Privacy Policy
Last updated: March 23, 2026
This document is available in French (official version) and English. In case of discrepancy, the French version prevails.
INTRODUCTION
This Privacy Policy describes how KEEZOKU, a simplified joint-stock company (SAS) with a capital of €5,000.00, registered with the R.C.S. of Paris under number 847 647 054, whose headquarters is located at 60 rue François Ier, 75008 Paris, France (hereinafter "Gymkee", "we", "our"), collects, uses, stores, and protects your personal data when you use the Gymkee platform, including the gymkee.com website, the Gymkee Coach web app, and the Gymkee mobile app.
This policy applies to all Gymkee users, whether they are sports coaches (professional users) or their clients/athletes (mobile app users).
Gymkee is committed to complying with the General Data Protection Regulation (GDPR, Regulation EU 2016/679), the French Data Protection Act of January 6, 1978, as amended, and the recommendations of the French Data Protection Authority (CNIL).
1. DATA CONTROLLER AND CONTACT
1.1 Data Controller
KEEZOKU
60 rue François Ier, 75008 Paris, France
SIREN: 847 647 054
E-mail: [email protected]
1.2 Privacy Contact
For any questions about the protection of your personal data or to exercise your rights:
- E-mail: [email protected]
- Postal address: KEEZOKU, Data Protection, 60 rue François Ier, 75008 Paris, France
2. GYMKEE'S DUAL ROLE
Gymkee acts in two distinct roles under the GDPR:
2.1 Gymkee as Data Controller
KEEZOKU is the data controller for:
- Coach data (account data, billing data, platform usage data);
- Technical and usage data for all users (logs, cookies, browsing data);
- Data necessary for the operation of the platform and mobile app.
2.2 Gymkee as Processor
KEEZOKU acts as a processor (within the meaning of Article 28 of the GDPR) on behalf of Coaches regarding their Clients/Athletes' data. Coaches are the data controllers for the data of their Clients that they collect and use in their coaching activities via Gymkee.
The respective obligations are governed by our Data Processing Agreement (DPA), available at gymkee.com/legal/dpa.
3. DATA COLLECTED
3.1 Coach Data
| Category | Data | Purpose |
|---|---|---|
| Identification Data | Name, first name, email address, phone number, profile picture | Account management, communication |
| Professional Data | Trade name, SIRET/business number, qualifications, specialties | Professional identification |
| Billing Data | Billing address, payment method (via Stripe), billing history, VAT number | Billing, accounting |
| Usage Data | Logins, actions on the platform, features used, technical logs | Service improvement, support |
| Gymkee Pay Data | Stripe Connect account data, transaction history | Payment processing |
3.2 Client/Athlete Data
| Category | Data | Purpose |
|---|---|---|
| Identification Data | Name, first name, email address, profile picture | Account management |
| Profile Data | Date of birth, gender | Program personalization |
| Health Data ⚠️ | Weight, height, body measurements, body fat percentage, BMI | Progress tracking |
| Nutritional Data ⚠️ | Caloric intake, macronutrients, food journal, dietary preferences, allergies | Nutritional program |
| Training Data ⚠️ | Performance (weights, reps, time), heart rate, session history | Program tracking |
| Usage Data | Logins, app navigation, notifications | Service operation |
⚠️ This data constitutes "health data" within the meaning of Article 9 of the GDPR and benefits from enhanced protection. Its processing is based on your explicit consent, collected separately and specifically.
3.3 Automatically Collected Data
For all users, we automatically collect:
- Technical Data: IP address, browser type, operating system, device type, device identifier, screen resolution;
- Browsing Data: pages viewed, visit duration, actions taken;
- Log Data: connection timestamps, technical errors.
