Privacy Policy – OrO Gym SL
Introduction
OrO Gym SL, located in Moraira, highly values your privacy and the protection of your personal data. In this Privacy Policy, we provide clear and transparent information about how we handle personal data.We are committed to ensuring your privacy and therefore treat personal data with care. OrO Gym SL complies with applicable laws and regulations, including the General Data Protection Regulation (GDPR). This means we:
· Process your personal data for specific purposes, as described in this Privacy Policy.
· Limit processing to the data necessary for those purposes.
· Obtain your explicit consent when required.
· Implement appropriate technical and organizational measures to secure your personal data.
· Do not share personal data with third parties unless necessary for the stated purposes or legally required.
· Acknowledge and respect your rights regarding your personal data.
Controller and Contact
· Controller: OrO Gym SL
· Address: Ctra. Moraira Calpe, 121, F, Bloque C
· Email: info@oro-gym.com
· If you have questions after reading this Privacy Policy, or wish to exercise your rights, please contact us via the above details.
We reserve the right to amend this Privacy Policy at any time. The most current version will always be available on our website. We advise you to check it regularly.
Legal Bases We Rely OnDepending on the processing activity, we rely on one or more of the following GDPR legal bases:
· Contract (Art. 6(1)(b)) – e.g., to manage your membership and provide services.
· Legal obligation (Art. 6(1)(c)) – e.g., tax and accounting retention obligations.
· Legitimate interests (Art. 6(1)(f)) – e.g., to ensure security, prevent fraud, and promote our services, provided your interests do not override ours.
· Consent (Art. 6(1)(a)) – e.g., for newsletters or certain promotional images. You can withdraw consent at any time.
Processing Personal Data of Members, Customers, and Suppliers
Purposes· Administrative purposes
· Communication regarding assignments and/or invitations
· Execution or issuance of an assignment
· Implementation of the membership agreement
· Reservation of group lessons
· Use of the OrO Gym app
· Interaction with OrO Gym SL
Legal bases
· Contract, legitimate interests, and where applicable, consent.
Categories of data
· First name; Prefix; Last name; DNI; (Business) Telephone number; (Business) Email address; Date of birth; Photograph; Gender; IBAN bank account number.
Retention
· Stored for the duration of the agreement and/or membership and thereafter only in the financial administration for a maximum of 7 years (or longer if required by applicable law).
Processing Personal Data of Newsletter Subscribers
Purpose· Informing the individual through newsletters.
Legal bases
· Consent via the newsletter registration form, oral permission, or membership enrollment (where soft opt-in is permitted).
Categories of data
· First name; Prefix; Last name; Email address.
Retention
· For the duration of your newsletter subscription or until you unsubscribe/withdraw consent.
Processing Personal Data of Prospects and/or Interested PartiesPurpose
· Providing information through newsletters and/or targeted contacts.
Legal bases
· Consent or legitimate interests based on your request for information (e.g., verbal consent, digital info request, business card exchange, website contact form, social media interactions).
Categories of data
· First name; Prefix; Last name; Telephone number; Email address.
Retention
· For the period during which you are considered a prospect and/or interested party, or until you object or withdraw consent.
CCTV and Camera Surveillance
Purposes· To ensure safety and security in and around our facilities.
· To prevent, detect, and investigate incidents, theft, vandalism, or other unlawful acts.
· To support incident response and cooperate with competent authorities.
Legal bases
· Legitimate interests (Art. 6(1)(f)) to maintain a safe environment, protect people and property, and handle incidents.
· Where required by law, we may process or disclose footage to comply with legal obligations (Art. 6(1)(c)).
Scope and categories of data
· Video footage and related metadata (time, location) in and around our premises.
· No CCTV in changing rooms, showers, or saunas.
Retention
· We retain CCTV footage only as long as necessary for the above purposes, typically no longer than 30 days, unless footage must be retained longer in connection with a specific incident, legal claim, or lawful request from competent authorities.
Recipients and sharing
· Processors providing CCTV maintenance/hosting under a data processing agreement.
· Competent authorities where legally required or in the context of (suspected) unlawful acts.
Your rights regarding CCTV
· You may request information about whether you appear in footage and, where feasible, request access. We may need to verify your identity and may apply masking of third parties or provide a description/screenshot where appropriate to protect others’ privacy and security.
Promotional Photo/Video Content
Purposes· To create and publish promotional content for OrO Gym SL (e.g., website, social media, newsletters, digital/print advertising).
Legal bases
· Legitimate interests (Art. 6(1)(f)) to promote our services and community.
· Consent (Art. 6(1)(a)) where appropriate, such as for close-up identifiable images, featuring minors, or where local practice requires consent. You may withdraw consent at any time.
