We use cookies to improve your experience.

    Privacy Policy

    Last Updated: 18/06/2026

    Privacy Policy

    Last Updated: June 18, 2026

    1. Introduction

    MyGymDesk ("Company", "we", "our", "us"), operated by Mygymdesk Technologies Private Limited (CIN: U62013TS2026PTC213750), is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use MyGymDesk, our cloud-based gym management software ("Service").

    This policy applies to our website, our mobile applications — MyGymDesk Business and MyGymDesk Member (available on the Apple App Store and Google Play Store) — and all related services.

    This Privacy Policy is published in compliance with the Information Technology Act, 2000 and the rules thereunder, the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025, and — for individuals in the European Union, European Economic Area, and United Kingdom — the EU/UK General Data Protection Regulation ("GDPR").

    Where you provide consent as a lawful basis, that consent is given freely, is specific to the purposes described below, and can be withdrawn at any time (see Section 7). For many processing activities, however, we rely on lawful bases other than consent, as set out in Section 4A.

    2. Our Role: Data Fiduciary / Controller and Data Processor

    MyGymDesk serves two distinct roles, using the terminology of both the DPDP Act and the GDPR:

    Data Fiduciary (DPDP) / Controller (GDPR): For data we collect directly from gym owners and their staff (account information, billing details, usage data). We determine the purpose and means of processing this data.

    Data Processor (DPDP and GDPR): For gym member data that gym owners upload to and manage through our platform (member names, phone numbers, attendance records, payment records, health/fitness data). We process this data strictly on behalf of and on the documented instructions of the gym owner (who is the Data Fiduciary / Controller for their members' data) and only to provide the Service.

    If you are a gym member whose data is managed by a gym using MyGymDesk, please contact your gym directly regarding your data rights. The gym is responsible for establishing a lawful basis (including obtaining consent where required) and for responding to your data requests. We will assist and cooperate with the gym to fulfil any such requests, as set out in our Data Processing Agreement.

    3. Information We Collect

    a) Information You Provide (Gym Owners & Staff)

    • Account registration information: full name, email address, phone number
    • Gym business information: gym name, address, city
    • Payment and billing information (processed by our payment partners — we do not store full card numbers)
    • Communications with us via email, WhatsApp, or in-app chat
    • Business address and tax identifier (e.g. GSTIN for Indian customers) collected for invoicing

    b) Gym Member Data (Uploaded by Gym Owners)

    • Member names, phone numbers, email addresses
    • Membership plan and subscription details
    • Attendance and check-in records
    • Payment and billing records
    • Body measurements and fitness progress data (weight, BMI, chest, waist, hips, bicep measurements) — this may constitute health-related data / a special category of data under the GDPR
    • Biometric identifiers where a gym uses biometric attendance devices (e.g. fingerprint templates), processed on the gym's instructions
    • Any other information the gym owner chooses to record about their members

    c) Information Collected Automatically

    • Device and browser information (type, version, operating system)
    • IP address
    • Usage data: pages visited, features used, time spent, actions performed
    • Cookies and similar technologies (see Section 9)
    • Error logs and performance data (collected via Sentry for debugging and Service improvement)
    • Camera and photo library access (only when you choose to upload photos such as member photos or profile pictures)
    • Push notification device tokens (if you opt in to push notifications)

    d) Information Collected by App Stores

    When you download our apps from the Apple App Store or Google Play Store, those platforms may collect data as described in their respective privacy policies. We do not control and are not responsible for data collected by Apple or Google during app download or installation.

    4. How We Use Your Information

    We use your information for the following specific, limited purposes:

    • Service Delivery: To provide, operate, and maintain the Service, including processing member data, generating reports, and enabling communication features.
    • Payment Processing: To process subscription payments, including recurring charges on a saved payment method where you have authorized them, and to generate invoices and receipts.
    • Communication: To send transactional messages (billing, account updates), onboarding guidance, and product announcements via email and WhatsApp.
    • Push Notifications: To send membership reminders, class booking confirmations, payment receipts, and gym announcements (only if you opt in to push notifications on your device).
    • Support: To respond to your requests, troubleshoot issues, and provide customer support.
    • Improvement: To analyse usage patterns and improve the Service (using aggregated, anonymized data where possible).
    • Security & Fraud Prevention: To detect, prevent, and address security issues, fraud, and abuse.
    • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

    We do NOT use your data or your members' data for automated decision-making that produces legal or similarly significant effects, nor for profiling or targeted advertising. We do NOT sell, rent, or trade your personal data to any third party.

