GDPR Compliance

Last updated: September 13, 2025

At NeoFit, we take your privacy and data protection seriously. As a company established in the European Union, we are fully committed to compliance with the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679).

This page outlines our GDPR practices, legal bases, and how we protect the rights of data subjects.

1. Data Controller & Processor Roles

  • Neorimia SRL (NeoFit) is the data controller for trainer/gym account data.
  • For client data submitted via intake forms:
    • Trainer/Gym = Data Controller
    • NeoFit = Data Processor, acting on behalf of the trainer.
  • In some cases, NeoFit may act as a joint controller (e.g., analytics, communications).

2. Legal Bases for Processing

We process personal data under the following GDPR legal bases:

  • Contract Performance (Art. 6(1)(b)) → To deliver SaaS services to trainers/gyms.
  • Consent (Art. 6(1)(a)) → For processing sensitive health data and communications (e.g., WhatsApp reminders).
  • Explicit Consent (Art. 9(2)(a)) → For processing health-related data provided by clients.
  • Legitimate Interests (Art. 6(1)(f)) → To improve platform security and performance.
  • Legal Obligation (Art. 6(1)(c)) → To comply with tax, accounting, and regulatory requirements.

3. Data Subject Rights

Under GDPR, all users have the following rights:

  • Right of Access (Art. 15) → Request a copy of your data.
  • Right to Rectification (Art. 16) → Correct inaccurate data.
  • Right to Erasure (Art. 17) → Request deletion ("right to be forgotten").
  • Right to Restrict Processing (Art. 18) → Limit how we use your data.
  • Right to Data Portability (Art. 20) → Obtain your data in a structured format.
  • Right to Object (Art. 21) → Opt out of processing based on legitimate interest.
  • Right to Withdraw Consent (Art. 7) → Revoke consent at any time.

Requests can be sent to privacy@neofit.io. We respond within 30 days.

4. Data Processing Agreements (DPAs)

  • A DPA is included in our Terms & Conditions for trainers and gyms.
  • Trainers are responsible for having lawful grounds to process client data.
  • NeoFit ensures all subprocessors (OpenAI, Twilio, Resend, Cloudinary, Neon, Vercel, n8n Cloud) are bound by GDPR-compliant agreements.

5. International Data Transfers

Some services we use may process data outside the EU (e.g., OpenAI, Twilio, Resend).

  • Transfers are safeguarded using Standard Contractual Clauses (SCCs) and additional technical measures.
  • We monitor compliance with EU adequacy decisions and updated transfer frameworks.

6. Technical & Organizational Measures (TOMs)

We apply strong security controls to protect personal data:

  • Encryption at rest and in transit.
  • Access Control with role-based permissions.
  • Regular Security Audits and vulnerability monitoring.
  • Data Minimization → only essential data collected.
  • Logging & Monitoring of trainer access to client data.

7. Data Retention

  • Trainer account data → retained as long as the subscription is active.
  • Client data → retained as instructed by trainers, or deleted upon request.
  • Backups may be kept for up to 30 days for disaster recovery.

8. Data Breach Procedures

  • All suspected breaches are logged and investigated immediately.
  • In case of a confirmed breach, we notify the Romanian Data Protection Authority (ANSPDCP) within 72 hours and affected users without undue delay.

9. Supervisory Authority

If you believe your data protection rights have been violated, you may file a complaint with:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

Bd. General Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania

Website: www.dataprotection.ro

10. Contact

For GDPR-related questions or requests:

📧 privacy@neofit.io

📍 Neorimia SRL, Vrancea, Romania