GymSysGymSys
Get started
Legal · Sub-processors

Sub-
processors.

Last updated: 1 June 2026

GymSys is operated by RPM Technologies s.r.o., Bidovce 316, Slovak Republic. As a data processor under Art. 28 GDPR, GymSys engages the following sub-processors to deliver the platform. Each sub-processor is bound by a Data Processing Agreement and is permitted to process personal data only for the specific purpose listed. This list is maintained in accordance with Art. 28(2) GDPR.
01

Sub-processor List

The table below identifies every sub-processor currently engaged by GymSys, the service they provide, the categories of personal data transferred to them, the region where that data is processed, and the legal transfer mechanism applied where processing occurs outside the European Economic Area.

ProviderServiceData sharedRegionTransfer mechanism
Supabase Inc.Managed PostgreSQL database, authentication, and object storage (pgvector face embeddings, member records, memberships, access logs, uploaded files)All platform dataEU (Frankfurt)EU — no transfer
Oracle Cloud InfrastructureVirtual machine hosting for the GymSys application server (gymsys-server), including WebSocket device relay, REST API, face-verification engine, and background jobsServer-processed data in flightEU (Frankfurt)EU — no transfer
Vercel Inc.Edge hosting and CDN delivery for the GymSys web portal (admin UI, marketing site, gym public pages built with the website builder)Marketing & web assets; admin session tokens in transitEU (edge nodes)EU — no transfer
Resend Inc.Transactional email delivery (welcome emails, enrollment QR codes, payment receipts, subscription reminders, OTP verification codes)Recipient email address and message bodyUSStandard Contractual Clauses (SCCs) — EU Commission Implementing Decision 2021/914
Google LLC (Firebase)Firebase Cloud Messaging (FCM) for push notification delivery to iOS and Android devices (booking confirmations, expiry alerts, access events)Device FCM token and push notification payloadUSStandard Contractual Clauses (SCCs) — EU Commission Implementing Decision 2021/914
Anthropic / OpenAIAI language model inference — not integrated into any production data flow at this timeN/AN/AN/A

For all sub-processors operating within the EU/EEA, personal data does not leave the European Economic Area. For Resend and Google Firebase, which process data in the United States, GymSys has executed Standard Contractual Clauses under the European Commission's Implementing Decision (EU) 2021/914. Copies of executed SCCs are available upon written request to privacy@gymatic.eu.

02

Payment Providers

Payment processors such as Stripe, PayPal, and Comgate are not sub-processors of GymSys. When a gym member makes a payment, the contractual relationship for that transaction is between the member and the gym. The gym is the merchant of record and the data controller for payment data. GymSys stores only a payment-gateway reference identifier and transaction status; it does not receive, store, or process card numbers, bank-account details, or other sensitive payment instrument data.

Each gym is responsible for ensuring that its chosen payment provider relationship complies with applicable data protection law, including the execution of any required data processing agreements with those providers.

03

Notice & Objection Right

GymSys commits to providing all gym administrators with at least 30 days' prior written notice before engaging any new sub-processor or materially changing the role of an existing one. Notice will be delivered via email to the gym's primary administrator address on record and through an in-app notification in the GymSys web portal.

If a gym objects to a new or changed sub-processor on reasonable data-protection grounds, it may notify GymSys in writing within the 30-day notice period. GymSys will work in good faith to accommodate the objection. If the parties cannot reach a resolution and the gym elects to terminate its subscription as a result, GymSys will provide a pro-rata refund of any prepaid subscription fees for the remaining unused term, and the gym may terminate its subscription agreement without penalty.

  • Notice period: 30 days before a new sub-processor becomes active.
  • Objection window: within 30 days of receipt of the notice.
  • Remedy if unresolved: termination without penalty + pro-rata refund.
  • This list is updated whenever a sub-processor is added, changed, or removed.
04

Contact

For questions about this sub-processor list, to request copies of executed SCCs, or to submit a sub-processor objection, please contact GymSys's Data Protection contact:

  • Email: privacy@gymatic.eu
  • Postal: RPM Technologies s.r.o., Bidovce 316, Slovak Republic
  • Subject line for sub-processor objections: "Sub-processor objection — [gym name]"

GymSys will acknowledge sub-processor objection notices within five business days of receipt. The supervisory authority for GymSys in Slovakia is the Úrad na ochranu osobných údajov Slovenskej republiky (ÚOOÚ SR). Members and gym operators retain the right to lodge a complaint with ÚOOÚ SR at any time, independently of any objection process described in this document.