Last update:
•
Version:
1
In short
Your account is yours. We keep the account information needed to give you one login across the studios you book with - usually your name, email, phone, and, where needed, date of birth or address.
Your studio relationship belongs to the studio. Bookings, memberships, invoices, payments, internal notes, and studio communications are controlled by the studio you transact with.
You can ask us to delete your Ferb data anytime. Email data@ferb.co from the address on your account. We do the work within 30 days.
You can ask any studio to delete your data with them. Each studio is responsible for its own service data. Use the contact details in the studio's own terms/privacy policy or booking pages.
1. Who we are
Ferb ApS, a Danish company CVR 46257456.
We make and operate Ferb, a booking platform for fitness and wellness studios.
In this Privacy Policy:
"Ferb," "we," "us" - Ferb ApS
"You," "your" - anyone using a Ferb account or booking through Ferb
"Studio" - a fitness or wellness business using Ferb to manage their bookings, members, and payments
For privacy questions: data@ferb.co. For sub-processor list requests and other legal matters: legal@ferb.co. For complaints, you can contact Datatilsynet, the Danish data protection authority.
2. Who's responsible for what
Ferb plays different roles depending on the data. Knowing which role applies tells you who to contact and how the data is governed.
Ferb is the controller for:
Your identity: name, email, phone, and where, collected date of birth/address
Your account: authentication, password, sessions
Security and access logs about how you use the platform
Ferb consent records - current and event-recorded choices for analytics, marketing, and ads personalization, plus versioned studio onboarding acceptances where applicable
Fraud signals we collect to keep the platform safe
Ferb's own waitlist marketing (if you signed up for our waitlist before launch)
Studios are the controller for:
Your bookings, attendance, memberships, credits
Payment records through the studio's Stripe Connect account
Internal notes the studio writes about you
Marketing data routed through tools the studio chose (Klaviyo, Meta Pixel, Google Ads)
Communications between you and the studio through Ferb
For studio-controlled data: contact the studio using the contact details in the studio's own terms/privacy policy or booking pages.
Ferb is a processor for studios for:
Storing the studio-controlled data above on the studio's behalf
Delivering studio-configured marketing/advertising events on Ferb-controlled surfaces where the relevant consent and integration settings allow it
Stripe is an independent controller for:
Payment method tokens, payment intents, refund records, fraud detection on their side
We work with Stripe to process payments.
3. What we collect about you, why, and how long we keep it
Ferb-controlled data
Category | What it is | Why we have it | Legal basis | How long |
|---|---|---|---|---|
Identity | Name, email, phone, and where collected date of birth/address | One login across studios. Date of birth for Danish VAT calculation, and in some cases, marketing-related activities where consent is given by the user. Address is used for invoicing where collected. | Contract performance + legal obligation | Until you delete your account |
Authentication | Password (hashed), session tokens, login/session state | To log you in safely | Contract performance | Until you delete your account |
Stripe customer mapping | The IDs that link your account to each studio's Stripe Connect customer or your Ferb Account | So your saved card at a studio is yours when you come back | Contract performance | Until you delete your account or update change your data yourself. |
Access logs | Login times, IP address, device, user agent | Fraud prevention, security, debugging | Legitimate interest | 12 months on a rolling basis |
Consent records | Current and event-recorded choices for analytics, marketing, and ads personalization; studio onboarding acceptances include version, IP, user agent, and timestamp | Prove what you agreed to where Ferb records it. We need this if there's ever a dispute. | Legal obligation / legitimate interest | 5 years from acceptance where versioned evidence is recorded |
Deletion record | Hashed email and phone, after deletion | Prevent silent re-creation of banned or fraudulent accounts | Legitimate interest | 5 years from deletion |
Fraud signals | Linked to access logs and deletion record | Platform safety | Legitimate interest | 5 years |
Invoices | Payment information about purchases made at a Studio | Ferb generates invoices outside of Stripe to better control fitness based VAT rules | Legitimate interest | 5 years |
We keep the "Ours by necessity" records (access logs, consent audit, deletion record, fraud signals) because the platform stops working safely without them. Nothing else.
Studio-controlled data we store on their behalf
Category | Where it lives | Retention |
|---|---|---|
Bookings, attendance, memberships, credits | Your relationship with that studio | Per the studio's policy and Danish law |
Payment records | Studio's Stripe Connect ledger; Ferb stores a copy for them | 5 years, per Danish bookkeeping law |
Internal notes the studio writes | Studio dashboard | Per the studio's policy |
Marketing data the studio uses | Studio's Klaviyo / Meta / Google account | Per the studio's policy and the tool's policies |
Messages between you and the studio | Through Ferb | Per the studio's policy |
To request deletion of studio-controlled data: contact the studio directly using the studio's own contact details.
4. Cookies and tracking
On a studio's own website, the studio runs their own cookie banner. That's their site and their cookies. Some of it might mention us; some won't. That's up to them.
On a Ferb embed (a Ferb-powered widget the studio added to their website - for example a class schedule or booking calendar), we aim to use only essential storage unless the flow moves onto a Ferb-controlled booking surface where consent can be collected.
On <studio>.ferb.co, we show a Ferb cookie banner if you have not already made a choice. The current banner lets you reject all, accept all, or manage choices for:
Essential - always on. Without them the platform can't work. (Login session, multi-tenant routing, payment integrity.)
