Privacy Policy

Last updated: April 2026

GYM VAULT OOD ("GYM VAULT", "we", "us", "our"), registered in Bulgaria, is the data controller for the personal data collected through our website and gym facility. We are committed to protecting your privacy in full compliance with Regulation (EU) 2016/679 (GDPR) and the Bulgarian Personal Data Protection Act (PDPA). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, who we share it with, how long we keep it, and what rights you have over it. Please read it carefully.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

  • Company: GYM VAULT OOD
  • Location: Plovdiv, Bulgaria
  • Email: support@gymvault.bg
  • Phone: +359 87 962 1721
  • Website: www.gymvault.bg

2. What Personal Data We Collect and Why

We collect only the personal data that is necessary for the purposes described below. We do not collect special category data (health, biometric, political, religious, or similar data).

a) Account Registration & Management

When you register an account, we collect:

  • Full name (first and last name)
  • Email address
  • Phone number
  • Date of birth (to verify you meet our minimum age requirement of 18)
  • Password (stored as a secure cryptographic hash — we cannot read your password)
  • Authentication provider (whether you registered via email/password, Google, or Facebook)
  • Email verification status and tokens (to confirm your email address is valid)

b) Bookings & Access

When you make a booking, we collect and process:

  • Booking details: date, start time, end time, location, number of attendees
  • Attendee information (for the person using the session): name, email, phone, date of birth
  • Your unique session access code (a 10-digit PIN sent to your email and used to unlock the facility)
  • Booking status and history (confirmed, cancelled, completed)

c) Payments

When you pay for a booking:

  • Payments are processed by Stripe, our payment processor. GYM VAULT does not store your card number, expiry date, or CVV at any point.
  • We store only: the Stripe payment intent ID, the Stripe checkout session ID, payment status (pending, paid, refunded), amount paid, and refund details where applicable.
  • For accounting and tax compliance, we retain electronic receipt records in accordance with Bulgarian tax law.

d) Smart Lock Access Logs

We use the Nuki smart lock system to control physical access to the facility. In connection with this:

  • A unique access code (PIN) and a time-limited authorisation are created in the Nuki system for each confirmed booking.
  • The authorisation record includes: your access code, the valid time window, and a human-readable label (e.g., "John Doe — 10:00–11:00"). This data is transmitted to Nuki to program the lock.
  • Access event logs (when the lock was used) may be retained by Nuki in accordance with their own privacy policy.
  • Our own records of access codes are deleted 7 days after the session end time.

e) CCTV Surveillance

The gym premises are monitored by CCTV cameras in the training area and entrance/exit points.

  • CCTV footage is recorded continuously while the facility is in use.
  • Footage is retained for 30 days and then automatically overwritten.
  • Footage may be accessed by authorised GYM VAULT staff in connection with security incidents, personal injury investigations, property damage or theft claims, or where required by law enforcement.
  • CCTV is operated on the basis of our legitimate interest in protecting our property, ensuring safety, and supporting legal claims (Article 6(1)(f) GDPR).

f) Authentication Tokens & Cookies

When you log in, we set the following cookies in your browser:

  • access_token — an HttpOnly cookie containing a signed authentication token (JWT). It expires after 1 hour. It is not readable by JavaScript and cannot be accessed by any third-party script.
  • refresh_token — an HttpOnly cookie used to obtain a new access token when the current one expires. It expires after 7 days.
  • token_issued_at — a non-sensitive timestamp used by the frontend to schedule proactive token refresh.
  • NEXT_LOCALE — your language preference (Bulgarian or English). This contains no personal data.

These are strictly functional cookies required for the service to work. They do not track you across other websites.

g) Login & Security Logs

To protect your account and prevent abuse:

  • We track the number of consecutive failed login attempts per email address. After 5 failed attempts, your account is temporarily locked.
  • We apply rate-limiting by IP address on registration and authentication endpoints to prevent automated attacks.
  • IP addresses used for rate-limiting are held in temporary memory (Redis) and are not logged to persistent storage.
  • We record the timestamp of your last login and last logout.

h) Email Communications

We send transactional emails for the following purposes:

  • Email address verification at registration
  • Password reset and email change confirmation
  • Booking confirmation, access code delivery, and cancellation notices
  • Feedback request after your session
  • Account deletion warnings (30 days before scheduled deletion)
  • Newsletter (only if you have subscribed — you may unsubscribe at any time)

A record of all sent emails (including template, recipient, and delivery status) is retained for compliance purposes.