4. LEGAL BASES AND PURPOSES OF PROCESSING
4.1 Processing Based on Contract Performance (Art. 6(1)(b) GDPR)
- Creation and management of user accounts
- Provision of Services (programs, tracking, messaging)
- Payment processing and billing
- Customer support
- Service-related notifications (updates, maintenance, important changes)
4.2 Processing Based on Explicit Consent (Art. 9(2)(a) GDPR)
- Collection and processing of health data (measurements, nutritional data, training performance)
- Transmission of health data to the Coach for tracking
- Synchronization with third-party health apps (Apple HealthKit, Google Health Connect)
Consent for health data is:
- collected separately and distinctly, not bundled with acceptance of the T&Cs;
- specific to each category of data (measurements, nutrition, training);
- freely given, informed, and unambiguous;
- revocable at any time from the app settings, without affecting the lawfulness of prior processing.
4.3 Processing Based on Consent (Art. 6(1)(a) GDPR)
- Marketing and promotional communications
- Marketing push notifications
- Non-essential cookies and trackers (see our Cookie Policy)
4.4 Processing Based on Legitimate Interest (Art. 6(1)(f) GDPR)
- Platform improvement and usage analysis (aggregated and anonymized statistics)
- Fraud detection and prevention
- Platform security
4.5 Processing Based on Legal Obligation (Art. 6(1)(c) GDPR)
- Retention of billing data (accounting and tax obligations)
- Response to legal requests
- Tax declarations
5. DATA RECIPIENTS
5.1 Internal Access
Only authorized members of the KEEZOKU team have access to personal data, strictly as necessary for their functions.
5.2 Sub-processors
We share your data with the following sub-processors, who process data on our behalf and according to our instructions:
| Sub-processor | Country/Region | Function | Data Concerned |
|---|---|---|---|
| Amazon Web Services (AWS) | EU, eu-west-3 (Paris) | Hosting and infrastructure, HDS Certified | All data |
| MongoDB Atlas (MongoDB, Inc.) | EU | Database | All application data |
| Stripe Payments Europe, Ltd. | Ireland/EU | Payment processing | Billing and payment data |
| Cloudflare, Inc. | United States | Website hosting (Cloudflare Pages) | Navigation data |
| Algolia | EU | Search engine | Food data, exercises |
| Segment (Twilio) | United States | Analytics (server-side) | Anonymized usage data |
| Mixpanel | United States | Analytics | Anonymized usage data |
| Intercom | United States | Customer support and messaging | Identification data, messages |
| Google LLC | United States | Analytics (GA4, GTM) | Anonymized browsing data |
| Meta Platforms, Inc. | United States | Advertising measurement (Meta Pixel) | Anonymized conversion data |
| FirstPromoter | Netherlands | Affiliate tracking | Referral data |
| Expo (EAS) | United States | Mobile app distribution | Technical data |
The complete and up-to-date list of our sub-processors is available at gymkee.com/legal/sub-processors.
5.3 Transfers Outside the EU
Some of our sub-processors are located outside the European Economic Area (EEA), notably in the United States. These transfers are governed by:
- the Standard Contractual Clauses (SCCs) adopted by the European Commission;
- the EU-US Data Privacy Framework, where applicable;
- additional technical measures (encryption of data in transit and at rest).
5.4 Transmission to the Coach
When you are a Client/Athlete, your data (including health data for which you have given consent) is transmitted to your Coach via the platform. The Coach is the data controller for this data in the context of their coaching relationship with you.
5.5 Other Sharing Cases
We may disclose your data:
- to judicial or administrative authorities, in case of legal requisition;
- to a potential acquirer in case of restructuring, merger, or business transfer, subject to confidentiality obligations.
We never sell your personal data to third parties. We do not use your data for targeted advertising purposes.
6. DATA RETENTION
| Data Category | Retention Period |
|---|---|
| Account Data (active) | Throughout the contractual relationship |
| Account Data (after deletion) | 30 days after the deletion request, then erased |
| Health Data | Deleted within 30 days following consent withdrawal or account deletion |
| Billing Data | 10 years from the end of the fiscal year (legal accounting obligation, Art. L123-22 of the Commercial Code) |
| Stripe Payment Data | Retained by Stripe according to its own retention policy |
| Connection Logs | 12 months (legal obligation, LCEN Art. 6-II) |
| Analytics Data | Anonymized beyond 26 months |
| Commercial Prospecting Data | 3 years after the last contact |
| Consent Data (proof) | 5 years from withdrawal or expiration of consent |
At the end of these periods, the data is deleted or irreversibly anonymized.