Scope and categories of data
· Photographs and video recordings in and around the club (never in changing rooms, showers, or saunas).
· Social media handles if you interact with our channels.
Choices and opt-out
· If you prefer not to appear in promotional materials, please inform staff upon entry or email info@oro-gym.com . We will take reasonable steps to avoid capturing you or to blur/withhold images where feasible.
· If you wish to request removal or anonymization of published materials in which you appear, contact info@oro-gym.com . We will accommodate requests where reasonably possible and without disproportionate effort.
Retention
· Promotional content is retained for the duration of its marketing relevance. We periodically review published content and remove or archive material that is no longer needed.
Recipients and sharing
· Processors (e.g., photographers, marketing agencies, cloud storage) under data processing agreements.
· Publication platforms (e.g., social media, our website, newsletters). Content published on third-party platforms is subject to those platforms’ terms and may be re-shared.
Minors
· We only process personal data of minors (persons under 16 years of age) with written consent from a parent, guardian, or legal representative.
· Identifiable images of minors for promotional purposes will only be used with verifiable consent from a parent/legal guardian.
Sharing Data with Third Parties
We may share your data with third parties if necessary for the purposes described above, for example:· Managing our IT environment (including GDPR compliance tools and hosting).
· Handling our (financial) administration.
· Managing group lesson reservations via the app.
· Producing and distributing newsletters and invitations.
· Maintaining CCTV and security systems.We do not share personal data with third parties without a processing agreement when they act as processors. We will also not share your data with other parties unless legally required and permitted (e.g., police investigation) or with your explicit consent.
International Data Transfers
Our aim is to process and store personal data within the European Economic Area (EEA). However, some processors or platforms (e.g., certain cloud, CRM, newsletter, or social media services) may be located outside the EEA. Where personal data is transferred outside the EEA, we ensure appropriate safeguards in accordance with GDPR Chapter V, such as:· An adequacy decision by the European Commission; or
· The European Commission’s Standard Contractual Clauses and additional measures where necessary.
Retention Periods
We store personal data no longer than necessary for the purpose for which it was provided or as required by law. Examples:· Membership/contract data: for the duration of the contract and then retained in financial administration for up to 7 years (or longer if legally required).
· Newsletter data: for as long as you are subscribed or until you withdraw consent.
· Prospect data: for as long as you are considered a prospect/interested party or until you object/withdraw consent.
· CCTV footage: typically up to 30 days, longer if required due to a specific incident or legal claim.
· Promotional content: for as long as it remains relevant for our marketing purposes, subject to periodic review.
Security Measures
We have taken appropriate technical and organizational measures to protect your personal data against unlawful processing, loss, or misuse, including:· Confidentiality obligations for personnel and partners with access to data.
· Role-based access, usernames and passwords, and (where appropriate) multi-factor authentication.
· Pseudonymization and encryption of personal data where necessary.
· Regular backups and recovery procedures for physical or technical incidents.
· Regular testing, assessment, and evaluation of the effectiveness of our security measures.
· Staff training on the importance of data protection.
Website and Cookies
Our website uses cookies to enhance your experience, adjust the website to your preferences, and analyze website traffic. Our Cookie Policy provides detailed information about the types of cookies we use and how you can manage your preferences. You can control cookie settings in your browser and withdraw consent for non-essential cookies at any time.
Your Rights Regarding Your Data
Under the GDPR, you have the following rights (subject to conditions and exceptions):· Right of access to your personal data.
· Right to rectification if your data is inaccurate or incomplete.
· Right to erasure (“right to be forgotten”).
· Right to restriction of processing.
· Right to data portability.
· Right to object to processing based on our legitimate interests, including direct marketing.
· Right to withdraw consent at any time where processing is based on consent.
· Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (we do not perform such processing in the ordinary course of our services).
To exercise your rights, contact us at info@oro-gym.com . We may ask for identification to verify your identity. We aim to respond within one month of receiving your request, extendable in complex cases as permitted by law.
Complaints
If you have a complaint about how we process your personal data, please contact us so we can try to resolve it together. You also have the right to file a complaint with the Agencia Española de Protección de Datos (AEPD), the Spanish supervisory authority for data protection:· Website: www.aepd.es
Changes to This Policy
We may amend this Privacy Policy from time to time. The latest version will be published on our website, with the effective date. We recommend reviewing it regularly.
Contact Details
OrO Gym SLCtra. Moraira Calpe, 121, F, Bloque CMoraira, SpainEmail: info@oro-gym.com
Cookie Policy (Summary)
Our website uses cookies to enhance functionality and tailor content to your preferences. Our Cookie Policy provides more information about the types of cookies we use and their purposes. You have the right to control cookie settings in your browser and to request, correct, or delete personal data associated with cookies by contacting us.