i) Feedback & Reviews

If you submit a feedback rating or comment after your session, we store:

  • Your numeric ratings (cleanliness, equipment, booking experience, overall)
  • Any written comment you provide (up to 2,000 characters)
  • The booking ID your feedback refers to
  • Whether your feedback was submitted via email link or in-app

j) Social Login (Google & Facebook OAuth2)

If you choose to sign in with Google or Facebook:

  • We receive from the provider: your email address, first name, last name, and a provider-specific user ID.
  • We do not receive your social media posts, contacts, or any other account data.
  • Google and Facebook act as separate, independent data controllers for data you provide to them. Their own privacy policies govern that relationship.
  • The data we receive is used only to create and maintain your GYM VAULT account.

3. Legal Basis for Processing

We process your personal data only when we have a valid legal basis to do so under Article 6 GDPR. The legal basis depends on the purpose:

  • Performance of contract (Art. 6(1)(b)): Processing your account information, booking data, access codes, payment records, and transactional communications is necessary to provide the services you have contracted for.
  • Compliance with a legal obligation (Art. 6(1)(c)): Retaining electronic receipts and accounting records for the period required under Bulgarian tax law.
  • Legitimate interests (Art. 6(1)(f)): Operating CCTV for security; applying rate-limiting and fraud prevention measures; retaining email delivery records for compliance evidence; retaining feedback. Our legitimate interests do not override your fundamental rights — we have assessed this proportionality.
  • Consent (Art. 6(1)(a)): Sending you our newsletter. You may withdraw this consent at any time by clicking "Unsubscribe" in any newsletter email or by updating your account settings. Withdrawal does not affect the lawfulness of any processing done before you withdrew consent.

4. Who We Share Your Data With

We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We share data only as described below, and only to the extent necessary.

Stripe (Payment Processing)

We use Stripe, Inc. to process payments. When you pay for a booking, relevant transaction data (including your name, email, booking amount, and session details) is shared with Stripe to process the payment and issue a receipt. Stripe acts as a data processor on our behalf under a Data Processing Agreement. Stripe may use Standard Contractual Clauses or the EU-US Data Privacy Framework for international data transfers. For full details, see Stripe's Privacy Policy and Stripe's Sub-processor List at stripe.com.

Nuki (Smart Lock Access)

We use Nuki Home Solutions GmbH to operate the smart lock on our premises. For each confirmed booking, we transmit to Nuki: a unique access PIN, a human-readable session label, and a valid time window. Nuki processes this data to program the lock. Nuki is based in Austria (EU). For details, see Nuki's Privacy Policy at nuki.io.

Email Service Provider (Transactional Email)

We use a third-party SMTP email delivery provider to send transactional emails (booking confirmations, access codes, account notifications, and newsletters). This provider receives your email address and the content of each email, including any personalisation variables such as your name and booking details. They act as a data processor under a Data Processing Agreement and may not use your data for their own marketing or other purposes.

Law Enforcement & Regulatory Authorities

We may disclose your personal data to competent authorities (police, court, CPDP, tax authorities) where required by law, in connection with the investigation of a crime, or to establish, exercise, or defend legal claims. We will only share the minimum data necessary for the specific purpose.

5. International Data Transfers

GYM VAULT is based in Bulgaria (EU). Some of our service providers — in particular Stripe — are based outside the EU/EEA. Where your data is transferred to a third country:

  • We ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or an adequacy decision.
  • Stripe relies on Standard Contractual Clauses and/or the EU-US Data Privacy Framework for transfers to the United States.
  • Nuki is based in Austria and processes data within the EU.
  • You may contact us at support@gymvault.bg to obtain more information about the specific safeguards in place for any international transfer.

6. How Long We Keep Your Data

We retain personal data only for as long as is necessary for the purpose it was collected, or as required by law. The following retention periods apply:

