Privacy Policy

The data controller responsible for your personal data is:

We collect the following types of personal data:

Identification Data:

• Full name
• Email address
• Phone number
• Address (optional)
• Tax ID (for invoicing)
• Date of birth
• Photograph (optional, for facility identification)

Health Data (with explicit consent):

• Medical conditions relevant to sports practice
• Injury history
• Training goals and physical limitations
• Nutritional information (if applicable)

Service Usage Data:

• Check-in/check-out records via QR code
• Class and service booking history
• Class and training participation
• Progress and training metrics

Financial Data:

• Payment information (processed by SIBS/MBWay)
• Transaction and invoice history
• Authorized payment mandate data

Technical Data:

• IP address
• Device type and browser
• Cookie data (see Cookie Policy)

Your data is used for the following purposes:

Service Provision:

• Managing your account and subscription
• Class and service booking
• Facility access control
• Personalization of training programs
• Nutritional support (if contracted)

Administrative Management:

• Invoicing and payment processing
• Communications about your account and services
• Customer service and support
• Compliance with legal and tax obligations

Safety and Quality:

• Ensuring your safety during training
• Fraud prevention and misuse prevention
• Continuous improvement of our services

Marketing (with consent):

• Sending newsletters and updates
• Communication of promotions and events
• Satisfaction surveys

The processing of your data is based on the following legal grounds:

• Contract performance (Art. 6(1)(b) GDPR): To provide the services you have subscribed to and manage your account.
• Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR): For health data processing, marketing communications, and non-essential cookies.
• Legal obligation (Art. 6(1)(c) GDPR): To comply with tax and legal obligations (e.g., invoice issuance, mandatory reports).
• Legitimate interest (Art. 6(1)(f) GDPR): For fraud prevention, facility security, and service improvement.

Your data is retained for the following periods:

• Contractual data: During the contract term + 1 year after termination (for potential reactivation).
• Tax and invoicing data: 10 years after the end of the contractual relationship (legal obligation).
• Health data: During the contract term. Deleted within 30 days after termination, unless legally required.
• Marketing data: Until you withdraw consent or request deletion.
• Access data (logs): 12 months.

After these periods, data is securely deleted or anonymized for statistical purposes.

Under the GDPR, you have the following rights:

• Right of access (Art. 15): Obtain confirmation of whether your data is being processed and access to it.
• Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"), where applicable.
• Right to restriction (Art. 18): Restrict processing of your data in certain situations.
• Right to data portability (Art. 20): Receive your data in a structured, commonly used format.
• Right to object (Art. 21): Object to processing for direct marketing or based on legitimate interest.
• Right to withdraw consent: Withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise your rights, contact us at suporte@thefitnesslab.pt. We will respond within a maximum of 30 days.

Your data may be shared with the following entities:

Service Providers:

• SIBS/MBWay: Payment processing (financial data)
• FacturaLusa: Invoice issuance (billing data)
• Hosting providers: Technical infrastructure (technical data)
• Email services: Sending communications (email)

Authorities:

• Tax Authority (tax obligations)
• Courts and competent authorities (when legally required)

We never sell your personal data to third parties.

All our service providers are bound by data processing agreements that ensure the protection of your personal data.

Your data is preferably stored and processed within the European Economic Area (EEA).

If any transfer outside the EEA is necessary, we ensure that appropriate safeguards are applied as required by the GDPR, namely:

• European Commission adequacy decisions
• Standard contractual clauses approved by the European Commission
• Approved certifications or codes of conduct

We implement appropriate technical and organizational measures to protect your data:

Technical Measures:

• Data encryption in transit (HTTPS/TLS) and at rest
• Strong authentication and access control
• Firewalls and intrusion detection systems
• Regular backups and recovery plans
• Continuous system monitoring

Organizational Measures:

• Internal data protection policies
• Staff training on security and privacy
• Data access limited to strictly necessary
• Incident response procedures

Our website uses cookies to improve your browsing experience. For detailed information about the cookies we use, please see our Cookie Policy.

We may update this privacy policy periodically. Changes will be published on this page with the updated revision date.

In case of significant changes, you will be notified via your registered email or through a notice on our website.

For privacy questions or exercising your rights:

If you believe your rights have not been respected, you have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD):