Privacy Policy — Elysium Gym

Privacy Policy of Elysium Gym

This privacy policy describes which personal data we collect from members, trial trainers and visitors, why we process that data, how long we keep it, and which rights you have under the General Data Protection Regulation (GDPR).

Data Controller: Elysium Gym — 34 Rangwee 2412 Luxembourg
Contact: info@elysium-gym.lu — 621632795

1. Scope

This policy applies to all personal data processed by Elysium Gym from (potential) members, visitors, employees and suppliers. For specific services (such as online booking, newsletters or memberships via partners), additional terms may apply; in those cases you will be informed beforehand.

2. Data we collect

Depending on the service and your relationship with us, we may collect the following categories of personal data:

Category | Examples | Purpose
Identification data | Name, date of birth, address, email, phone number | Contract execution, communication and billing
Payment & billing data | Bank account, payment history, invoices | Membership payment and administration
Health & medical information | Medical statements, injuries, dietary preferences (optional) | Safe coaching during training; only with explicit consent or when necessary for safety
Usage & activity | Visit times, reservations, class participation, training schedules | Facilitating reservations, statistics, service improvement
Technical data | IP address, device, cookie ID | Website functionality and analytics
Marketing preferences | Communication preferences, newsletter subscriptions | Targeted communication (with consent where required)

Note: health data are special categories of personal data under the GDPR. We only process these when strictly necessary and usually only with explicit written consent.

3. Purposes & legal basis

We process personal data for the following purposes, based on the legal grounds below:

  • Contract performance (Article 6(1)(b) GDPR): execution of membership, facility access, and billing.
  • Legal obligations (Article 6(1)(c)): for example, tax record retention for invoices.
  • Legitimate interest (Article 6(1)(f)): on-site safety, fraud prevention, improving our services, and maintaining member administration. We balance our interests against your privacy.
  • Consent (Article 6(1)(a) and Article 9 for health data): for newsletters, marketing, and when processing health data requiring consent.

4. Data retention

We do not retain personal data longer than necessary for the purposes for which they were collected, unless longer storage is legally required. Indicative retention periods:

  • Financial administration: 7 years (in line with tax regulations).
  • Membership data: as long as the membership is active + 2 years after termination.
  • Visitor logs: 30 days, unless needed for security investigations.
  • Marketing data: until consent is withdrawn.
  • Medical statements: usually deleted within 1 year after membership termination.

5. Sharing and third parties

We only share personal data when necessary and with appropriate safeguards:

  • External processors: payment processors, accountants, IT hosting providers, email platforms and booking systems. We sign data processing agreements that comply with GDPR.
  • Legal obligations: data may be shared with authorities when legally required.
  • Anonymous data: we may share anonymized or aggregated statistics for analysis and reporting.

If we transfer data outside the EU/EEA, we ensure appropriate safeguards (such as EU Standard Contractual Clauses).

6. Cookies & tracking

Our website uses cookies and similar technologies for:

  • Necessary functionality (e.g. login, shopping cart)
  • Analytics and website improvement (e.g. Google Analytics — anonymized when configured)
  • Marketing and remarketing (only with your consent)

You can manage your cookie preferences via the cookie settings on our website. Blocking essential cookies may affect functionality.

7. Security

We take appropriate technical and organizational measures to secure personal data against loss and unlawful processing. Examples:

  • Data encryption during transmission (TLS/HTTPS)
  • Role-based access limitation
  • Secure hosting and regular backups
  • Data minimization and periodic reviews

No method is 100% secure. In case of a security incident, we will notify affected individuals and the supervisory authority in accordance with the GDPR.

8. Your rights

Under the GDPR, you have the following rights:

  • Access: request which data we process about you.
  • Rectification: correct inaccurate data.
  • Erasure: request deletion of data under certain conditions.
  • Restriction: request limitation of processing.
  • Portability: receive your data in a structured format.
  • Objection: to processing based on legitimate interest or for direct marketing.
  • Withdrawal of consent: if processing is based on consent.

Requests can be sent to info@elysium-gym.lu. We respond within one month in accordance with the GDPR.

9. Complaints

Do you have a complaint about our processing of your personal data? Please contact us at info@elysium-gym.lu so we can investigate. You may also file a complaint with the Data Protection Authority.

10. Changes

We may update this privacy policy. In case of significant changes, we will inform members via email or in our facility. The effective date is shown at the top of this document.

11. Contact

For questions about this privacy policy or your personal data, please contact:

Elysium Gym
34 Rangwee
2412 Luxembourg
Email: info@elysium-gym.lu
Tel: 621632795