Privacy Policy

Version 2.0 · Effective: May 5, 2026 · Last Updated: May 5, 2026

1. About this Privacy Policy

This Privacy Policy explains how GoGym (Go Fitness Technology Inc.), with registered office at 5048 P Burgos, Poblacion, Makati, Metro Manila, collects, uses, shares, and protects your personal information when you use our mobile application, website, gym facilities, and related services (together, the Platform). We are the Personal Information Controller of your data under Republic Act No. 10173, the Data Privacy Act of 2012 (the DPA), and we are accountable for it.

This Policy applies to:

  • Members (“GoGetters”) who use our app, our website, or our gym facilities;
  • Visitors who browse the Platform without registering;
  • Anyone who books, inquires about, or pays for our services;
  • Job applicants and others who interact with us in connection with the Platform.

Please read this Policy together with our Terms of Service and our Cookie Policy.

By using the Platform, you confirm that you have read this Policy. Where we rely on your consent for specific processing — for example, processing of fitness data, biometric data, or marketing communications — we will ask for that consent separately at the point of collection, and you can withdraw it at any time.

2. Definitions

  • “Aggregated Information” — data that has been irreversibly combined, generalized, or anonymized so that it can no longer be linked to an identified or identifiable individual.
  • “Data Privacy Act / DPA” — Republic Act No. 10173, the Data Privacy Act of 2012, together with its Implementing Rules and Regulations and applicable circulars and advisories of the National Privacy Commission (NPC).
  • “Personal Information / PI” — any information that can identify you, directly or together with other information.
  • “Sensitive Personal Information / SPI” — personal information that the DPA gives heightened protection, including (in our case) your health and fitness data, biometric data, government-issued identification numbers, payment-card data, and other categories listed in §3(l) of the DPA.
  • “Personal Information Controller / PIC” — the entity that decides what personal information is collected and why. GoGym is the PIC for your information.
  • “Personal Information Processor / PIP” — a service provider that processes personal information on the PIC’s instructions.
  • “Processing” — any operation performed on personal information, including collection, recording, storage, use, disclosure, transfer, and deletion.

Where a term is defined in our Terms of Service but not here, that definition applies.

3. Data Protection Officer and How to Reach Us

GoGym has designated a Data Protection Officer (DPO) responsible for overseeing our compliance with the Data Privacy Act and for handling your privacy requests.

Name: Felicia Perez (Chief Product Officer and Corporate Secretary)
Email: data@gogym.ph
Postal: 5048 P Burgos, Poblacion, Makati, Metro Manila, Attn: Data Protection Officer

For general privacy questions or to exercise any right under Section 12, write to data@gogym.ph. For all other matters, write to hello@gogym.ph.

If you are not satisfied with how we handle a privacy concern, you have the right to lodge a complaint with the National Privacy Commission at complaints@privacy.gov.ph or by visiting https://www.privacy.gov.ph.

NPC Registration. GoGym is registered with the National Privacy Commission as a Personal Information Controller, and our Data Protection Officer has been notified to and registered with the Commission. Our NPC registration has been in place since 2025.

4. Information We Collect

4.1 Information You Provide

Category | Examples
Account Information | Name, email, phone, mailing address, date of birth, profile photo.
Booking Information | Sessions booked, branches visited, instructors selected, packages purchased.
Payment Information | Card details (handled by our PCI-compliant payment processors), billing address, transaction history.
Fitness Data (SPI) | Workout routines, frequency, performance metrics, goals, body measurements you share.
Nutrition Data (SPI) | Dietary preferences, allergies, and goals you provide.
Communications | Messages to support, feedback, survey responses.
Government IDs (SPI) | Tax Identification Number where required for tax remittance; government-issued ID where required for identity verification.
Emergency Contact | Optional name and number you provide for safety reasons.
Personal Training Intake (SPI) | Health and fitness intake data, baseline assessments, and periodic progress measurements collected by our staff in person during Personal Training.

