Company Logo

PRIVACY POLICY

Last updated: 07.10.2025.

This Privacy Policy describes how Bács M-Cs. Balázs ÎI ("we", the "Platform") collects and processes a limited set of data required to deliver GymBoard features. We do not sell personal data and aim to minimize what we store. This notice reflects the principles of the EU GDPR.

For the general terms of use seeTerms of Use

1. Data Controller

Controller: Bács M-Cs. Balázs ÎI Address: Bixad, 147, CV, RO Email: bmcb.dev@gmail.com Phone: +40743234307 Tax ID: 51894240

2. Processing Principles

  • Data minimisation – only what’s needed for core functionality.
  • Purpose limitation – no incompatible reuse.
  • Accuracy – gym operators can correct gym and member data.
  • Integrity & confidentiality – reasonable technical controls (encryption in transit, hashed passwords).
  • Transparency – this Policy explains categories and purposes.

3. Categories of Data

3.1. Operator Account Data

  • Email (required), hashed password (never stored in plain text).
  • Name and phone (optional).
  • Subscription state, gym limit, Stripe identifiers (if billing enabled).

3.2. Gym Data

  • Name, address, contact details, description, schedule, pricing (day/month/year), logo URL.

3.3. Pseudonymous Visitor Data

  • Unique visitor UUID and optional nickname (local).
  • Visits (gym reference, timestamp, optional IP & user agent if captured for security).
  • Feedback (8 fixed metrics + optional comment).
  • Custom question answer (one selection per question).

3.4. Technical & Optional Structures

  • Internal analytics cache (aggregations).
  • Announcements, achievements, courses, bookings, members (may be inactive or partially surfaced).

3.5. Technical Data

  • Session tokens / JWTs for operator authentication.
  • Language preference (local storage / cookie).
  • Basic diagnostic & security logs (server events, errors).

3.6. Member data

  • What we store: first name, last name, optional email and phone, unique internal membership number (not derived from national IDs).
  • Subscription: type, validity period (start / end), active/inactive status and change history.
  • Attendance: check‑in timestamps to manage access and usage tracking.
  • Optional fields: emergency contact name & phone, brief medical notes (only minimal necessary information should be entered).
  • Other auxiliary fields: gender (enum), profile image (optional), internal notes (organisation only – avoid sensitive data).
  • How it’s used: to administer membership validity, verify access (check‑in), manage periods, and provide operator support.
  • What we do NOT do: no advertising use, no profiling, no data selling.

4. Legal Bases & Purposes (GDPR)

4.1. Contract Performance

  • Create and manage operator accounts and associated gyms.
  • Display statistics and aggregates (visits, feedback averages).
  • Manage subscription limits and billing context.

4.2. Legitimate Interest

  • Technical monitoring for stability and abuse prevention.
  • Improving baseline security and performance.
  • Protecting against fraudulent or automated feedback submissions.

4.3. Consent (where required)

  • Showing a visitor nickname (if entered).
  • Any future optional communications (inactive at present).

4.4. Legal Obligation

  • Retention of accounting / tax records for paid subscriptions.
  • Responding to lawful authority requests.

5. Collection Methods

  • Directly from operators (registration, gym configuration, subscription management).
  • Through visitor actions (scan code, submit feedback, answer question).
  • Automatically at server level (timestamps, logs, tokens).
  • Optional: approximate browser location used client‑side only for UX (not persisted).

6. Cookies & Similar Technologies

  • Session / authentication storage (strictly necessary).
  • Language preference (functional).
  • No advertising / tracking cookies in the current version.
  • You can control cookies via browser settings; disabling required ones may block login.

7. Data Recipients (Sharing)

  • Stripe (subscription payment processing – operator data only).
  • Infrastructure / hosting providers (storage & execution).
  • Transactional email / error monitoring services (if active).
  • Authorities or legal entities where disclosure is mandatory.
  • No sale or brokerage of personal data.

8. International Transfers

Where possible data is stored within the EU/EEA. If a provider (e.g. email delivery or CDN infrastructure) involves transfer outside the EEA we rely on: (a) EU adequacy decisions; or (b) Standard Contractual Clauses (SCCs). We do not perform systematic transfers of sensitive data.

9. Retention

  • Operator & gym data – retained for the duration of the contractual relationship; upon closure may be anonymised / progressively deleted except where legal obligations apply.
  • Member data (if module active) – retained while the member is active or until deletion requested by the operator; on deactivation anonymisation (e.g. replacing name) may occur except where needed for tax or legal defence. Optional medical notes and internal notes should be cleaned when no longer required.
  • Feedback & visits – kept for historical integrity and aggregated statistics; can be anonymised where feasible on justified request.
  • Technical logs – short retention, only as needed for security & diagnostics.
  • Billing / accounting data – per applicable statutory retention periods.

10. Security

  • Encrypted transport (HTTPS).
  • Passwords stored using established hashing algorithms (never plain text).
  • Internal access limited by least‑privilege principles.
  • Logical separation between operator data and pseudonymous identifiers.
  • No absolute security guarantee – use unique, strong passwords.

11. No Automated Decisions / Profiling

We do not conduct profiling or automated decision‑making producing legal or similarly significant effects. Leaderboards are simple arithmetic averages of aggregated feedback per gym and are not personal visitor evaluations.

12. Data Subject Rights

  • Access – request confirmation and a copy of relevant data.
  • Rectification – correct inaccurate data (e.g. gym details).
  • Erasure – in certain conditions (not where legal retention applies).
  • Restriction – temporarily limit processing in specific cases.
  • Objection – to processing based on legitimate interest (we assess justification).
  • Portability – for data you actively provided (where technically feasible).
  • Complaint – to a competent supervisory authority.

13. Exercising Rights

  • Submit your request to: bmcb.dev@gmail.com.
  • Include a clear description of the right invoked and sufficient identifying details.
  • We normally respond within 30 days (extendable under GDPR for complex cases).

14. Minors

  • The Platform is not directed at individuals under 16.
  • If we discover accidental collection of data from minors we will promptly delete it.
  • Deletion requests can be sent to bmcb.dev@gmail.com.

15. Policy Changes

  • We may update this Policy for clarity, compliance or functional evolution.
  • Material changes may be signalled via interface or email (where applicable).
  • Continued use after the effective date indicates acceptance.

16. Contact