Privacy policy

ENHANCE FITNESS LLC (“Enhance Fitness”, “Enhance”, “we”, “us”, “our”) is a consumer-facing fitness company based in the GCC (including the United Arab Emirates, the Kingdom of Saudi Arabia, the State of Qatar, the Kingdom of Bahrain, and other regional jurisdictions where we operate). We operate fitness facilities and related in-person services. We consider the privacy and data protection of our customers’ essential to our business and implement robust measures to safeguard its security, integrity, and confidentiality.

Data Controller. For the purposes of applicable data protection laws, Enhance Fitness LLC is the Data Controller for the personal data described in this Policy

What this Policy covers. This Policy explains how we collect, use, share, and protect personal data relating to: App users, customers, and prospective customers; Individuals booking trainers or using fitness service through the App; and individuals interacting with ou App-based marketing and communications.

What this Policy does not cover. This Policy does not apply to any software/platform operations (e.g., apps, dashboards, SaaS) governed by Enhance Tech / USA Technologies LLC or other vendors, which act as our processors only where applicable and are subject to their own privacy governance.

Applicable data protection frameworks. Our primary framework is UAE Federal Decree-Law No. 45 of 2021 (PDPL) for UAE-mainland processing, alongside Bahrain’s Personal Data Protection Law (Law No. 30 of 2018) and other relevant GCC data protection laws (including in the Kingdom of Saudi Arabia and the State of Qatar) where we operate. Where we process personal data of individuals located in other regions (e.g., the EU under the GDPR, Brazil under the LGPD, or California under the CCPA/CPRA), we apply the disclosures and rights required by those regimes only to the extent applicable to that processing. Wherever feasible, we process data in anonymized or pseudonymized form.

Continuous improvement & contact. We review and update this Policy to reflect new technologies, business practices, and legal requirements. For questions, concerns, or to exercise your rights (including access, rectification, or deletion), please contact us at [email protected]

1. PRINCIPLES AND GUIDELINES

We process Personal Data first and foremost under the UAE Personal Data Protection Law (PDPL – Federal Decree-Law No. 45 of 2021,) and under the Bahrain’s Personal Data Protection Law (Law No. 30 of 2018). Where specific processing brings us within scope of the EU GDPR or Brazil’s LGPD (“Applicable Data Protection Laws” ) we apply those regimes only to the extent applicable to that processing.

Core principles:

• Lawfulness, fairness and transparency (incl. clear notices to Data Subjects).
• Purpose limitation ("Finality") – we process only for explicit, legitimate purposes communicated to you.
• Data minimization ("Necessity") – we collect only what is necessary for the stated purposes.
• Accuracy – we keep data accurate and up to date where appropriate.
• Storage limitation – we retain data only for as long as needed for the purposes and legal requirements.
• Integrity and confidentiality ("Security") – we protect data with appropriate technical and organizational measures.
• Accountability – we can demonstrate compliance and oversee our processors.

Operational guidelines:

• Lawful bases. Processing occurs under the legal bases permitted by PDPL. Where GDPR/LGPD apply to a given activity, we may additionally rely on legitimate interests or vital interests as those laws allow.
• Data minimization & purpose fidelity. We collect only the minimum data necessary and use it strictly for the purposes communicated to you.
• No sale of Personal Data. We do not sell your Personal Data. We may share it with carefully selected processors/sub-processors under written contracts, our instructions, and appropriate safeguards. Where a partner acts as an independent controller, we will make that clear.
• Marketing. We send marketing communications with consent, Legitimate Interest, or as otherwise permitted by law, and you can withdraw consent or opt out at any time.
• International transfers. When data is transferred outside the UAE/GCC (or outside the relevant jurisdiction under GDPR/LGPD), we use legally compliant safeguards.
• Retention. We apply documented retention periods aligned to legal, fiscal, and operational needs, after which data is securely deleted or anonymized.