4.2 Sensitive Personal Information (SPI)

We treat the following with heightened protection because they qualify as Sensitive Personal Information under §3(l) of the DPA:

  • fitness and health data (workout patterns, performance, body measurements);
  • nutrition and dietary data;
  • biometric data, where biometric gym entry is offered (we use templates rather than raw images, and we always offer a non-biometric access alternative);
  • payment-card data;
  • government-issued identification numbers (e.g., TIN).

We process SPI only on the basis of your explicit, informed, and revocable consent obtained at the point of collection, except where another narrow legal basis under §13 applies (for example, legal obligation, vital interest, or a court order). You may withdraw your SPI consent at any time by writing to data@gogym.ph. Withdrawal does not affect processing already lawfully carried out and may end your access to features that depend on the data.

4.3 Information Collected Automatically

When you use the Platform, we automatically collect:

  • device data (model, operating system, language, time zone);
  • log data (IP address, pages visited, timestamps, crash reports);
  • approximate location derived from your IP address (precise location only with your express consent);
  • cookies and similar technologies (see Section 8).

4.4 Information from Third Parties

We may receive information about you from:

  • linked accounts (Facebook, Google, Apple), if you choose to connect them — limited to the data those services are configured to share with us based on your settings;
  • wearable and fitness platforms (such as Apple Health, Garmin, Fitbit), if and when you connect them, with the scope of data you authorize;
  • identity-verification, fraud-prevention, and credit-screening providers, where permitted by law;
  • our service providers (such as payment processors providing fraud signals);
  • publicly available sources, where permitted by law.

5. Why We Process Your Information (Lawful Basis)

Under the Data Privacy Act, every act of processing must rest on a lawful basis under §12 (for ordinary Personal Information) or §13 (for Sensitive Personal Information). The table below pairs each purpose with its basis.

Data Category | Purpose | Lawful Basis (DPA)
Account & contact info | Account creation, authentication, communication | §12(b) contractual necessity
Booking & payment data | Service delivery, billing, tax compliance | §12(b) contractual; §12(c) legal obligation (BIR record-retention)
Fitness, health, nutrition data (SPI) | Personalized coaching, recommendations, progress tracking | §13(a) explicit consent
Biometric data (SPI) | Gym access control where biometric entry is offered (with non-biometric alternative) | §13(a) explicit consent
Government IDs (SPI) | Tax remittance, identity verification, fraud prevention | §12(c) legal obligation; §13 where SPI
Marketing identifiers | Direct marketing, retargeting, cross-context behavioral advertising | §12(a) consent — revocable any time
Device & log data | Security, fraud prevention, analytics, service improvement | §12(f) legitimate interest (with documented balancing)
Communications | Customer support, service quality | §12(b); §12(f)
Emergency contact | Safety in case of an emergency on premises | §12(d) vital interest of the data subject

6. Special Handling of Sensitive Personal Information

We apply the following protections to all SPI:

  • Explicit, recorded consent at collection — captured through one of three channels: (a) Sign-up SPI consent: a separate checkbox at account creation authorizes GoGym to process your in-app fitness, health, and nutrition data. The SPI consent is independent of Terms and Privacy consents — you may decline or later withdraw it without losing your account, but features that depend on SPI processing will become unavailable. (b) Personal Training intake: health and fitness intake data collected in person with a separate, signed consent. (c) Feature-specific consent: for connecting wearable platforms or enrolling in biometric gym entry. All consent events are recorded with timestamp in our consent register.
  • Need-to-know access. Access is limited to authorized personnel under role-based access controls; we log access for audit.
  • Encryption. SPI is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
  • No advertising sale or sharing. We do not sell or share your individual fitness, health, or biometric data with advertisers.
  • No third-party AI training. We do not use your SPI to train third-party AI models.
  • Withdrawal of consent. You can withdraw SPI consent at any time. Withdrawal will end access to features that depend on the data; it does not affect processing already lawfully carried out.

7. How We Share Your Information

Service Providers (Personal Information Processors)

Vendors process data on our behalf, under written instructions, and are bound by Data Processing Agreements requiring protections at least equivalent to ours. Categories include cloud hosting and infrastructure; payment processing and PCI-compliant tokenization; customer-support tools; email and SMS delivery; analytics (privacy-preserving where available); identity verification and fraud detection; and IT support and security monitoring.

