PRIVACY POLICY
This Policy explains how Gymaginario collects, uses, and protects personal data when you visit or use the website gymaginario.com or purchase/receive our digital services.
This information is provided in accordance with the transparency requirements of the GDPR (in particular Article 13) and must be clear, accessible, and easy to understand.
1) Data Controller – Contact Details
Data Controller: PAZIOU CHRISTINA
Registered Address: MENEXEDON 15, KIFISIA, P.C. 14564, Greece
VAT Number: 069741720 / Tax Office: KEFODE ATTIKIS
Email: contact@gymaginario.com
WhatsApp: +30 6976926278
Viber: +30 6976926278
2) What Data We Collect
Depending on how you use the website/services, we may collect:
A. Account & Contact Data
Full name, email address, phone number
Login credentials (e.g. username/password in encrypted/hashed form)
B. Order & Billing Data
Purchase/package details, transaction history, invoices/receipts
For bank transfer payments: proof of deposit (if you send it to us), IBAN/details appearing on the receipt
For card payments: your card details are not stored by us; they are submitted directly to the payment provider [worldline.com]. We only receive payment confirmation and transaction identifiers.
C. Onboarding Data for Program Personalization
Training goals, fitness level, preferences
Nutrition habits/preferences
Information you provide regarding limitations or injuries (only to the extent you choose to provide such information)
If you request or provide information that may be considered health data, such data are classified as sensitive and are processed with increased care and solely for the purpose of providing our services.
D. Communication & Support Data
Messages/emails, contact forms, support requests, reviews/feedback
E. Technical Data & Cookies
IP address, device/browser type, logs, security data
Cookies and similar technologies (see section 9)
3) Purposes of Processing & Legal Bases
We process personal data for the following purposes, based on the corresponding legal bases under the GDPR (Article 6):
- Account creation & access provision
Legal basis: Performance of a contract (Article 6(1)(b))
- Order management, payments & provision of digital services (30/90/180 days)
Legal basis: Performance of a contract (Article 6(1)(b))
- Personalized training, nutritional guidance & mindset coaching
Legal basis: Performance of a contract (Article 6(1)(b))
Where required and where sensitive data are collected: explicit consent (Article 9(2)(a)) or another appropriate legal basis, as applicable.
- Customer support, communication & resolution of technical issues
Legal basis: Performance of a contract (Article 6(1)(b)) and/or legitimate interest (Article 6(1)(f)) for service improvement
- Issuance of invoices & compliance with tax/accounting obligations
Legal basis: Legal obligation (Article 6(1)(c))
- System security, fraud prevention & audits
Legal basis: Legitimate interest (Article 6(1)(f))
- Marketing / Newsletter (if applicable)
Legal basis: Consent (Article 6(1)(a)), where required
You may opt out at any time (via the unsubscribe link or by email to contact@gymaginario.com).
4) Data Recipients
We may share personal data only where necessary, with:
- Card payment provider (receives card details for payment execution)
- Hosting/infrastructure providers (website/database hosting)
- Email delivery platform / CRM (if used)
- Analytics/statistics providers (if used)
- Accountant/tax advisor (for invoicing and legal obligations)
- Legal advisors and/or authorities, where required by law
All processors are bound by contracts that include confidentiality and data security obligations.
5) Transfers Outside the EEA
If a service provider is located outside the European Economic Area (e.g. cloud or analytics services), data transfers may take place with appropriate safeguards, such as Standard Contractual Clauses (SCCs), where required.
6) Data Retention Period
We retain personal data only for as long as necessary:
- User account: for as long as it remains active and for a reasonable period after deactivation for support or legal defense purposes
- Order/invoicing data: for the period required by tax and accounting legislation
- Support communications: for a reasonable period for record-keeping and service improvement
- Marketing data: until consent is withdrawn or you opt out
(The GDPR requires specifying retention periods or the criteria used to determine them.)
7) Data Subject Rights
You have, where applicable, the right to:
- Access, rectification, and erasure
- Restriction of processing
- Objection
- Data portability
- Withdrawal of consent (where processing is based on consent)
To exercise your rights, please email contact@gymaginario.com with the subject line “GDPR Request.”
The Company is obliged to facilitate the exercise of your rights and respond in accordance with applicable law.
8) Right to Lodge a Complaint
If you believe your rights have been violated, you may lodge a complaint with the Hellenic Data Protection Authority (HDPA).
9) Cookies & Similar Technologies
The website may use cookies for:
- Strictly necessary purposes (functionality, login, security)
- Statistics/analytics (if enabled)
- Marketing (if enabled)
10) Data Security
We implement appropriate technical and organizational measures (e.g. encryption in transit/HTTPS, access controls, permission limitations, backups). No system can guarantee 100% security, but we continuously work to improve our safeguards.
11) Minors’ Data
Our services are intended for individuals over the age of 18. If we become aware that we have collected personal data from a minor without a valid legal basis or parental consent, we will delete such data where feasible.
12) Changes to This Policy
We may update this Policy from time to time. The most recent version will always be available on the website with a “Last updated” date.