    4A. Lawful Bases for Processing (GDPR)

    Where the GDPR applies, we rely on the following lawful bases (Art. 6) for processing personal data of gym owners and staff:

    | Purpose | Lawful basis | |---|---| | Providing the Service under our contract with you | Performance of a contract (Art. 6(1)(b)) | | Billing, recurring charges, invoicing | Performance of a contract (Art. 6(1)(b)) / legal obligation for tax records (Art. 6(1)(c)) | | Security, fraud prevention, service improvement | Legitimate interests (Art. 6(1)(f)) | | Marketing communications to gym owners | Consent (Art. 6(1)(a)), withdrawable at any time | | Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |

    For gym member data, the gym (as Controller) is responsible for establishing the lawful basis; we process such data only as Processor on the gym's instructions.

    5. Data Sharing & Third-Party Processors / Sub-Processors

    We share your data only with the following categories of third-party service providers (sub-processors), strictly to provide the Service:

    | Service Provider | Purpose | Data Shared | |---|---|---| | Supabase (Supabase Inc.) | Database hosting, authentication, file storage | All platform data (encrypted at rest and in transit) | | Razorpay Software Pvt. Ltd. | Payment processing (Indian customers) | Billing details, payment amounts, tokenized card mandate | | Stripe, Inc. | Payment processing (international customers) | Billing details, payment amounts, tokenized card mandate | | PayPal (Europe) S.à r.l. et Cie / PayPal, Inc. | Payment processing (international customers) | Billing details, payment amounts | | WhatsApp messaging provider (Meta WhatsApp Business Platform / approved BSP) | WhatsApp messaging automation | Phone numbers, message content for approved templates | | Resend Inc. | Transactional email delivery | Email addresses, email content | | Brevo (Sendinblue SAS) | Marketing email campaigns | Email addresses (gym owners only, not member data) | | Sentry (Functional Software Inc.) | Error tracking and performance monitoring | Error logs, device info, IP addresses (anonymized) |

    A current list of sub-processors is available on request. We will give you advance notice of any new sub-processor and a reasonable opportunity to object before that sub-processor begins processing your personal data.

    We may also disclose your information: (a) when required by law, court order, or government authority; (b) to protect our rights, property, or safety; (c) in connection with a merger, acquisition, or sale of assets (with prior notice to you).

    6. Data Storage & Security

    • Your data is stored on Supabase's cloud infrastructure (primary region: Mumbai, India). We select hosting regions that provide reliable performance for our users.
    • We use TLS 1.2+ encryption for all data in transit and encryption at rest.
    • Sensitive credentials (such as payment gateway keys) are stored in encrypted form. We do not store full payment card numbers; these are tokenized by our payment partners.
    • We implement Row-Level Security (RLS) policies in our database to ensure complete data isolation between tenants — no gym can access another gym's data.
    • We use role-based access controls and Supabase Auth for authentication.
    • We conduct periodic security reviews of our application and infrastructure.

    Despite our best efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we take commercially reasonable measures to protect your data.

    7. Your Rights

    a) Rights under the DPDP Act, 2023 (Data Principal Rights)

    • Right to Access: Request a summary of the personal data we process and the related processing activities.
    • Right to Correction: Request correction of inaccurate or incomplete personal data. You can also update most information directly in your account settings.
    • Right to Erasure: Request deletion of your personal data, subject to legal retention requirements. Upon a valid request, we delete data within 30 days from active systems and within 90 days from backups. Account deletion can be requested in app settings or by emailing [email protected].
    • Right to Grievance Redressal: Raise a complaint with our Grievance Officer (Section 14).
    • Right to Nominate: Nominate an individual to exercise your rights in the event of death or incapacity, as per the DPDP Act.

    b) Additional Rights under the GDPR (EU/UK individuals)

    In addition to access, correction, and erasure above, if you are in the EU/EEA/UK you also have:

    • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format (CSV/Excel), and have it transmitted to another controller where technically feasible.
    • Right to Restriction of Processing: Request that we limit processing in certain circumstances.
    • Right to Object: Object to processing based on legitimate interests, and object at any time to processing for direct marketing.
    • Rights related to automated decision-making: We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects.
    • Right to Withdraw Consent: Where we rely on consent, withdraw it at any time (as easily as it was given); withdrawal does not affect prior lawful processing.
    • Right to lodge a complaint with your local supervisory authority (and, in India, with the Data Protection Board of India).

