Privacy Policy


1. Introduction

This privacy policy (“Privacy Policy”) gives you an overview of the data processing that 24-7FITNESS CLUB OÜ (“Club” or “we”) carries out in its activities, and of the details of that processing.

In more detail, the Privacy Policy describes the following important facts:

  • Contact details of the controller
  • Purposes and legal bases of processing personal data
  • Origin of personal data
  • Retention of personal data
  • Transfer of personal data to third parties
  • Security and links to external websites
  • Data protection rights and their exercise
  • How to deal with questions or complaints
  • Updating the privacy policy

The Privacy Policy contains important information for you, especially if you visit our website (https://24-7fitness.ee; “Website”), use the services we offer, or apply for a job vacancy at our clubs.

We highly value your privacy and right to privacy, which is why we consistently comply with the requirements set out in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other legislation when processing any personal data. Making the privacy policy available and constantly updating it helps us to best fulfill our information obligation under Articles 13 and 14 of the GDPR.

2. Contact details of the controller

The controller of your personal data is 24-7fitnessklubi OÜ;

Register code: 14045006;

Address: Laki põik 4, Tallinn 12919, Republic of Estonia;

If you have any questions related to the processing of personal data, please contact us at info@24-7fitness.ee.

3. Purposes and legal bases of processing personal data

We process your personal data only to the minimum extent necessary to achieve the purposes described in this section of the Privacy Policy. Any processing of personal data has a specific and limited purpose and legal basis, which is described in more detail below.

3.1. Conclusion and execution of customer contracts

To provide services and carry out related supporting activities (e.g. reservation management), we process the following customer personal data:

  • first and last name;
  • contact information (telephone number, email address);
  • personal identification code;
  • data collected through the 24-7fitness mobile app and card entry: location data, time of club visit, booked workouts, attended workouts;
  • details of the contract and the selected package, contract breach details;
  • payment details.

The legal basis for such data processing is the preparation of a contract between the Club and you or the performance of a contract already concluded (Article 6(1)b) of the GDPR).

3.2. Marketing activities and communication

If you have given us your consent, for example by entering your email address in the newsletter recipient list on the Website, we will occasionally send you newsletters, including information related to our services and activities that may be of potential interest to you. Depending on the content of your consent, we may process your first and last name, data on your preferred language of communication, and contact information (telephone number, email address) during marketing activities.

The legal basis for sending newsletters as a processing of personal data is your consent as the data subject (Article 6(1)a) of the GDPR).

You can withdraw your consent at any time by clicking the “unsubscribe” or “unsubscribe from newsletters” button next to each newsletter. You can also unsubscribe from newsletters by sending us an email with your request to the email address specified in Chapter 2 of the Privacy Policy.

When you send us an email or contact us by other methods, you generally provide us with personal data in the course of this activity, such as your first and last name, email address, and any additional personal data that may be reflected in the content of your message. The legal basis for the processing of personal data provided by you on your own initiative, including the processing of personal data for the purpose of responding to inquiries and questions, is, depending on the content of the inquiry, either the consent of the data subject (Article 6(1)a) of the GDPR), the need to take steps prior to entering into a contract / the performance of a contract (Article 6(1)b)) or our legal obligation as the controller, for example when responding to inquiries regarding the processing of personal data (Article 6(1)c)). If the legal basis for processing your personal data is consent, you can withdraw it at any time by sending us a notification to that effect at the email address specified in Chapter 2 of the Privacy Policy.

Please note that the withdrawal of consent does not affect the lawfulness of data processing carried out on the basis of prior, valid consent.

3.3. Recruitment

From time to time and as needed, we seek additional staff to fill vacant positions. For this purpose, we may organize competitions that we publish on personnel search portals (e.g. CV-online, CV-keskus) and/or on the Website.

If you decide to participate in a competition to fill a vacant position, we will process the following personal data about you as a candidate:

  • first and last name;
  • personal identification code or date of birth;
  • residential address, email address and telephone number;
  • education and qualification data;
  • work history and experience data (previous jobs and positions);
  • language proficiency data;
  • data necessary for the conclusion and performance of an employment contract, i.e. data on working and rest hours, salary data and data concerning employment at a specific job (only for the selected candidate);
  • other information that you provide to us on your own initiative during the application process.

The data processing described above is necessary for the preparation of a potential employment contract or other similar contract between us and you as the data subject (Article 6(1)b) of the GDPR).

3.4. Fulfillment of obligations arising from legal acts

In certain cases, we need to process personal data to fulfill obligations arising from legislation (including, for example, the Accounting Act and tax legislation), which it is not reasonable to list specifically in the Privacy Policy.

Such data processing also includes, for example, responding to requests from authorities and providing supervisory and investigative authorities with information requested by them, including the release of video surveillance recordings within the framework of various procedures.

