Privacy Policy
Last updated: 31 May 2026
1. Introduction
Kinbox ("we", "us", "our") is a gym management platform operated by António Carvalho, trading as Kinbox (NIF 257928383), a sole trader (Empresário em Nome Individual) registered in Portugal. Our registered address is Rua Conselheiro Martins de Carvalho 19, 3º Esq., 1400-069 Lisboa, Portugal.
This Privacy Policy explains how we collect, use, store, and protect personal data when you use the Kinbox platform at getkinbox.com — whether you are a gym owner, staff member, or gym member accessing Kinbox through your gym.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) (EU 2016/679) and applicable Portuguese data protection law.
2. Who This Policy Applies To
This policy applies to:
- Gym owners and administrators who create and manage a Kinbox account (our direct customers).
- Staff members added to a gym's Kinbox account.
- Gym members whose data is managed by the gym via Kinbox.
- Visitors to getkinbox.com.
3. Data Controller
For the purpose of GDPR:
- Kinbox (António Carvalho, trading as Kinbox) is the data controller for data collected directly from gym owners, staff, and website visitors.
- Gym owners act as data controllers for the personal data of their gym members. Kinbox acts as a data processor on their behalf when processing member data.
4. Data We Collect
4.1 Gym Owners & Staff
| Data | Purpose |
|---|---|
| Name, email address, password (hashed) | Account creation and authentication |
| Business name, address | Billing and invoicing |
| Payment method (via Stripe Billing) | SaaS subscription payment (Growth, Pro, Enterprise plans) |
| Profile photo (optional) | Platform profile display |
| Date of birth, tax ID, t-shirt size, gender, emergency contact (optional) | Staff profile completeness |
| Usage logs, device and browser information | Security, support, and service improvement |
4.2 Gym Members (processed on behalf of the gym)
| Data | Purpose |
|---|---|
| Name, email address | Member identification and communication |
| Date of birth | Age verification and profile |
| Profile photo (optional) | Member profile display |
| Tax ID (NIF/NIF equivalent) | Gym's invoicing and legal compliance |
| T-shirt size, gender (optional) | Gym-specific operational needs |
| Emergency contact | Safety purposes |
| Class bookings, attendance records | Schedule and attendance management |
| Payment records (method, amount, status) | Gym payment and financial management. Payment methods include card, SEPA Direct Debit, MB Way, and in-person. Actual payment processing is handled by Stripe — Kinbox stores only a reference to the transaction. |
4.3 Payment Data
Kinbox uses Stripe for payment processing. Kinbox does not store card numbers, bank account numbers, or full payment credentials. Stripe processes payment data under their own privacy policy (stripe.com/privacy). For gym-member payments, Stripe Connect Express is used, and funds flow directly to the gym's Stripe account — Kinbox never holds member funds.
4.4 Website Visitors
We collect standard server logs (IP address, browser, pages visited, time of visit) for security and analytics purposes.
5. Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing your account | Contract (Article 6(1)(b)) |
| Processing SaaS subscription payments | Contract (Article 6(1)(b)) |
| Sending service-related communications | Contract (Article 6(1)(b)) |
| Processing gym member data on behalf of the gym | Legitimate interests / Contract (Article 6(1)(b), (f)) |
| Fraud prevention and security | Legitimate interests (Article 6(1)(f)) |
| Compliance with legal obligations (e.g. tax records) | Legal obligation (Article 6(1)(c)) |
| Marketing communications (optional) | Consent (Article 6(1)(a)) |
6. How We Use Your Data
We use personal data to:
- Provide and operate the Kinbox platform
- Process payments and manage SaaS subscriptions
- Send transactional emails (confirmations, invoices, password resets)
- Provide customer support
- Detect and prevent fraud or abuse
- Improve and develop our services
- Comply with applicable legal obligations
We do not sell personal data to third parties. We do not use personal data for automated decision-making that produces legal or similarly significant effects.
7. Data Sharing
| Recipient | Reason |
|---|---|
| Stripe, Inc. | Payment processing (SaaS subscription billing for Growth/Pro/Enterprise plans, and Stripe Connect Express for gym member payment collection) |
| Supabase, Inc. | Secure cloud database and authentication hosting |
| Google LLC | Authentication (Google OAuth login option) |
| Gym owner | As data processor, we share gym member data with the gym that manages it |
| Legal authorities | When required by law or court order |
All third-party processors are contractually bound to process data only on our instructions and to appropriate security standards.
8. International Data Transfers
Some of our service providers (e.g. Stripe, Supabase, Google) are based outside the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of the account + 12 months after closure |
| Billing and financial records | 10 years (Portuguese tax law obligation) |
| Server logs | 12 months |
| Member data (processed for gyms) | As instructed by the gym operator |
| Marketing consent records | Until withdrawal of consent + 3 years |
10. Your Rights Under GDPR
- Right of access — Request a copy of your personal data.
- Right to rectification — Request correction of inaccurate data.
- Right to erasure — Request deletion of your data ("right to be forgotten"), subject to legal obligations.
- Right to restriction — Request we limit how we process your data.
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interests.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.
To exercise your rights, contact us at: hello@getkinbox.com
We will respond within 30 days. If you are unsatisfied, you have the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD) at cnpd.pt.
11. Cookies
We use cookies and similar tracking technologies. See our Cookie Policy for full details.
12. Security
We implement appropriate technical and organisational measures to protect personal data, including TLS/HTTPS encryption in transit, encrypted storage at rest, access controls and role-based permissions, and regular security reviews.
13. Children
Kinbox is not intended for use by individuals under the age of 16. We do not knowingly collect data from children.
14. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by email or in-app notification. Continued use of Kinbox after the effective date constitutes acceptance of the updated policy.
15. Contact
Email: hello@getkinbox.com | Website: getkinbox.com