01

Overview & Scope

The General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") entered into force on 24 May 2016 and has applied since 25 May 2018. Under its Article 3 it applies to organisations established in the European Union or European Economic Area (EEA), and to organisations established elsewhere that offer goods or services to, or monitor the behaviour of, individuals located in the EU/EEA, regardless of where the organisation itself is based.

Kaayu Gym Management serves gym operators across Europe. As a result, we process personal data of EU/EEA residents — including gym members, staff, and operator contacts — and are subject to GDPR obligations. This page explains how we meet those obligations, what rights EU residents have, and how to exercise them.

This GDPR Compliance Statement should be read alongside our full Privacy Policy, which provides broader detail on the personal data we collect, how we use it, and the sub-processors we engage.

Regulation Reference

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Full text available at gdpr-info.eu.

02

Our Role: Controller & Processor

GDPR distinguishes between a Data Controller (who determines the purposes and means of processing) and a Data Processor (who processes data on behalf of the Controller). Kaayu operates in both capacities depending on the context.

Kaayu as Data Processor

When gym operators use Kaayu to manage their members' data — names, contact details, health information, membership records, access logs — the gym operator is the Data Controller and Kaayu acts as their Data Processor. We process that data strictly under the operator's instructions and do not use it for our own purposes.

EU gym operators who require a Data Processing Agreement (DPA) in compliance with GDPR Article 28 should contact legal@kaayu.online. We provide a standard DPA at no additional cost.

Kaayu as Data Controller

Kaayu acts as a Data Controller for personal data it collects for its own business purposes, including operator account contacts (name, email, billing address), marketing opt-in records, platform usage analytics, and support communications. For this data, Kaayu is solely responsible for GDPR compliance.

Data Processing Agreement

A GDPR-compliant DPA is available to all EU operator clients. Email legal@kaayu.online with subject line "DPA Request" and we will respond within 3 business days.

03

Lawful Basis for Processing

Under GDPR Article 6, every processing activity must have a lawful basis. Where Kaayu acts as a Data Controller (for its own operational data), the following lawful bases apply:

Processing activity | Lawful basis | GDPR article
Operator account management and platform access | Contract necessity — processing required to deliver the SaaS service | Art. 6(1)(b)
Billing and invoicing | Contract necessity and legal obligation (VAT records) | Art. 6(1)(b) and (c)
Platform security, fraud prevention, abuse detection | Legitimate interests — protecting the platform and its users | Art. 6(1)(f)
Aggregate, anonymised product analytics | Legitimate interests — improving the product | Art. 6(1)(f)
Marketing emails and product updates | Consent — opt-in at signup or via preferences | Art. 6(1)(a)
Optional analytics cookies | Consent — via cookie banner on first visit (consent is also required by Article 5(3) of the ePrivacy Directive) | Art. 6(1)(a)
Tax record retention | Legal obligation — EU VAT Directive and member-state tax law | Art. 6(1)(c)

Note on analytics: output that is genuinely aggregated and anonymised is no longer personal data; the lawful basis in the table covers the processing of the underlying personal data that produces it.

Where Kaayu acts as a Data Processor (processing gym member data on behalf of an operator), the lawful basis is determined by the operator. Gym operators are responsible for identifying and documenting their lawful basis under Article 6 for processing member data and, because health information is special-category data, for identifying a condition under Article 9(2) (typically the member's explicit consent) before recording it in Kaayu.

04

Data Subject Rights

GDPR grants individuals in the EU/EEA a comprehensive set of rights over their personal data. The following rights apply to data for which Kaayu acts as Data Controller. For gym member data (where the gym operator is the Controller), members should contact their gym directly; operators can then coordinate with Kaayu as needed.

🔍
Access & Portability
Arts. 15 & 20
  • Obtain a copy of your personal data
  • Know how and why it's processed
  • Receive data in a machine-readable format
  • Transfer data to another provider
✏️
Correction & Erasure
Arts. 16 & 17
  • Correct inaccurate personal data
  • Request deletion ("right to be forgotten")
  • Applies where data is no longer necessary
  • Subject to legal retention obligations
🛑
Restriction & Objection
Arts. 18, 21 & 22
  • Restrict processing in certain circumstances
  • Object to legitimate-interest processing
  • Opt out of direct marketing at any time
  • Rights re. automated decision-making

To exercise any of the above rights, email privacy@kaayu.online with the subject line "GDPR Rights Request" and describe your request. We may need to verify your identity before acting on it. We will respond without undue delay and at the latest within one month of receipt; in complex cases, or where we receive many requests, we may extend this by up to two further months and will inform you of the extension and the reasons for it within the first month (GDPR Article 12(3)).

Gym Member Rights

If you are a gym member whose data is managed by a gym that uses Kaayu, your gym is the Data Controller for your membership data. Please contact your gym operator first. They can engage us directly to fulfil your request.

05

International Data Transfers

Kaayu's primary infrastructure is hosted in data centres in the EU (Frankfurt) and in Singapore. EU gym operators can request EU data residency so that member data is stored and processed only within the EEA; contact legal@kaayu.online to configure this option. Note that data residency governs where data is stored: remote access to EEA-hosted data by staff or sub-processors located outside the EEA is itself a transfer under GDPR Chapter V and must be covered by one of the mechanisms listed below.

