GDPR/CCPA Regulations

Transparency and Control of your Data

Detailed information about your rights under the GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) regulations, and how we apply them at Gymlan to protect your privacy and personal data.

1. Collection of Personal Data

Under GDPR and CCPA, we collect the following categories of personal data:

  • Identifiers: real name, alias, postal address, unique personal identifier, online identifier, IP address, email, account name
  • Characteristics of protected classifications: age, gender, sexual orientation, ethnic origin
  • Commercial information: subscription history, products or services considered
  • Biometric information: facial verification data (if you use this feature)
  • Network activity: browsing history, information regarding interactions with the app
  • Geolocation data: precise location (only with explicit consent)
  • Audio/visual information: profile photos, voice messages
  • Professional information: occupation, workplace (if you share it)
  • Inferences: profiles created about preferences, characteristics, psychological trends

2. Sources of Collection

We collect personal information from the following sources during the last 12 months:

  • Directly from you: when you create an account, complete your profile, or apply for a job
  • Social media: if you link Facebook, Instagram, or other platform accounts
  • Business partners: where our ads are published on partner websites
  • Affiliated companies: specifically for anti-fraud and security purposes
  • Data brokers: for anti-fraud and security purposes
  • Other users: as part of the general operation of the service
  • Third parties: under the instruction of a user utilizing profile sharing features

3. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Consent (Art. 6(1)(a)): to process sensitive data, profile photos, and geolocation data
  • Contract performance (Art. 6(1)(b)): to provide matching and messaging services
  • Legitimate interest (Art. 6(1)(f)): to improve services, prevent fraud, and ensure security
  • Legal obligation (Art. 6(1)(c)): to comply with legal and regulatory requirements
  • Vital interest (Art. 6(1)(d)): to protect user safety in emergencies
  • Public interest task (Art. 6(1)(e)): when applicable for tasks carried out in the public interest
  • Special Categories (Art. 9 GDPR): Processing of biometric data (selfie/ID) for verification is performed ONLY under your Explicit Consent (Art. 9(2)(a)), which is necessary to operate as a verified Trainer.

4. Business Purposes for Processing

We use your personal information for the following business purposes:

  • Providing services: maintaining accounts, customer service, processing transactions
  • Verification: verifying customer information, processing payments
  • Marketing and advertising: providing personalized marketing and advertising services
  • Analytics: providing analytics and storage services
  • Auditing: counting ad impressions, verifying positioning and quality
  • Transient use: contextual customization of ads in the same interaction
  • Security: ensuring the security and integrity of our services
  • Debugging: identifying and repairing errors that affect functionality
  • Internal research: technological development and demonstration
  • Quality improvement: verifying and maintaining service and device quality

5. Third Parties With Whom We Share Data

We share personal information with the following categories of third parties:

  • Affiliated companies: to prevent, detect, and combat fraud or other illegal activities
  • Payment and anti-fraud service providers: for anti-fraud purposes and combatting illegal activities
  • Joint marketing partners: for collaborative marketing campaigns
  • Professional service providers and organizations: that assist us in business purposes
  • Legal authorities: when required by law or to protect rights and safety
  • Other users: visible profile information according to privacy settings

6. Sensitive Personal Information

Under the CCPA, we process the following categories of sensitive personal information:

  • Identity Documentation: Images of ID, Passport, or License (collected exclusively for Trainer verification)
  • Precise geolocation (only with explicit consent)
  • Racial or ethnic origin, sexual orientation (inferred from profile preferences)
  • Religious or philosophical beliefs (if you voluntarily share them)
  • Biometric information (for optional facial verification)
  • Content of private messages on our services
  • We do not use sensitive personal information to infer characteristics about you

7. Detailed Data Retention

We retain your personal information for the following specific periods:

  • Safety window: 3 months after account closure or 1 year after ban
  • Transaction data: 10 years to fulfill tax and accounting obligations
  • Credit card information: for the period the user can dispute the transaction
  • Traffic/log data: 1 year to fulfill legal retention obligations
  • Consent records: 5 years to prove legal compliance
  • Customer service records: 5 years for support decisions and legal defense
  • Past account data: 3 years after closure for financial forecasting
  • Profile data: 1 year in anticipation of potential litigation
  • Data to prevent banned accounts: as long as necessary for security

8. California Consumer Rights (CCPA)

If you are a California resident, you have the following specific rights:

  • Sale/Share Opt-out: We do not sell or share your personal information
  • Know/Access: right to request information about personal data we process
  • Correction: right to request correction of inaccurate information
  • Deletion: right to request deletion of collected personal information
  • Non-discrimination: right not to receive discriminatory treatment for exercising CCPA rights
  • Limit use of sensitive information: right to limit the use of sensitive personal information

9. Your Rights under GDPR

If you are an EU/EEA resident, you have the following rights:

  • Access (Art. 15): obtain confirmation and a copy of your personal data
  • Rectification (Art. 16): correct inaccurate or incomplete personal data
  • Deletion (Art. 17): request deletion of personal data ('right to be forgotten')
  • Restriction (Art. 18): restrict processing in certain circumstances
  • Portability (Art. 20): receive data in a structured format and transfer it
  • Objection (Art. 21): object to processing based on legitimate interest
  • Automated decisions (Art. 22): not be subject to decisions based solely on automated processing
  • Withdraw consent: withdraw consent at any time without affecting prior lawfulness

10. Specific Response Times

We commit to the following response times for rights requests:

  • GDPR access requests: 1 month (extendable to 3 months in complex cases)
  • GDPR rectification requests: 1 month from receipt
  • GDPR deletion requests: 1 month (can be extended to 3 months)
  • GDPR portability requests: 1 month from identity verification
  • CCPA access requests: 45 days (extendable to 90 days)
  • CCPA deletion requests: 45 days from verification
  • Extension notice: we will inform you within 1 month if we need additional time
  • Identity verification: may require additional time for secure verification

11. How to Exercise Your Rights

You can exercise your rights in the following ways:

  • App settings: use the privacy options in your profile
  • Direct email: send a request to privacy@gymlan.com
  • Web form: complete our rights request form
  • Postal mail: Gymlan Argentina S.A.S., Buenos Aires, Argentina
  • Authorized agent: you can designate an agent to act on your behalf
  • Identity verification: we may request additional verification for security
  • Required documentation: power of attorney or other written authorization for agents

12. International Data Transfers

When we transfer data outside the EU/EEA or California, we implement:

  • Standard Contractual Clauses (SCC) approved by the European Commission
  • Adequacy decisions for countries with equivalent protection
  • Certifications like Privacy Shield (where applicable)
  • Additional security measures to protect data in transit
  • Transfer Impact Assessments (TIA) when necessary
  • Continuous monitoring of the legal situation in destination countries

13. Supervisory Authorities

You can file complaints with the following authorities:

  • Argentina: Agency of Access to Public Information (AAIP)
  • EU/EEA: Data protection authority of your country of residence
  • California: California Attorney General
  • Right to an effective judicial remedy if you are not satisfied with our response
  • Direct contact with authorities without needing to contact us first

Date of last update: 01/27/2026

Gymlan Mascot