Data Controller
Tradegroup Swiss GmbH, Riestrasse 30, 8152 Glattbrugg, Switzerland. Email: contact@gymalia.com. Controller under the Swiss Federal Act on Data Protection (revFADP) and — for visitors from the EEA — under the EU General Data Protection Regulation (GDPR).
What Data We Process
We process the following personal data:
- When visiting the website: IP address, browser type, language, access time, pages requested (for security and troubleshooting, stored for a maximum of 30 days)
- On registration: email address, name (optional), profile picture (optional), login provider (Google or password), password stored as a hash
- During use: reviews, uploaded photos, helpful votes, search history (not persisted), selected language, cookie preferences
Cookies and similar technologies
We use technically necessary and optional cookies. You can consent or decline via the cookie banner.
| Cookie | Purpose | Duration |
|---|---|---|
| authjs.session-token | Authentication (login session) | Session |
| gymalia-cookie-consent | Stores your cookie consent | 1 year |
| gymalia-country | Stores your selected country for filtering | 1 year |
| _ga, _ga_* | Google Analytics (anonymized, with consent only) | 2 years |
| _clck, _clsk | Microsoft Clarity heatmaps (with consent only) | 1 year |
Third-Party Services
We use the following service providers, which process data on our behalf (processors under FADP/GDPR):
- Google Sign-In (Google Ireland Ltd.) — for login with a Google account. Data transmitted: email, name, profile picture. Privacy: policies.google.com/privacy
- Google Analytics (Google Ireland Ltd.) — pseudonymized usage statistics, only with consent. IP masking enabled.
- Microsoft Clarity (Microsoft Ireland) — anonymized UX heatmaps and session recordings, only with consent.
- OpenStreetMap / CartoDB — map tiles. When the map is loaded, your IP address is transmitted to the tile servers (CARTO BV, Netherlands).
- Cloudflare (Cloudflare Inc., USA) — DDoS protection and CDN. Standard Contractual Clauses (SCC) applied. Privacy: cloudflare.com/privacypolicy
- Stripe (Stripe Payments Europe Ltd., Ireland) — payment processing for premium plans. Privacy: stripe.com/privacy
- Resend (Resend, Inc., USA) — delivery of transactional emails (password reset, owner outreach). Standard Contractual Clauses (SCC) applied for transfers to third countries.
- Meilisearch (self-hosted on our Swiss infrastructure) — search index, no transfer to third parties.
- Azure OpenAI (Microsoft Switzerland GmbH) — AI-assisted generation of gym descriptions. Only public gym data is processed, no personal data.
- Vercel (Vercel Inc., USA) — frontend hosting and CDN. Standard Contractual Clauses (SCC) applied. Privacy: vercel.com/legal/privacy-policy
- Cloudflare R2 (Cloudflare Inc., USA) — storage of uploaded photos. SCC applied.
Your Rights
You have the following rights vis-à-vis us at any time:
- Access to the data we hold about you
- Rectification of inaccurate data
- Deletion of your account and the related data
- Objection to processing
- Data portability (export of your data)
You can delete your account yourself at any time in the settings. Reviews are either retained anonymized or fully removed, at your request.
Legal Basis
Processing is carried out on the basis of: performance of a contract (Art. 6(1)(b) GDPR / Art. 31(2)(a) FADP) for account features, legitimate interest (Art. 6(1)(f) GDPR / Art. 31(1) FADP) for operating and securing the platform, and consent (Art. 6(1)(a) GDPR / Art. 31(1) FADP) for analytics and optional cookies.
Supervisory Authority
Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern. EU: the data protection authority of your country of residence.
Data Retention
We store personal data only as long as necessary: account data until you delete your account, reviews may be kept anonymized on request, server logs for a maximum of 30 days, cookie consent records for 12 months.
Minors
Gymalia is intended for persons aged 16 and over. We do not knowingly process data of persons under 16 without parental consent.
Changes to this Policy
We may update this privacy policy. The current version is always available at gymalia.com/datenschutz. We will notify registered users by email of material changes.
Contact for Privacy Requests
For all privacy-related requests, you can reach us at:
contact@gymalia.com