Last updated: 18 May 2026

Privacy Policy

This policy explains what data the GymSys platform — including the GymSys Member mobile app, the GymSys Staff app, the web admin portal, and gym front-desk software — collects from members and staff, why we collect it, and the choices you have.

01

Data Controller

GymSys is a multi-tenant software platform. For most personal data — your name, contact details, membership status, payments, visits, and biometric face data — the gym you signed up with is the data controller under the GDPR, and GymSys (operated by RPM Technologies s.r.o., Bidovce 316, Slovakia) is the data processor. For data we collect directly to run the platform itself (e.g. app crash diagnostics, account-level email/password), GymSys is the controller.

02

What We Collect

  • Identification: full name, email, phone number, date of birth, gender (optional), profile photo (optional).
  • Authentication: hashed password, one-time codes for email verification, session tokens.
  • Membership: the gym(s) you belong to, your plan, ticket purchases, visit history, schedule bookings, wallet balance.
  • Biometric: face data — see Section 03.
  • Payments: transaction amounts, currency, status, and a payment-gateway reference. Card / bank-account numbers are handled by the gateway (Stripe, PayPal, or Comgate) and never stored by GymSys.
  • Device & technical: device model, OS version, app version, IP address, language, push-notification token, crash reports.
  • Access logs: each check-in / check-out event at a gym (date, time, device, verification method).

03

Biometric (Face) Data

With your explicit consent, GymSys captures photos of your face during enrollment and converts them into numeric face embeddings (512-dimensional vectors). These embeddings are used solely to confirm your identity at the gym's access-control devices.

  • The original photos used for enrollment are stored alongside the embedding only when the gym's configuration requires it (for staff audit); otherwise they are discarded after embedding extraction.
  • Embeddings are per-gym. If you belong to two gyms, two separate embeddings exist, each readable only by that gym's staff and the access devices at that gym.
  • Embeddings are stored on encrypted PostgreSQL (Supabase, EU region) with row-level security enforced.
  • You can withdraw consent and have your embeddings deleted at any time from the app (Settings → Manage gyms → Leave gym, or Settings → Delete account). Deletion is propagated to all access devices that hold the data.
  • We do not share embeddings with advertisers, data brokers, or any third party outside the gym that controls them.

04

How We Use Your Data

  • Provide gym access (QR code, face match, RFID card lookup).
  • Manage your membership: plan, renewals, tickets, visit limits.
  • Process payments and send receipts.
  • Send service notifications (booking confirmations, payment receipts, expiry reminders).
  • Keep the platform secure: detect fraud, prevent abuse, audit access.
  • Comply with legal obligations (accounting, tax, anti-fraud).
  • Improve the product (aggregated, non-identifying analytics only).

We do not sell your data, run third-party advertising in the app, or use your data to train external AI models.

06

Who We Share Data With

  • Your gym(s): the gym admin and staff you registered with see your full profile, payments, and visits.
  • Payment processors: Stripe, Inc. (US), PayPal (Europe) S.à r.l., Comgate Payments a.s. (CZ) — when you pay through them.
  • Infrastructure providers: Supabase Inc. (database, EU region), Oracle Cloud (server hosting, EU), Vercel Inc. (web portal hosting), Caddy / Cloudflare (network).
  • Email delivery: Resend Inc. (transactional emails).
  • Push notifications: Google Firebase Cloud Messaging.
  • Authorities: if compelled by court order or to comply with applicable law.

All processors are bound by Data Processing Agreements that require them to handle your data only on our instructions and to apply appropriate safeguards, including Standard Contractual Clauses (SCCs) for transfers outside the EU/EEA.

07

Where Your Data Lives

Member data (including face embeddings) is stored on servers located in the European Union. Some sub-processors (e.g. Stripe, Firebase) operate globally; transfers to non-EU jurisdictions rely on the European Commission's Standard Contractual Clauses.

08

How Long We Keep It

  • Active membership: for as long as you are a member of the gym.
  • Face embeddings: deleted within 24 hours when you leave a gym or delete your account.
  • Payment records: 10 years (Slovak Accounting Act No. 431/2002 Coll.).
  • Access logs: 2 years.
  • Account-level data (email, password): until you request account deletion, then a 30-day grace period before permanent erasure.

09

Your Rights

Under the GDPR you can, free of charge:

  • Access the data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased ("right to be forgotten") — see our account deletion page.
  • Restrict or object to processing.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent for biometric data or marketing at any time.
  • Lodge a complaint with your national data-protection authority (in SK: Úrad na ochranu osobných údajov Slovenskej republiky).

Most of these can be exercised directly in the app (Settings → Privacy). For anything else, contact us — see Section 14.

10

App Permissions

  • Camera — required for face enrollment and for scanning gym QR codes. Used only while you are on those screens; there is no background access.
  • Biometric (fingerprint / face unlock) — optional, for locking the app locally on your device.
  • Notifications — for booking confirmations, payment receipts, expiry reminders.
  • Storage — to cache your profile QR code offline.
  • Network — required to reach the GymSys servers.

You can revoke any of these from your device's app settings; the corresponding feature will then be unavailable.

11

Children

GymSys is not directed at children under 16. Members under 16 must be enrolled by a parent or legal guardian, who provides consent on the child's behalf and remains the primary contact.

12

Security

We apply industry-standard safeguards including TLS in transit, encryption at rest, row-level security in the database, short-lived access tokens, hashed passwords (Argon2), and audit logging of administrative actions. Access devices use HMAC-signed sessions and nonce-based replay protection. No system is perfectly secure; if a breach affects you we will notify you and the supervisory authority within 72 hours as required by Art. 33–34 GDPR.

13

Changes to This Policy

We may update this policy when the platform changes or the law changes. Material updates will be announced in the app and via email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the current version.

14

Contact

Questions, requests, or complaints about your data:

  • Email: privacy@gymatic.eu
  • Postal: RPM Technologies s.r.o., Bidovce 316, Slovakia
  • For data held by your gym specifically, contact the gym's admin directly.