GDPR Compliance

Last updated: February 17, 2026

At ManageYourGym, operated by VectorWay Technologies (OPC) Private Limited, we are committed to protecting the privacy and rights of individuals in the European Union (EU) and European Economic Area (EEA). This page outlines our compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and describes how we handle personal data of EU/EEA residents.

While VectorWay Technologies is an Indian company, we recognize that our Platform may be used by gym owners and members located in the EU/EEA. We are committed to meeting GDPR requirements for all personal data of EU/EEA data subjects that we process.

1. Our Role Under GDPR

Under GDPR, organizations that handle personal data are classified as either Data Controllers or Data Processors:

As a Data Controller

We act as the Data Controller for personal data we collect directly from you when you register an account, subscribe to our services, contact us, or visit our website. We determine the purposes and means of processing this data.

As a Data Processor

We act as a Data Processor when gym owners (our customers) use the Platform to store and manage their gym members' personal data. In this case, the gym owner is the Data Controller, and we process data on their behalf according to their instructions.

2. Lawful Basis for Processing

Under Article 6 of the GDPR, we process personal data only when we have a valid lawful basis. The specific basis depends on the context:

Processing Activity                   | Lawful Basis               | GDPR Article
--------------------------------------|----------------------------|-------------
Providing the Platform service        | Performance of a contract  | Art. 6(1)(b)
Processing subscription payments      | Performance of a contract  | Art. 6(1)(b)
Sending transactional emails          | Performance of a contract  | Art. 6(1)(b)
Platform security & fraud prevention  | Legitimate interest        | Art. 6(1)(f)
Analytics & service improvement       | Legitimate interest        | Art. 6(1)(f)
Marketing communications              | Consent                    | Art. 6(1)(a)
Non-essential cookies & analytics     | Consent                    | Art. 6(1)(a)
Tax & financial record keeping        | Legal obligation           | Art. 6(1)(c)

3. Your Rights Under GDPR

If you are located in the EU/EEA, you have the following rights under the GDPR. We are committed to honoring these rights:

Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data we hold about you.

Right to Erasure / Right to Be Forgotten (Article 17)

You have the right to request deletion of your personal data when it is no longer necessary for the purpose it was collected, you withdraw consent, or there is no overriding legitimate interest for continued processing. Note: certain data may be retained where we have a legal obligation (e.g., financial records).

Right to Restriction of Processing (Article 18)

You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV) and to transmit it to another controller.

Right to Object (Article 21)

You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds.

Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. ManageYourGym does not currently engage in automated decision-making or profiling.

Right to Withdraw Consent (Article 7(3))

Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal.

4. How to Exercise Your Rights

To exercise any of your GDPR rights, please contact our Data Protection team:

Email: privacy@manageyourgym.com

Subject line: "GDPR Data Request - [Your Request Type]"

When submitting a request, please include:

  • Your full name and email address associated with your account.
  • A clear description of the right you wish to exercise.
  • Any additional information to help us locate your data (e.g., gym name if you are a gym member).

We will acknowledge your request within 72 hours and respond substantively within 30 days of receipt. If your request is complex or we receive a large number of requests, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.

We provide these services free of charge. However, if requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee or refuse to act on the request, as permitted under Article 12(5) of the GDPR.

5. Data Protection Measures

In compliance with GDPR Article 32, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

5.1 Technical Measures

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS).
  • Encryption at Rest: Sensitive personal data is encrypted at rest in our databases.
  • Password Security: Passwords are hashed using bcrypt with appropriate cost factors; we never store plaintext passwords.
  • Multi-Tenant Isolation: Each gym's data is logically isolated. Users can access only data belonging to their own gym; this is enforced by strict access controls at both the application and database level.
  • Access Controls: Role-based access control (RBAC) ensures users can only access data appropriate to their role (Owner, Admin, Staff).
  • Rate Limiting: API rate limiting and throttling protect against brute force attacks and abuse.
  • Secure Authentication: JWT-based authentication with short-lived access tokens and secure refresh token rotation.

5.2 Organizational Measures

  • Access to personal data is restricted to authorized personnel on a need-to-know basis.
  • Regular security reviews and vulnerability assessments.
  • Incident response procedures in place for data breaches.
  • Data processing agreements with all third-party sub-processors.

6. International Data Transfers

As VectorWay Technologies is based in India, personal data of EU/EEA residents may be transferred to and processed in India. India is not currently recognized by the European Commission as providing an adequate level of data protection under Article 45 of the GDPR.

To ensure appropriate safeguards for international data transfers under GDPR Chapter V, we rely on:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses as the primary mechanism for transferring personal data outside the EU/EEA, as approved under Commission Implementing Decision (EU) 2021/914.
  • Supplementary Measures: Where necessary, we implement supplementary technical and organizational measures (such as encryption and pseudonymization) to ensure the transferred data receives an essentially equivalent level of protection.
  • Transfer Impact Assessments: We conduct assessments of the legal framework in the destination country to evaluate and mitigate risks to data subjects.

