GDPR
Last updated: 31 May 2026
Kinbox is built with privacy by design. We are committed to complying with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Portuguese data protection law, supervised by the Comissão Nacional de Proteção de Dados (CNPD).
1. Data Controller vs. Data Processor
Kinbox as Data Controller
Kinbox (António Carvalho, trading as Kinbox) is the data controller for:
- Personal data of gym owners and staff who register and use Kinbox directly
- Visitor data collected via getkinbox.com
Kinbox as Data Processor
For gym member data, Kinbox acts as a data processor on behalf of the gym owner (who is the controller). This means:
- We process member data only on the gym's instructions
- We do not use member data for our own purposes
- We implement appropriate security measures
- We assist gym owners in fulfilling their data subject obligations
Gym owners who use Kinbox to manage member data take on GDPR responsibilities as data controllers and must ensure they have an appropriate lawful basis for processing.
2. Data Processing Agreement (DPA)
Gym owners who process personal data of EU residents through Kinbox may require a Data Processing Agreement under GDPR Article 28.
To request a DPA, contact us at: hello@getkinbox.com
3. Your Rights as a Data Subject
| Right | What It Means |
|---|---|
| Access (Article 15) | Request a copy of the personal data we hold about you |
| Rectification (Article 16) | Ask us to correct inaccurate or incomplete data |
| Erasure (Article 17) | Ask us to delete your data ("right to be forgotten") |
| Restriction (Article 18) | Ask us to limit how we use your data in certain circumstances |
| Data Portability (Article 20) | Receive your data in a structured, commonly used format |
| Object (Article 21) | Object to processing based on legitimate interests |
| Withdraw Consent (Article 7(3)) | Withdraw consent at any time where processing is consent-based |
| Automated Decision-Making (Article 22) | Not be subject to solely automated decisions with significant effects |
Submit a request to: hello@getkinbox.com. We will respond within 30 days.
4. Lawful Basis for Processing
- Contract — to provide the Kinbox service to gym owners and process subscriptions
- Legitimate interests — for fraud prevention, security, and product improvement
- Legal obligation — for tax, accounting, and regulatory compliance
- Consent — for marketing communications and non-essential analytics cookies
5. Data Transfers Outside the EEA
| Provider | Transfer Mechanism |
|---|---|
| Stripe (USA) | Standard Contractual Clauses (SCCs) |
| Supabase (USA) | Standard Contractual Clauses (SCCs) |
| Google (USA) | Standard Contractual Clauses (SCCs) |
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Active gym owner/staff accounts | Duration of account + 12 months after closure |
| Financial/billing records | 10 years (Portuguese fiscal law) |
| Member data (processed for gyms) | As directed by the gym owner |
| Marketing consent records | Until consent is withdrawn + 3 years |
| Server/access logs | 12 months |
7. Security Measures
Kinbox implements technical and organisational measures in line with GDPR Article 32, including:
- Encryption in transit: All data is transmitted over TLS/HTTPS
- Encryption at rest: Database storage is encrypted
- Access controls: Role-based access; staff access only what they need
- Authentication: Secure password hashing; optional Google OAuth
- Regular reviews: Periodic security assessments
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will:
- Notify the CNPD within 72 hours of becoming aware (GDPR Article 33)
- Notify affected individuals without undue delay where there is a high risk to their rights (GDPR Article 34)
9. Gym Owners: Your GDPR Obligations
If you are a gym owner using Kinbox, you are a data controller for your members' data. Your key obligations include:
- Provide a privacy notice to your members explaining how their data is used
- Have a lawful basis for collecting and processing member data (typically contract or consent)
- Respond to data subject requests from your members within 30 days
- Protect data with appropriate security measures
- Report breaches to your supervisory authority and affected members where required
- Ensure any third parties you share data with provide adequate protection
Kinbox provides the infrastructure, but compliance with GDPR as a data controller is your responsibility as the gym operator.
10. Supervisory Authority
You have the right to lodge a complaint with the CNPD or with the supervisory authority in your EU member state if you believe your data rights have been violated.
11. Contact
Data protection contact: hello@getkinbox.com | Website: getkinbox.com