Privacy Policy

    Last Updated: 14/04/2026

    1. Introduction

    MyGymDesk ("Company", "we", "our", "us"), operated by Mygymdesk Technologies Private Limited (CIN: U62013TS2026PTC213750), is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use MyGymDesk, our cloud-based gym management software ("Service").

    This policy applies to our website (mygymdesk.in), our mobile applications — MyGymDesk Business and MyGymDesk Member (available on Apple App Store and Google Play Store) — and all related services.

    This Privacy Policy is published in compliance with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and is designed to comply with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025 as and when they come into effect.

    By using the Service, you consent to the collection, processing, and use of your personal data as described in this Policy. This consent is given freely, is specific to the purposes described below, and can be withdrawn at any time (see Section 7).

    2. Our Role: Data Fiduciary and Data Processor

    MyGymDesk serves two distinct roles:

    Data Fiduciary: For data we collect directly from gym owners and their staff (account information, billing details, usage data). We determine the purpose and means of processing this data.

    Data Processor: For gym member data that gym owners upload to and manage through our platform (member names, phone numbers, attendance records, payment records, health data). We process this data strictly on behalf of the gym owner (who is the Data Fiduciary for their members' data) and only for the purpose of providing the Service.

    If you are a gym member whose data is managed by a gym owner using MyGymDesk, please contact your gym owner directly regarding your data rights. The gym owner is responsible for obtaining your consent and responding to your data requests. We will cooperate with the gym owner to fulfil any such requests.

    3. Information We Collect

    a) Information You Provide (Gym Owners & Staff)

    • Account registration information: full name, email address, phone number
    • Gym business information: gym name, address, city
    • Payment and billing information (processed by Razorpay — we do not store card numbers)
    • Communications with us via email, WhatsApp, or in-app chat
    • Business address and GSTIN (optional, collected during paid conversion for invoicing)

    b) Gym Member Data (Uploaded by Gym Owners)

    • Member names, phone numbers, email addresses
    • Membership plan and subscription details
    • Attendance and check-in records
    • Payment and billing records
    • Body measurements and fitness progress data (weight, BMI, chest, waist, hips, bicep measurements)
    • Any other information the gym owner chooses to record about their members

    c) Information Collected Automatically

    • Device and browser information (type, version, operating system)
    • IP address
    • Usage data: pages visited, features used, time spent, actions performed
    • Cookies and similar technologies (see Section 9)
    • Error logs and performance data (collected via Sentry for debugging and Service improvement)
    • Camera and photo library access (only when you choose to upload photos such as member photos or profile pictures)
    • Push notification device tokens (if you opt in to push notifications)

    d) Information Collected by App Stores

    When you download our apps from the Apple App Store or Google Play Store, those platforms may collect data as described in their respective privacy policies. We do not control and are not responsible for data collected by Apple or Google during app download or installation.

    4. How We Use Your Information

    We use your information for the following specific, limited purposes:

    • Service Delivery: To provide, operate, and maintain the Service, including processing member data, generating reports, and enabling communication features.
    • Payment Processing: To process subscription payments, generate invoices and receipts.
    • Communication: To send transactional messages (billing, account updates), onboarding guidance, and product announcements via email and WhatsApp.
    • Push Notifications: To send membership reminders, class booking confirmations, payment receipts, and gym announcements (only if you opt in to push notifications on your device).
    • Support: To respond to your requests, troubleshoot issues, and provide customer support.
    • Improvement: To analyse usage patterns and improve the Service (using aggregated, anonymized data where possible).
    • Security & Fraud Prevention: To detect, prevent, and address security issues, fraud, and abuse.
    • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

    We do NOT use your data or your members' data for automated decision-making, profiling, or targeted advertising. We do NOT sell, rent, or trade your personal data to any third party.

    5. Data Sharing & Third-Party Processors

    We share your data only with the following categories of third-party service providers, strictly for the purposes of providing the Service:

    | Service Provider | Purpose | Data Shared |
    |---|---|---|
    | Supabase (Supabase Inc.) | Database hosting, authentication, file storage | All platform data (encrypted at rest and in transit) |
    | Razorpay Software Pvt. Ltd. | Payment processing | Billing details, payment amounts |
    | Interakt (Haptik/Jio) | WhatsApp messaging automation | Phone numbers, message content for approved templates |
    | Resend Inc. | Transactional email delivery | Email addresses, email content |
    | Brevo (Sendinblue SAS) | Marketing email campaigns | Email addresses (gym owners only, not member data) |
    | Sentry (Functional Software Inc.) | Error tracking and performance monitoring | Error logs, device info, IP addresses (anonymized) |

    We may also disclose your information: (a) when required by law, court order, or government authority; (b) to protect our rights, property, or safety; (c) in connection with a merger, acquisition, or sale of assets (with prior notice to you).

    6. Data Storage & Security

    • Your data is stored on Supabase's cloud infrastructure. We select hosting regions that provide reliable performance for Indian users.
    • We use TLS 1.2+ encryption for all data in transit.
    • Sensitive credentials (such as payment gateway keys) are stored in encrypted form.
    • We implement Row-Level Security (RLS) policies in our database to ensure complete data isolation between tenants — no gym can access another gym's data.
    • We use role-based access controls and Supabase Auth for authentication.
    • We conduct periodic security reviews of our application and infrastructure.

