Privacy & Data Security
Last updated: April 2026
Where your data is stored
All member data is stored and processed exclusively within the European Union, on infrastructure dedicated to the Platform. Data never leaves the EU at any point during processing, storage, or backup.
Cookies and tracking
The Platform uses only strictly necessary cookies — those required to keep you signed in and to protect against cross-site request forgery. We do not use advertising, analytics, or behavioural tracking cookies, and we do not embed third-party trackers, pixels, or fingerprinting scripts.
What data we collect
The Platform collects only the information required to deliver and adapt training. Data is grouped into the following categories:
| Category | Purpose |
|---|---|
| Identifying and contact information | Account management and operational communication |
| Physical profile information | Personalisation of training |
| Health information relevant to safe exercise | Selecting appropriate exercises and adapting them over time |
| Activity within the Platform | Adapting and progressing the training programme |
Health-related information is treated as special category data under GDPR Article 9. The gym organisation is responsible for obtaining the member's explicit consent before submitting it to the Platform. We do not collect data we do not need, and we do not derive or infer information beyond what the service requires.
How data is used
- To generate and adapt personalised training
- To power the gym's day-to-day management of its members
- To communicate session schedules and summaries
Member data is never used for advertising, behavioural profiling outside the service, or sold or licensed to any third party. Aggregated, fully anonymised statistics may be used internally to improve the Platform.
Legal basis for processing
Where Adaptix processes member data on behalf of a gym (the controller), the gym relies on the following legal bases under the GDPR:
- Performance of a contract (Article 6(1)(b)) — to operate the member's account and deliver the service the gym has contracted for
- Explicit consent (Article 9(2)(a)) — for the processing of health-related information, obtained by the gym before such data is submitted to the Platform
- Legitimate interests (Article 6(1)(f)) — for security, fraud prevention, and the safe and reliable operation of the Platform, balanced against members' rights and freedoms
- Legal obligation (Article 6(1)(c)) — where required by applicable law
Members may withdraw consent for the processing of health-related information at any time. Withdrawal does not affect processing carried out before the withdrawal, and may limit the gym's ability to provide a safe, personalised service.
Automated decisions
The Platform uses an internal algorithm to suggest exercises and progress training. These suggestions support — and remain subject to — the gym's professional staff, who are responsible for what is prescribed to each member. The Platform does not produce decisions with legal or similarly significant effects on members within the meaning of GDPR Article 22.
Retention
Personal data is retained only as long as necessary for the purposes described above and to meet our legal and contractual obligations. Once a member's account is closed or the relationship with the gym ends, data is removed in accordance with our documented data deletion procedure. Backups are rotated on a defined schedule and any residual personal data within them is overwritten in the normal course of that rotation.
Third parties
The Platform does not use third-party advertising, behavioural analytics, or external profiling services. No member data is sold or shared for marketing purposes.
Sub-processors
A small, vetted set of sub-processors is used solely to operate the Platform. Each is bound by a Data Processing Agreement and is permitted only to perform the function shown.
| Provider | Function | Location | DPA |
|---|---|---|---|
| OVH SAS | Infrastructure hosting | Frankfurt, Germany (EU) | In place |
The current list of sub-processors is available on request through the gym or by writing to privacy@adaptix.me.
Security measures
The Platform is built and operated with a defence-in-depth approach. The full configuration, vendor list, and tooling are intentionally not published; the categories of safeguards in place include:
Technical controls
- Modern transport encryption and strict transport policies for all data in motion
- Encrypted backups stored separately from the production environment
- Hardened network configuration with automated abuse and brute-force prevention
- Continuous monitoring of application errors, authentication events, and system integrity
- Tamper-evident system audit trails with off-server retention
- Two-factor authentication on every administrative account
- Documented incident response and breach notification procedure
Organisational controls
- Principle of least privilege: each role can access only the data it needs
- Granular role-based permissions across the Platform
- Logged administrative actions on member data
- Controlled deployment process for code changes
- Periodic review of accounts, credentials, and access
- Periodic security audits of the codebase and operational environment
Data ownership
The gym organisation is the Data Controller and retains full ownership of all member data. Adaptix acts as the Data Processor, processing data exclusively under the controller's instructions for the purposes described above.
On termination of the partnership, all data is deleted in accordance with our documented data deletion procedure.
Member rights
Members have the right to:
- Access their personal data
- Request correction of inaccurate data
- Request deletion of their data
- Withdraw consent at any time
- Request a copy of their data in a portable format
- Object to processing of their data
- Lodge a complaint with the relevant data protection supervisory authority
Requests can be submitted through your gym or directly to privacy@adaptix.me. We respond within the timeframes set by GDPR (normally one calendar month).
Children
The Platform is intended for users aged 18 and over (see our Terms of Use). We do not knowingly collect personal data from children. If you believe that data relating to a person under 18 has been submitted to the Platform, please contact privacy@adaptix.me and we will delete it.
Data Processing Agreement
We provide a Data Processing Agreement (Article 28 GDPR) to all partner organisations. For a copy or to discuss data protection requirements, contact us at privacy@adaptix.me.
Contact
For any privacy-related inquiries:
privacy@adaptix.me