Data Processing
Agreement.

This Agreement governs the processing of personal data carried out by RPM Technologies s.r.o. (“Processor”) on behalf of the gym operator identified in the signed copy (“Controller”) in connection with the provision of the GymSys software-as-a-service platform (“Platform”).

The Platform enables the Controller to manage gym memberships, process payments, operate physical access-control devices, and — where the Controller elects — authenticate members via biometric face recognition or ingest face-event data from connected CCTV systems. All processing activities described in this Agreement are performed exclusively on the documented instructions of the Controller as set out in the GymSys SaaS Terms of Service and in any supplementary written instructions the Controller provides.

This Agreement supplements and forms an integral part of the SaaS Terms of Service between the parties. In the event of any conflict between this Agreement and the SaaS Terms of Service with respect to the subject matter of data protection, this Agreement shall prevail.

This Agreement enters into force on the date of signature and remains in effect for as long as the Controller’s SaaS Terms of Service subscription is active, including any renewal periods.

Upon cancellation or non-renewal of the SaaS subscription, the Processor shall continue to make the Controller’s data available for export for a period of thirty (30) calendar days following the effective date of termination (the “export window”). After the export window closes, the Processor shall delete or irreversibly anonymise all personal data processed under this Agreement in accordance with Article 6(h) below, unless a longer retention period is mandated by applicable law.

Obligations of confidentiality and data security set out in this Agreement survive its termination for a period of five (5) years.

The Processor carries out the following types of processing on behalf of the Controller:

• Member management software: collection, storage, retrieval, update, and deletion of member profiles, plan assignments, ticket records, wallet balances, and visit histories within the GymSys database.
• Physical access control: real-time evaluation of QR codes and, where applicable, RFID card identifiers presented at gym access-control devices connected to the Platform via the GymSys WebSocket protocol, resulting in a door-open or door-deny response.
• Biometric face authentication (optional): where enabled by the Controller, extraction of 512-dimensional ArcFace embedding vectors from member-supplied photographs, storage of those vectors in an encrypted, row-level-secured database, and 1:1 or 1:N face-match verification at access-control devices to authenticate members without a physical credential.
• CCTV face-event ingestion (optional): where the Controller connects a compatible IP camera system (e.g. LEEKGO HF series), receipt and logging of face-detection events forwarded by the camera, including confidence scores and timestamps, for the purpose of attendance monitoring as instructed by the Controller. No independent face identification is performed against external databases.
• Payment processing facilitation: transmission of payment initiation requests to third-party payment gateways (see Article 7) on the Controller’s behalf; storage of transaction references, amounts, and statuses.
• Notifications and communications: dispatch of transactional emails (welcome, receipts, expiry reminders) and push notifications to member devices, using content and triggers defined by the Controller.

Processing is performed exclusively within the scope necessary to provide the Platform. The Processor shall not use the Controller’s data for any secondary purpose, including training of machine-learning models, advertising, benchmarking against other customers, or any purpose not expressly authorised by the Controller.

The following categories of personal data are processed under this Agreement:

• Identification data: full name, email address, phone number, date of birth, gender (where provided by the member).
• Contact data: email address and phone number used for service notifications and account recovery.
• Biometric data (special category — Art. 9 GDPR): numeric face-embedding vectors (512-dimensional ArcFace representation); optionally, source photographs retained for staff audit where the Controller activates that feature. These data are processed only on the basis of the member’s explicit consent, obtained by the Controller.
• Membership and transaction data: active plan, ticket types and purchase history, wallet balance and top-up history, subscription renewal dates.
• Visit and access logs: date, time, gym location, access-device identifier, and verification method (QR, face, RFID, or ticket) for each entry and exit event.
• Authentication credentials: Argon2id-hashed passwords; session tokens; one-time codes. Cleartext passwords are never stored or transmitted.
• Device and technical data: mobile device model, OS version, app version, language preference, FCM push-notification token, and anonymised crash diagnostics.

Special-category data (biometric) is processed only where the Controller has obtained the explicit consent of the relevant data subject as required by Article 9(2)(a) GDPR and has configured the biometric feature in the Platform admin portal. The Processor does not activate biometric processing on its own initiative.

Processing under this Agreement may affect the following categories of natural persons:

• Gym members: individuals who have entered into a membership agreement with the Controller and hold an active or lapsed plan or subscription.
• Staff and administrators: employees or contractors of the Controller who use the GymSys Staff mobile application or the web admin portal to manage gym operations.
• Walk-in ticket purchasers: individuals who have not subscribed to a membership plan but have purchased a single-entry or multi-entry ticket from the Controller, including drop-in or MultiSport-scheme visitors processed via the front-desk kiosk.
• Employees of the Controller: individuals whose personal data (name, contact, role) is entered by the Controller into the Platform for the purpose of staff scheduling, role-based access, or trainer–client assignment.

