Privacy Policy — Nexicat (Arkemius Solutions Pvt. Ltd.)
Effective date: April 30, 2025
Last updated: August 28, 2025
Arkemius Solutions Pvt. Ltd. ("Arkemius", "we", "us", "our") operates Nexicat — our gym and studio management software — including our websites, the Nexicat web application, mobile applications, and related services (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use the Services.
This Policy is intended to comply with applicable Indian law, including the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"). If your use is subject to other laws (e.g., EU/UK), see Section 17.
If you do not agree with this Policy, please do not use the Services. By using the Services, you acknowledge that you have read and understood this Policy.
1) Who we are and how roles work
- Data Fiduciary (Controller): For our own marketing sites, your account with us, billing, support, and direct communications, