Privacy Policy

Last updated: May 2026

Max Perform Lab ("MPL", "we", "us") is committed to protecting your personal data. This Privacy Policy explains what information we collect, why we collect it, and how we protect it — in accordance with Saudi Arabia's Personal Data Protection Law (PDPL) and its implementing regulations.

1. Who We Are

Max Perform Lab is an elite personal training and performance coaching facility located in the An-Narjis District, Riyadh, Saudi Arabia.

2. Data We Collect

We collect the minimum data needed to provide our services:

Category | Examples | Source
Identity & Contact | Full name, phone number, email address | Booking form, WhatsApp
Health & Fitness | Fitness goals, injury history, InBody & VALD assessment results | Booking wizard, on-site assessment
Payment | Transaction reference, card type, last 4 digits | Tap Payments (payment processor)
Booking Activity | Program selected, session dates/times, attendance history | Our booking system
Technical | IP address, browser type, pages visited | WordPress / server logs

We do not store full card numbers, CVVs, or banking credentials. All payment processing is handled by Tap Payments — a PCI-DSS compliant processor.

3. Legal Basis for Processing

Under the Saudi PDPL, we process your data on the following bases:

  • Contractual necessity — to book sessions, process payments, and send session confirmations.
  • Consent — for health and fitness data provided voluntarily during assessments.
  • Legitimate interest — for service improvement, fraud prevention, and internal analytics.
  • Legal obligation — to comply with Saudi financial and consumer protection regulations.

4. How We Use Your Data

  • Process and confirm bookings and payments
  • Communicate session reminders and updates via WhatsApp or email
  • Generate invoices and receipts
  • Design personalised training and nutrition programs
  • Track progress over time using assessment data
  • Respond to enquiries and support requests
  • Comply with legal or regulatory requirements

We do not use your data for automated decision-making that produces legal effects about you, and we do not sell your data to third parties for marketing purposes.

5. Data Sharing

We share your data only where necessary:

  • Tap Payments — to process card, mada, Apple Pay, stc Pay, Tabby, and Tamara transactions. Governed by their own privacy policy.
  • Hostinger — our website hosting provider. Servers are located in the EU; data transfers are protected by standard contractual clauses.
  • WhatsApp Business (Meta) — used for booking confirmations and client communication. Messages are end-to-end encrypted.
  • Legal authorities — only when required by Saudi law, a court order, or a regulatory body.

6. Data Retention

  • Booking & payment records — retained for 5 years to comply with Saudi commercial and VAT regulations.
  • Health & assessment data — retained for the duration of your membership plus 12 months, then deleted unless you request otherwise.
  • Website logs — retained for 90 days, then automatically purged.
  • Marketing communications — until you opt out.

7. Data Security

We protect your data using:

  • TLS/HTTPS encryption for all data transmitted via our website
  • Password-protected admin access with role-based permissions
  • Regular security audits and software updates
  • Restricted staff access — only personnel who need your data to deliver services can access it

In the event of a data breach that poses a risk to your rights, we will notify the relevant Saudi authority and affected individuals as required by the PDPL.

8. Your Rights Under the PDPL

As a data subject under Saudi Arabia's Personal Data Protection Law, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correct: Ask us to update inaccurate or incomplete data
  • Delete: Request deletion of your data where we no longer have a legal basis to retain it
  • Restrict: Ask us to stop processing your data in certain circumstances
  • Withdraw Consent: Withdraw consent for optional processing at any time, without affecting past processing
  • Object: Object to processing carried out on the basis of legitimate interests

To exercise any of these rights, contact us at frontdesk001@maxperformlab.com. We will respond within 30 days.

9. Cookies & Tracking

Our website uses minimal cookies:

  • Strictly necessary — WordPress session and security cookies required for the booking system to function.
  • Preferences — remembering language selection and dismissed banners.

We do not use third-party advertising trackers or cross-site tracking cookies.

10. Children's Privacy

Our services are intended for individuals aged 16 and above. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a minor's data has been collected without consent, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of the page. Material changes will be communicated via email or a notice on our website.

12. Contact Us

For any privacy-related questions, data requests, or complaints, please reach out:

Max Perform Lab
An-Narjis District, Riyadh, Saudi Arabia

If you are unsatisfied with our response, you may lodge a complaint with the Saudi Authority for Data and Artificial Intelligence (SDAIA).