A current list of named processors and their location is available on request from our DPO at data@gogym.ph and is updated within 30 days of any material change.

Affiliates

Subsidiaries and entities under common control with GoGym, where this enables consistent service delivery. Affiliates are bound by the same standards and use your data only for the purposes set out in this Policy.

Other GoGetters and Branches

When you book a session, your name and the relevant booking details are visible to the Branch and the assigned instructor. Your billing and payout information is never shared with another user.

Tax Authorities

Where the law requires, we share information necessary for tax remittance — including TIN and transaction details — with the Bureau of Internal Revenue and other competent tax authorities.

Legal and Regulatory Authorities

We disclose information when compelled by valid legal process — subpoena, warrant, or court order — and where we have a good-faith belief disclosure is necessary to protect rights, property, or safety. We will use commercially reasonable efforts to notify you about law-enforcement requests for your data unless we are prohibited from doing so or we believe notification would create a risk of harm to a person, would involve potential harm to minors, or would expose GoGym, its members, or the Platform to fraud or harm.

Business Transfers

In a merger, acquisition, financing, or sale of assets, your data may be transferred subject to the protections of this Policy, and you will be notified of any material change to how your data is handled.

Aggregated and De-identified Data

We may publish or share aggregated, irreversibly de-identified data for industry research, marketing, and product development. Such data cannot be used to re-identify you.

Our Commitments

  • We do not sell your personal information.
  • We do not share or sell your individual fitness, health, or biometric data with advertisers.

8. Cookies and Similar Technologies

We use cookies and similar technologies for the following purposes:

  • Essential operations (log-in, security, basic functionality) — these cannot be disabled while using the Platform.
  • Analytics (understanding how the Platform is used) — opt-in for non-essential analytics.
  • Personalization (remembering your preferences).
  • Marketing (only with your consent, where applicable).

You can manage cookie preferences through our cookie banner or your browser settings. Our cookie banner allows you to reject non-essential cookies before providing consent; rejecting non-essential cookies will not prevent you from using the Platform. Some third-party tags (for example, Meta Pixel and Google Analytics) may operate as joint controllers with us under EU data protection law; where applicable, our Cookie Policy explains the allocation of responsibilities.

We do not currently respond to a “Do Not Track” signal because there is no industry standard for honoring it. Where we offer a marketing-cookie opt-out, that mechanism applies regardless of DNT.

9. International Data Transfers

GoGym is a Philippine company. All processing of your personal information currently takes place within the Philippines. If and when we engage service providers located outside the Philippines, we will update this Policy to identify the destination jurisdictions and the safeguards applied. For any future cross-border processing, GoGym will remain accountable in accordance with NPC Advisory No. 2017-01 and will contractually require recipients to apply protections comparable to those of the Data Privacy Act, including by way of:

  • Standard Contractual Clauses incorporated into Data Processing Agreements; and
  • where the recipient is a U.S.-based entity self-certified to the EU-U.S. Data Privacy Framework, reliance on that certification.

10. How Long We Keep Your Information

We retain your information only for as long as necessary for the purposes set out in this Policy or as required by applicable law. Specific periods are set out below.

Data Category | Retention Period | Reason
Account information | Life of account + 30 days after closure | Operational; reactivation window
Booking and payment records | 10 years from transaction | BIR tax record-retention requirement
Fitness and health data (SPI) | Life of account; 24 months residual after closure (anonymized) | Service personalization; user benefit
Biometric templates (SPI) | Until membership end + 30 days | Operational
Marketing logs | Until consent is withdrawn + 12 months | Recordkeeping of consent events
Device and log data | 12 months | Security and forensics
Customer support tickets | 24 months from closure | Service quality and dispute resolution
Litigation hold | As required by the matter | Legal obligation

After the retention period expires, we securely delete or irreversibly de-identify your data.

11. How We Protect Your Information

We implement layered technical and organizational measures, including:

  • encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
  • multi-factor authentication for administrative access;
  • role-based access controls and the principle of least privilege;
  • written Data Processing Agreements with vendors and a vendor-security review prior to onboarding;
  • periodic vulnerability assessments and, where appropriate, penetration testing;
  • mandatory security and privacy training for all staff;
  • a documented incident-response runbook with escalation paths and breach-notification timelines.