2. FUNDAMENTAL CONCEPTS

See below some fundamental concepts for understanding this document, as well as the processing of your personal data:

Applicable Data Protection Frameworks: Collectively refers to: (i) the United Arab Emirates Personal Data Protection Law (PDPL – Federal Decree-Law No. 45 of 2021) and related executive regulations; (ii) the European Union General Data Protection Regulation (GDPR); (iii) the Brazilian General Data Protection Law (LGPD) and (iv) Bahrain's Personal Data Protection Law (PDPL, Law No. 30 of 2018). PDPL is our primary framework for UAE-mainland activities; GDPR/LGPD (and other regimes) apply only to the extent applicable to the relevant processing.

Supervisory / National Authority: The public authority responsible for monitoring and enforcing the applicable data protection law.

• UAE: the UAE Data Office.
• Bahrain: the Personal Data Protection Authority (PDPA).
• Brazil: the Autoridade Nacional de Proteção de Dados (ANPD).
• European Union: the competent Supervisory Authority in each Member State (e.g., CNIL in France, AEPD in Spain, CNPD in Portugal).

Personal Data: Any information relating to an identified or identifiable natural person (a Data Subject). Examples include name, identification numbers, contact details, online identifiers, and information relating to physical, economic, cultural, or social identity.

Sensitive / Special Category Personal Data: Personal data requiring enhanced protection.

• Under PDPL/GDPR, this typically includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for uniquely identifying a person, health data, and data concerning sex life or sexual orientation. (Under GDPR, information about criminal convictions/offences is subject to separate safeguards.)
• Under LGPD, Sensitive / Special Category Personal Data ("dados pessoais sensíveis") follows a substantially similar list (including health, genetic and biometric data).

Data Subject: The natural person to whom the Personal Data relates.

Controller (GDPR/PDPL) / Controlador (LGPD): The person or entity that determines the purposes and means of processing Personal Data.

Processor (GDPR/PDPL) / Operador (LGPD): A person or entity that processes Personal Data on behalf of the Controller and under its instructions (for example, IT hosting providers, payment service providers, HR/recruitment platforms, marketing tools). Processors/Operators must adopt appropriate security, confidentiality, and compliance controls.

Processing: Any operation or set of operations performed on Personal Data, whether by automated means or not, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation, control, modification, communication, transfer, dissemination, extraction, or any other handling.

Anonymization: Irreversible processing by which Personal Data can no longer be associated with, or used to identify, a Data Subject (directly or indirectly), considering reasonable technical means likely to be used.

Pseudonymization: Processing that reduces the linkability of Personal Data to a specific Data Subject by replacing identifiers with codes or tokens; while risk is reduced, re-identification remains possible with additional information kept separately under appropriate controls.

3. PURPOSE

This Policy aims to establish the guidelines and principles for the protection of personal data that allow ENHANCE to process personal data in accordance with Applicable Data Protection Laws, as well as the best market practices:

1. Providing guidance on the adoption of technical and administrative controls to meet the requirements for personal data protection, according to current legislation;
2. Safeguarding the data subjects whose personal data are processed by ENHANCE, in defense of their fundamental rights of freedom and privacy and the free development of the personality of the natural person;
3. Preventing possible causes of personal data breaches and information security incidents related to the processing of personal data;
4. Minimizing risks of negative impacts on the financial, reputational, market share and customer trust as a result of data breaches.

For effective compliance with the guidelines set forth in this Policy, the Data Protection Officer ("DPO"), with the support of ENHANCE's Privacy Committee, will adopt all appropriate measures so that this Policy is properly communicated, understood and followed at all levels of ENHANCE. Periodic reviews will be carried out to ensure their continued relevance and suitability to ENHANCE's needs, as well as compliance with current legislation.

4. RULES ON PROCESSING

4.1. General rules for the protection of personal data

We process personal data only when permitted by UAE Federal Decree-Law No. 45 of 2021 (PDPL) and relevant GCC laws. Whenever processing data abroad, Enhance also considers GDPR and LGPD standards. Typical bases include consent (especially for marketing), contract performance (e.g., class bookings, memberships), legal obligations (tax, accounting, health & safety), and legitimate interests (service improvement, fraud/security), as allowed by PDPL. See UAE PDPL overview and controls.

