Privacy Policy
Last updated: March 2026
1. Data Controller
AKTIV GYM BV
Vlyminckshoek 6, 9100 Sint-Niklaas, Belgium
VAT: BE0535.555.905
Email: info@aktivgym.be
Phone: 0498 52 66 16
2. Personal Data We Collect
Depending on how you interact with us, we may collect different categories of personal data:
2.1 Website Visitors (no account)
- Technical data: IP address (anonymized), browser type, operating system, pages visited, scroll depth
- Cookie data: cookie preferences (stored on your device)
- Contact data: name, email, phone, message (if you submit the contact form)
- Booking data: name, email, phone, preferred time slot (if you book a discovery session)
2.2 Members and Coaching Clients (with portal account)
- Identity data: first name, last name, email, phone, date of birth, gender, address
- Financial data: IBAN, BIC (for SEPA direct debit), order history, invoices, payments
- Health and fitness data: InBody measurements (weight, body fat percentage, muscle mass, BMI), injury history, workout logs, goals
- Coaching data: training programs, exercise logs, lifestyle data, chat messages with coach, check-ins
- Business data (B2B): company name, VAT number, company address (if applicable)
- Minor's data: guardian name, phone, email, relationship (if member is under 18)
2.3 Data We Do NOT Collect
- We do not perform advertising behavioural tracking or fingerprinting
- We do not create profiles for third parties
- We do not track email opens or clicks
3. Purposes of Processing
| Purpose | Legal Basis |
|---|---|
| Membership management, billing, and SEPA payments | Contract performance (art. 6.1.b GDPR) |
| Personalised coaching and health/fitness tracking | Explicit consent (art. 6.1.a & 9.2.a GDPR) |
| Email communications (invoices, reminders, newsletters) | Legitimate interest / consent (art. 6.1.f / 6.1.a GDPR) |
| Website security and fraud prevention | Legitimate interest (art. 6.1.f GDPR) |
| Accounting and tax obligations | Legal obligation (art. 6.1.c GDPR) |
4. Data Processors (Third Parties)
We share personal data only with the following processors, all bound by data processing agreements:
| Service | Purpose | Data Shared |
|---|---|---|
| Resend (email) | Sending transactional and newsletter emails | Email address, email content |
| Google Places API | Displaying Google reviews of our business | No personal data (fetches reviews only) |
| Railway (hosting) | Application and database hosting | All data (EU server — Germany) |
We do not sell, trade, or provide data to data brokers, advertising platforms, or other third parties.
5. Retention Periods
| Data | Retention Period | Reason |
|---|---|---|
| Invoices and accounting data | 7 years | Belgian legal obligation (Code of Economic Law) |
| SEPA mandates | 13 months after last collection | EU banking regulation |
| Member account data | Until deletion or GDPR request | Contract performance |
| Coaching and health data | Until deletion or GDPR request | Consent |
| Contact messages | Maximum 2 years | Legitimate interest |
| Cookie consent logs | 1 year | Demonstrating consent |
| Audit logs (system actions) | Indefinite | Financial and security traceability |
6. Your Rights
Under the GDPR, you have the following rights:
- Right of access: request a copy of your personal data
- Right to rectification: correct inaccurate data
- Right to erasure: request deletion of your data ("right to be forgotten")
- Right to restriction: restrict the processing of your data
- Right to portability: receive your data in a machine-readable format
- Right to object: object to processing based on legitimate interest
- Right to withdraw consent: at any time for data processed under consent
Practical exercise: Members can export all their data (JSON format) and request deletion directly through their portal account. Deletion requests have a 30-day grace period during which you can cancel the request. Financial data (invoices) is anonymized but not deleted (7-year legal obligation).
To exercise your rights, contact: info@aktivgym.be
7. Cookies
Our website uses cookies. For detailed information about the exact cookies used, please see our Cookie Policy.
8. Security
We protect your personal data through the following measures:
- Encrypted connections (HTTPS/TLS) for all communication
- Hashed passwords (never stored in plain text)
- CSRF protection on all forms
- Rate limiting on login attempts (max 10 per 15 minutes per IP)
- Audit logging of all system actions
- Hosting in EU data centre (Germany)
9. Data Protection Authority
If you have a complaint about how we handle your personal data, you can contact the Belgian Data Protection Authority:
www.gegevensbeschermingsautoriteit.be
Drukpersstraat 35, 1000 Brussels
contact@apd-gba.be