GymMaster, Your Data & the GDPR
Here at GymMaster, we store our clients’ data on servers in close geographic proximity to your facility. This reduces the likelihood of an event causing an outage of your service, improves the responsiveness of the service, and allows us and our clients to more easily comply with local data laws. Where specifically we store the information will depend on your location.
For your convenience, we’ve listed the information that we store for our clients, and for our clients’ members:
- Date of Birth
- Postal & Billing Address History
- Postal & Communication History
- Phone Numbers
- Medical Details
- Next of Kin
- Payment History
- Visit History
- Personal Training History
- Class History
Please note that while we do record the history of your payments, we don’t store any of our clients’ billing information on our servers. This information is instead stored in a secure facility at one of our payment processing partners. Our servers store a token, which is used to reference the relevant billing information.
If you would like to access this information for one of your members, you can browse to the member’s detail page and select the “Member Debtors Report” from the bottom of the page. If you would like a copy of the information we store for your business, please contact our support staff.
The data policies below apply to GymMaster and cover our obligations under the GDPR. If you have further questions about the GDPR, or if you are a Client and have questions specific to meeting your GDPR requirements to your Members and how GymMaster facilitates that, you can email our Data Officer at email@example.com
Audit of Information
We store daily backups of each of our clients’ data for one week on a secure server in our New Zealand head office, with a rotation to weekly storage for the following 5 weeks (providing a total of six weeks of backup for each client). This means that while we can delete a specific member’s information immediately upon request, it will likely take up to eight weeks for the member information to be completely removed from all of our systems.
To facilitate the use of our GymMaster Member Portal app, we store all of our Clients’ Staff and Members’ email addresses on a central server in the US, which then allows club members to log in to their GymMaster portal. The member emails on the server are used solely to facilitate Member App logins.
Beyond the explicitly collected data, we also store web server logs for each of our services, containing information about the HTTP request that was made. This includes the endpoint that was requested, the IP address of the user that requested it, and a timestamp of when the request was made. This information is used strictly for diagnostic and fraud prevention purposes, and is only kept for 14 days.
The GDPR requires that gyms who wish to send their Members marketing material through GymMaster have the explicit consent of their members before doing so. To ensure this, GymMaster has adopted the industry standard “Double Opt-In” process, ensuring gym members only receive the material they’ve signed themselves up for.
Double Opt-In is a process wherein the member must provide their email address to the system, and then confirm that email address via a link sent to their inbox. This change helps reduce spam & unwanted emails, and ensures that emails are going to the correct people. We recognise that we are required to obtain explicit consent from those who give us their email address in exchange for products/services on our website. For those in Europe, this will also be in the form of a Double Opt-In email.
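As an added illustration (not GymMaster’s own code), a minimal Double Opt-In flow in Python: an address is held as pending until the signed, time-limited token from the emailed link comes back, and only then is a consent timestamp recorded for later audit. The signing key and the 24-hour link lifetime are assumptions.

```python
import hashlib
import hmac
import time

# Assumption: a real deployment loads the key from configuration; this constructed value is for the example only.
SIGNING_KEY = b"constructed-demo-signing-key"
TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of a confirmation link


def _signature(email: str, issued_at: int) -> str:
    # HMAC over address and issue time: a link cannot be forged or re-pointed at another address without the key.
    msg = f"{email.lower()}|{issued_at}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


class DoubleOptIn:
    def __init__(self):
        self.pending = {}    # email -> issue timestamp of the outstanding link
        self.consented = {}  # email -> confirmation timestamp (the audit record)

    def start(self, email: str, now: float = None) -> str:
        # Step 1: the member supplies an address; return the token to embed in the confirmation link.
        issued_at = int(now if now is not None else time.time())
        self.pending[email.lower()] = issued_at
        return f"{issued_at}.{_signature(email, issued_at)}"

    def confirm(self, email: str, token: str, now: float = None) -> bool:
        # Step 2: the link is clicked; accept only an unexpired, correctly signed token for a pending address.
        email = email.lower()
        issued_at = self.pending.get(email)
        if issued_at is None:
            return False
        ts_str, _, sig = token.partition(".")
        if not ts_str.isdigit() or int(ts_str) != issued_at:
            return False
        now = now if now is not None else time.time()
        if now - issued_at > TOKEN_TTL_SECONDS:
            del self.pending[email]  # stale link: the member must start again
            return False
        if not hmac.compare_digest(sig, _signature(email, issued_at)):
            return False
        del self.pending[email]  # one-shot: the same link cannot confirm twice
        self.consented[email] = int(now)
        return True

    def may_send_marketing(self, email: str) -> bool:
        # Marketing goes only to addresses with a recorded confirmation.
        return email.lower() in self.consented
```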
72 Hour Breach Notification
In the unlikely event that one of our systems is compromised, we will notify affected clients within 72 hours of becoming aware of the breach. Once notified, our engineering team will do a full investigation of the breach, ensuring that all data is secured and that no further breaches are likely to occur. Once we’re confident the systems are secure again, we’ll do a full post-mortem on the event to determine the cause and to ensure it doesn’t happen again. The post-mortem write-up, including resulting changes, can be made available upon request.
As soon as you’ve been made aware of a breach, it is your obligation to communicate it to your members. If you choose, we can communicate the security breach to your members on your behalf; however, we would require a written request to do so.
The Right to Access
The Right to Access is about ensuring Clients and Members have access to their information in the GymMaster system. To this end, GymMaster has a feature available that lets you print a report of all the data associated with your members in the system. This report includes membership information, communication records, and billing history, including but not limited to –
- The purposes of processing
- The categories of personal data concerned
- The recipients or categories of recipients to whom the personal data have been or will be disclosed
- Where possible, the envisioned period for which the personal data will be stored
- The existence of a right to lodge a complaint with a supervisory authority
- The existence of automated decision-making, including profiling
- The right to access your information with us applies under the same process, too.
In order to assert their right to data portability, Clients or Members may at any time contact the Data Protection Officer as listed above.
We can provide machine readable data to our clients upon request. Note that this data request generally contains your entire GymMaster database. If you would like a single member’s information, you should use the report discussed in “The Right to Access”.
Right of Confirmation
Clients and Members have the right to obtain confirmation of whether or not personal data concerning them is being processed or held. Should you wish to do so, Clients can contact our Data Officer at firstname.lastname@example.org. Members should contact their facility in the first instance.
Right to Rectification
Right to be Forgotten
GymMaster will also respect your right to be forgotten. If you request, we can remove all of your personal details from our system. As per our legal accounting obligations, we’ll retain a record of the transactions that have occurred, but will remove any associations between those transactions and your records, as well as the records themselves (so all of your personal details will be purged from our system).
The Data Protection Officer of Treshna Enterprises (as noted above) or another employee will promptly ensure that the erasure request is complied with.
Right of Restriction of Processing
Clients and Members have the right to obtain from GymMaster a restriction of processing where one of the following applies:
- The accuracy of the data is contested by the Client or Member
- The data usage is deemed to be unlawful and the Client or Member opposes the erasure of the data and requests restriction of its use instead.
- The data is no longer required by GymMaster, however the Client or Member requires it for the establishment, exercise or defense of legal claims.
If one of the above conditions is met, and a Client or Member wishes to request the restriction of the processing of personal data stored by Treshna Enterprises, he or she may at any time contact our Data Protection Officer or another employee of the controller. The Data Protection Officer of Treshna Enterprises or another employee will arrange the restriction of the processing.
Existence of automated decision-making
As a responsible company, we do not use automatic decision-making or profiling.
This policy may be updated at any time.
GymMaster retains the right to amend this privacy statement at any time.