The legal basis for such data processing is the need to comply with a legal obligation to which we, as the controller, are subject (Article 6(1)c) of the GDPR).

3.5. Legitimate interest of the club and third parties

In the context of certain data processing, we must also rely on our legitimate interest or that of third parties in processing personal data. This includes data processing for the following four purposes:

  • development of services (e.g. aggregated analysis of visit and booking data, peak hours in clubs, mobility between clubs);
  • organizing video surveillance to protect the safety, interests and property of the club, its employees and visitors;
  • the establishment, exercise and defense of legal claims; and
  • collection of fee arrears.

Within the framework of all data processing activities based on legitimate interest, only such data shall be processed as is minimally necessary to achieve the purpose in question. This means that, for example, during the development of services, aggregated and anonymized usage statistics (e.g. visit and booking logs) are processed without personal profiling of customers. No sound is recorded during video surveillance, the camera layout is well thought out, marked, and video surveillance areas are limited. When resolving claims and disputes, membership/visit logs, relevant recordings and customer communications are processed only on a case-by-case basis and no data is collected for any customer on a “just in case” or proactive basis.

We have conducted a legitimate interest analysis for data processing based on legitimate interest using the methodology set out in the relevant guidelines of the Data Protection Inspectorate and implement protective measures (e.g. data anonymization, access logging in technical environments, cryptography, limited retention periods, physical protective measures), as a result of which it has been determined that our data processing does not disproportionately affect the interests, fundamental rights or freedoms of any data subject.

3.6. Website management and user experience improvement

To inform clients and other persons interested in our services and activities, we have created a Website that provides comprehensive information about the services offered by the Club. It is also possible to use self-service, purchase subscription packages, and book training sessions via the Website. To enable the self-service functionalities of the website, we process personal data that enables login (user account data, authentication data, in the case of login with an ID card, its authentication data and the connection to the customer's user account).

The legal basis for such data processing is the preparation of a contract to be concluded between the Club and you or the performance of a contract already concluded (Article 6(1)b) of the GDPR).

In addition to the above, we use cookies on the Website, the purpose of which is to provide you with a better, faster and more secure user experience. Web cookies are small text files that are stored on your computer, smartphone, tablet or other device that you use to visit the Website. Web cookies provide us with information about how the Website is used, allow us to compile statistics about the number of visitors to the Website, display marketing content that may be of interest to you, and ensure the functionality and user-friendliness of the Website.

Web cookies are divided into persistent and session cookies based on their retention period. Persistent cookies remain on your device until their retention period expires (or until you decide to delete them), even after you close your browser or turn off your device. However, session cookies are deleted immediately when you close your web browser.

Based on the purpose of use, a common four-part classification of web cookies is as follows:

  • Essential cookies – strictly necessary cookies ensure the functioning of the basic functions of the Website, including allowing you to navigate the Website and use many of its functionalities (e.g. filling in fields, accessing different sub-sections of the Website);
  • Functional cookies – functional cookies are used to remember data related to a website visitor, such as language, time zone, enhanced content;
  • Performance cookies – performance cookies, or analytical cookies, are used to see how visitors use the website. These cookies do not allow visitors to be directly identified;
  • Advertising and marketing cookies – advertising and marketing cookies allow us to display advertisements that are potentially of interest to the Website visitor, measure the effectiveness of the advertisement (for example, the number of clicks on it) and regulate its repetition for the same visitor.

The cookies used on the website may change over time. By visiting the website, you agree to the use of cookies that are strictly necessary for the functionality of the website, and no separate consent is requested for the use of such cookies. The Website asks for your consent to use other cookies, which you can change and withdraw at any time.

Detailed information about the cookies used on the Website, including a complete list of cookies, can be found on the Cookies Information Page, which is accessible by clicking on the cookies icon displayed in the lower left corner of the Website.

4. Origin of personal data

The personal data we process comes from:

  • the data subject themselves;
  • previous employers (in the case of recruitment processes);
  • public sources (in the case of recruitment processes).

5. Retention of personal data

We retain personal data only for the time necessary to fulfill the processing purposes set out in Chapter 3 of the Privacy Policy.

  • Conclusion and execution of customer contracts

Data related to the conclusion and performance of customer contracts is retained for the duration of the customer contract and for 3 years from the end of the customer contract.

  • Marketing activities and communication

The relevant personal data will be stored until the need for processing ceases, but no longer than until the withdrawal of consent, which was the legal basis for specific marketing activities.

  • Recruitment

The employment contract concluded with the successful candidate, together with the related pre-contractual information, will be retained for 10 years from the end of the contract in accordance with the Employment Contracts Act.

Application data will be stored for 1 year from the end of the relevant competition (in accordance with the limitation period set out in § 25 of the Equal Treatment Act), unless the candidate consents to the further storage of their data.