In accordance with Article 28(3) GDPR, the Processor undertakes the following obligations:

• Processing on instructions only: process personal data solely on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
• Confidentiality of personnel: ensure that persons authorised to process personal data on behalf of the Controller have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited on a strict need-to-know basis.
• Technical and organisational security measures (Art. 32 GDPR): implement and maintain appropriate measures, including: TLS encryption for all data in transit; encryption at rest on Supabase PostgreSQL (EU region); row-level security (RLS) enforcing tenant isolation; Argon2id password hashing; HMAC-signed WebSocket sessions with nonce-based replay protection for access-control devices; structured audit logging of all administrative actions; and regular review of security controls. The current technical detail is published at gymsys.eu/privacy#security.
• Sub-processing with general authorisation: not engage any new sub-processor without prior general written authorisation of the Controller, effected by the publication of a change notice to the sub-processor list at gymsys.eu/subprocessors at least thirty (30) calendar days before the new sub-processor begins processing. If the Controller objects to a new sub-processor, it may terminate the SaaS subscription without penalty upon written notice within that 30-day window. Where the Processor engages sub-processors, it shall impose on them the same data-protection obligations as those set out in this Agreement.
• Assistance with data-subject rights: assist the Controller in fulfilling its obligations to respond to requests exercising data-subject rights (access, rectification, erasure, restriction, portability, objection) within fourteen (14) calendar days of the Controller’s written request, by providing export, deletion, and rectification tooling in the Platform admin portal and, where tooling is insufficient, by direct action on the underlying database.
• Personal data breach notification: notify the Controller without undue delay, and in any event within twenty-four (24) hours of detection, of any personal data breach affecting data processed under this Agreement. The notification shall include, to the extent then known: a description of the nature of the breach; the categories and approximate number of data subjects and records concerned; the likely consequences; and the measures taken or proposed to address the breach.
• Deletion or return of data at contract end: upon termination of the SaaS subscription and expiry of the 30-day export window, delete all personal data in the Processor’s systems that was processed on behalf of the Controller, unless Union or Member State law requires storage of the data, and provide written confirmation of deletion to the Controller within seven (7) days of completion.
• Audit and compliance demonstration: make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Remote paper audits (document requests and questionnaires) are provided free of charge with thirty (30) calendar days’ written notice. On-site inspections require thirty (30) calendar days’ written notice and shall be conducted at the Controller’s reasonable cost; the Controller shall ensure that inspections do not unreasonably interfere with the Processor’s operations or compromise the security or confidentiality of other customers’ data.

The Controller grants general authorisation to the Processor to engage sub-processors as listed on the GymSys Sub-processor Register, which is maintained at:

gymsys.eu/subprocessors

The Sub-processor Register identifies each sub-processor by name, country of establishment, the categories of processing it performs on the Processor’s behalf, and the safeguard used for any transfers outside the EEA (Standard Contractual Clauses or adequacy decision).

Changes to the sub-processor list — additions, removals, or material changes to an existing sub-processor’s role — will be communicated to Controllers by email notification and by updating the register with at least thirty (30) calendar days’ advance notice, in accordance with Article 6(d) above.

The technical and organisational security measures applied by the Processor to protect personal data processed under this Agreement are described in detail in the GymSys Privacy Policy, Security section:

gymsys.eu/privacy#security

Those measures include, without limitation: mutual TLS for all client-server communications; AES-256 encryption at rest on the Supabase PostgreSQL database hosted in an EU region; row-level security policies enforcing strict tenant isolation so that no gym’s data is readable by another gym’s credentials; Argon2id hashing of all passwords with per-user salts; HMAC-SHA256 signed WebSocket sessions for access-control devices with per-message nonces preventing replay attacks; structured audit logs of all privileged administrative operations retained for a minimum of two years; and regular review and penetration testing of security controls.

The Processor shall review and update these measures at regular intervals and, in any event, following any personal data breach, material change in the threat landscape, or change in the underlying infrastructure. The Processor shall notify the Controller of any material downgrade in the security measures before it takes effect.

Member personal data — including biometric face embeddings, visit logs, membership records, and contact details — is stored and processed exclusively on infrastructure located within the European Union. The primary database is hosted on Supabase’s EU (Frankfurt) region. The Processor’s application servers run on Oracle Cloud Infrastructure in the EU (Amsterdam) region. No member personal data is routed to servers outside the EEA in the ordinary course of processing.

Sub-processors outside the EEA (including payment gateways, email delivery providers, and push-notification services as listed at gymsys.eu/subprocessors) receive only the minimum data necessary to perform their specific function. All such transfers are governed by the European Commission’s Standard Contractual Clauses (Module Two: Controller-to-Processor, or Module Three: Processor-to-Processor, as applicable) in their form as approved by Commission Implementing Decision (EU) 2021/914, supplemented where required by a Transfer Impact Assessment.

In the event that the Controller instructs the Processor to transfer personal data to a destination outside the EEA that is not covered by an existing adequacy decision or SCCs in place with a sub-processor, the Processor shall notify the Controller that the transfer cannot be made without an appropriate safeguard and shall not proceed unless and until such safeguard is established.

The Processor shall promptly inform the Controller of any change in applicable law or binding court or government order that could reasonably be expected to affect the Processor’s ability to comply with this Agreement or that could compel disclosure of personal data to a public authority of a non-EEA country.