7. DATA SECURITY
7.1 HDS Certified Hosting
The health data processed by Gymkee is hosted on the Amazon Web Services (AWS) infrastructure in the eu-west-3 region (Paris, France). AWS holds the Health Data Hosting (HDS) certification issued in accordance with Article L.1111-8 of the French Public Health Code, attesting to compliance with the security, confidentiality, and availability requirements applicable to the hosting of health data.
7.2 Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure, including:
Technical measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Secure authentication and access management
- Regular backups and disaster recovery plan
- Monitoring and intrusion detection
- Separation of environments (development, testing, production)
Organizational measures:
- Limited data access based on the principle of least privilege
- Team training on best data protection practices
- Security incident management procedure
- Regular assessment of security measures
8. RIGHTS OF DATA SUBJECTS
In accordance with the GDPR and the French Data Protection Act, you have the following rights:
8.1 Right of Access (Art. 15 GDPR)
You can obtain confirmation that data concerning you is being processed and receive a copy.
8.2 Right to Rectification (Art. 16 GDPR)
You can request the correction of inaccurate or incomplete data.
8.3 Right to Erasure (Art. 17 GDPR)
You can request the deletion of your data in the cases provided for by the GDPR. Deletion occurs within one (1) month of the request, subject to legal retention obligations.
8.4 Right to Data Portability (Art. 20 GDPR)
You can receive your data in a structured, commonly used, and machine-readable format (JSON or CSV).
8.5 Right to Restriction of Processing (Art. 18 GDPR)
You can request the restriction of processing in certain cases (dispute of accuracy, unlawful processing, etc.).
8.6 Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interest for reasons related to your particular situation.
8.7 Right to Withdraw Consent
For processing based on consent (notably health data), you can withdraw your consent at any time:
- from your account settings (app or web);
- by contacting us at [email protected].
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
8.8 Post-Mortem Directives
In accordance with the French Data Protection Act, you can define directives regarding the retention, deletion, and communication of your data after your death.
8.9 Exercising Rights
To exercise your rights:
- E-mail: [email protected]
- Mail: KEEZOKU, Data Protection, 60 rue François Ier, 75008 Paris, France
We respond to any request within one (1) month. This period may be extended by two (2) months in case of complexity or a large number of requests. We will inform you of any extension.
We may ask you to verify your identity before processing your request.
8.10 Complaint to the CNIL
If you believe that the processing of your data does not comply with the regulations, you can file a complaint with the French Data Protection Authority (CNIL):
- Website: https://www.cnil.fr
- Address: CNIL, 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
9. COOKIES AND TRACKERS
Gymkee uses cookies and trackers. For detailed information on the cookies used, their purposes, and your setting options, please see our Cookie Policy.
10. MINORS' DATA
Gymkee is not intended for persons under 16 years of age. We do not knowingly collect data from persons under 16. Persons aged 16 to 18 must obtain permission from their legal representative to use Gymkee.
If we become aware that a minor under 16 has provided personal data, we will delete this data as soon as possible.
11. DATA BREACH NOTIFICATION
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours in accordance with Article 33 of the GDPR.
If the breach is likely to result in a high risk to your rights and freedoms, we will inform you directly as soon as possible, in accordance with Article 34 of the GDPR, specifying the nature of the breach, the likely consequences, and the measures taken or planned.
12. POLICY CHANGES
We may change this Privacy Policy at any time. In case of substantial changes, we will inform you by email or via the app at least fifteen (15) days before it takes effect.
The date of the last update is indicated at the top of this page. We encourage you to regularly review this policy.
13. CONTACT
For any questions about data protection:
KEEZOKU, Data Protection
60 rue François Ier, 75008 Paris, France
E-mail: [email protected]