PRIVACY POLICY – KURLCLUB

1. Introduction

KurlClub is a gym, fitness studio, and wellness center management SaaS platform operated by a Private Limited company registered in India. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in compliance with the General Data Protection Regulation (GDPR) where applicable and the Digital Personal Data Protection Act, 2023 (India).

2. Roles & Data Responsibility

In most cases, the gym or fitness center using KurlClub is the Data Controller of member data. KurlClub acts as a Data Processor, processing personal data strictly on behalf of the gym. For website visitors and direct subscribers, KurlClub acts as the Data Controller.

3. Personal Data We Collect

• Account Information: Full name, email address, phone number, company name, job title, encrypted password.
• Member Information: Name, phone number, email, age, weight, height, membership details.
• Attendance Data: Check-in/check-out timestamps linked to member profiles.
• Payment Data: Transaction references and billing history (card/bank details are processed only by third-party payment providers).
• Usage Data: IP address, device information, browser type, log data.
• Communication Data: WhatsApp communication history for notifications and support.

4. Biometric Data Clarification

KurlClub does NOT store raw biometric templates such as fingerprint images or facial recognition data. If gyms use biometric devices, KurlClub only stores attendance results (member ID and timestamp) generated by the gym’s biometric system.

5. Purpose of Processing

• Provide and operate the SaaS platform
• Manage memberships and attendance
• Process billing and subscriptions
• Provide customer support
• Maintain security and prevent fraud
• Comply with legal obligations

6. Legal Basis (GDPR)

• Performance of a Contract
• Consent (including explicit consent for health-related data)
• Legal Obligation
• Legitimate Interests (platform security and improvement)

7. Third-Party Services

We may use trusted third-party providers for hosting, cloud storage, payment processing, analytics, and messaging services. These providers process data under contractual safeguards including Standard Contractual Clauses where applicable. We do not sell personal data.

8. Data Retention

• Account data: Retained while the account is active and deleted within 30 days of termination.
• Billing records: Retained as required under tax and financial laws.
• System logs: Retained for security monitoring for up to 12 months.
• Backup data: Automatically deleted within 45 days.

9. Data Deletion

Users may request deletion by emailing support@kurlclub.com with the subject line “Data Deletion Request”. We verify identity and process deletion within 7–14 business days. Certain data may be retained where legally required.

10. International Transfers

If data is transferred outside your country, we implement appropriate safeguards including contractual protections.

11. Data Security

We implement industry-standard safeguards including HTTPS encryption, encryption at rest, access controls, secure cloud infrastructure, and periodic security audits. In case of a data breach, affected users and relevant authorities will be notified as required by law.

12. Children’s Data

KurlClub is designed for business use. If minors’ data is processed by gyms, the gym is responsible for obtaining appropriate parental consent.

13. Your Rights

Depending on your jurisdiction, you may have rights including access, correction, deletion, restriction of processing, data portability, and withdrawal of consent. Requests can be sent to support@kurlclub.com.