Your Data & the GDPR
Here at Gympify, we store our clients’ data on servers in close geographic proximity to your facility. This reduces the likelihood of an event causing an outage with your service, improves the responsiveness of the service, and allows us and our clients to more easily comply with local data laws. Specifically, where we store the information will depend on your location.
For your convenience, we’ve listed the information that we store for our clients and their members:
Personal Details
- Date of Birth
- Postal & Billing Address History
- Postal & Communication History
- Phone Numbers
- Medical Details
- User Documents
Membership Details
- Payment History
- Visit History
Booking Details
- Personal Training History
- Class History
Fitness Details
- Workout Results
- Measurements
Mobile Phone Details
For the phone applications, we record Firebase IDs to facilitate push notifications as well as device model and operating system for login verification. We may store crash logs for troubleshooting purposes.
Billing Details
Please note that while we do record the history of your payments, we don’t store any of our clients’ billing information on our servers. This information is instead stored in a secure facility at one of our payment processing partners. Our servers store a token, which is used to reference the relevant billing information.
If you would like to access this information for one of your members, you can browse to the member's detail page and select the “Member Debtors Report” from the bottom of the page. If you would like a copy of the information we store for your business, please contact our support staff.
Data Policies
The below data policies apply to Gympify and cover our obligations under Indian data protection laws and the GDPR. If you have further questions about data protection, or if you are a Client with questions specific to meeting your GDPR requirements and how Gympify facilitates that, you can email our Data Protection Officer at gdrp@gympify.gomedia
Audit of Information
We store daily backups of each of our clients’ data for one week on a secure server in our head office, with a rotation to weekly storage for the following 5 weeks (providing a total of six weeks of backup for each client). This means that while we can delete a specific member’s information immediately upon request, it will likely take up to eight weeks for the member's information to be completely removed from all of our systems.
To facilitate the use of our Gympify member Portal app, we store all of our Clients’ Staff and Members’ email addresses on a central server, which then allows club members to log in to their Gympify portal. The member emails on the server are used solely to facilitate Member App logins.
Beyond the explicitly collected data, we also store web server logs for each of our services, containing information about the HTTP request that was made, which includes the endpoint that was requested, the IP address of the user that requested it as well as a timestamp of when the request was made. This information is used strictly for diagnostic and fraud prevention purposes and is only kept for 14 days.
Explicit Consent
The GDPR requires that gyms who wish to send their Members marketing material through Gympify have the explicit consent of their members before doing so. To ensure this, Gympify has adopted the industry standard “Double Opt-In” process for ensuring gym members are only receiving the material they’ve signed themselves up for. Double Opt-In is a process wherein the member must provide their email address to the system, and then confirm that email address via a link sent to their inbox. This change helps reduce spam & unwanted emails and ensures that emails are going to the correct people.
We recognize that we are required to obtain explicit consent from those who give us their email address in exchange for products/services on our website. For those in India, this will also be in the form of a Double Opt-In email.
72 Hour Breach Notification
In the unlikely event that one of our systems is compromised, we will notify affected clients within 72 hours of becoming aware of the breach. Once notified, our engineering team will do a full investigation of the breach, ensuring that all data is secured and that no further breaches are likely to occur. Once we’re confident the systems are secure again, we’ll do a full post-mortem on the event to determine the cause and to ensure it doesn’t happen again. The post-mortem write-up including resulting changes can be made available upon request.
As soon as you’ve been made aware of a breach, it is your obligation to communicate it to your members. If you so choose, we can communicate the security breach to your members on your behalf. However, if you would like us to do that for you, we would require a written request.
The Right to Access
The Right to Access ensures Clients and Members have access to their information in the Gympify system. To this end, Gympify has a feature available that lets you print a report of all the data associated with your members in the system. This report includes membership information, communication records, and billing history, including but not limited to:
- The purposes of processing
- The categories of personal data concerned
- The recipients or categories of recipients to whom the personal data have been or will be disclosed
- Where possible, the envisioned period for which the personal data will be stored
- The existence of a right to lodge a complaint with a supervisory authority
- The existence of automated decision-making, including profiling
The right to access your information with us applies under the same process.
Data Portability
In order to assert their right to data portability, Clients or Members may at any time contact the Data Protection Officer as listed above. We can provide machine-readable data to our clients upon request. Note that this data request generally contains your entire Gympify database. If you would like a single member’s information, you should use the report discussed in “The Right to Access.”
Right of Confirmation
Clients and Members have the right to obtain confirmation of whether or not personal data concerning them is being processed or held. Should you wish to do so, Clients can contact our Data Protection Officer at gdpr@gympify.gomedia. Members should contact their facility in the first instance.
Right to Rectification
Clients and Members have the right to rectify or correct any personal data concerning them that is being processed or held. Should you wish to do so, please contact any member of our support staff by emailing hello@gympify.gomedia.
Right to be Forgotten
Gympify will also respect your right to be forgotten. If you request, we can remove all of your personal details from our system. As per our legal accounting obligations, we’ll retain a record of the transactions that have occurred but will remove any associations between those transactions and your records, as well as the records themselves (so all of your personal details will be purged from our system). The Data Protection Officer of Gympify or another employee will promptly ensure that the erasure request is complied with.
Right of Restriction of Processing
Clients and Members have the right to obtain from Gympify a restriction of processing where one of the following applies:
- The accuracy of the data is contested by the Client or Member.
- The data usage is deemed to be unlawful and the Client or Member opposes the erasure of the data and requests restriction of its use instead.
- The data is no longer required by Gympify; however, the Client or Member requires it for the establishment, exercise, or defense of legal claims.
If one of the above conditions is met, and a Client or Member wishes to request the restriction of the processing of personal data stored by Gympify, he or she may at any time contact our Data Protection Officer or another employee of the controller. The Data Protection Officer of Gympify or another employee will arrange the restriction of the processing.
Existence of Automated Decision-Making
As a responsible company, we do not use automatic decision-making or profiling.
This Policy May Be Updated at Any Time
Gympify retains the right to amend this privacy statement at any time.