Data & Privacy

How we handle your gym's data

Last updated: March 2026

Data location

AWS eu-west-1, Ireland. All data stays within the EU.

What is transmitted

Metadata only. No raw video ever leaves your premises.

GDPR compliant

GDPR-compliant by design. Controller: Indoor Informatics Oy, Finland.

1. Where your data lives

All GymPlus data is stored on Amazon Web Services (AWS) in the eu-west-1 region (Ireland). This means your data never leaves the European Economic Area.

Data at rest is encrypted using AES-256. Data in transit is encrypted using TLS 1.2 or higher. Access to production systems is restricted to authorised Indoor Informatics personnel only.

2. What is transmitted to the cloud

GymPlus processes video locally on-premises using edge computing hardware installed at your gym. Only the results of that processing — structured metadata — are transmitted to our servers. Raw video footage never leaves your premises.

Equipment usage events

When a machine becomes occupied or free: timestamp and zone identifier only.

Visitor count data

Aggregated headcount per time interval. No individual tracking or identification.

Tailgating event metadata

Incident timestamp, zone, and a short video clip (stored locally, accessible via the app). No biometric data.

Raw video: never transmitted

Video streams are processed on your on-premises hardware. No continuous video feed is sent to GymPlus servers.

Biometric or personal identification data: never collected

GymPlus does not perform facial recognition or collect any biometric identifiers.

3. GDPR sub-processors

Indoor Informatics Oy uses the following sub-processors to deliver the GymPlus service. All sub-processors are contractually bound to data protection obligations in line with the EU GDPR.

| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Amazon Web Services (AWS) / Amazon Web Services EMEA SARL | Cloud infrastructure, data storage, compute | Ireland (eu-west-1) | EU |
| Microsoft Azure / Microsoft Ireland Operations Ltd | Cloud platform services, identity and access management | EU — Sweden | EU |
| Google Workspace / Google Ireland Limited | Business productivity and collaboration tools | EU | EU |
| Google LLC / Google Analytics 4 | Analytics, only with user consent | USA | EU-US DPF |
| Auth0 (Okta) / Okta, Inc. — EU tenant | Customer identity and access management, authentication | EU — Germany | EU |
| 1Password / AgileBits Inc. — EU region | Credential and secret management | EU | EU |
| Atlassian / Atlassian Network Services — EU tenant | Project management and internal documentation | EU | EU |
| Anthropic (Claude) / Anthropic, PBC | AI language model services for AI-assisted features and internal operations. Customer data not used for model training. | USA | EU SCCs (Module 2) + UK Addendum |
| Hikvision / Hikvision Europe B.V. | Camera hardware and firmware for on-premises computer vision | EU — Ireland | EU |

EU-US DPF = EU-US Data Privacy Framework. Changes to this list are notified via website update at least 14 days before taking effect. This list is reviewed and updated at least annually. Last reviewed: March 2026.

4. Data retention

5. Contact

To exercise your rights or to request an updated copy of the sub-processor list, contact us at:

Indoor Informatics Oy
Kuhantie 10, 15540 Villahde, Finland
privacy@indoorinformatics.com

For contractual terms and privacy documentation governing the use of the Service:

General Terms
Data Processing Agreement
Privacy Notice — Template for Gyms