PRIVACY POLICY
> Last Updated: January 2025
> This policy describes how XFitness collects, uses, and protects your personal information in compliance with the Personal Data Protection Act 2010 (PDPA) of Malaysia.
Introduction
This site and all services offered herein are owned and operated by X FITNESS CENTRE (Business Registration No.: 202503023755, Old Registration No.: IP0604759-X) ("the Company," "we," "our," or "us").
While the official registered name is X FITNESS CENTRE, the brand is commonly referred to as XFitness across all signage, marketing materials, and social media platforms.
Company: X FITNESS CENTRE (Brand: XFitness)
Business Registration No.: 202503023755
Location: 33A, 33B, Jalan Bestari 12/2, Taman Nusa Bestari, Skudai, Johor Bahru 79100, Malaysia
Effective Date: January 2025
Last Updated: January 2025
By using our services, you agree to the collection and use of information in accordance with this policy. We comply with the Personal Data Protection Act 2010 (PDPA) of Malaysia.
Information We Collect
We collect several types of information to provide and improve our services:
Personal Information
- Full name
- Email address
- Phone number
- IC Number (NRIC)
- Date of birth
- Gender
- Address
- Emergency contact information
Payment Information
Payment information is processed securely through Revenue Monster. We do not store your full credit card details on our servers. Revenue Monster handles all payment processing in compliance with PCI DSS standards.
Biometric Data
Facial recognition templates for gate access control. This data is encrypted and stored securely. You provide explicit consent during the enrollment process.
IC Images (Temporary)
IC images are collected temporarily for identity verification purposes. These images are automatically deleted after verification is complete, in compliance with PDPA "Verify & Purge" principles.
Usage Data
- Class bookings and attendance records
- Gym access logs
- Membership history
- Personal training session records
Device Information
For mobile app users, we may collect device information including device type, operating system, unique device identifiers, and mobile network information.
How We Use Your Information
We use the collected information for the following purposes:
- Membership Management: Process memberships, renewals, and manage your account
- Class Bookings: Enable class reservations, cancellations, and attendance tracking
- Payment Processing: Process payments for memberships, classes, and personal training sessions
- Access Control: Enable facial recognition for secure gym entry
- Communication: Send notifications, promotions, class reminders, and important updates
- Service Improvement: Analyze usage patterns to improve our services and user experience
- Legal Compliance: Comply with legal obligations, respond to legal requests, and protect our rights
- Safety & Security: Ensure the safety of our facilities and members
Data Sharing & Third Parties
We may share your information with the following third parties:
Revenue Monster
Payment processing service. They handle all payment transactions securely. Review their privacy policy at revenuemonster.my/privacy-policy
Supabase
Database hosting and backend services. Your data is stored securely in their infrastructure. Review their privacy policy at supabase.com/privacy
Cloudflare R2
Temporary image storage for IC verification. Images are automatically deleted after verification. Review their privacy policy at cloudflare.com/privacy
Service Providers
We may share data with trusted service providers who assist in operating our services, including hosting, analytics, and customer support. These providers are contractually obligated to protect your data.
Legal Requirements
We may disclose your information if required by law, court order, or government regulation, or to protect our rights, property, or safety, or that of our members.
Data Security
We implement industry-standard security measures to protect your personal information:
- Encryption: Data is encrypted both at rest and in transit using SSL/TLS protocols
- Secure Authentication: Multi-factor authentication and secure password hashing
- Access Controls: Role-based access controls limit data access to authorized personnel only
- Regular Security Audits: We conduct regular security assessments and updates
- IC Image Deletion: IC images are automatically deleted after verification, complying with PDPA "Verify & Purge" principles
- Biometric Data Protection: Facial recognition templates are encrypted and stored separately from other personal data
Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
Your Rights (PDPA Compliance)
Under the Personal Data Protection Act 2010 (PDPA) of Malaysia, you have the following rights:
Right to Access
You have the right to request access to your personal data that we hold. We will provide you with a copy of your data within 21 days of your request.
Right to Correction
You may request correction of any inaccurate or incomplete personal data. We will update your information promptly upon verification.
Right to Withdraw Consent
You may withdraw your consent for data processing at any time. Note that withdrawing consent may affect your ability to use certain services.
Right to Request Deletion
You may request deletion of your personal data, subject to legal and contractual obligations. We will delete your data where legally permissible.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used format.
How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@xfitness.my or use the contact information provided below. We will respond to your request within 21 days.
Facial Recognition & Biometric Data
We use facial recognition technology for secure gym access:
Purpose
Facial recognition is used exclusively for gate access control, providing a secure and convenient way to enter the gym without physical cards or keys.
Storage
Biometric templates (mathematical representations of facial features) are encrypted and stored securely. We do not store actual images of your face.
Security Measures
- Encryption of biometric templates
- Secure transmission protocols
- Access restricted to authorized systems only
- Regular security audits
Consent
You provide explicit consent during the facial enrollment process. You may withdraw consent at any time, which will require alternative access methods.
Deletion Rights
You may request deletion of your biometric data at any time. Upon request, we will permanently delete your facial recognition template.
IC Verification & Data Retention
We implement a "Verify & Purge" approach in compliance with PDPA:
Temporary Storage Policy
IC images are collected temporarily for identity verification purposes only. Images are stored securely in Cloudflare R2 during the verification process.
Automatic Deletion
Once verification is complete (either automatic via OCR or manual review), IC images are automatically deleted. We only retain the verification status and date, not the images themselves.
Manual Verification Process
If automatic OCR verification fails, authorized staff may review the IC image manually. Upon approval, the image is immediately deleted.
Retention Period
IC images are retained only for the duration necessary to complete verification, typically within 24-48 hours. After verification, images are permanently deleted.
PDPA Compliance
This "Verify & Purge" approach complies with PDPA principles by minimizing data retention and eliminating unnecessary storage of sensitive identity documents.
Children's Privacy
Our services are not intended for individuals under the age of 16:
- Age Restriction: You must be at least 16 years old to use our services
- Parental Consent: If you are under 18, parental or guardian consent may be required for certain services
- No Collection: We do not knowingly collect personal information from children under 16
- Removal: If we discover that we have collected information from a child under 16, we will delete it immediately
Changes to This Policy
We may update this Privacy Policy from time to time:
- Notification: We will notify you of any material changes via email or prominent notice on our website
- Effective Date: The "Last Updated" date at the top of this policy indicates when changes take effect
- Review: We encourage you to review this policy periodically to stay informed about how we protect your information
- Continued Use: Your continued use of our services after changes become effective constitutes acceptance of the updated policy
Contact Information
If you have questions, concerns, or wish to exercise your rights under PDPA, please contact us:
Phone
011-7260 3994
Address
33A, 33B, Jalan Bestari 12/2,
Taman Nusa Bestari,
Skudai, Johor Bahru 79100,
Malaysia
Response Time
We aim to respond to all privacy inquiries within 21 days, as required by PDPA. For urgent matters, please call us directly.