Analytical - optional. Helps us understand how the platform is used.
Advertising - optional. Lets studio-configured advertising/tracking tools such as Meta Pixel work where enabled and consented.
Your choice persists for 365 days unless you clear cookies or change it earlier.
Full details in our Cookie Policy.
5. How we share your data
We share data with:
Studios you book with
When you make your first booking, purchase, or staff invite acceptance with a studio, your Ferb identity (name, email, phone, and where collected date of birth/address) is shared with that studio. The studio uses it to deliver the service, and stay in touch with you.
You accept Ferb's account-level terms when you create or use your Ferb account. Each studio relationship is governed by the studio's own terms, which are surfaced separately in the booking/signup flow.
Our sub-processors
We use a number of trusted service providers to run the platform. The current list is available on request - email legal@ferb.co. After our launch period, we'll publish the full list at ferb.co/terms/sub-processors with 30 days' prior notice of any changes.
Legal compliance
We disclose data when required by Danish or EU law - for example, court orders, Datatilsynet requests, or fraud investigations.
6. Sub-processors and international transfers
Our sub-processors
We use a number of trusted service providers to run the platform. The current list is available on request - email legal@ferb.co. After our launch period, we'll publish the full list at ferb.co/terms/sub-processors with 30 days' prior notice of any changes.
Studio-managed integrations: When a studio connects their own Klaviyo, Meta, Google, e-conomic, Dinero, or similar account to Ferb, those tools are the studio's sub-processors or independent controllers, not Ferb's general sub-processors for every studio. The studio is responsible for their own data agreements with those providers.
7. Your rights under GDPR
You have these rights regardless of where you are:
Right | What it means | How to use it |
|---|---|---|
Access | Get a copy of the data we hold about you | Email |
Rectification | Fix anything that's wrong | Account settings currently support editing name, phone, and consent choices. For email, date of birth, address, or anything else: email us. |
Erasure | Delete your Ferb data | Email |
Restriction | Stop processing in specific scenarios (e.g., during a dispute) | Email us with details. |
Portability | Export your data in a structured, machine-readable format | Email us. Account-settings export is not available at launch. |
Object | Stop us from processing data on the basis of legitimate interest | Email us with the specifics. |
Withdraw consent | Pull marketing consent or cookie consent at any time | Account settings for marketing/analytics/ad choices where available; otherwise, email us. For cookies, use the cookie-preferences control once wired or clear the Ferb consent cookie. |
Complain | If we get this wrong, you can complain | Datatilsynet (Denmark) or your local data protection authority |
We respond to requests within 30 days. If we need longer (rare, complex cases), we'll tell you why.
8. Children's privacy
You must be at least 13 years old to create a Ferb account. We don't accept accounts from anyone younger.
For users aged 13 to 18:
Users aged 13 to 15 need a parent or legal guardian to consent on their behalf before creating an account. Danish data protection law allows young people from age 13 to consent to digital services themselves, but using Ferb is also a service contract with payment obligations, and under Danish contract law, minors under 18 generally need a parent or guardian to enter into that kind of agreement.
By creating a Ferb account, you confirm that you have the consents required to use Ferb - including, if you are under 18, the consent of your parent or legal guardian.
Studios may set higher minimum ages for their own services - for example, a kids' yoga studio might allow under-13s with parental enrollment, or an adult fitness studio might require 18+. That's published in the studio's own handelsbetingelser / Terms of service
9. Security
We protect your data with measures that include:
Encryption in transit (TLS for everything) and at rest
Per-tenant secret encryption using AES-256-GCM for integration credentials
Row-level security at the database to enforce that one studio cannot see another studio's data
Audit logs for sensitive operations (role changes, payment actions, refunds, approvals)
Vulnerability scanning and dependency audits in our build pipeline
Secret scanning to keep credentials out of code
Least-privilege access for our personnel
We can't promise that no security incident will ever happen - nobody honestly can. But we work hard to make them unlikely, and we have a clear plan if one occurs. See §10.
10. Data breach response
If something goes wrong and your data is exposed, we'll tell the affected studio without undue delay (targeting within 72 hours of discovery). The studio is then responsible for notifying you and Datatilsynet as required by GDPR Articles 33 and 34. We support the studio with everything we know.
If a breach affects Ferb-controlled data directly (your identity, account, audit trail), we'll contact you directly.
11. Changes to this Privacy Policy
We classify changes into three tiers:
Editorial - a typo, a clearer sentence, no meaning change. No notification.
Notice-only - minor updates, a new contact email, a sub-processor added or removed (after the launch period). We update the policy, and a banner appears in your dashboard. No re-acceptance needed.
Material - anything that changes what we do with your data, your rights, or how we keep things. You'll see a non-blocking message on your next login: "We've updated our Privacy Policy. See what changed. Accept & Continue."
12. Contact
For | Reach us at |
|---|---|
Data requests (access, deletion, rectification) |
|
Sub-processor list, legal matters |
|
General support | support@ferb.co |
Postal address | Ferb ApS, Amalievej 20 Frederiksberg c 1875 Danmark. CVR: 46257456 |
Complaints | Datatilsynet (Denmark) or your local DPA |