Data & Privacy - GymPlus

Data location

AWS eu-west-1, Ireland. All data stays within the EU.

What is transmitted

Metadata only. No raw video ever leaves your premises.

GDPR compliant

GDPR-compliant by design. Controller: Indoor Informatics Oy, Finland.

1. Where your data lives

All GymPlus data is stored on Amazon Web Services (AWS) in the eu-west-1 region (Ireland). This means your data never leaves the European Economic Area.

Data at rest is encrypted using AES-256. Data in transit is encrypted using TLS 1.2 or higher. Access to production systems is restricted to authorised Indoor Informatics personnel only.

2. What is transmitted to the cloud

GymPlus processes video locally on-premises using edge computing hardware installed at your gym. Only the results of that processing - structured metadata - are transmitted to our servers. Raw video footage never leaves your premises.

Equipment usage events

When a machine becomes occupied or free : timestamp and zone identifier only.

Visitor count data

Aggregated headcount per time interval. No individual tracking or identification.

Tailgating event metadata

Incident timestamp, zone, and a short video clip (stored locally, accessible via the app). No biometric data.

Raw video: never transmitted

Video streams are processed on your on-premises hardware. No continuous video feed is sent to GymPlus servers.

Biometric or personal identification data: never collected

GymPlus does not perform facial recognition or collect any biometric identifiers.

3. GDPR sub-processors

Indoor Informatics Oy uses the following sub-processors to deliver the GymPlus service. All sub-processors are bound by data processing agreements meeting GDPR Article 28 requirements.

Sub-processor	Purpose	Location	Safeguard
Amazon Web Services (AWS)	Cloud infrastructure, data storage, compute	Ireland (eu-west-1)	EU
Google LLC	Website analytics (Google Analytics 4), only with visitor consent	USA	EU-US DPF
Formspree / email provider	Contact form message delivery	USA	EU-US DPF

EU-US DPF = EU-US Data Privacy Framework. This list is reviewed and updated at least annually. Last reviewed: March 2026.

4. Data retention

Equipment usage and visitor count analytics: retained for 26 months, then automatically deleted.
Tailgating incident video clips: stored locally on-premises for 14 days, then automatically overwritten.
Tailgating event metadata: retained for 12 months.
Contact form enquiries: retained until the enquiry is resolved, then deleted.
Google Analytics data: retained for 26 months (Google default).

5. Your rights and contact

Under GDPR you have the right to access, correct, delete, or restrict processing of your data. To exercise these rights or to request an updated copy of this sub-processor list, contact us at:

Indoor Informatics Oy
Finland
privacy@indoorinformatics.com

Where your data livesand how we protect it