Skip to content
Legal

Data Processing Terms

Last updated: 10 July 2026

These Data Processing Terms ("DPT") form part of the Terms of Service between [LEGAL ENTITY NAME — to be added on incorporation] ("Clubstance", the "Processor") and the customer operating a gym or fitness business on the platform (the "Customer", acting as "Data Fiduciary" under the DPDP Act, 2023 — equivalent to a "Controller" under the GDPR). They apply whenever the Customer uses Clubstance to process personal data of its members, staff, or leads ("Customer Personal Data").

1. Roles and scope of processing

  • The Customer is the Data Fiduciary of Customer Personal Data and warrants it has a lawful basis (including verifiable guardian consent for members under 18) for the data it uploads or collects through the platform.
  • Clubstance processes Customer Personal Data only as a Data Processor, on the Customer's documented instructions — which are: the use of platform features as configured by the Customer, these DPT, and the Terms of Service.
  • Subject matter & duration: provision of the Clubstance service for the subscription term. Nature & purpose: storage, organisation, retrieval, communication, and reporting needed to run the Customer's fitness business. Data categories: member identity and contact details, date of birth, photographs, emergency contacts, membership/attendance/payment records, workout and nutrition assignments, leads. Data principals: the Customer's members, staff, and prospects.
  • Biometric templates (fingerprint/face) are processed on the Customer's premises by the Customer's own devices and bridge software and are never stored on Clubstance cloud infrastructure; the platform receives only device-user mappings and check-in events.

2. Clubstance's obligations

  • Process Customer Personal Data only on documented instructions, unless required by law (in which case we inform the Customer unless prohibited).
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational measures: encryption in transit and at rest, row-level tenant isolation, role-based access control, audited and time-bound internal access, and daily backups (see Security).
  • Assist the Customer, insofar as reasonably possible, in responding to data principal requests (access, correction, erasure) — most of which the Customer can fulfil directly in the app.
  • Notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, with the information reasonably needed for the Customer to meet its own notification duties.
  • Make available information reasonably necessary to demonstrate compliance with these DPT, and answer reasonable security questionnaires.

3. Sub-processors

The Customer gives general authorisation for the sub-processors listed on our Sub-processors page. We will update that page at least 15 days before adding or replacing a sub-processor that processes Customer Personal Data; if the Customer reasonably objects on data protection grounds and no workaround exists, the Customer may terminate the affected service and receive a pro-rata refund of prepaid fees. Each sub-processor is bound by data protection obligations no less protective than these DPT.

4. International transfers

Primary storage is on managed cloud infrastructure; some sub-processors process data outside India (see the Sub-processors page for locations). Transfers comply with the DPDP Act, 2023 (no transfers to countries restricted by the Central Government). If the Customer is subject to the GDPR/UK GDPR, we will execute standard contractual clauses on request for relevant transfers.

5. Return and deletion of data

  • The Customer can export Customer Personal Data at any time during the subscription and for 12 months after it ends.
  • After that period — or earlier on the Customer's written instruction — we delete Customer Personal Data from production systems within 30 days, and from backups on their rotation cycle (up to 35 additional days), unless retention is required by law.

6. Liability and order of precedence

Liability under these DPT is subject to the limitations in the Terms of Service. If these DPT conflict with the Terms of Service on data protection matters, these DPT prevail.

7. Contact

Data protection questions or a signed copy of these terms: [email protected].