    Despite our best efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we take commercially reasonable measures to protect your data.

    7. Your Rights (Data Principal Rights)

    Under the DPDP Act, 2023 and applicable Indian law, you have the following rights as a Data Principal:

    • Right to Access: You may request a summary of your personal data that we process and the processing activities related to it.
    • Right to Correction: You may request correction of inaccurate or incomplete personal data. You can also update most information directly through your account settings.
    • Right to Erasure: You may request deletion of your personal data, subject to any legal retention requirements. Upon a valid erasure request, we will delete your data within 30 days from active systems and within 90 days from backups. You can request account deletion directly within the app settings or by emailing [email protected].
    • Right to Data Portability: You may request an export of your data in a commonly used, machine-readable format (CSV/Excel). Data export is available through the Service or on request via email.
    • Right to Withdraw Consent: You may withdraw your consent for data processing at any time. Withdrawal of consent may affect our ability to provide the Service. Withdrawal is as easy as granting consent — simply email us or use the unsubscribe mechanism provided.
    • Right to Nominate: In the event of your death or incapacity, your nominated individual may exercise your data rights on your behalf, as per the DPDP Act.

    To exercise any of these rights, contact us at: [email protected]. We will acknowledge your request within 7 days and complete the action within 30 days.

    8. Data Breach Notification

    In the event of a personal data breach that is likely to cause harm to you, we will:

    • Notify affected gym owners (tenants) within 72 hours of becoming aware of the breach.
    • Provide details of the nature of the breach, categories and approximate number of records affected, and steps taken or proposed to mitigate the impact.
    • Report the breach to the Data Protection Board of India (DPBI) as required under the DPDP Act.
    • Cooperate with affected tenants in notifying their gym members if required.

    9. Cookies & Tracking Technologies

    We use essential cookies and similar technologies for:

    • Authentication: To keep you logged in and maintain your session.
    • Security: To detect and prevent unauthorized access.
    • Preferences: To remember your settings and preferences.
    • Analytics: To understand how the Service is used and identify areas for improvement (using aggregated, anonymized data).

    We do NOT use advertising or tracking cookies. You can control cookies through your browser settings, but disabling essential cookies may affect the functionality of the Service.

    10. Children's Privacy

    The MyGymDesk platform is a business tool intended for use by gym owners and staff who are at least 18 years of age.

    We recognise that gym owners may add members who are minors (under 18) to their gym records. In such cases, the gym owner (as Data Fiduciary) is responsible for ensuring that verifiable parental or guardian consent has been obtained before adding a minor's data to the Service, in compliance with the DPDP Act. MyGymDesk does not knowingly collect personal data directly from minors. We do not engage in behavioural monitoring or targeted advertising directed at children's data.

    11. International Data Transfers

    Your data may be processed by third-party service providers located outside India (for example, Supabase and Sentry infrastructure). Where such transfers occur, we ensure that appropriate contractual safeguards are in place to protect your data in accordance with applicable Indian law and, when applicable, any restrictions notified by the Government of India under the DPDP Act.

    12. Data Retention

    • Active account: Data is retained for as long as your account is active and the Service is being provided.
    • After cancellation/termination: Your data is retained for 30 days to allow for data export. After 30 days, data is permanently deleted from active systems.
    • Backups: Backup data may be retained for up to 90 days before permanent deletion.
    • Legal obligations: Certain data (such as billing and invoicing records) may be retained as required by applicable Indian tax and accounting laws.
    • Anonymized data: Aggregated, anonymized data that cannot identify any individual may be retained indefinitely for analytical and product improvement purposes.

    13. Changes to This Policy

    We may update this Privacy Policy periodically. We will notify you of material changes at least 15 days in advance via email and/or through a prominent notice within the Service. We encourage you to review this Policy regularly. The "Last Updated" date at the top of this page indicates the most recent revision.

    14. Grievance Redressal

    In accordance with the Information Technology Act, 2000 and rules made thereunder, and the DPDP Act, 2023, the following officer has been designated as the Grievance Officer / Data Protection Officer:

    • Name: Biswanath Sarkar
    • Email: [email protected]
    • Address: Mygymdesk Technologies Private Limited, Flat J705, Aparna Sarovar Zicon, Nallagandla, Serilingampally, Hyderabad - 500019, Telangana, India

    The Grievance Officer will acknowledge your complaint or request within 7 (seven) days and resolve it within 30 (thirty) days of receipt, as required under applicable Indian law. If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India (once constituted) under the DPDP Act.

    15. Contact Us

    For privacy-related questions or to exercise your data rights:

    • Email: [email protected]
    • Grievance Officer: Biswanath Sarkar — [email protected]
    • Address: Mygymdesk Technologies Private Limited, Flat J705, Aparna Sarovar Zicon, Nallagandla, Serilingampally, Hyderabad - 500019, Telangana, India