7. Sub-Processors

We use the following categories of sub-processors to deliver our services. Each sub-processor is bound by data processing agreements that comply with GDPR requirements:

Category                  | Purpose                                      | Data Processed
--------------------------|----------------------------------------------|---------------------------------------
Cloud Infrastructure      | Hosting, data storage, and compute services  | All Platform data
Database Provider         | Managed PostgreSQL database                  | All structured data
Payment Gateway           | Subscription payment processing              | Payment details, billing info
Email Service             | Transactional & notification emails          | Email address, name
Analytics                 | Website usage analytics                      | Anonymized usage data, IP (truncated)
Cache / Key-Value Store   | Performance caching and session management   | Session tokens, cached queries

We will notify existing customers before adding new sub-processors that handle personal data, giving them the opportunity to object.

8. Data Breach Notification

In compliance with GDPR Articles 33 and 34, we have procedures in place for handling personal data breaches:

  • Supervisory Authority Notification: In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
  • Data Subject Notification: If a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected data subjects without undue delay.
  • Gym Owner Notification: Where we act as a Data Processor, we will notify the affected gym owners (Data Controllers) without undue delay after becoming aware of a breach, enabling them to fulfill their own notification obligations.
  • Breach Documentation: We maintain records of all data breaches, including the facts relating to the breach, its effects, and the remedial actions taken.

9. Data Protection Impact Assessments (DPIAs)

In accordance with GDPR Article 35, we conduct Data Protection Impact Assessments for processing activities that are likely to result in a high risk to data subjects' rights and freedoms. This includes assessments for new features, significant changes to data processing, and new third-party integrations that involve personal data.

10. Data Minimization and Retention

In line with GDPR's data minimization principle (Article 5(1)(c)), we:

  • Only collect personal data that is necessary for the specific purposes outlined in our Privacy Policy.
  • Do not retain personal data longer than necessary for the purposes for which it was collected.
  • Provide gym owners with tools to delete member data that is no longer needed.
  • Automatically purge server logs after 12 months.
  • Delete account data within 90 days of an account deletion request, except where retention is legally required.

11. Privacy by Design and Default

In accordance with GDPR Article 25, we incorporate data protection principles into the design of our Platform:

  • Privacy by Design: Data protection is considered from the earliest stages of feature development, not as an afterthought.
  • Privacy by Default: Default settings are configured to provide the highest level of privacy. For example, analytics cookies require opt-in consent, and data sharing features are off by default.
  • Multi-Tenant Architecture: Our architecture ensures that each gym's data is logically isolated, preventing unauthorized cross-tenant access.
  • Role-Based Access: Different user roles (Owner, Admin, Staff) have different levels of access, ensuring the principle of least privilege.

12. Responsibilities for Gym Owners (Data Controllers)

If you are a gym owner using ManageYourGym to process personal data of EU/EEA gym members, you are the Data Controller under GDPR. As such, you are responsible for:

  • Ensuring you have a lawful basis (e.g., consent or contractual necessity) for collecting and processing your gym members' data.
  • Providing your gym members with appropriate privacy notices informing them of how their data is processed.
  • Responding to your gym members' data subject access requests (DSARs) in a timely manner.
  • Using the Platform's data export and deletion tools to fulfill data portability and erasure requests.
  • Notifying us promptly if you become aware of any data breach involving data processed through the Platform.
  • Ensuring that any data you enter into the Platform is accurate and up to date.

We provide features within the Platform (member data export, deletion, and management tools) to help you fulfill your GDPR obligations as a Data Controller.

13. Right to Lodge a Complaint

If you believe that we have not handled your personal data properly or have not responded adequately to your request, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. You may also contact the Irish Data Protection Commission (DPC) or any other competent EU/EEA supervisory authority. However, we encourage you to reach out to us first at privacy@manageyourgym.com so we can attempt to resolve your concern.

14. Changes to This GDPR Statement

We may update this GDPR Compliance statement from time to time. When we make changes, we will update the "Last updated" date at the top of this page. Material changes affecting the rights of EU/EEA data subjects will be communicated via email or through a prominent notice on the Platform.

15. Contact Us

For any GDPR-related inquiries or to exercise your data protection rights, please contact us:

VectorWay Technologies (OPC) Private Limited

Brand: ManageYourGym

Data Protection Email: privacy@manageyourgym.com

Website: manageyourgym.com

This GDPR Compliance statement is effective as of February 17, 2026 and applies to ManageYourGym, a product of VectorWay Technologies (OPC) Private Limited.