Privacy Policy for Forma

At Forma, a software of DeltaX LIMITED ("we," "us," or "our"), we are committed to protecting your personal data and ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable laws in the European Economic Area (EEA). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our gym management software, including the gym owner portal ("Owner Portal") and the client mobile application ("Mobile App") (collectively, the "Services"). By using our Services, you agree to the terms of this Privacy Policy.

1. Information We Collect

We collect personal data from gym owners ("Owners") and gym members ("Members") to provide and improve our Services. The types of data we collect include:

a. Information Provided by You

Gym Owners:

• Account Information: Name, email address, phone number, gym name, business address, and payment details (e.g., for software subscription billing processed via Revolut).
• Administrative Data: Information entered into the Owner Portal, such as employee details, class schedules, and Member subscription data.

Gym Members:

• Account Information: Name, email address, phone number, and payment details (e.g., for membership subscriptions processed via Revolut).
• Preferences and Activity: Class bookings, workout preferences, attendance records, and fitness goals entered via the Mobile App.
• Special Categories of Data: Health-related data, such as workout preferences or fitness goals, considered sensitive under GDPR Article 9.
• Camera Usage: If you grant permission, the Mobile App may access your device’s camera to scan QR codes for class check-ins or membership verification.

b. Automatically Collected InformationUsage Data:

• InformationUsage Data: Information about how you interact with the Services, such as pages visited, features used, time spent, and device information (e.g., IP address, device type, operating system, browser type).
• Location Data: If you enable location services in the Mobile App, we may collect approximate location data to provide location-based features (e.g., finding nearby gyms or classes), with your explicit consent.
• Cookies and Tracking Technologies: We use cookies and similar technologies for essential functions, analytics, and marketing (see Section 12).

c. Information from Third PartiesPayment Processors:

• Payment Processors: We use Revolut, a third-party payment processor, to handle subscription payments for Owners and Members. Revolut provides us with limited transaction-related data (e.g., payment confirmation, amount) to process and verify payments.
• Integration Partners: If you connect our Services to third-party platforms (e.g., fitness tracking apps), we may receive data from those platforms, subject to your consent.

2. How We Use Your Information

We process your personal data to provide, improve, and personalize our Services. The legal bases for processing under GDPR Article 6 and Article 9 (for special categories of data) are as follows:

Gym Owners:

• Manage gym operations, including subscriptions, class schedules, and Member communications (Legal Basis: Contract, Article 6(1)(b)).
• Process payments for software subscriptions via Revolut (Legal Basis: Contract, Article 6(1)(b)).
• Provide customer support and respond to inquiries (Legal Basis: Contract, Article 6(1)(b)).

Gym Members:

• Facilitate class bookings, subscription management, and personalized workout recommendations (Legal Basis: Contract, Article 6(1)(b)).
• Send notifications about class bookings, schedules, cancellations, or membership updates via email, push notifications, or in-app messages, with your consent where required (Legal Basis: Contract, Article 6(1)(b) or Consent, Article 6(1)(a)).
• Process health-related data (e.g., workout preferences, fitness goals) with your explicit consent (Legal Basis: Explicit Consent, Article 9(2)(a)).
• Use camera access to scan QR codes for class check-ins or membership verification, with your explicit consent (Legal Basis: Consent, Article 6(1)(a)).

For Both Owners and Members:

• Send marketing communications (e.g., promotional emails about new classes or features) with your explicit consent (Legal Basis: Consent, Article 6(1)(a)).
• Improve our Services through analytics and user feedback (Legal Basis: Legitimate Interests, Article 6(1)(f), provided your rights do not override our interests).
• Ensure the security of our Services by detecting and preventing fraud or unauthorized access (Legal Basis: Legitimate Interests, Article 6(1)(f)).
• Comply with legal obligations, such as tax reporting or responding to lawful requests (Legal Basis: Legal Obligation, Article 6(1)(c)).

You may withdraw consent at any time by updating your preferences in the Mobile App or Owner Portal or contacting our Data Protection Officer at dpo@forma.com.cy (mailto:dpo@forma.com.cy).

3. How We Share Your Information

We do not sell your personal data. We may share your data in the following circumstances, in compliance with GDPR:Service Providers:

• Service Providers: We share data with third-party vendors, including Revolut for payment processing, cloud hosting providers, and analytics tools, to deliver our Services. These providers are bound by GDPR-compliant Data Processing Agreements (DPAs) and may only process data on our instructions.
• Gym Owners and Members:
  Owners may access Member data (e.g., names, attendance records, booking details) entered into the Owner Portal to manage gym operations, acting as data controllers or processors under GDPR.
  Members’ booking information may be shared with gym staff for class check-ins or membership verification (e.g., via QR code scans).
• Legal Compliance: We may disclose data to comply with legal obligations, such as responding to court orders or requests from supervisory authorities (Legal Basis: Legal Obligation, Article 6(1)(c)).
• Business Transfers: If we sell or transfer our business (e.g., via merger or acquisition), your data may be transferred, subject to GDPR-compliant safeguards.
• With Your Consent: We may share data with third parties (e.g., fitness tracking apps) if you provide explicit consent.

