Privacy Policy

Last updated: March 2025

Governing law: Republic of North Macedonia

At Star Gym 24/7, we take your privacy seriously. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, and what rights you have under the Law on Personal Data Protection of the Republic of North Macedonia (Official Gazette no. 42/20 and 294/21, “DP Law”) — which is largely harmonised with the EU General Data Protection Regulation (GDPR).

1. Data Controller

The data controller responsible for your personal data is:

📍 Star Gym 24/7
Tale Hristov 2, Skopje 1000, North Macedonia
Phone: +389 75 240 430
Email: info@stargym.mk

As the data controller, Star Gym 24/7 determines the purposes and means of processing your personal data. For questions about this policy or to exercise your rights, contact us at the details above.

2. What Data We Collect

Account Data

  • Full name
  • Email address
  • Hashed password (never stored in plain text)
  • Account creation date and login activity

Membership Data

  • Active membership plan (Day Pass / Monthly / 6-Month / 12-Month)
  • Membership start and end dates
  • Membership status (active, expired, cancelled)
  • Remaining access time

Trainer Assignment Data

  • Assigned personal trainer name and contact details
  • Session history and notes entered by your trainer
  • Fitness goals (if voluntarily provided by you)

Payment Data

  • Billing history (payment dates, amounts in MKD, plan type)
  • Payment status (successful, pending, failed)

💳 Star Gym 24/7 does NOT store your full card number, CVV, or bank account details. All payment information is handled exclusively by LemonSqueezy LLC and stored on their secure servers.

Usage & Technical Data

  • IP address and browser type (collected automatically on login)
  • Pages visited and features used within the dashboard
  • Error logs and session data for platform stability

3. Legal Basis for Processing

We process your personal data on the following legal bases under the DP Law:

  • Performance of a contract — to activate your membership, manage billing, and provide dashboard access
  • Legitimate interests — to maintain platform security, prevent fraud, and improve our services
  • Consent — for optional features such as marketing emails (which you may withdraw at any time)
  • Legal obligation — to comply with financial, tax, and data protection regulations applicable in North Macedonia

4. How We Use Your Data

  • Activate and manage your gym membership
  • Provide access to your personal member dashboard
  • Process membership payments and send billing receipts
  • Connect you with your assigned personal trainer
  • Allow your trainer to track your progress and sessions
  • Send transactional emails (account creation, payment confirmations, membership expiry notices)
  • Detect and prevent unauthorised access or fraudulent activity
  • Respond to your support requests or complaints
  • Comply with our legal obligations under North Macedonian law

5. Third-Party Data Processors

We share your data with the following trusted sub-processors. Each is bound by contractual obligations to protect your data:

Supabase, Inc. (United States)

Supabase provides our authentication system and database infrastructure. Your account credentials, membership data, and dashboard information are stored on Supabase servers. Data is transferred to the US under Standard Contractual Clauses (SCCs) as approved by the European Commission, in compliance with DP Law cross-border transfer requirements.

Privacy policy: supabase.com/privacy

Lemon Squeezy LLC (United States)

LemonSqueezy processes all membership payments. They receive your name, email address, and billing details necessary to complete the transaction. Card data is processed and stored exclusively by LemonSqueezy under PCI DSS standards. Data is transferred to the US under SCCs.

Privacy policy: lemonsqueezy.com/privacy

⚠️ We do not sell your personal data to any third party. We do not use your data for advertising purposes or share it with marketing platforms.

6. Data Retention

  • Account data — retained for the duration of your account and up to 3 years after account deletion, for legal and dispute purposes
  • Membership records — retained for 5 years to comply with North Macedonian accounting and tax laws
  • Payment records — retained for 5 years as required by law
  • Trainer session notes — retained for 2 years after the client-trainer relationship ends
  • Technical/usage logs — retained for 90 days then automatically deleted

7. Your Rights Under the DP Law

Under the Law on Personal Data Protection, you have the following rights:

Right of Access (Art. 15)

You may request a copy of all personal data we hold about you.

Right to Rectification (Art. 16)

You may request correction of inaccurate or incomplete data.

Right to Erasure — Right to be Forgotten (Art. 17)

You may request deletion of your data where it is no longer necessary for the purpose it was collected, or where you withdraw consent. Note: some data may be retained for legal compliance (see Section 6).

Right to Restriction of Processing (Art. 18)

You may request that we limit how we use your data in certain circumstances.

Right to Data Portability (Art. 20)

You may request your personal data in a structured, machine-readable format to transfer to another service.

Right to Object (Art. 21)

You may object to processing based on legitimate interests or for direct marketing purposes.

Right Not to Be Subject to Automated Decisions (Art. 22)

We do not currently use automated decision-making or profiling that produces legal or similarly significant effects on you.

📧 To exercise any of these rights, contact us at info@stargym.mk. We will respond within 30 days, as required by the DP Law.

8. Cross-Border Data Transfers

Both Supabase and LemonSqueezy are US-based companies. Transfers of your personal data to the United States are carried out under Standard Contractual Clauses (SCCs) — the legally recognised safeguard under the DP Law for transfers to third countries that do not have an adequacy decision from the North Macedonian DPA (AZLP).

We have notified AZLP of these transfers as required by the DP Law. If you wish to obtain a copy of the applicable SCCs, contact us at info@stargym.mk.

9. Security Measures

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

  • All data in transit encrypted via TLS/HTTPS
  • Database encryption at rest via Supabase infrastructure
  • Password hashing using bcrypt (passwords are never readable)
  • Role-based access control (trainers can only see their own clients)
  • Regular security reviews of our platform and infrastructure
  • Audit logging of sensitive data access

🚨 In the event of a personal data breach that poses a risk to your rights and freedoms, we are obliged to notify AZLP within 72 hours and, where required, notify affected individuals without undue delay.

10. Cookies & Analytics

Our platform uses essential cookies required for authentication and session management (e.g., Supabase session tokens). We do not currently use third-party analytics or advertising cookies.

You can control cookie settings in your browser, but disabling essential cookies may prevent you from logging in to your dashboard.

11. Children's Privacy

Our Service is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16 without verifiable parental consent, as required by the DP Law. If you believe a child has provided us with personal data without consent, please contact us and we will delete the data promptly.

12. Sensitive Data

Fitness goals or health-related information you voluntarily provide (e.g., injury history shared with a trainer) may constitute health data under the DP Law, which is classified as a special category of personal data. We only process such data where you have explicitly provided it and only share it with your assigned trainer. You may request deletion of such data at any time.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will update the “Last updated” date and notify registered users by email. We encourage you to review this policy periodically.

14. Contact the Data Controller

For any questions about this Privacy Policy, to exercise your rights, or to request your data:

📍 Star Gym 24/7 — Tale Hristov 2, Skopje 1000, North Macedonia
📞 +389 75 240 430
📧 info@stargym.mk

We will respond to all requests within 30 days.

15. Right to Lodge a Complaint with AZLP

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Personal Data Protection Agency of North Macedonia (AZLP):

🏛️ Personal Data Protection Agency (AZLP)
Boulevard Goce Delcev 18, 1000 Skopje, North Macedonia
Website: azlp.mk

We would appreciate the opportunity to address your concerns before you contact AZLP — please reach out to us first at info@stargym.mk.
