
Data Processing Agreement

Last updated: 15 February 2026 · v1.0

This DPA forms part of the GymAxis AI Subscription Terms when one or both parties processes personal data subject to the UK GDPR or EU GDPR. Customers (the Data Controller) sign the Subscription Terms; this DPA applies automatically.

Need a counter-signed copy?

Email dpa@gymaxisai.com with your company details. We respond within one business day with a PDF of this DPA pre-signed by our DPO.

1. Definitions

Terms not defined here have the meaning given in the UK GDPR or in the GymAxis AI Subscription Terms.

  • Customer: the entity subscribing to GymAxis AI services.
  • Personal Data: data relating to identified or identifiable natural persons processed by us on the Customer's behalf.
  • Sub-processor: a third party we engage to assist with processing (Stripe, Resend, Mongo Atlas, AWS S3, etc.).
  • Supervisory Authority: the UK Information Commissioner's Office (ICO).

2. Scope & processing details

Subject matter: provision of the GymAxis AI platform.

Duration: for the term of the Subscription plus a 30-day grace period for export, then 90 days for backups.

Nature & purpose: hosting, storing, processing, and analysing Customer data to deliver gym CRM, memberships, marketing, and operations features.

Categories of data subjects: Customer's staff, members, prospects, and contacts.

Categories of personal data: contact details (name, email, phone, address), DOB, payment metadata (last-4 only), attendance, communication history, optional emergency contact, optional marketing preferences. We do not process special-category data unless explicitly uploaded by the Customer (e.g. medical waivers).

3. Roles

Customer is the Data Controller. GymAxis AI Ltd is the Data Processor for all Customer data, except where we collect data directly from website visitors (cookies, contact form), in which case we are an independent Controller per our Privacy Policy.

4. Customer instructions

We process Personal Data only on documented instructions from the Customer, including transfers to third countries, unless required by UK or EU law. Setting up the platform, configuring features, and using the public API constitute documented instructions.

5. Confidentiality & staff

All GymAxis personnel with access to Personal Data are bound by written confidentiality obligations and have received UK GDPR awareness training.

6. Security measures (Art. 32)

  • Encryption in transit (TLS 1.2+) and at rest (AES-256) for all customer databases.
  • Role-based access control with least-privilege principles.
  • JWT session tokens, MFA available for all operator accounts.
  • Tamper-evident audit log for sensitive operations.
  • Annual penetration test by an independent third party.
  • Quarterly secrets rotation, monthly dependency vulnerability scans.
  • 24-hour incident-response SLA; 72-hour breach notification per Art. 33.
  • Regular automated backups with documented restore tests.

7. Sub-processors

Our current authorised sub-processors:

Sub-processor                      | Purpose                             | Region
----------------------------------|-------------------------------------|----------------------
MongoDB Atlas                     | Database hosting                    | EU (Ireland)
Stripe Payments UK Ltd            | Payment processing                  | UK / EU / US (SCCs)
Resend Inc.                       | Transactional email delivery        | US (UK IDTA)
AWS Inc.                          | Object storage (uploads, exports)   | EU (Ireland)
Anthropic PBC                     | AI text generation (opt-in features)| US (UK IDTA)
Sentry / Functional Software Inc. | Error tracking                      | US (UK IDTA)

We provide 30 days' notice via the in-app status page when adding a new sub-processor. The Customer may object in writing within 14 days.

8. International transfers

Where Personal Data is transferred outside the UK / EEA, we rely on the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses or, where adequacy decisions exist, on those.

9. Data subject rights

We provide self-serve endpoints in the operator portal for: access (export), rectification (in-app edits), erasure (close-account button), restriction (suspend processing), portability (CSV export), and objection (notification preferences). Member-side equivalents live at /portal/me/gdpr. We will assist the Customer in responding to data-subject requests at no extra charge.

10. Personal data breach

We notify the Customer without undue delay (and within 72 hours) of any confirmed Personal Data breach, including: nature, categories & approximate volume of records, name & contact of our DPO, likely consequences, and measures taken or proposed.

11. Audits

Once per year (or after a confirmed breach) the Customer may request a written summary of our security posture and most recent third-party penetration test. On-site audits may be arranged with 30 days' notice and at the Customer's reasonable cost.

12. Termination & deletion

Upon termination, we provide the Customer with a 30-day grace period to export data via the operator portal CSV export tools or via API. Thereafter we delete or anonymise all live Customer data. Backups containing Customer data are deleted on a rolling 90-day cycle.

13. Liability

Our liability under this DPA is governed by the limitation-of-liability clause in the Subscription Terms.

14. Contact

Data Protection Officer (DPO): dpo@gymaxisai.com
Postal address: GymAxis AI Ltd, [Registered office address], United Kingdom.
