate, explicit consent. If you need to record it, ask first.

  6. Your job: handle athlete requests & know the authority

    If an athlete asks to access, correct, or delete their data, the in-app tools cover most cases — point them to their profile, or use the admin export. You are the controller, so the request is ultimately yours to honour.

    Athletes (and you) can complain to the Andorran supervisory authority, the Agència Andorrana de Protecció de Dades (APDA), www.apda.ad (Art. 61). Keep your gym's own records of how you handle personal data.