Consent for Health Data Processing

Effective date: 11 June 2026


Data Controller

Viborg Fitness Gym
CVR no.: 42029130
Address: Falkevej 16, 8800 Viborg, Denmark
Phone: +45 20 98 55 76
Email: info@viborgfitnessgym.dk / kontakt@vfg.dk
Website: https://viborgfitnessgym.dk
General privacy policy: Privacy Policy


1. What this page covers

Document | Covers
Privacy Policy | Membership, billing, check-ins, cookies, general rights
This page | Optional health and fitness data in the member app (health data, GDPR Article 9)

Membership and gym access are processed on the basis of your membership agreement (GDPR Art. 6(1)(b)). Optional tracking in the app (weight, nutrition, health/lab, wearables, progress photos) is not a condition of membership and requires your separate, explicit consent for each domain.


Health and fitness data are special categories of personal data (health data). We process them solely on the basis of:

  • GDPR Art. 9(2)(a) — your explicit consent, and
  • GDPR Art. 6(1)(a) — consent as the lawful basis,
  • supplemented by the Danish Data Protection Act (Act No. 502 of 23 May 2018, as amended).

Your consent is freely given, specific, informed, and unambiguous (GDPR Art. 7). You may withdraw it at any time — as easily as you gave it (Art. 7(3)). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. Declining consent has no consequences for your membership.


Each domain has its own consent, given in the app before you log data or open the domain for the first time — through an active action (checkbox, never pre-ticked). The time of your consent is recorded by our server at the moment you accept and cannot be altered or backdated by the app. Progress photos are not covered by the body consent and require separate acceptance.

  • Purpose: Your personal overview of body measurements and trends over time
  • Data: Weight, height, BMI, circumferences, body fat, etc.
  • Retention: While your account is active and consent has not been withdrawn
  • Withdrawal: New entries stop immediately; existing data in the domain is deleted automatically — see section 4

  • Purpose: Your daily nutrition and hydration overview
  • Data: Water intake, calories, macronutrients
  • Retention and withdrawal: Same as the body domain

  • Purpose: Your own overview of health and lab values — not a diagnosis or medical advice
  • Data: Self-logged test results and health information
  • Wellness disclaimer: For your personal overview only — not a diagnosis. Contact a doctor with questions.
  • Retention and withdrawal: Same as the body domain

  • Purpose: Activity and device data linked to your health profile
  • Data: Steps, heart rate, sleep, etc. from connected devices and imports
  • Retention and withdrawal: Same as the body domain

  • Purpose: Optional visual documentation of your progress
  • Classification: We treat photos as health data (Article 9), as they may reveal your physical condition
  • Separate consent: Requires its own acceptance — body consent is not sufficient
  • Retention and withdrawal: Same as the body domain; the image files themselves are deleted from our secure file storage together with the records

4. Retention and deletion

Event | Action
Active account + valid consent | Data is retained for as long as the purpose exists
You withdraw consent for a domain | New entries are rejected immediately; an automatic deletion job removes the domain’s data — normally the same day and within 30 days at the latest
You delete your account | All your health data (incl. progress photos) is deleted automatically immediately after account deletion
24 months of inactivity | If you do not log, change, or export health data for 24 months, we automatically delete all your health data. You receive an email notice after 18 months of inactivity and at least 14 days before deletion; any new entry resets the period
Proof of consent | Timestamps of consent given/withdrawn are retained for up to 5 years as proof of valid consent (GDPR Art. 7(1))

Deletion covers both database records and image files in file storage. Copies in security backups subsequently expire through routine backup rotation.


5. Access and data portability

You can order a complete copy of your health data directly in the app at any time (GDPR Arts. 15 and 20):

  • The export is delivered as a ZIP file in machine-readable JSON format and covers all five domains plus progress photo metadata
  • The download link is personal and expires after 15 minutes; you can always request a new one
  • For security reasons, you can request at most 5 exports per 24 hours
  • The export works regardless of your consent choices — your right of access is never conditional on consent

6. Staff access and logging

Access to your health data is technically restricted. When an administrator exceptionally needs to view health information (e.g. to help you following your request), the system requires a written reason (at least 10 characters), and the access is recorded in an audit log with who, when, and why.


7. Processors and security

  • Health data is stored in a separate database, isolated from membership and payment data, and identified only by an internal user ID (pseudonymisation) — without name, email, or civil registration number
  • Progress photos and export files reside in secure, access-restricted file storage on our own operations infrastructure and are only delivered via personal, time-limited links
  • All transport is encrypted (TLS); hosting and operations are provided by a European hosting provider under a data processing agreement (GDPR Art. 28)
  • We do not disclose your health data to third parties for marketing or analytics

8. Your rights

Under GDPR Chapter III you have the right to:

  • Access the data we process about you (Art. 15)
  • Rectification of inaccurate data (Art. 16) — you can correct your own entries in the app
  • Erasure (Art. 17) — via per-domain withdrawal or account deletion
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20) — see section 5
  • Withdrawal of consent at any time (Art. 7(3))

We make no automated decisions and perform no profiling based on your health data — it is used solely to display your own overviews.

Contact us at kontakt@vfg.dk to exercise your rights or if you have questions. You also have the right to lodge a complaint with the supervisory authority:

Datatilsynet (Danish Data Protection Agency)
Carl Jacobsens Vej 35, 2500 Valby, Denmark
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
www.datatilsynet.dk


9. Changes

We may update this page, e.g. for new features or changes in legislation. For material changes we will inform you in the app and obtain renewed consent where required by law. The effective date at the top is always updated.

Train when you want
Strong community
Quality equipment
Since 1995
Old school vibes
Personal training
Always help available
Fitness for everyone
Great location
Free trial session
No commitment period
Wide range of machines
Experienced staff
Cozy atmosphere