PRIVACY POLICY
> Last Updated: December 19, 2025
> This Privacy Policy (the "Policy") is issued by X Fitness Centre (Business Registration No.: 2025003023755) ("the Company," "we," "us," or "our"). This Policy describes our practices regarding the collection, usage, and protection of your personal information across our Services, which include our website (https://www.xfitness.my), the X Fitness App, and our physical facilities.
> In compliance with the Personal Data Protection Act 2010 ("PDPA") of Malaysia, this notice informs you of your rights and our obligations regarding your personal data.
1. Categories of Personal Data Collected
To provide a seamless fitness experience, we collect and process the following categories of data:
• Identity & Contact Data:
Full name, NRIC/Passport number (for verification), date of birth, gender, residential address, and emergency contact details.
• Sensitive Personal Data (Biometrics):
Facial recognition templates (mathematical representations of facial features) used for secure gate access control.
• Payment & Financial Data:
Transactional data processed securely via Revenue Monster. Note: We do not store full credit card details on our local servers; all processing is PCI DSS compliant.
• Technical & Usage Data:
Gym access logs, class booking history, IP addresses, device identifiers, and operating system information stored via Supabase.
• Visual Data:
Temporary IC images for verification and 24-hour CCTV surveillance footage within our facilities for safety and security.
2. Sensitive Personal Data: Facial Recognition
Under the PDPA, biometric data is classified as Sensitive Personal Data.
• Explicit Consent:
By enrolling in our facial recognition system via the App, you provide explicit consent to the processing of your biometric templates.
• Purpose:
This data is used exclusively for secure, touchless access control to our facilities.
• Security:
We do not store raw images of your face for access; we store encrypted mathematical templates, which are kept separately from your profile data to ensure maximum security.
3. The "Verify & Purge" Protocol (IC Verification)
We implement a strict "Data Minimization" policy regarding identity documents:
• Temporary Storage:
IC/Passport images are collected solely for the purpose of identity verification and are stored temporarily in Cloudflare R2.
• Automatic Deletion:
In compliance with PDPA principles, these images are automatically deleted from our cloud storage within 24-48 hours once verification (OCR or manual) is completed. We only retain the record that the verification was successful.
4. Third-Party Data Disclosures & Infrastructure
We utilize high-tier technical partners to maintain our Services. Your data may be shared with or processed by:
• Supabase:
Our primary database hosting provider.
• Revenue Monster:
Our payment processing partner.
• Cloudflare:
Our infrastructure and security provider.
• Data Localization:
You acknowledge and agree that your data may be hosted on secure servers located in Singapore. We ensure that all cross-border transfers comply with Malaysian data protection standards.
5. Data Retention & Cancellation
• Active Membership:
Your data is retained for the duration of your membership to facilitate the 12-month commitment and rolling subscription terms.
• Post-Cancellation:
Upon the formal in-person cancellation of your membership, your biometric template will be deactivated. We retain historical transaction data for up to seven (7) years to comply with Malaysian tax and audit regulations, after which it is permanently purged.
6. Your Legal Rights
Under the PDPA, you are entitled to the following rights, which X Fitness will fulfill within 21 days of a written request:
1. Right to Access:
Request a copy of the personal data we hold about you.
2. Right to Correction:
Request the update of inaccurate or incomplete information.
3. Right to Withdraw Consent:
You may withdraw your consent for biometric or marketing processing. Note: Withdrawing consent for biometric access will result in the termination of your membership, as we cannot provide automated facility access without this data.
4. Right to Request Deletion:
Subject to legal and contractual obligations (including your 12-month commitment term).
7. Changes to This Policy
We reserve the right to amend this Policy. Any material changes will be communicated with at least seven (7) days' notice via the App or our website. Continued use of the Services after such notice constitutes your acceptance of the updated Policy.
8. Contact Our Data Protection Officer
If you wish to exercise your rights, report misconduct, or have any inquiries regarding your privacy, please contact us:
Phone
(+60) 11-7260 3994
Address
33A, 33B, Jalan Bestari 12/2,
Taman Nusa Bestari,
Iskandar Puteri 79150,
Johor, Malaysia