    To exercise any of these rights, contact [email protected]. We will acknowledge your request within 7 days and complete the action within 30 days (for GDPR requests, within one month, extendable by two further months for complex requests with notice). If you are a gym member, please direct your request to your gym; we will support the gym in fulfilling it.

    8. Data Breach Notification

    In the event of a personal data breach that is likely to cause harm, we will:

    • Notify affected gym owners (tenants) without undue delay and within 72 hours of becoming aware of the breach.
    • Provide details of the nature of the breach, categories and approximate number of records affected, and steps taken or proposed to mitigate the impact.
    • Report the breach to the Data Protection Board of India as required under the DPDP Act, and — where the GDPR applies and the breach meets the threshold — support affected Controllers in notifying the relevant EU/UK supervisory authority within 72 hours.
    • Cooperate with affected tenants in notifying their gym members where required.

    9. Cookies & Tracking Technologies

    We use essential cookies and similar technologies for authentication, security, preferences, and aggregated/anonymized analytics. We do NOT use advertising or third-party tracking cookies. You can control cookies through your browser settings and, where required, through our consent banner; disabling essential cookies may affect functionality.

    10. Children's Privacy

    The MyGymDesk platform is a business tool intended for use by gym owners and staff who are at least 18 years of age.

    Gym owners may add members who are minors (under 18) to their gym records. In such cases, the gym (as Data Fiduciary / Controller) is responsible for ensuring that verifiable parental or guardian consent has been obtained before adding a minor's data to the Service, in compliance with the DPDP Act and, where applicable, the GDPR. MyGymDesk does not knowingly collect personal data directly from minors. We do not engage in behavioural monitoring or targeted advertising directed at children's data.

    11. International Data Transfers

    Your data is primarily stored in India (Supabase, Mumbai). Some sub-processors may process data outside India (for example, Stripe, PayPal, and Sentry infrastructure).

    • For personal data subject to the GDPR that is transferred outside the EU/EEA/UK (including to India, which does not currently benefit from an EU adequacy decision), we put in place an appropriate transfer mechanism such as the European Commission's Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum), together with supplementary measures where needed. A copy of the relevant safeguards is available on request.
    • For personal data subject to the DPDP Act, transfers outside India are made in accordance with the Act and any restrictions notified by the Government of India.

    12. Data Retention

    • Active account: Retained for as long as your account is active and the Service is being provided.
    • After cancellation/termination: Retained for 30 days to allow export, then permanently deleted from active systems.
    • Backups: Backup data may be retained for up to 90 days before permanent deletion.
    • Legal obligations: Certain data (such as billing and invoicing records) may be retained as required by applicable tax and accounting laws (in India and, for international customers, their local requirements).
    • Anonymized data: Aggregated, anonymized data that cannot identify any individual may be retained indefinitely for analytical and product-improvement purposes.

    13. Changes to This Policy

    We may update this Privacy Policy periodically. We will notify you of material changes at least 15 days in advance via email and/or a prominent notice within the Service, and may require renewed acceptance on next login. The "Last Updated" date indicates the most recent revision.

    14. Grievance Redressal / Data Protection Contact

    In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the following officer is designated as Grievance Officer / point of contact for data protection:

    • Name: Biswanath Sarkar
    • Email: [email protected]
    • Address: Mygymdesk Technologies Private Limited, Flat J705, Aparna Sarovar Zicon, Nallagandla, Serilingampally, Hyderabad - 500019, Telangana, India

    The Grievance Officer will acknowledge your complaint within 7 (seven) days and resolve it within 30 (thirty) days. If unsatisfied, you may complain to the Data Protection Board of India under the DPDP Act, or (for EU/UK individuals) your local data protection supervisory authority.

    EU/UK Representative: If and where required under GDPR Article 27 / UK GDPR, MyGymDesk will appoint an EU/UK representative and publish their contact details here.

    15. Contact Us

    For privacy-related questions or to exercise your data rights:

    • Email: [email protected]
    • Grievance Officer: Biswanath Sarkar — [email protected]
    • Address: Mygymdesk Technologies Private Limited, Flat J705, Aparna Sarovar Zicon, Nallagandla, Serilingampally, Hyderabad - 500019, Telangana, India