All processing of personal data at ENHANCE must meet the following requirements:

1. Collection for a purpose: Personal data may be collected only for legitimate and defined purposes.
2. Purpose and use specified at the time of collection: The purposes for which the personal data is collected will be specified at the time of data collection. The further processing of the personal data collected may not be done in a manner that is incompatible with the initial stated purposes.
3. Limit to necessary processing: Personal data must always be limited to the minimum necessary and relevant for the fulfilment of the purposes of the data processing. Personal data should not be kept for a period longer than necessary to fulfill the established purpose.
4. Security, integrity and confidentiality: All personal data must be treated in such a way that its security is ensured, including protection against unauthorized or unlawful access and processing and against accidental loss, destruction or damage, applying the appropriate technical or organizational measures.
5. Transparency: All processing of personal data must be done in a transparent manner for the Data Subject.

4.2. Requirements for the processing of personal data

Certain situations require specific legal bases that justify the processing of personal data:

4.2.1. Data on Incapacitated and Minors

Our services, platforms and fitness offerings are not directed to individuals under 18 years of age. Enhance Fitness does not knowingly allow persons under 18 to create accounts, book services or use the Enhance Fitness app in their own name, and we do not assume any responsibility or liability for use of the services by minors. Responsibility for any such use lies with the adult who provides access, registers or pays for the services.

5. INTERNATIONAL DATA TRANSFER

According to the Applicable Data Protection Laws, the international transfer of personal data is only allowed in restricted cases, which may include obtaining specific consent from the data subject, adopting contractual clauses previously defined for this purpose, or when the transfer is carried out to a country that offers a level of protection similar to or higher than the Applicable Data Protection Laws, thus recognized by the National Authority.

Cases like this must be evaluated together with Compliance, Legal and the DPO, for the proper verification of compliance with requirements by the Applicable Data Protection Laws.

Whenever data is transferred outside the UAE, Bahrain, or other GCC jurisdictions (for example, to IT service providers), we use PDPL-compliant or Bahrain PDPL-compliant transfer mechanisms (e.g., adequate jurisdictions, contractual safeguards, or other permitted grounds). For GCC operations, we also consider local PDPL equivalents for cross-border transfers.

5.1 Data Subject Rights

Every Data Subject whose personal data is processed by ENHANCE has the following rights:

1. Access to personal data /information: each data subject may require information about personal data processed in relation to him/her, its origin and the purpose. The data subject also has the right to information about the identity of the data controller and information about the sharing of personal data;
2. Confirmation of the existence of processing: the data subject has the right to confirm the existence of processing of his or her data;
3. Information about which entities the controller has made the shared use of data;
4. Correction of incomplete, inaccurate or outdated data: the data subject has the right to demand the correction of their data if they are incomplete, inaccurate or outdated;
5. Anonymization, blocking or deletion of unnecessary, excessive or non-compliant data;
6. Deletion of personal data processed with the consent of the data subject: the data subject has the right to request the deletion of their data processed with consent. However, the deletion of data does not apply in case of compliance with a legal or regulatory obligation by the controller; study by a research body, ensuring, whenever possible, the anonymization of personal data; transfer to third parties and in compliance with the data processing requirements set out in the legislation; exclusive use of the controller, its access by third parties is prohibited and provided that the data is anonymized;
7. Portability: the data subject has the right to data portability to another service or product provider, by means of an express request, provided that commercial and industrial secrets are observed;
8. Revocation of consent: Information about the possibility of not providing consent and what the consequences of this refusal are;
9. Objection: the data subject may object to irregular processing;
10. Automated decision review: the data subject has the right to request clear and adequate information about the criteria used in automated decisions.

All communication with the data subject must be done in clear and transparent language. The response to requests for rights from data subjects must follow the "Personal Data Subject Rights Management Procedure".

For legal reasons, some requests may not be granted, such as in cases of:

• Compliance with a legal or regulatory obligation by the controller;
• Existence of a contract that is valid and effective;
• If the law determines minimum deadlines for data retention.

