Legal
Data Processing Addendum
Last Updated: April 2026 · GDPR-Ready · Effective: April 2026
1. Definitions
- Controller: The gym/business using GymForge
- Processor: GymForge LLC
- Personal Data: Any information relating to an identifiable individual
- Data Subject: The individual (e.g., gym member, parent, student)
2. Scope of Processing
GymForge processes Personal Data only:
- To provide the Service
- On documented instructions from the Controller
- In accordance with applicable data protection laws including GDPR
3. Categories of Data Processed
GymForge may process:
Customer (Gym Member) Data
- Name, email, phone
- Attendance history
- Rank/belt level
- Parent/guardian relationships
- Billing status (not full payment details)
Business User Data
- Account holder info
- Staff access and permissions
Sensitive Considerations
- Minor (child) data
- Family/guardian relationships
4. Obligations of the Controller
The gym agrees to:
- Obtain lawful consent from members
- Obtain parental consent for minors
- Provide accurate data
- Comply with GDPR and local laws
5. GymForge Obligations (Processor)
GymForge agrees to:
a. Data Processing
- Process data only as instructed
- Not sell or misuse data
b. Confidentiality
- Ensure personnel are bound by confidentiality
c. Security Measures
- Encryption in transit (HTTPS)
- Secure cloud infrastructure
- Access controls
6. Subprocessors
GymForge may use subprocessors including:
- Payment processors (e.g., Stripe)
- Cloud hosting providers (e.g., AWS, Vercel)
We will ensure subprocessors are GDPR-compliant and provide adequate safeguards.
7. International Data Transfers
If data is transferred outside the EU:
- We rely on Standard Contractual Clauses (SCCs)
- Or equivalent safeguards
8. Data Subject Rights
GymForge will assist the Controller in responding to:
- Access requests
- Deletion requests
- Data portability requests
9. Data Breach Notification
GymForge will:
- Notify the Controller without undue delay
- Provide details of the breach
- Assist in mitigation
10. Data Retention & Deletion
Upon termination:
- Data will be deleted within a reasonable timeframe (e.g., 30–60 days)
- Or returned upon request
11. Audits
GymForge will:
- Provide reasonable documentation of security practices
- Not allow excessive or abusive audit requests
12. Liability
Each party is responsible for its own compliance under GDPR.
Questions about this DPA? Contact: getgymforge@gmail.com