We take the privacy of gym operators, staff, and members seriously. This policy explains exactly what data we collect, how we use it, and the rights you have under Philippine, European, and international law.
Kaayu Gym Management ("Kaayu," "we," "us," or "our") is a cloud-based gym management platform operated by Kaayu Technology Inc., registered in the Philippines. We operate the website at kaayu.online and the Kaayu software-as-a-service platform.
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our website or platform — whether you are a gym operator, a staff member, or a gym member whose information is managed within the platform.
We are committed to compliance with the Philippines Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations, applicable Southeast Asian data protection laws, the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), as relevant to your jurisdiction.
This policy is a legal document, not legal advice. If you have questions about your specific compliance obligations as a gym operator, please consult qualified counsel in your jurisdiction. Kaayu's built-in contract and consent templates are reviewed by regional counsel but are provided as tools, not guaranteed legal compliance.
This policy applies to three distinct groups of individuals whose data Kaayu may process:
If you are the owner, manager, or staff member of a gym that subscribes to Kaayu, you are our direct customer. We collect and process your data to provide you with the platform, manage your account, process subscription payments, and communicate with you about the service.
If you are a member of a gym that uses Kaayu, your data is entered into the platform by your gym — either by staff or by yourself during self-registration. In this context, your gym is the data controller of your personal data, and Kaayu acts as a data processor operating under instruction from your gym. For requests related to your membership data (access, correction, deletion), you should first contact your gym directly. We explain this two-tier model fully in Section 5.
If you visit kaayu.online without signing up, we collect limited data as described in our Cookies section (Section 13), including analytics and form submissions you voluntarily provide.
Where gyms use Kaayu's access control integration (fingerprint or facial recognition hardware), biometric data is processed by the access hardware and matched locally or via a one-way hash. Kaayu stores only the biometric template hash, not raw biometric images. This data is subject to heightened protection under Philippine RA 10173 and applicable laws as "sensitive personal information."
We rely on the following legal bases to process personal data, depending on the nature of the processing and the applicable law:
| Processing Activity | Legal Basis | Applicable Law |
|---|---|---|
| Providing the platform to gym operators | Contract performance | RA 10173 / GDPR Art. 6(1)(b) |
| Processing subscription payments | Contract performance | RA 10173 / GDPR Art. 6(1)(b) |
| Storing gym member data on behalf of gyms | Data Processing Agreement with the gym (controller) | RA 10173 / GDPR Art. 28 |
| Sending product updates and service announcements | Legitimate interest / contract | RA 10173 / GDPR Art. 6(1)(f) |
| Marketing communications (promotional) | Consent (opt-in) | RA 10173 / GDPR Art. 6(1)(a) |
| Security monitoring and fraud prevention | Legitimate interest | RA 10173 / GDPR Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation | RA 10173 / GDPR Art. 6(1)(c) |
For gym member data specifically, the legal basis is determined by the gym operator (the data controller), not by Kaayu. Gyms are responsible for obtaining appropriate consent or establishing a valid legal basis from their members before entering member data into Kaayu.
Kaayu is a multi-tenant platform: each gym subscribing to Kaayu has its own isolated tenant environment, and each gym owns its own data. Kaayu does not commingle tenant data, does not use member data from one gym to benefit another, and does not sell or share an individual gym's member data with other Kaayu customers.
Gym Operator = Data Controller. The gym decides what member data to collect, why, and how long to keep it. They are responsible for member consent and compliance with local laws regarding their members.
Kaayu = Data Processor. We process member data strictly under the instructions of the gym operator, as governed by our Data Processing Agreement (DPA) included in our Terms of Service. We do not process member data for our own purposes beyond what is necessary to provide the service.
Gym operators can export their complete member data at any time from within the platform in standard CSV and JSON formats. This data belongs to the gym and can be migrated to another system. Upon subscription termination, we provide a 30-day export window, after which data is securely deleted in accordance with our retention policy (Section 11).
Each gym tenant's data is logically isolated using tenant-scoped database schemas and access controls. Access by Kaayu engineering staff to production tenant data is role-restricted, logged, and requires multi-party approval for non-routine operations.
We do not use gym member data for: advertising, profiling unrelated to the gym's operations, training AI or machine learning models, or any purpose not directed by the gym operator.
Kaayu uses third-party payment processors to handle all financial transactions. Kaayu does not collect, store, or transmit payment card numbers, bank account numbers, or other sensitive financial account credentials.
We use the following payment processors depending on your region:
| Processor | Regions | Data Shared | Their Privacy Policy |
|---|---|---|---|
| Xendit | Philippines, Indonesia, Malaysia, Vietnam, Thailand | Name, email, amount, transaction reference | xendit.co/privacy-policy |
| PayMongo | Philippines | Name, email, amount, transaction reference | paymongo.com/privacy |
| Stripe | Global (EU, US, Scandinavia, SEA) | Name, email, amount, transaction reference | stripe.com/privacy |
When you make a payment, you are interacting directly with the payment processor's secure form or hosted payment page. Card data is tokenized by the processor and never passes through Kaayu's servers. Our processors are PCI DSS compliant. We retain only: payment status (success/fail), transaction reference IDs, invoice amounts, and dates — for accounting, support, and dispute resolution purposes.
When gyms use Kaayu to process member payments (membership fees, PT sessions, etc.), the same processor rules apply. The gym's members' payment card data is handled by the payment processor — not stored by Kaayu or the gym. Kaayu stores only the payment record (date, amount, status, reference ID) in the gym's tenant environment.
