GDPR Compliance
How GYMBIM handles personal data in accordance with the General Data Protection Regulation (EU) 2016/679.
1. Data Controller
TECHIMPACE INNOVATIONS PRIVATE LIMITED (CIN: U62099WB2025PTC280498), operating GYMBIM, acts as the data controller for personal data processed through our platform when we determine the purposes and means of processing.
Our registered office is at RBC Road, Lakurdi, Bardhaman - 713102, West Bengal, India. Contact: office@techimpace.com.
2. Lawful Basis for Processing
We process personal data only where a lawful basis applies under Article 6 GDPR: contract performance (providing gym management services), legitimate interests (security, fraud prevention, product improvement), legal obligation, or explicit consent (biometric enrollment, marketing communications).
Gym operators using GYMBIM may act as independent controllers for their members' data. We provide data processing agreements (DPAs) to clarify roles and responsibilities.
3. Categories of Data Processed
Member identity data (name, email, phone, membership ID), attendance and access logs, payment and billing records, biometric templates (mathematical representations — not raw images), device and usage metadata, and support communications.
Biometric data is classified as special category data under Article 9 GDPR. We process it only with explicit member consent obtained at enrollment, with additional safeguards including encryption, access controls, and purpose limitation.
4. Data Subject Rights
EU/EEA data subjects may exercise rights of access, rectification, erasure, restriction, portability, and objection. Requests can be submitted to office@techimpace.com. We respond within 30 days.
Members may withdraw biometric consent at any time. Withdrawal does not affect prior lawful processing but may limit access-control functionality requiring biometric verification.
You have the right to lodge a complaint with your local supervisory authority if you believe your rights have been violated.
5. Security & International Transfers
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is role-based with audit logging. Infrastructure providers are vetted for GDPR compliance.
Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms as required by Chapter V GDPR.
6. Retention
Personal data is retained only as long as necessary for the stated purpose or as required by law. Inactive member accounts are anonymized or deleted per the gym operator's retention policy, subject to minimum legal retention periods for financial records.