  • Active user account: Retained for as long as your account is active.
  • Deleted user account: After you request deletion, your account is deactivated for 30 days (during which you may reactivate it). After 30 days, your personal data (name, email, phone number, date of birth) is anonymised — replaced with placeholder values. The anonymised record is retained for audit and tax continuity purposes and can no longer identify you. Booking transaction records and electronic receipts are retained separately for tax/legal compliance.
  • Bookings: Retained for the duration of your relationship with GYM VAULT and for a period thereafter as required for tax, legal, and dispute resolution purposes (Article 6(1)(b) and 6(1)(c) GDPR).
  • Electronic receipts (tax records): Retained for a minimum of 7 years in accordance with Bulgarian accounting law.
  • CCTV footage: Retained for 30 days, then automatically overwritten.
  • Smart lock access codes: Deleted 7 days after the session end time.
  • Email delivery logs: Successfully delivered notification records are retained for 90 days and then deleted. Failed or pending notifications are retained until successfully delivered or resolved.
  • Authentication tokens: Access tokens expire after 1 hour; refresh tokens expire after 7 days. Tokens are immediately invalidated on logout.
  • Unverified accounts: If you register but do not verify your email within 30 days, your account and associated data are permanently deleted.
  • Feedback: Ratings and comments are retained to help us improve the facility. When your account is deleted, your user identifier is automatically disassociated from your feedback records (the feedback content is retained anonymously).

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. You may exercise any of these rights by contacting us at support@gymvault.bg. We will respond within 30 days (this period may be extended by a further 2 months for complex or numerous requests — we will inform you if this is the case). We may ask you to verify your identity before processing a request.

  • Right of access (Art. 15): You have the right to receive a copy of the personal data we hold about you and information about how we process it.
  • Right to rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to erasure / "right to be forgotten" (Art. 17): You have the right to request deletion of your personal data where it is no longer needed for the purpose for which it was collected, or where you have withdrawn consent. This right is subject to exceptions, including where we must retain data to comply with a legal obligation or to establish, exercise, or defend legal claims.
  • Right to restriction of processing (Art. 18): You have the right to request that we restrict processing of your personal data in certain circumstances (e.g., while a dispute about accuracy is resolved).
  • Right to data portability (Art. 20): You have the right to receive the personal data you have provided to us in a structured, commonly-used, machine-readable format, and to have it transmitted to another controller, where technically feasible. This applies to data processed on the basis of contract or consent.
  • Right to object (Art. 21): You have the right to object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. You have an unconditional right to object to processing for direct marketing purposes.
  • Right not to be subject to automated decision-making (Art. 22): GYM VAULT does not use automated decision-making or profiling that produces legal or similarly significant effects on you.
  • Right to withdraw consent: Where we process your data based on consent (newsletter), you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP / КЗЛД) — see Section 9 for contact details.

8. How We Protect Your Data

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These measures include:

  • Passwords are stored using bcrypt — a strong one-way cryptographic hash. We cannot retrieve or read your password.
  • All communication between your browser and our servers uses TLS/HTTPS encryption.
  • Authentication tokens (JWTs) are signed using HMAC-SHA256 and stored in HttpOnly cookies, which are inaccessible to JavaScript and third-party scripts.
  • Redis session data is password-protected and access-restricted.
  • Access to the physical facility is controlled via time-limited, unique PINs and monitored by CCTV.
  • We apply rate-limiting on authentication endpoints to prevent brute-force attacks.
  • Accounts are temporarily locked after 5 consecutive failed login attempts.
  • Card payment data is never processed or stored by GYM VAULT — Stripe handles all card data under PCI-DSS compliance.
  • Access to personal data within our systems is limited to authorised personnel on a need-to-know basis.
  • In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CPDP within 72 hours and, where required, notify you without undue delay.

9. Supervisory Authority

If you believe we have not handled your personal data in accordance with GDPR or the Bulgarian PDPA, you have the right to lodge a complaint with the Bulgarian supervisory authority:

  • Commission for Personal Data Protection (Комисия за защита на личните данни — КЗЛД / CPDP)
  • Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
  • Phone: +359 2 915 3580
  • Email: kzld@cpdp.bg
  • Website: www.cpdp.bg

You also have the right to bring a claim before the competent courts in Bulgaria.

10. Children's Privacy

Our services are not directed at children. You must be at least 18 years old to use GYM VAULT. We do not knowingly collect personal data from persons under 18. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe a minor has registered an account, please contact us at support@gymvault.bg.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or best practices. When we make material changes, we will update the "Last updated" date at the top of this page and notify registered users by email. Your continued use of our services after changes take effect constitutes acceptance of the updated policy. If you do not agree with the updated policy, please stop using our services and request deletion of your account.

12. Contact Us

For any questions, requests, or concerns about this Privacy Policy or how we handle your personal data, please contact us:

  • Email: support@gymvault.bg
  • Phone: +359 87 962 1721
  • Address: Plovdiv, Bulgaria

We aim to respond to all data subject requests within 30 days.