6. BREACH AND INCIDENT MANAGEMENT

Breaches to our systems that compromise Personal Data or Data Protection Incidents that jeopardize the security and/or confidentiality of the data, including breaches or incidents that may result in destruction, accidental or unlawful loss, alteration, unauthorized disclosure of, or access to personal data transmitted or stored, will be evaluated in accordance with ENHANCE's "Personal Data Breach and Leakage Incident Response Plan". All reports to the Data Protection Authority or the data subject about breaches and incidents must be made by the DPO.

7. TRAINING

We train relevant personnel on data protection and information security appropriate to their roles. Internally, we maintain governance to ensure PDPL compliance, vendor oversight, and privacy by design. Details of internal roles and procedures are documented in our internal privacy governance materials and are available upon regulatory request.

8. AI GOVERNANCE, COMPLIANCE AND PRIVACY

Scope of our AI use: Enhance Fitness LLC may use AI-enabled tools in limited ways (for example: anti-fraud checks during payments, capacity/booking optimization and basic audience segmentation for consent-based marketing). We do not sell personal data and we do not conduct AI uses that are unlawful in the UAE or otherwise prohibited. Where we rely on third-party vendors, they act as our processors under contract and our instructions.

UAE/Bahrain/GCC regulatory: We design, deploy and review any AI-enabled processing in line with UAE Federal Decree-Law No. 45 of 2021 (PDPL), Bahrain's Personal Data Protection Law (Law nº 30 of 2018) and other applicable GCC data protection laws. In particular, individuals have the right to object to decisions resulting from automated processing (including profiling) that produce legal or similarly significant effects, and to request human review; we provide suitable safeguards, transparency and a simple way to exercise these rights.

We also take into account UAE AI guidance, including Dubai's AI Ethics Principles & Guidelines and the UAE Charter for the Development and Use of AI (fairness, accountability, transparency/explainability, and safety).

EU AI Act: Where our operations or vendors bring us within scope of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689)—for example, if an AI system is placed on the EU market, is used in the EU, or its output is used in the EU—we will meet the applicable obligations for our role (typically as a deployer/user of AI). We will avoid prohibited AI uses, follow transparency duties for limited-risk AI, and—if any tool qualifies as high-risk—ensure required risk management, data/technical documentation, logging, human oversight and accuracy/robustness controls. The AI Act entered into force on 1 August 2024 with phased application through 2026–2027 (including early prohibitions from 2025 and most obligations applying from 2 August 2026, with certain GPAI legacy model obligations by 2 August 2027).

AI and Privacy:

1. Lawful basis & purpose limitation. We use personal data in AI-enabled processes only where a lawful basis applies (e.g., contract performance for bookings, legal obligation, or consent—particularly for direct marketing), and only for specified purposes.
2. Notice & transparency. We explain material AI-enabled uses in plain language in this Policy or activity-specific notices (e.g., recruitment or marketing), including how to exercise your rights.
3. Automated decision-making & profiling. We do not rely on solely automated decisions that produce legal or similarly significant effects without appropriate safeguards and meaningful human involvement. Individuals may object and request human review.
4. Data minimisation & quality. We minimise personal data used in AI workflows and apply accuracy, security and access controls proportionate to risk (including vendor obligations).
5. Training data & model improvement. If we (or our processors) propose to use personal data to train or fine-tune AI models, we will ensure a valid legal basis, apply de-identification/pseudonymisation where feasible, respect retention limits, and implement transfer safeguards if data leaves the UAE, Bahrain, or GCC.
6. Vendor management. We assess AI vendors/processors for PDPL compliance and (where applicable) EU AI Act duties, and require contracts that address instructions, confidentiality, sub-processing, security, incident notice, data location/transfer, training-data restrictions, testing/monitoring, and prompt cooperation on rights requests and audits.
7. Impact assessments & oversight. For higher-risk AI uses, we conduct and keep records of risk/impact assessments and adopt human-oversight measures commensurate with the risk and local law/guidance (e.g., DIFC Reg. 10, Dubai AI Ethics)

9. POLICY MANAGEMENT

The Corporate Privacy Policy is approved by the DPO, with the support of ENHANCE's Legal, Compliance and IT.

10. REVIEWS

This Policy is revised whenever necessary, in case of material changes in ENHANCE's business or as seen in the opinion of the DPO.