Trust & Security

Your gym data is sensitive — member information, payment records, health profiles, and attendance logs. Here's how we protect it and your rights under the DPDP Act 2023.

Compliance

DPDP ACT 2023

The Digital Personal Data Protection Act 2023 governs how digital personal data is collected, stored, and processed in India. We are aligned with its principles of purpose limitation, data minimisation, and the rights it grants data principals.

IT ACT 2000 / SPDI RULES

We comply with the Information Technology Act 2000 and the Sensitive Personal Data or Information (SPDI) Rules 2011, including reasonable security practices for handling sensitive personal data.

Data Practices

DATA COLLECTION

We collect member names, contact details, payment information, membership records, and attendance logs. Data is collected only to operate the gym management platform — no third-party advertising use.

DATA STORAGE

All gym data is stored in PostgreSQL on a Hostinger VPS located in India. File uploads are stored in Cloudflare R2 object storage. The database and application servers run in India.

DATA RETENTION

Deleted member records are purged from our systems within 30 days. Payment and transaction records are retained as required by applicable tax and accounting regulations.

DATA ENCRYPTION

All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Encryption keys are managed separately from the data they protect.

CONSENT MANAGEMENT

Member consent is recorded by gym staff at signup. Members can withdraw consent for individual data uses via the mobile app. Consent logs are timestamped and auditable.

Security Controls

INFRASTRUCTURE SECURITY

  • Encryption key access is strictly controlled and separated from application data
  • Network access requires authentication; no publicly exposed admin ports
  • All remote access to infrastructure is encrypted and logged

APPLICATION SECURITY

  • API rate limiting protects against brute-force and credential stuffing attacks
  • All input is validated and sanitised before database operations
  • CSRF and XSS protections are enforced across all endpoints

AUTHENTICATION & ACCESS

  • JWT-based authentication with automatic token rotation; tokens are revocable server-side
  • OTP verification required for sensitive operations such as password reset
  • Role-based access control with four levels: Super Admin, Admin, Staff, and Trainer
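As an added example (not the platform's own code), the following shows the mechanics behind the three points above: an HS256 JWT carrying companyId, role and a unique token id (jti); rotation that retires the previous token; a server-side denylist that is what makes a stateless token revocable; and a role check over the four roles. The secret, the 15-minute lifetime and the ordering Trainer < Staff < Admin < Super Admin are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumptions for this example: the real secret would come from a KMS or environment
# variable, and the role order below is how the four roles are assumed to nest.
SECRET = b"example-only-secret"
ROLES = ["Trainer", "Staff", "Admin", "Super Admin"]  # ascending privilege
ACCESS_TTL = 900  # seconds; short-lived tokens keep the denylist small

# Server-side denylist of token ids. verify_token() consults it on every request;
# an entry can be dropped once the token's exp has passed.
revoked_jtis = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, company_id: str, role: str, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT carrying the tenant (companyId), the role and a unique jti."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "companyId": company_id, "role": role,
               "iat": int(now), "exp": int(now) + ACCESS_TTL, "jti": secrets.token_hex(16)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Check structure, algorithm, signature, expiry and the denylist; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        raise PermissionError("undecodable token")
    if header.get("alg") != "HS256":  # never honour the alg the token names ("none", RS/HS confusion)
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise PermissionError("bad signature")
    if payload.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if payload.get("jti") in revoked_jtis:
        raise PermissionError("token revoked")
    return payload


def revoke_token(token: str, now: Optional[float] = None) -> None:
    """Logout or compromise response: deny the jti for the rest of the token's lifetime."""
    revoked_jtis.add(verify_token(token, now)["jti"])


def rotate_token(old_token: str, now: Optional[float] = None) -> str:
    """Rotation: mint a fresh token for the same principal and retire the old jti,
    so a copy of the old token captured earlier stops working immediately."""
    claims = verify_token(old_token, now)
    new_token = issue_token(claims["sub"], claims["companyId"], claims["role"], now)
    revoked_jtis.add(claims["jti"])
    return new_token


def authorize(token: str, min_role: str, now: Optional[float] = None) -> dict:
    """RBAC gate: the caller's role must be at least min_role in the ROLES ordering."""
    claims = verify_token(token, now)
    role = claims.get("role")
    if role not in ROLES or ROLES.index(role) < ROLES.index(min_role):
        raise PermissionError(f"role {role!r} may not perform a {min_role} action")
    return claims


if __name__ == "__main__":
    t = issue_token("user-42", "gym-a", "Staff")
    print("staff may do a trainer-level action:", authorize(t, "Trainer")["sub"])
    t2 = rotate_token(t)
    try:
        verify_token(t)
    except PermissionError as e:
        print("old token after rotation:", e)
    revoke_token(t2)
    try:
        verify_token(t2)
    except PermissionError as e:
        print("after logout:", e)
```

The denylist is the practitioner's caveat on "revocable JWTs": a signature check alone cannot revoke anything, so verification has to consult server state on every request, and the short lifetime bounds how long each entry must be kept. Comparing list positions assumes the four roles nest strictly; if Trainer and Staff hold disjoint permissions, replace the index comparison with a per-role permission set.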

DATA ISOLATION

  • Multi-tenant architecture with strict company-level scoping
  • Every database query is filtered by the caller's companyId, so a request made within one company cannot read or modify another company's records
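The scoping rule above lives in application code, so the thing to get right is that the tenant is fixed by the verified token and that no query can be issued without it. As an added example (not the platform's own code, and using SQLite in place of PostgreSQL so it runs offline), the following binds a repository to the companyId claim, makes every statement it issues carry the tenant predicate, and attaches a trace-based auditor that flags any statement on a tenant table that lacks one. Table names and rows are constructed for the example.

```python
import sqlite3
from typing import List, Optional, Tuple

# Assumed tenant tables; the schema and rows below are constructed for this example.
TENANT_TABLES = ("members", "payments", "attendance")


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the PostgreSQL database, seeded with two companies' members."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, company_id TEXT NOT NULL, "
                 "name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", [
        (1, "gym-a", "Asha", "9000000001"),
        (2, "gym-a", "Ravi", "9000000002"),
        (3, "gym-b", "Meera", "9000000003"),
    ])
    conn.commit()
    return conn


class ScopeAuditor:
    """Records SQL that reads or writes a tenant table without a company_id predicate.
    A text heuristic for tests and staging, not a replacement for scoping the query."""

    def __init__(self, conn: sqlite3.Connection):
        self.violations: List[str] = []
        conn.set_trace_callback(self._check)

    def _check(self, sql: str) -> None:
        s = sql.strip().lower()
        touches_tenant_table = any(t in s for t in TENANT_TABLES)
        if touches_tenant_table and s.startswith(("select", "update", "delete")) \
                and "company_id" not in s:
            self.violations.append(sql)


class TenantRepo:
    """Bound to one companyId at construction; callers cannot pass a different one per query."""

    def __init__(self, conn: sqlite3.Connection, company_id: str):
        self.conn = conn
        self.company_id = company_id

    @classmethod
    def from_claims(cls, conn: sqlite3.Connection, claims: dict) -> "TenantRepo":
        """The tenant comes from the verified token's companyId claim, never from the request body."""
        return cls(conn, claims["companyId"])

    def get_member(self, member_id: int) -> Optional[Tuple[int, str, str]]:
        return self.conn.execute(
            "SELECT id, name, phone FROM members WHERE id = ? AND company_id = ?",
            (member_id, self.company_id)).fetchone()

    def list_member_names(self) -> List[str]:
        rows = self.conn.execute(
            "SELECT name FROM members WHERE company_id = ? ORDER BY name", (self.company_id,))
        return [r[0] for r in rows]

    def update_phone(self, member_id: int, phone: str) -> int:
        """Rows changed: 0 when the id belongs to another company, so writes cannot cross tenants."""
        cur = self.conn.execute(
            "UPDATE members SET phone = ? WHERE id = ? AND company_id = ?",
            (phone, member_id, self.company_id))
        self.conn.commit()
        return cur.rowcount


def unscoped_lookup(conn: sqlite3.Connection, member_id: int) -> Optional[Tuple[int, str]]:
    """What a forgotten filter looks like: the id alone reaches any company's row; the auditor flags it."""
    return conn.execute("SELECT id, name FROM members WHERE id = ?", (member_id,)).fetchone()


if __name__ == "__main__":
    conn = open_db()
    audit = ScopeAuditor(conn)
    gym_a = TenantRepo.from_claims(conn, {"companyId": "gym-a"})
    print("own member:", gym_a.get_member(1))
    print("other company's member:", gym_a.get_member(3))
    print("rows changed by cross-tenant write:", gym_a.update_phone(3, "0000000000"))
    unscoped_lookup(conn, 3)
    print("unscoped statements caught:", audit.violations)
```

Because the repository takes its companyId from the token rather than from a request parameter, an attacker who edits the body of a request still gets queries scoped to their own company. With PostgreSQL the same predicate can additionally be enforced by the database through row-level security policies keyed on a session setting, which stops a forgotten filter instead of only reporting it.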

BIOMETRIC DATA

  • Fingerprint processing happens entirely on-device via CamsUnit hardware
  • No raw biometric templates are transmitted to or stored on our servers
  • We only receive attendance metadata — timestamps and device identifiers

Subprocessors

We use the following third-party services to operate the platform. Each is selected for security and regional compliance.

  • Hostinger: VPS hosting, database & application servers (India)
  • Cloudflare: R2 object storage & CDN
  • Brevo: Transactional email
  • CamsUnit: Biometric devices (on-premise)
  • Razorpay: Payment processing
  • Sentry: Error monitoring

Your Rights under DPDP Act 2023

As a data principal under Indian law, you have the following rights with respect to your personal data.

Access your data

Request a JSON export of your gym's data via the admin dashboard.

Correct inaccuracies

Edit member profiles, staff records, and payment details directly in the platform.

Delete your account

Request account deletion; records are purged within 30 days, except for payment and transaction records that must be retained under applicable tax and accounting regulations.

Withdraw consent

Revoke consent for individual data uses via the mobile app or admin settings.

File a grievance

Contact our Data Protection Officer at hello@thegymmanager.com for any privacy concerns.

Legal

Have security concerns, want to report a vulnerability, or exercise your data rights? Contact our Data Protection Officer at hello@thegymmanager.com.