GDPR

Last updated: 31 May 2026

Kinbox is built with privacy by design. We are committed to complying with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Portuguese data protection law, supervised by the Comissão Nacional de Proteção de Dados (CNPD).

1. Data Controller vs. Data Processor

Kinbox as Data Controller

Kinbox (António Carvalho, trading as Kinbox) is the data controller for:

Kinbox as Data Processor

For gym member data, Kinbox acts as a data processor on behalf of the gym owner (who is the controller). This means:

Gym owners who use Kinbox to manage member data take on GDPR responsibilities as data controllers and must ensure they have an appropriate lawful basis for processing.

2. Data Processing Agreement (DPA)

Gym owners who process personal data of EU residents through Kinbox may require a Data Processing Agreement under GDPR Article 28.

To request a DPA, contact us at: hello@getkinbox.com

3. Your Rights as a Data Subject

RightWhat It Means
Access (Article 15)Request a copy of the personal data we hold about you
Rectification (Article 16)Ask us to correct inaccurate or incomplete data
Erasure (Article 17)Ask us to delete your data ("right to be forgotten")
Restriction (Article 18)Ask us to limit how we use your data in certain circumstances
Data Portability (Article 20)Receive your data in a structured, commonly used format
Object (Article 21)Object to processing based on legitimate interests
Withdraw Consent (Article 7(3))Withdraw consent at any time where processing is consent-based
Automated Decision-Making (Article 22)Not be subject to solely automated decisions with significant effects

Submit a request to: hello@getkinbox.com. We will respond within 30 days.

4. Lawful Basis for Processing

5. Data Transfers Outside the EEA

ProviderTransfer Mechanism
Stripe (USA)Standard Contractual Clauses (SCCs)
Supabase (USA)Standard Contractual Clauses (SCCs)
Google (USA)Standard Contractual Clauses (SCCs)

6. Data Retention

Data CategoryRetention Period
Active gym owner/staff accountsDuration of account + 12 months after closure
Financial/billing records10 years (Portuguese fiscal law)
Member data (processed for gyms)As directed by the gym owner
Marketing consent recordsUntil consent is withdrawn + 3 years
Server/access logs12 months

7. Security Measures

Kinbox implements technical and organisational measures in line with GDPR Article 32, including:

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will:

9. Gym Owners: Your GDPR Obligations

If you are a gym owner using Kinbox, you are a data controller for your members' data. Your key obligations include:

Kinbox provides the infrastructure, but compliance with GDPR as a data controller is your responsibility as the gym operator.

10. Supervisory Authority

Comissão Nacional de Proteção de Dados (CNPD)
Website: cnpd.pt

You have the right to lodge a complaint with the CNPD or with the supervisory authority in your EU member state if you believe your data rights have been violated.

11. Contact

António Carvalho, trading as Kinbox
Rua Conselheiro Martins de Carvalho 19, 3º Esq., 1400-069 Lisboa, Portugal
NIF: 257928383

Data protection contact: hello@getkinbox.com | Website: getkinbox.com