A Project by Meridian Bridge Strategy
Compliance Guide

DPDP Compliance for Gyms & Fitness Centers

Running a gym? India's new DPDP Act affects how you handle customer data like membership details, he. Get expert help today.

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

DPDP Action Sheet

Use this before your next workflow goes live. It keeps the useful parts visible and turns DPDP into checks your team can actually answer.

For DPDP Compliance for Gyms & Fitness Centers, the DPDP question is how personal data enters the workflow, where it is stored, which tools touch it, what purpose was explained, and how deletion or withdrawal will work.

Check my data flow

1. Lead Forms

Check:

  • What data are you collecting?
  • Is the purpose clear at the point of collection?
  • Is marketing consent separate from service communication?
  • Can the user withdraw consent later?

Common mistake: one checkbox that silently covers newsletters, sales calls, partner sharing and remarketing.

2. Email and WhatsApp

Check:

  • Who is on the list?
  • Where did consent come from?
  • Is the list imported from a vendor, event, webinar, scrape or old CRM?
  • Can you prove the source of consent?

Common mistake: treating every lead as permanently marketable.

3. Ads and Retargeting

Check:

  • Are pixels or ad platforms receiving identifiable user behavior?
  • Are audiences built from customer lists?
  • Are lookalike or remarketing audiences using personal data?

Common mistake: assuming "the ad platform handles it" means your company has no DPDP responsibility.

4. Website Analytics

Check:

  • Which tools run on the site?
  • Are IP address, device identifiers, session IDs or form fields being captured?
  • Is analytics used only for measurement, or also for profiling and targeting?

Common mistake: installing tools first and asking privacy questions later.

5. Vendor List

Make a quick list:

  • CRM
  • Email platform
  • WhatsApp provider
  • Analytics
  • Ad pixels
  • Form tool
  • Landing page builder
  • Webinar tool

For each vendor, answer: what data goes there, why, who can access it and how deletion works.

6. This Week's Action

Map one campaign from first click to final follow-up. Mark every place personal data is collected, enriched, shared, uploaded or used for targeting.

If your team cannot answer where the data came from and where it goes next, start with a data flow map before rewriting policy copy.

Book a DPDP clarity call

Now think about your work. Where does personal data enter your workflows? Where does it sit? Who else touches it?

Frequently asked questions

Can I make fingerprint entry mandatory for all members?

No. You must provide an alternative, like a physical key card or a mobile QR code, for members who do not want to share biometric data.

Do I need a new contract if my trainers are independent contractors?

Yes. Your contract must legally bind the trainer to delete all client health data and progress photos from their personal devices once they stop working at your gym.

Can I use member phone numbers to send bulk SMS about new protein supplements?

Only if the member specifically opted-in to receive marketing messages. You cannot use the phone number they provided for "emergency contact" or "billing" to send sales pitches.

Real-World Examples Companies struggling with this issue

Health & Fitness

Cure.fit (cult.fit)

42

cult.fit collects intimate health data — heart rate, body measurements, workout capacity, injury history, and mental health content engagement — processing what is effectively continuous health monitoring. At 42/100, treating this health data with consumer app privacy standards instead of health data protections creates significant DPDP exposure.

⚠️ No DPDP Act 2023 reference
⚠️ Health metrics data (heart rate, calories, BMI) treated as standard app data
+5 more gaps detected
Feb 2026 View Report
Healthcare

PharmEasy

48

PharmEasy handles highly sensitive health data but its privacy policy doesn't explicitly align with the DPDP Act 2023. Key issues include non-granular consent for health information, unclear data retention, and an incomplete framework for user rights, posing significant regulatory and reputational risks.

⚠️ No explicit DPDP Act 2023 reference — still relies on older IT Act provisions
⚠️ Bundled consent for sensitive health data, not 'freely given' per Section 6
+5 more gaps detected
Apr 2026 View Report
Healthcare

Practo

53

Practo handles India's most sensitive personal data — medical records, doctor consultations, prescriptions, and health histories — scoring 53/100 on DPDP alignment. While healthcare-specific awareness is present, the lack of DPDP-specific consent granularity and retention timelines for medical data creates critical regulatory exposure.

⚠️ No DPDP Act 2023 reference — uses IT Act and MCI guidelines
⚠️ Health data processing consent not adequately granular
+4 more gaps detected
Feb 2026 View Report
Book clarity call