4. Data Security

We implement industry-standard security measures to protect your personal data, particularly sensitive data like health information and payment details. All personal data is encrypted during transmission and storage using secure protocols. We store data securely on approved virtual private server (VPS) providers that comply with GDPR requirements. However, no system is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

5. Your Choices and Rights

As an individual in the EEA, you have the following rights under GDPR:Right of Access: Request a copy of the personal data we hold about you.

• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"):
  Request deletion of your data, subject to legal or contractual obligations (e.g., retaining financial records for tax purposes).
• Right to Restrict Processing: Request that we limit processing in certain circumstances.
• Right to Data Portability: Request a machine-readable copy of your data to transfer to another service.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent (e.g., for marketing, location data, or camera access), without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: Lodge a complaint with a supervisory authority in your country (e.g., the Data Protection Commission (DPC) in Ireland at www.dataprotection.ie).

To exercise these rights, contact our Data Protection Officer at dpo@forma.com.cy (mailto:dpo@forma.com.cy). We will respond within one month, as required by GDPR, though this may be extended by two months for complex requests. You may also update your account settings in the Owner Portal or Mobile App.

Additional Choices:

• Marketing Communications: Opt out of promotional emails or notifications by clicking the "unsubscribe" link or updating your preferences in the Services.
• Notifications:
  Manage class booking or membership notifications in the Mobile App settings.
• Location Data and Camera Access: Disable location services or camera access in your device settings or the Mobile App.
• Cookies: Manage cookie preferences via our cookie consent tool or your browser settings (see Section 12).

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or comply with legal obligations. For example:

• Account data is retained while your account is active.
• Transaction records processed via Revolut are kept for tax or accounting purposes as required by law (e.g., up to 7 years in some EEA countries).
• Health-related data is deleted upon account closure or withdrawal of consent, unless required for legal purposes.
• Inactive accounts may be deleted after 2 years, unless otherwise required by law.

7. International Data Transfers

Our Services are hosted on approved virtual private server (VPS) providers in Cyprus or the EEA. If you are in the EEA and your data is transferred outside the EEA, we ensure compliance with GDPR by using safeguards such as:

• Standard Contractual Clauses (SCCs): Approved by the European Commission to ensure adequate protection.
• Adequacy Decisions: Where the recipient country is deemed to have adequate data protection by the European Commission.

For more information on these safeguards, contact our Data Protection Officer at dpo@forma.com.cy (mailto:dpo@forma.com.cy).

8. Children’s Privacy

Our Services are not intended for individuals under 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent, as required by GDPR Article 8. If you believe we have collected such data, contact us at info@forma.com.cy (mailto:info@forma.com.cy), and we will take steps to delete it.

9. Third-Party Links and Integrations

Our Services may include links to or integrations with third-party services, such as Revolut for payment processing or fitness tracking apps. We are not responsible for their privacy practices. Please review their privacy policies (e.g., Revolut’s privacy policy at www.revolut.com) before sharing data. Third-party integrations are only enabled with your explicit consent, in compliance with GDPR.

10. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours, as required by GDPR, unless the breach is unlikely to result in a risk to your rights and freedoms. If the breach poses a high risk, we will inform you without undue delay, including details of the breach and steps you can take to mitigate any impact.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance functionality, analyze usage, and provide personalized features. Cookies are small data files stored on your device. We use:

• Essential Cookies: Necessary for the operation of the Services (e.g., login functionality).
• Analytics Cookies: To understand how you use our Services (e.g., Google Analytics).
• Marketing Cookies: To deliver personalized advertisements, where applicable.

Non-essential cookies are only used with your explicit consent, as required by GDPR and the ePrivacy Directive. You can manage preferences through our cookie consent tool or your browser settings.

12. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email, push notifications, in-app alerts, or by posting the updated policy on our website. Your continued use of the Services after such changes constitutes acceptance of the updated policy.

13. Account Deletion (including all relevant user data)

If you would like to delete your account and all associated data collected, you can do so within the Forma mobile app. Login to Forma app, navigate to "Profile" tab, choose "Preferences" and click on "Delete Account". If you would like any further assistance in deleting your account please contact us on info@forma.com.cy

14. Contact Us

For questions about this Privacy Policy or our data practices, contact us at on: info@forma.com.cy

[DeltaX]
Email: info@forma.com.cy
Phone: +357 97823482
Data Protection Officer
For GDPR-related inquiries or to exercise your data subject rights, contact our Data Protection Officer: Email:
dpo@forma.com.cy