No system is impervious. Please use a strong, unique password and keep your account credentials confidential. Notify us immediately at data@gogym.ph if you suspect unauthorized access to your account.

12. Your Rights Under the Data Privacy Act

Under §16 of the Data Privacy Act, you have the right to:

  • Be Informed — to know that your personal data is being or has been processed and the purposes of the processing.
  • Access — to obtain a copy of the personal data we hold about you, together with the source, recipients, and purposes.
  • Rectification (Correction) — to correct any inaccuracy or error in your data.
  • Object — to object to processing for direct marketing, automated processing, or processing based on our legitimate interest.
  • Erasure or Blocking — to suspend, withdraw, order the blocking, removal, or destruction of your data, where applicable under §16(e).
  • Damages — to be indemnified for damages sustained from inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your data.
  • Data Portability — to receive a copy of your data in a structured, commonly used, machine-readable format and, where technically feasible, to have it transmitted directly to another controller.
  • Lodge a Complaint — with the National Privacy Commission at complaints@privacy.gov.ph or https://www.privacy.gov.ph.
  • Transmissibility — your lawful heirs and assigns may exercise these rights with respect to your data after your death or incapacity.

In addition, where we process your data on the basis of consent (including all SPI), you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

13. How to Exercise Your Rights

To exercise any right under Section 12, please contact our DPO at data@gogym.ph and provide:

  • your full name and a primary identifier (the email address or phone number associated with your account);
  • a description of the right you wish to exercise and the data it concerns;
  • a copy of a valid government-issued ID, submitted via our secure upload channel.

Verification

To protect against fraudulent requests, we will verify your identity before acting. If we cannot verify, we will let you know and ask for additional information. We do not retain your verification ID for longer than 30 days unless required by law.

Response Time

We will respond within 15 working days of receipt. Where the request is complex or numerous, we may extend by a further 15 working days, in which case we will tell you about the extension and the reasons within the initial period. California residents have a separate 45-calendar-day timeline under Section 18; where both regimes apply, we will apply the more protective (i.e., shorter) timeline.

Authorized Agents

You may use an authorized agent to make a request on your behalf. The agent must provide written authorization signed by you, and we may still ask you to verify your identity with us directly.

Charges

We do not charge a fee for these requests, except where they are manifestly unfounded or excessive — in which case we will explain the charge before proceeding.

If We Cannot Fulfill Your Request

If a legal or operational reason prevents us from fulfilling your request, we will explain why in writing. You can always escalate to the National Privacy Commission.

14. Marketing Communications

We send marketing communications only with your consent. You can withdraw consent at any time via the unsubscribe link in any marketing email, your in-app marketing preferences, or by emailing data@gogym.ph. Withdrawing marketing consent does not affect transactional communications (such as booking confirmations, billing notices, and security alerts), which we send under contractual necessity.

15. Automated Decision-Making and Profiling

We use automated systems to:

  • recommend workouts and nutrition based on your fitness profile and goals;
  • detect suspicious activity for fraud prevention and security;
  • personalize content within the Platform.

These activities are profiling that helps deliver and improve the Platform. They do not produce legal effects on you or significantly affect you in a similar way. If we ever introduce automated decisions that produce legal or similarly significant effects (for example, denying access to services), we will tell you in advance, give you a way to obtain human review, and ensure you can contest the decision.

16. Children’s Privacy

The Platform is intended for users 18 years and older. We do not knowingly collect personal information from individuals under 18 without verifiable parental or guardian consent for limited supervised use (such as a parent-and-child membership). If you believe a minor has provided us with information without proper authorization, contact data@gogym.ph and we will promptly investigate and, where appropriate, delete the data.

17. Data Breach Notification

If we become aware of a personal data breach that is reasonably likely to result in serious harm — for example, where Sensitive Personal Information is involved, or where the breach may enable identity fraud — we will notify the National Privacy Commission and the affected data subjects within 72 hours of becoming aware, in accordance with NPC Circular 16-03.

