1. Scope and Applicability
This Policy applies to all members, visitors, trainers, employees, and other individuals ("you") whose personal data is processed by 1Fit in the course of operating its gym, mobile application, member portal, kiosks, access-control systems, and any other digital or physical service (collectively, the "Services").
We are the "Controller" of your personal data within the meaning of the PDPL.
2. Personal Data We Collect
We collect and process the following categories of personal data, including some categories that are considered Sensitive Personal Data under Article 1(11) of the PDPL:
- Identity data: full name, gender, date of birth, national ID or Iqama number, photograph for membership card.
- Contact data: email address, mobile number, postal address, and emergency contact.
- Account data: username, hashed password, language and notification preferences.
- Membership and attendance data: contracts, classes booked, check-ins, gate access logs, locker assignments.
- Health and fitness data (Sensitive): self-declared medical conditions, fitness goals, body measurements, training history.
- Biometric data (Sensitive, where used): fingerprint or facial templates used solely for gym access — collected only with your explicit, separate consent and never shared.
- Financial data: billing address, payment-method tokens (we do not store full card numbers), invoices, and ZATCA-compliant tax records.
- Technical data: device identifier, IP address, browser type, operating system, application interaction logs.
- Communications data: messages exchanged with our staff, support tickets, feedback forms, recorded calls (where lawfully recorded with prior notice).
3. Purposes of Processing
We process your personal data for the following purposes:
- To register and manage your membership, verify identity, and grant gym access.
- To schedule classes, personal training sessions, and facility bookings.
- To process payments, issue invoices, and meet our tax-record obligations under ZATCA regulations.
- To personalise your training programme and provide health-and-fitness recommendations.
- To communicate service notices, freezes, renewals, and security alerts.
- To prevent fraud, secure our facilities and systems, and investigate misuse.
- To comply with legal, regulatory, and law-enforcement obligations in Saudi Arabia.
- With your separate, explicit consent: to send marketing communications and personalised offers.
4. Legal Basis for Processing
We rely on the following legal bases under Articles 5–7 of the PDPL:
- Your consent — you have freely, specifically, and unambiguously consented (e.g. marketing, biometric access, sensitive health data).
- Performance of a contract — processing necessary to deliver the membership and services you have purchased.
- Legal obligation — processing required to comply with Saudi law (tax invoicing, anti-money-laundering, regulator requests).
- Legitimate interests — operating, securing, and improving the Services where this does not override your rights.
- Vital interests — processing strictly necessary to protect your life or physical integrity in a medical emergency on our premises.
5. Disclosure and Sharing
We may disclose your personal data to:
- Service providers acting on our instructions: PerfectGym (gym-management platform), payment service providers licensed by the Saudi Central Bank (SAMA), cloud and infrastructure providers, communications providers, and analytics partners.
- Trainers, instructors, and gym staff: limited to data needed to deliver your sessions and to ensure your safety.
- Group entities and franchise partners: where required to operate the 1Fit network.
- Authorities and regulators: including SDAIA, ZATCA, the Ministry of Commerce, the Communications, Space and Technology Commission (CST), law-enforcement bodies, and competent courts when legally required.
- Successors: in connection with a merger, acquisition, or restructuring, with prior notice where required by law.
We require all processors to enter into written data-processing agreements that meet the requirements of the PDPL Implementing Regulations.
6. Cross-Border Data Transfers
Personal data is hosted primarily within the Kingdom of Saudi Arabia. Where transfer outside the Kingdom is necessary (e.g. cloud-services regions, international payment networks), we comply with Article 29 of the PDPL by relying on one of the lawful transfer mechanisms recognised by SDAIA — including adequacy decisions, standard contractual clauses, or your explicit informed consent — and we apply appropriate technical and organisational safeguards.
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by Saudi law:
- Active membership records: while the contract is active and for two (2) years after termination, to handle disputes and renewals.
- Tax-relevant financial records (invoices, payments): ten (10) years, in line with the Saudi Commercial Books Law and ZATCA regulations.
- Marketing consent records: until consent is withdrawn, plus a short audit retention period.
- Biometric templates: deleted within thirty (30) days of membership termination or earlier upon request.
- Security logs and CCTV footage: as required by applicable law, typically not longer than ninety (90) days unless related to a security incident.
After the retention period elapses we delete or anonymise the data securely.
8. Your Rights under the PDPL
Subject to PDPL Articles 4 and 21–28, you have the right to:
- Be informed about the legal basis and purpose of processing.
- Access the personal data we hold about you and obtain a copy in a readable format.
- Correct or update data that is inaccurate or incomplete.
- Request destruction of your data when it is no longer needed for the purposes for which it was collected, subject to overriding legal obligations.
- Withdraw consent previously granted at any time, without affecting the lawfulness of prior processing.
- Restrict or object to specific processing activities, including direct marketing.
- Lodge a complaint with the competent regulator: the Saudi Data and Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa.
To exercise these rights, please contact our Data Protection Officer at [email protected] or [email protected]. We respond within thirty (30) days of receiving a verifiable request.
9. Minors
Membership is generally restricted to individuals aged 18 years or above. Where we lawfully accept members under 18, processing of their personal data is conducted only with the explicit consent of their guardian, and only for the purposes strictly necessary to deliver the Services and protect the minor's safety.
10. Security
We implement technical and organisational measures aligned with the National Cybersecurity Authority (NCA) Essential Cybersecurity Controls and the PDPL Implementing Regulations, including:
- encryption of personal data in transit (TLS) and at rest;
- role-based access control, least-privilege, and multi-factor authentication for staff;
- regular security testing, vulnerability management, and patching;
- secure development practices, logging, and continuous monitoring;
- incident-response procedures, including notification to SDAIA and to affected individuals where required by law.
12. CCTV and Premises Monitoring
Closed-circuit cameras operate in our facilities for safety and security purposes only, in compliance with Saudi regulations on visual monitoring. Cameras are not installed in changing rooms, prayer rooms, or any private area. Footage is retained for a limited period and accessed only by authorised personnel.
13. Updates to This Policy
We may update this Privacy Policy from time to time. We will publish the revised Policy at the same URL and, where the change is material, notify you in advance through the application or by email. Your continued use of the Services after the effective date of an update constitutes acceptance of the revised Policy.
14. Language
This Policy is published in Arabic and English. In the event of any conflict between the two language versions, the Arabic version shall prevail in accordance with the laws of the Kingdom of Saudi Arabia.
15. Contact Us
Questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data should be addressed to our Data Protection Officer:
- Email: [email protected]
- General privacy enquiries: [email protected]
- Postal: 1Fit Gym, Jeddah, Kingdom of Saudi Arabia
If you are not satisfied with our response, you may lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa.