Privacy Policy
Last updated: 29 May 2026
1. Who we are
Gymsearch is a directory of gyms and personal trainers in the Netherlands. We act as the data controller when you visit this site or submit a form. Contact: [email protected].
2. What we process
- Visit data: IP address, browser version, pages viewed, referrer. Used for analytics (see §4).
- Form data: name, email, phone, message when contacting a gym or PT, or creating an account.
- Payment data: when buying a training or nutrition plan, name, email and payment method are processed by Stripe. We only receive the transaction confirmation — never your card details.
- Account data: email, company name, phone and account type (gym or PT) for owner accounts. Stored in Supabase (Postgres, EU region).
3. Legal basis (GDPR art. 6)
- Contract performance (art. 6(1)(b)): purchases, account management, form notifications.
- Consent (art. 6(1)(a)): analytics and advertising cookies. Asked via the cookie banner. To withdraw, clear your browser data for gymsearch.nl — the banner reappears on the next visit.
- Legitimate interest (art. 6(1)(f)): essential site functioning, fraud prevention, API rate limiting.
4. Analytics and advertising pixels
We use the following services only after you accept the cookie banner. Before that, they send no identifiable data (Google Consent Mode v2 stays at "denied").
| Service | Purpose | Cookies? | Country |
|---|---|---|---|
| Google Tag Manager + Google Analytics 4 | Anonymous visitor stats, conversion measurement | Yes (`_ga`, `_gid`) | US (DPF) |
| Meta Pixel + Conversions API | Conversion attribution for Facebook/Instagram ads | Yes (`_fbp`, `_fbc`) | US (DPF) |
| Google Maps | Display gym locations | Yes (Google-set) | US (DPF) |
| LinkPizza | Affiliate link tracking for partner gyms | Yes | EU |
5. Server-side conversion tracking (Meta CAPI)
Alongside the browser pixel, we forward relevant conversion events (PageView, Lead, Purchase, CompleteRegistration) server-to-server to Meta via the Conversions API. Email and optional phone number are SHA-256 hashed on our server before transmission — Meta never receives your raw contact details. Both channels share a common `event_id` so Meta counts them as a single conversion and not twice.
This server-side processing falls under the same consent as the browser pixel: no event is sent — not even server-side — without your consent.
6. Who we share data with
- Hosting: Cloudflare Pages (Cloudflare, Inc. — US, DPF). Edge CDN + worker runtime.
- Database: Supabase (Supabase, Inc. — EU region for our project database).
- Payments: Stripe Payments Europe (Ireland).
- Email: Resend (US, DPF) for transactional email.
- Analytics: Google LLC (GA4, GTM), Meta Platforms (Pixel, CAPI). Both via the Data Privacy Framework.
- Gym / PT owners when you submit their contact form — only then are your name and email forwarded to them.
7. Retention
- Contact-form inquiries: 24 months in our database, unless you request deletion sooner.
- Owner accounts: as long as the account is active.
- Stripe purchases: 7 years (Dutch tax law requirement).
- Analytics events: 14 months (GA4 default), Meta 2 years.
8. Your rights
Under the GDPR you have the right to:
- Access the data we hold about you
- Rectification or erasure
- Restriction of processing + objection
- Data portability (machine-readable export)
- Withdraw consent (via the cookie banner or `localStorage.removeItem('gymsearch:consent')`)
- Lodge a complaint with the Dutch Data Protection Authority
Send a request to [email protected]. We respond within 30 days.
9. Security
HTTPS connection (TLS 1.3) with a strict Content Security Policy. Passwords are hashed by Supabase Auth. Server-side APIs are rate-limited. Database access is enforced with Row-Level Security so owners only see their own data.
10. Changes
Material changes are announced via a banner at the top of this page. The version date at the top shows when this policy was last revised.