
Client Data Privacy in Fitness: The 2026 Guide

Gyms and personal trainers handle health and biometric data, a special category under the GDPR. Here are the legal bases, risks and compliant tools.


Pietro Previtali

11 min read


Gyms and personal trainers handle clients' health and biometric data, which the GDPR treats as a special category (Art. 9): injuries, health conditions, and body measurements such as weight and body-fat percentage that say something about a person's health. Processing it carries stricter obligations than ordinary data, starting with explicit consent. This guide explains why this data is so sensitive, the legal bases for processing it, the risks of running everything on unprotected WhatsApp or Excel, and how to choose tools that genuinely support compliance.

Important disclaimer, to read first: this article is informational material, not legal advice. The GDPR and privacy rules have many application nuances. For your specific situation — privacy notice, record of processing, whether you need a DPO — consult a lawyer or a Data Protection Officer (DPO). What follows is meant to orient you, not to replace a professional.

The short answer

Personal trainers and gyms handle data the GDPR treats as special category, i.e. sensitive: health-related data (injuries, conditions, limitations, and body measurements taken to track health and fitness) and, when processed for the purpose of uniquely identifying someone (for example a fingerprint or face template on a gym turnstile), biometric data. Article 9 of the GDPR prohibits processing this data in principle, subject to a closed list of exceptions; the one that matters for this sector is the data subject's explicit consent. In practice that means a clear privacy notice, specific and separate consent for health data that the client can withdraw at any time, collecting the minimum necessary, limited retention and respect for the client's rights. Handling this data on unprotected chats and spreadsheets is a real risk; you need tools designed for compliance.

Why fitness data is "special category"

The GDPR distinguishes between ordinary personal data (name, email, phone) and special-category data, which enjoys reinforced protection because its misuse can seriously harm a person. This includes health-related data and biometric data processed to uniquely identify a person.

A personal trainer or a gym routinely collects information falling into this category:

  • Health data: prior injuries, conditions, limitations, medications, sports medical certificates, pain and conditions reported by the client.
  • Body-composition data: weight, circumferences, body-fat percentage, readings from impedance scales, progress photos. Fitness jargon calls these "biometrics"; in GDPR terms they are health data rather than biometric data, a label Art. 9 reserves for data such as a fingerprint or face template processed to uniquely identify someone. Either way, in a coaching context they sit in the special category.

This data is the heart of coaching work — without it you can't program well — but for that very reason it must be handled carefully. It's not bureaucracy for its own sake: it's protecting information about the bodies and health of people who trust you.

The basics of processing: what you must own

The GDPR revolves around a few principles that, translated into a trainer's daily work, become concrete actions.

  • Correct legal basis: for ordinary data (name, email, payments), performance of the contract may suffice; for health data, in most cases in this sector, you need the data subject's explicit and separate consent (Art. 9(2)(a)). A generic "for the service" consent isn't enough, the client must be able to withdraw it as easily as they gave it, and once withdrawn you stop processing the health data from that moment on.
  • Clear privacy notice: the client must know what data you collect, why, how long you keep it and to whom you disclose it. In plain language, not incomprehensible legalese.
  • Minimization: collect only what you genuinely need for coaching. If you don't need a data point, don't collect it; a field your intake form doesn't have is a field you can't leak.
  • Storage limitation: don't keep data forever. Define a retention period, state it in the notice, and delete (or anonymise) the data when it expires or the coaching relationship ends.
  • Data subject rights: the client can access their data, correct it, request its deletion (the "right to be forgotten"), obtain it in a portable format and withdraw consent. You must be able to respond to these requests, as a rule within one month.
  • Security: data must be protected with measures appropriate to the risk (Art. 32): controlled access, encryption at rest and in transit, tested backups, and a record of who accessed what. An Excel file on the desktop or an unprotected chat are not adequate measures.

The risks of unprotected WhatsApp and Excel

Many trainers start out running everything on WhatsApp and Excel spreadsheets. It's understandable, but it's also the most common weak point on the privacy front. Here's why.

  • Health data in chats not designed for it: sending injuries, conditions or progress photos into a generic chat mixes sensitive data with personal conversations, with no control over where it ends up and who accesses it. End-to-end encryption protects the message in transit, not the copy that lands in a phone's cloud backup or sits on a device you don't control.
  • Unprotected Excel files: files scattered across devices, without encryption or access control, often shared via email or personal cloud. If the laptop is stolen or the account compromised, the clients' sensitive data is exposed, and a lost unencrypted file is a personal data breach you may have to notify to the supervisory authority within 72 hours (Art. 33). With full-disk encryption and a key the thief doesn't have, the same theft is far less likely to be reportable.
  • No rights management: if a client asks to delete all their data, how do you respond if it's scattered across ten chats, three spreadsheets and a personal cloud? Fragmentation makes honoring rights nearly impossible.
  • No proof of consent: without consent collected and recorded properly (which notice the client saw, what they agreed to, and when), you have no way to demonstrate the legal basis for processing in case of an inspection.
  • Opaque non-EU transfers: many generic tools host data on non-EU servers, with international-transfer (Chapter V) implications the trainer often doesn't even know about.

The point isn't to demonize messaging, but to understand that sensitive data requires tools built to protect it, not apps designed for something else.

How to choose GDPR-compliant tools

A tool suited to handling sensitive fitness data should cover a few key requirements. Here's a best-practice checklist.

Best practice, and why it matters:

  • Data hosting in the EU: reduces the complexity of international data transfers.
  • Explicit, separate consent for health data: covers the Art. 9 legal basis for health and body-composition data.
  • Recorded privacy notice and consents: demonstrable legal basis in case of inspection.
  • Minimization by design: the tool collects only what coaching needs.
  • Data export on request: honors the client's right to portability.
  • Full deletion on request: honors the right to be forgotten, verifiably.
  • Controlled access and encryption: technical security adequate to the data's level.
  • Data centralized in one place: makes data subject rights manageable.
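The processing basics listed earlier and the checklist above are easy to state and easy to get wrong inside a product. The following Python sketch is an added example written for this article, not Athleex code or any vendor's implementation: a small in-memory consent ledger that refuses to store health data without an active, separately recorded Art. 9 consent, accepts only an allowlist of fields (minimization), applies a retention period, and implements export and erasure while keeping a pseudonymised audit trail as proof. The purpose name, the field allowlist, the two-year retention period, the audit format and the sample client data are all assumptions chosen for the example.

```python
"""Consent ledger sketch: separate Art. 9 consent, minimization, retention, export, erasure.
Added example for this article; in-memory only, not production code."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

ORDINARY, HEALTH = "ordinary", "health"   # contract (Art. 6(1)(b)) vs explicit consent (Art. 9(2)(a))
HEALTH_PURPOSE = "health-coaching"        # assumption: one named purpose covers all health data
# Minimization by design: the only fields the tool will accept per category (assumption).
ALLOWED_FIELDS = {ORDINARY: {"name", "email"}, HEALTH: {"injury", "condition", "weight_kg", "body_fat_pct"}}


class ConsentMissing(Exception):
    """Health data would be processed without an active explicit consent."""


@dataclass
class Consent:
    subject_id: str
    purpose: str
    notice_version: str
    notice_sha256: str                    # fingerprint of the notice text the client actually saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        # Withdrawal only works forward: processing done before it stays lawful (Art. 7(3)).
        return self.granted_at <= when and (self.withdrawn_at is None or when < self.withdrawn_at)


@dataclass
class Record:
    subject_id: str
    category: str
    key: str
    value: str
    created_at: datetime


@dataclass
class Ledger:
    retention: timedelta = timedelta(days=730)       # assumption: keep health data for two years
    consents: list[Consent] = field(default_factory=list)
    records: list[Record] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)   # accountability trail; subject ids pseudonymised

    def _log(self, now: datetime, event: str, subject_id: str) -> None:
        self.audit.append(f"{now.isoformat()} {event} subject={hashlib.sha256(subject_id.encode()).hexdigest()[:16]}")

    def grant_consent(self, subject_id: str, purpose: str, notice_version: str, notice_text: str, now: datetime) -> Consent:
        c = Consent(subject_id, purpose, notice_version, hashlib.sha256(notice_text.encode()).hexdigest(), now)
        self.consents.append(c)
        self._log(now, f"consent_granted:{purpose}:{notice_version}", subject_id)
        return c

    def withdraw_consent(self, subject_id: str, purpose: str, now: datetime) -> None:
        for c in self.consents:
            if c.subject_id == subject_id and c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = now
        self._log(now, f"consent_withdrawn:{purpose}", subject_id)

    def has_consent(self, subject_id: str, purpose: str, when: datetime) -> bool:
        return any(c.subject_id == subject_id and c.purpose == purpose and c.active_at(when) for c in self.consents)

    def store(self, subject_id: str, category: str, key: str, value: str, now: datetime) -> Record:
        if key not in ALLOWED_FIELDS.get(category, set()):
            raise ValueError(f"field {key!r} is not collected for category {category!r}")
        if category == HEALTH and not self.has_consent(subject_id, HEALTH_PURPOSE, now):
            raise ConsentMissing(f"no active explicit consent for {HEALTH_PURPOSE!r}")
        self.records.append(Record(subject_id, category, key, value, now))
        return self.records[-1]

    def purge_expired(self, now: datetime) -> int:
        """Storage limitation: drop health records older than the retention period."""
        keep = [r for r in self.records if not (r.category == HEALTH and now - r.created_at > self.retention)]
        removed, self.records = len(self.records) - len(keep), keep
        if removed:
            self._log(now, f"purged_expired:{removed}", "-")
        return removed

    def export_subject(self, subject_id: str) -> str:
        """Access / portability: everything held on one client, as JSON."""
        payload = {"subject_id": subject_id,
                   "consents": [asdict(c) for c in self.consents if c.subject_id == subject_id],
                   "records": [asdict(r) for r in self.records if r.subject_id == subject_id]}
        return json.dumps(payload, default=str, sort_keys=True)

    def erase_subject(self, subject_id: str, now: datetime) -> int:
        """Erasure: remove the client's data and consents; only a pseudonymised audit line remains."""
        removed = sum(r.subject_id == subject_id for r in self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        self.consents = [c for c in self.consents if c.subject_id != subject_id]
        self._log(now, f"erased:{removed}", subject_id)
        return removed


def demo() -> dict:
    """One client's lifecycle on constructed sample data; returns results a test can check."""
    t0, day, led = datetime(2026, 1, 10, tzinfo=timezone.utc), timedelta(days=1), Ledger()
    led.store("client-42", ORDINARY, "email", "c42@example.com", t0)
    try:
        led.store("client-42", HEALTH, "injury", "left knee, meniscus 2024", t0)
        blocked = False
    except ConsentMissing:
        blocked = True
    led.grant_consent("client-42", HEALTH_PURPOSE, "notice-v3", "constructed notice text", t0)
    led.store("client-42", HEALTH, "injury", "left knee, meniscus 2024", t0 + day)
    led.withdraw_consent("client-42", HEALTH_PURPOSE, t0 + 2 * day)
    try:
        led.store("client-42", HEALTH, "weight_kg", "81.4", t0 + 3 * day)
        blocked_after_withdrawal = False
    except ConsentMissing:
        blocked_after_withdrawal = True
    exported = json.loads(led.export_subject("client-42"))
    purged = led.purge_expired(t0 + 800 * day)          # the health record is now past retention
    erased = led.erase_subject("client-42", t0 + 801 * day)
    return {"blocked_without_consent": blocked, "blocked_after_withdrawal": blocked_after_withdrawal,
            "records_exported": len(exported["records"]), "purged": purged, "erased": erased,
            "records_left": len(led.records), "audit_lines": len(led.audit)}
```

Two design choices are worth noting. Consent is checked at write time against the purpose, not with a single "agreed to everything" flag, so withdrawing it blocks new health data without retroactively invalidating what was lawfully collected. And erasure removes the personal data but leaves a pseudonymised audit line, which is what lets you show an inspector that consent existed and that the deletion request was honored, without keeping the data itself.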

Athleex is designed with this logic: data hosting in the EU on Hetzner servers in Germany, a GDPR-first approach, biometrics management with explicit Art. 9 consent collected separately, and data export and deletion on the client's request. Centralizing athlete data in a single platform, instead of scattering it across chats and spreadsheets, is in itself a measure that makes respecting data subject rights far easier. Even communication can be tidy: the unified inbox brings in-app chat, WhatsApp and Instagram into one traceable place, instead of leaving sensitive data scattered across personal conversations. You'll find the full feature picture on the features page, a focus on the trainer's work in for trainers, the implications for members in how it works and the dedicated gyms area. On the overall management side, the guide on gym management software for small gyms can help too.

Why this sets you apart

A trainer or gym that handles client data seriously communicates professionalism and builds trust. In a sector where many run everything loosely, being able to say "your health data is processed with explicit consent, hosted in the EU, and you can request its export or deletion whenever you want" is a real differentiator, not just compliance. Privacy done well is also honest marketing.

Disclaimer

This article is purely informational and educational and does not constitute legal advice. The GDPR guidance is simplified and general; concrete application depends on your specific situation and on the interpretations of the competent authorities. For your privacy notice, record of processing, assessment of whether you need a DPO, and every privacy obligation, consult a lawyer or a qualified Data Protection Officer.

Conclusion

The data you collect as a trainer or gym — health, injuries, biometrics — is special category and must be handled with explicit consent, minimization, security and respect for the client's rights. Running it on unprotected WhatsApp and Excel is an avoidable risk: GDPR-first, EU-hosted tools make compliance the easiest path, not an obstacle. If you want to handle your clients' data seriously from day one, try Athleex free and set up consent, export and deletion as part of the flow, not as an afterthought.

FAQ

Is the data I collect as a personal trainer sensitive data? Very often, yes. Weight, measurements, body-fat percentage, injuries, conditions, limitations and medical certificates fall under health-related data, which the GDPR classifies as special category under Article 9, i.e. sensitive data with reinforced protection. Biometric data in the strict GDPR sense, such as a fingerprint or face template processed to uniquely identify someone, also falls into this category. It's the heart of coaching work, but for that very reason it must be handled with obligations stricter than ordinary data like name and email. This article is informational: for your specific situation consult a lawyer or a DPO, because concrete application has many nuances.

Do I need client consent to process health data? In most cases in the fitness sector, yes, and it's a special kind of consent. For ordinary data, performance of the contract may suffice as a legal basis, but for health data Article 9 of the GDPR typically requires the data subject's explicit, specific and separate consent: a generic "for the service" consent isn't enough. The consent must be accompanied by a clear notice on what data you collect, why, how long you keep it and to whom you disclose it. It must also be collected and recorded in a demonstrable way. To set up your notice and consents correctly, get support from a privacy professional.

Is it a problem to manage client data on WhatsApp and Excel? It's the most common weak point on the privacy front. Sending injuries, conditions or progress photos into generic chats mixes sensitive data with personal conversations, with no control over where it ends up. Unprotected Excel files, scattered across devices without encryption or access control, expose data if a laptop is stolen or an account compromised. Moreover, with data fragmented across ten chats and three spreadsheets, it becomes nearly impossible to honor a deletion or export request. It's not about demonizing messaging, but understanding that sensitive data requires tools built to protect it.

What should I check in a tool to be compliant? A few key requirements. Data hosting in the EU, to reduce the complexity of international transfers. Explicit, separate consent for health data, covering the Article 9 legal basis. The ability to export and fully delete data on the client's request, to honor the rights to portability and erasure. Controlled access and encryption as adequate technical security. And centralizing data in one place, which makes data subject rights manageable instead of scattering them everywhere. Athleex is built this way: EU-hosted on Hetzner, Art.9 consent for biometrics, export and deletion on request. It remains orientation material, though: validate your choices with a DPO or lawyer.

Does the GDPR apply even if I'm a freelance trainer with few clients? Yes. The GDPR applies to the processing of personal data regardless of the size of the activity: even a freelancer with few clients processes health data and has the same basic obligations on notice, consent, minimization, security and respect for rights. Some obligations are scaled to the nature and risks of the processing, but the principles hold for everyone, and the special category works against small-business exemptions: for example, the exemption from keeping a record of processing activities for organisations with fewer than 250 employees (Art. 30(5)) does not apply when special-category data is processed other than occasionally, so a trainer who records health data on every client usually needs that record anyway. In fact, for a small professional, setting up good practices from the start is easier than fixing things later, when data is already scattered across chats and spreadsheets. This article is informational: to understand exactly what you need in your case, consult a lawyer or a DPO.

Tags: GDPR, fitness privacy, sensitive data, biometrics, consent