  • Data processed for purposes related to legitimate interest

Visit and booking data is retained for the duration of the customer contract and for 3 years from its end. Video surveillance recordings are stored for a maximum of 30 days from the date the corresponding recordings were made. If the storage capacity is filled earlier, the retention period of recordings will also be shorter (earlier recordings will be overwritten). Data related to the submission of legal claims, the exercise and defense of the Club's rights, and the collection of arrears of fees will be retained until the respective legal dispute is resolved.

  • Data processed to comply with legal requirements

To comply with legal obligations and in other exceptional cases, we may retain personal data for a longer period than the above, including:

(a) to comply with legal obligations;

(b) for accounting reasons;

(c) for reasons related to the realization of potential claims.

For example, to enable us to file claims or to object to potential claims against us, we may retain personal data for a maximum of 10 years in accordance with the statute of limitations for claims and, in the case of ongoing disputes, until their final resolution.

6. Transfer of personal data to third parties

We may transfer your personal data to third parties only if there is a corresponding legal basis (for example, to authorized processors with whom a data processing agreement has been concluded that complies with the requirements of Article 28 of the Data Protection Act or, at your request, to your insurance provider).

The Club will not transfer your personal data to recipients located outside the European Economic Area. However, if it is absolutely necessary to provide you with services, for example due to the characteristics of the cookies and technological tools used to operate the website, your personal data will only be transferred to recipients outside the European Economic Area whose country of residence ensures an adequate level of protection of personal data and/or the corresponding level of protection can be achieved by implementing appropriate safeguards (e.g. standard data protection clauses).

7. Security and links to external websites

We have implemented IT, organizational, and physical security measures (cryptography, access rights management, physical locking systems) to ensure the security of personal data. Access to any personal data is strictly need-based and job-based.

Our employees have access to personal data strictly on a need-to-know basis in accordance with their employment contract or job description for the purpose of performing their job duties. In certain cases, partners and service providers who provide specific services to us (e.g. security services) may also have limited access to personal data.

The Website may contain references and links to other websites controlled by third parties. Please note that if you click on such a link, or navigate on your own initiative to another website referenced on our Website, you will be on a third-party website where the data processing is not under our control. Therefore, we recommend that you also read the privacy policies and cookie information of the respective third parties.

8. Data protection rights and their exercise

Pursuant to the GDPR, you have the following data protection rights:

  • Right to request access to personal data

You have the right to request information about whether and what personal data we process about you, and on what legal basis and in what manner. You also have the right to request a copy of the personal data processed about you.

  • The right to request correction and deletion of personal data

You have the right to request that we correct any errors in the personal data we process about you (for example, if the personal data has changed). You also have the right, in certain cases, to request that we delete the personal data we process about you.

Please note that we may have the right or obligation to refuse to delete specific personal data, for example if continued processing is necessary to secure potential claims or to comply with legal obligations.

  • Right to restrict the processing of personal data

You have the right to request that we restrict the processing of your personal data. In such a situation, we retain the right to process your personal data only to a limited extent, for example to secure possible claims or to comply with legal obligations.

  • Right to object

If the legal basis for processing your personal data is our legitimate interest, you have the right to object to the processing of your personal data. You also have the right to object to any automated decision-making by us and the processing of personal data related to direct marketing.

  • Right to data portability

If we process your personal data based on consent or an obligation arising from a contractual relationship, you have the right to request that we provide you with your personal data in a structured, commonly used and machine-readable format. If technically feasible, you also have the right to request that we transfer your personal data to another controller indicated by you.

  • The right to withdraw consent at any time

If the legal basis for processing your personal data is consent, you have the right to withdraw that consent at any time. Please note that the withdrawal of consent does not affect the lawfulness of data processing based on previous, valid consent.

To exercise the rights described above, please contact us at the email address provided in Chapter 2 of the Privacy Policy.

Please note that data protection rights are not absolute and we must assess for each request whether and to what extent data protection legislation allows us to satisfy your request. We will respond to your request within one month of receiving it. If it is not possible to respond to the request within one month, we may extend the response deadline by two months, informing you of the extension of the deadline and the reason for it within one month of receiving the request.

9. How to deal with questions and complaints

If you have any questions or complaints regarding the processing of personal data, please contact us at the email address provided in Chapter 2 of the Privacy Policy. We will respond to you within one month of receiving your question or complaint.

If you do not agree with the response you receive, you have the right to file a complaint with the Data Protection Inspectorate (address: Tatari 39, Tallinn 10134; e-mail: info@aki.ee; phone: +372 627 4135).

10. Updating the privacy policy

We constantly strive to ensure that both the data processing we perform and the related documentation are simple, clear and transparent, and meet all legal requirements and best data protection practices.

Accordingly, we regularly update, clarify and improve the Privacy Policy. You can always find the latest version on our website (https://24-7fitness.ee/privacypolicy). We will also inform customers of changes via email.

Last updated: 21.10.2025