Notifications will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures we have taken or propose to take to address the breach and mitigate its effects. We will notify affected data subjects through the most reliable channel available — typically a combination of email and in-app notification.

Where investigation cannot be reasonably completed within 72 hours, we will provide an initial notification within that window confirming the fact of the breach and the categories of data and individuals affected, and follow with a complete notification as soon as practicable. We maintain a documented incident-response plan with pre-positioned notification templates and escalation paths designed to meet this timeline.

18. Additional Information for California Residents

If you are a California resident, the California Consumer Privacy Act (the CCPA) as amended by the California Privacy Rights Act (the CPRA) gives you the rights below, subject to identity verification. We treat any California resident who interacts with the Platform as eligible for these rights regardless of whether the statutory thresholds technically apply, as a matter of policy.

Response time for California residents: we will respond to verifiable consumer requests within 45 calendar days of receipt. Where the request is complex, we may extend by a further 45 calendar days, with notice to you within the initial period.

Your California Rights

  • Right to Know — the categories and specific pieces of personal information we collect, sell, or share, and our purposes.
  • Right to Delete — your personal information, subject to legal exceptions under CPRA §1798.105.
  • Right to Correct — inaccurate personal information.
  • Right to Opt Out of Sale or Sharing — including for cross-context behavioral advertising. Email data@gogym.ph with “Do Not Sell or Share” in the subject line.
  • Right to Limit Use of Sensitive Personal Information — email data@gogym.ph with “Limit Use of Sensitive PI” in the subject line.
  • Right to Non-Discrimination — we will not deny you services, charge different prices, or provide a different level of service for exercising your rights.
  • Authorized Agent — you may designate someone to make a request on your behalf, with verification.

Categories We Collected, Sold, or Shared in the Last 12 Months

  • Identifiers (name, email, phone, account ID, device identifier);
  • Customer records (billing details, payment method);
  • Commercial information (bookings, packages, transactions);
  • Internet/network activity (log data, app interactions);
  • Geolocation data (approximate, derived from IP; precise only with consent);
  • Sensory data (progress photos or videos you upload);
  • Professional information (employer, where relevant for corporate-wellness programs);
  • Inferences (fitness profile and recommendations derived from the above).

We have not sold personal information for monetary consideration. We have shared limited identifiers (such as advertising IDs, hashed email, and approximate IP-derived location) and internet/network activity information with advertising partners for cross-context behavioral advertising. You can opt out by emailing data@gogym.ph as described above. We retain CCPA-covered personal information per the schedule in Section 10.

19. Users Outside the Philippines

GoGym is a Philippine company and the Platform is directed to users in the Philippines. We do not target the European Economic Area, the United Kingdom, or other jurisdictions, although individuals located there may access the Platform. If you access the Platform from outside the Philippines, you do so at your own initiative and are responsible for compliance with local law. Philippine law and the Data Privacy Act govern the processing of your data by GoGym, except where local law mandates otherwise. Where local law confers specific rights on you (for example, the rights of California residents in Section 18), we will respect those rights.

20. Changes to this Policy

We may update this Policy from time to time. Where the change is material, we will communicate it by email, in-app notice, or prominent notice on our website at least 30 days before it takes effect. The Change Log records each version with a one-line summary. By continuing to use the Platform after a change takes effect, you accept the updated Policy.

21. Contact Us

Privacy and DPA matters: data@gogym.ph
Security incidents: data@gogym.ph
General inquiries and customer support: hello@gogym.ph
Postal: 5048 P Burgos, Poblacion, Makati, Metro Manila, Attn: Data Protection Officer
National Privacy Commission: https://www.privacy.gov.ph; complaints@privacy.gov.ph

Change Log

Version | Date | Summary
2.0 | May 6, 2026 | Comprehensive rewrite: designated DPO disclosure; SPI handling and §13(a) consent architecture; lawful-basis table; full §16 rights with verification protocol and 15-working-day response SLA; 72-hour breach notification; CCPA/CPRA section; retention schedule; updated cookie, transfer, and processor language; non-sale commitments for fitness, health, and biometric data.
1.0 | January 22, 2025 | Initial publication.