Where personal data is transferred outside the EEA (for example, to sub-processors headquartered in the Philippines or the United States), Kaayu relies on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, which provides appropriate safeguards for transfers to third countries without an adequacy decision.
  • Adequacy Decisions — where the European Commission has determined that a third country, or a defined set of organisations within it (for example, US organisations certified under the EU-US Data Privacy Framework), provides an adequate level of data protection.
  • Binding Corporate Rules (BCRs) — for sub-processors within corporate groups that have obtained BCR approval.

A full list of our sub-processors, including their locations and the transfer mechanism applied to each, is maintained in our Privacy Policy. EU operators may request a copy of the relevant SCCs by emailing legal@kaayu.online.

06

Data Retention

Kaayu retains personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our retention schedule is as follows:

  • Active operator accounts: Data retained for the duration of the contract plus 12 months to facilitate potential reactivation or data export.
  • Deleted/terminated accounts: Personal data anonymised within 90 days of account termination; system logs purged within 180 days.
  • Financial and billing records: Retained for 7 years to comply with EU VAT Directive and applicable member-state tax law.
  • Backup media: Backup snapshots containing a deleted account's data are overwritten within 30 days of the deletion, so that personal data is purged from all backup tiers on that timescale.
  • Marketing data: Retained until consent is withdrawn or, if no interaction in 3 years, automatically suppressed.
  • Security/audit logs: Retained for 12 months for incident investigation purposes.

Gym operators (as Data Controllers) are responsible for setting appropriate retention policies within Kaayu for their members' data. Kaayu provides data deletion tools within the platform and will action deletion requests on behalf of operators.

07

Security Measures

Kaayu implements appropriate technical and organisational measures under GDPR Article 32 to ensure a level of security appropriate to the risk:

Technical Measures

  • AES-256 encryption for all data at rest
  • TLS 1.3 for all data in transit
  • Multi-factor authentication (MFA) available for all operator and staff accounts
  • Role-based access controls limiting data access to authorised personnel
  • Restricted access to production systems on the principle of least privilege
  • Annual third-party penetration testing
  • Automated vulnerability scanning and patch management
  • Database-level audit trails for sensitive data access

Organisational Measures

  • Mandatory annual data privacy and security training for all staff
  • Confidentiality and data processing agreements with all employees and contractors
  • Vendor due diligence programme for all sub-processors
  • Internal data classification policy
  • Data Protection Impact Assessment (DPIA) process for new features and processing activities

Physical Measures

  • Servers hosted in ISO 27001-certified data centres with 24/7 physical access controls
  • Clean desk and clear screen policy for staff handling personal data

08

Data Breach Notification

Kaayu has an incident response process aligned with GDPR Articles 33 and 34:

Notification to Supervisory Authorities (Art. 33)

In the event of a personal data breach, and unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, Kaayu will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (where Kaayu acts as Controller). Where Kaayu acts as Processor, we will notify the affected gym operator without undue delay after becoming aware of the breach, so that the operator can meet its own notification obligations to its supervisory authority.

Notification to Data Subjects (Art. 34)

Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, Kaayu (or the gym operator as Controller) will notify those individuals directly without undue delay, in clear and plain language describing the nature of the breach and the measures taken.

Incident Response Process

  • Detection: Automated alerting and 24/7 security monitoring to identify potential incidents
  • Containment: Immediate isolation of affected systems and evidence preservation
  • Assessment: Classification of severity and scope; determination of notification obligations
  • Notification: Timely notification to supervisory authority and/or data subjects as required
  • Post-incident review: Root cause analysis and remediation to prevent recurrence

Report a Security Concern

If you believe you have discovered a security vulnerability or data breach, please contact us immediately at security@kaayu.online. We will acknowledge all reports within 24 hours.

09

Privacy by Design & Default

Kaayu implements the principles of Privacy by Design and Privacy by Default as required by GDPR Article 25. This means data protection is built into our systems and processes from the ground up, not added as an afterthought.

  • Data minimisation: We collect and process only the personal data that is strictly necessary for the specific purpose.
  • Purpose limitation: Personal data collected for one purpose is not used for incompatible purposes without a new lawful basis.
  • Storage limitation: Automated retention schedules ensure data is not kept longer than necessary.
  • Pseudonymisation: Where technically feasible, direct identifiers are separated from data sets used for analytics and testing. Pseudonymised data remains personal data under GDPR (Recital 26) and is protected accordingly.
  • Privacy-first defaults: Platform privacy settings default to the most restrictive option. Users opt in to optional data sharing rather than opting out.
  • Data Protection Impact Assessments (DPIAs): Conducted for all new features, integrations, or processing activities that are likely to result in a high risk to individuals.

10

Data Protection Officer

Kaayu has appointed a Data Protection Officer (DPO) to oversee our GDPR compliance programme, advise on data protection obligations, and act as the primary point of contact for data subjects and supervisory authorities on matters relating to the processing of personal data.

Contact Our DPO

Data Protection Officer
Kaayu Technology Inc.
Email: dpo@kaayu.online
Phone: +63 947 984 1430
Manila, Philippines

The DPO can be contacted for any GDPR-related queries, to exercise your data subject rights, to request a copy of our DPA, or to raise concerns about our data processing activities. We aim to respond to all DPO inquiries within 5 business days.

11

Supervisory Authority Complaints

If you believe that Kaayu has not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement (GDPR Article 77), without prejudice to any other administrative or judicial remedy.

The European Data Protection Board (EDPB) maintains a directory of the national supervisory authorities (Data Protection Authorities) at edpb.europa.eu. Common supervisory authorities include:

We encourage you to contact us first at dpo@kaayu.online — most concerns can be resolved quickly and informally, and we are committed to addressing every inquiry seriously and promptly.