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. We share data only as necessary to provide the service, as described below.
We engage trusted third-party vendors who process personal data on our behalf under data processing agreements:
| Vendor | Purpose | Data Category | Location |
|---|---|---|---|
| Cloud hosting provider (AWS / GCP) | Infrastructure, database storage | All data | Singapore / US (with SCCs) |
| Transactional email provider | System emails, notifications | Email, name | US (with SCCs) |
| SMS gateway | OTP, appointment reminders | Phone number | Regional |
| Analytics (self-hosted / anonymized) | Product usage analytics | Anonymized usage events | Philippines |
| Customer support platform | Help desk, support tickets | Email, name, messages | US (with SCCs) |
| Payment processors | See Section 7 | See Section 7 | Regional |
We may disclose personal data if required to do so by law, regulation, court order, or government authority. Where permitted, we will notify the affected party prior to disclosure. We will challenge requests we believe are overly broad or unlawful.
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. We will provide notice before such a transfer and ensure the receiving entity is bound by privacy obligations at least as protective as this policy.
Kaayu is headquartered in the Philippines and serves customers globally. Personal data may be stored or processed outside the country where it was collected. We take appropriate safeguards to ensure your data remains protected regardless of where it is processed.
Our primary data center is located in Singapore (AWS ap-southeast-1), chosen for its data sovereignty posture within Southeast Asia. Backup systems may operate in secondary regions, each subject to equivalent security standards and contractual protections.
We implement technical and organizational security measures appropriate to the risk of processing personal data. These include:
While we implement strong security measures, no internet transmission or electronic storage is 100% secure. We encourage gym operators to use strong passwords, enable two-factor authentication, and train staff on data handling best practices.
We retain your account data for the duration of your subscription plus 30 days following termination (to allow data export). After the 30-day export window, account data is deleted, with the exception of billing records and transaction logs, which are retained for 7 years to comply with Philippine tax and accounting regulations.
Because gyms are the data controllers of member data, retention is governed by the gym's own data retention policies, not Kaayu's. Gym operators can configure retention periods and delete member records within the platform. When a gym account is terminated, all associated member data is deleted within 30 days (following the export window), unless a longer period is required by law.
If you have opted in to marketing communications, we retain your contact information and preferences until you unsubscribe. You can unsubscribe at any time via the link in any marketing email or by contacting us at privacy@kaayu.online.
Anonymized, aggregated usage data (from which no individual can be identified) may be retained indefinitely to improve the platform and for business analytics purposes.
Depending on where you are located, you have the following rights regarding your personal data. Note that gym members should first contact their gym for requests related to membership data, as the gym is the data controller.
To exercise any of these rights, please contact us at privacy@kaayu.online with your full name and the nature of your request. We will respond within 30 days (or sooner as required by applicable law). We may need to verify your identity before fulfilling your request. We will not charge a fee for legitimate requests.
If you are a gym member, your gym is the primary contact for data requests. If your gym is unable or unwilling to assist, you may contact us and we will work with the gym to facilitate the request as required under applicable law.
Kaayu does not sell personal data to third parties in any form, including under the CCPA definition of "sale." California residents do not need to submit an opt-out request — we do not engage in this activity.
We use cookies and similar technologies on kaayu.online and within the platform. Here is what we use and why:
| Cookie Type | Purpose | Duration | Consent Required? |
|---|---|---|---|
| Essential | Session management, authentication, CSRF protection, load balancing | Session / 24 hours | No — essential for service |
| Functional | Remembering language preference, UI layout preferences | 1 year | No — service functionality |
| Analytics | Understanding how pages are used to improve the platform (self-hosted, anonymized) | 13 months | Yes (cookie banner) |
| Marketing | We do not use marketing or advertising cookies on the platform | N/A | N/A |
You can control cookies through your browser settings. Disabling essential cookies will affect the functionality of the platform. Our cookie banner (shown on first visit) allows you to accept or decline non-essential cookies. You may change your cookie preferences at any time via the cookie settings link in the footer.
The Kaayu platform is intended for use by gym businesses and their adult members. We do not knowingly collect personal data from children under the age of 13 (or the applicable age of digital consent in your jurisdiction — 16 in certain EU member states, 18 in the Philippines for independent consent).
Gym operators may enroll minor members (e.g., youth fitness programs) into the platform, but doing so requires that the gym operator has obtained verifiable parental or guardian consent in compliance with applicable laws. Gym operators represent and warrant that they have obtained such consent prior to entering minor member data into Kaayu.
If we become aware that we have collected personal data from a child without appropriate consent, we will delete that data promptly. If you believe we have inadvertently collected data about a child, please contact privacy@kaayu.online immediately.
We may update this Privacy Policy from time to time to reflect changes in our practices, the platform's features, legal requirements, or for other operational reasons. When we make material changes, we will:
For non-material changes (such as correcting typos or clarifying existing practices without substantively changing them), we may update the policy without prior notice beyond updating the revision date.
Your continued use of the platform after the effective date of an updated policy constitutes your acceptance of the changes. If you do not agree with a material change, you may terminate your account prior to the effective date.
For any privacy-related questions, requests to exercise your rights, or concerns about our data practices, please contact:
Kaayu Technology Inc.
Attn: Data Privacy Officer
Email: privacy@kaayu.online
Phone: +63 947 984 1430
Manila, Philippines
We aim to respond to all privacy inquiries within 5 business days and to resolve requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority:
Our team is happy to walk you through how Kaayu handles data for your gym — no legal jargon, just straight answers.