Legal
Privacy Policy
Effective date: 25 April 2026 · Last updated: 25 April 2026
Compliant with India's Digital Personal Data Protection Act, 2023 (DPDP) and the EU's General Data Protection Regulation (GDPR).
1. Who we are
This Privacy Policy describes how GymCare (a product of VisionUs, the "Company", "we", "us", "our") collects, uses, discloses, and safeguards personal data when you visit https://gymcare.co.in, use the Owner Dashboard, Trainer App, or Member App, or otherwise engage with our services (collectively, the "Service").
For the purposes of the GDPR, GymCare is the Data Controller for personal data collected through our website and the Owner Dashboard. For data submitted by your gym members and trainers into our platform, GymCare acts as a Data Processor and the gym/business is the Data Controller.
For the purposes of the DPDP Act, GymCare is the Data Fiduciary for our website and direct customer data, and acts as a Data Processor for member/trainer data submitted by gyms.
2. Personal data we collect
2.1 You provide
- Account & contact: name, email, mobile, gym/business name, number of branches, designation
- Billing: billing address, GSTIN (where applicable), tax identifiers, payment instrument details (handled by our payment partners – we do not store full card numbers)
- Member/trainer data uploaded by gyms: names, contact details, attendance, biometric IDs, photographs, plans, payments, workout/diet plans, classes, complaints
- Communications: messages, support tickets, feedback, demo enquiries
2.2 Collected automatically
- Device & usage: IP address, browser type, OS, device IDs, pages viewed, referring URLs, timestamps, error logs
- Cookies & analytics: see Section 9
2.3 Sensitive personal data
Where you or your gym uploads health-related data (e.g. body measurements, BMI, fitness goals, biometric IDs), we treat it as sensitive personal data and apply the additional safeguards required under DPDP and GDPR.
3. How we use your data
- To provide and operate the Service (members, trainers, billing, attendance, classes, workouts, diet plans, reports)
- To process payments and issue invoices (including GST invoices for Indian customers)
- To send service notifications, renewal reminders, and announcements (via email, SMS, WhatsApp where you have opted in)
- To provide customer support and respond to enquiries
- To improve the Service, fix bugs, and develop new features
- To detect, prevent, and respond to fraud, abuse, or security incidents
- To comply with legal, tax, audit, and regulatory obligations
- For marketing communications about GymCare features and offers – you can opt out anytime
4. Lawful basis for processing (GDPR)
| Purpose | Lawful basis |
|---|---|
| Providing the Service to you | Performance of contract |
| Billing, invoicing, tax records | Legal obligation |
| Service notifications & security alerts | Legitimate interest |
| Marketing emails / WhatsApp / SMS | Consent (you can withdraw anytime) |
| Cookies (non-essential) | Consent |
| Sensitive / health data | Explicit consent |
Under the DPDP Act, our processing relies on either your explicit consent or the legitimate uses recognised in Section 7 of the Act (e.g. providing the Service you requested, complying with law, employment-related processing).
5. How we share data
We do not sell your personal data. We share it only with:
- Service providers / sub-processors: cloud hosting (e.g. AWS, Google Cloud), payment processors (e.g. Razorpay, Stripe), email/SMS/WhatsApp providers, analytics (Google Analytics), customer support tools, biometric device vendors. These parties act under our instructions and are bound by data-processing agreements.
- Within your gym: your gym's owners, admins, and assigned trainers can see member data on a need-to-know basis.
- Legal & safety: when required by law, court order, or to protect rights, property, or safety.
- Business transfers: in connection with a merger, acquisition, or asset sale, with notice to you.
6. International data transfers
By default, data is hosted in India and the United States (US-East). EU/EEA/UK customers may request EU-region hosting. We use Standard Contractual Clauses (SCCs) and equivalent safeguards approved by the European Commission for any transfers outside the EU/EEA/UK.
For DPDP, cross-border transfers are made only to jurisdictions not specifically restricted by the Government of India.
7. Data retention
- Active accounts: we retain data for the duration of your subscription
- After cancellation: 90-day grace period to restore your account; data is permanently deleted thereafter (except as required by law)
- Billing & tax records: retained for 7 years to meet Indian tax law (or longer where required)
- Backups: rolling backups deleted within 35 days
8. Security
We protect your data with industry-standard measures, including:
- TLS encryption in transit (HTTPS)
- AES-256 encryption at rest
- Role-based access controls and least-privilege permissions
- Regular automated backups
- Audit logs and intrusion detection
- Vendor due diligence and signed data-processing agreements
No system is 100% secure. If we become aware of a personal data breach, we will notify the relevant supervisory authority and affected individuals in accordance with the DPDP Act and GDPR Article 33/34.
9. Cookies & tracking
We use cookies and similar technologies for:
- Strictly necessary: session, login, security (set without consent – required for the Service to function)
- Analytics: Google Analytics (G-MEF3VFTWBN) to understand traffic and improve the Service
- Preferences: remembering your billing-cycle and currency preferences
You can control cookies through your browser settings. Disabling some cookies may affect Service functionality.
10. Your rights
Subject to applicable law, you can:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to erasure")
- Restrict or object to certain processing
- Withdraw consent at any time (without affecting prior lawful processing)
- Port your data in a machine-readable format
- Lodge a complaint with a supervisory authority
To exercise these rights, email contact@visionus.io. We respond within 30 days.
11. DPDP Act rights (India)
If you are a Data Principal in India, you have the following rights under the Digital Personal Data Protection Act, 2023:
- Right to information about personal data being processed and processing activities
- Right to correction and erasure of personal data
- Right of grievance redressal – contact our Grievance Officer below
- Right to nominate another person to exercise your rights in the event of death or incapacity
- Right to withdraw consent for processing based on consent
If you are not satisfied with our response, you may approach the Data Protection Board of India.
12. GDPR rights (EU / EEA / UK)
If you are in the EU, EEA, or UK, you have the rights set out in Articles 15–22 of the GDPR (and equivalent UK GDPR rights):
- Article 15 – right of access
- Article 16 – right to rectification
- Article 17 – right to erasure ("right to be forgotten")
- Article 18 – right to restriction of processing
- Article 20 – right to data portability
- Article 21 – right to object (including direct marketing)
- Article 22 – rights related to automated decision-making
You may lodge a complaint with your local Data Protection Authority. For the UK, this is the Information Commissioner's Office (ICO).
13. Children
The Service is intended for businesses and adults aged 18+. We do not knowingly collect personal data from children under 18 without verifiable parental/guardian consent (DPDP) or under 16 without explicit consent in line with GDPR. If you believe a child has provided us personal data, please contact us so we can delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent version. Material changes will be notified by email or in-app notice at least 14 days before they take effect.
15. Contact & Grievance Officer
For privacy questions, to exercise your rights, or to file a grievance, contact us at:
Email: contact@visionus.io
Website: https://visionus.io
Grievance Officer (DPDP, India) and Data Protection Officer (GDPR): reachable via contact@visionus.io. We acknowledge complaints within 7 days and resolve within 30 days.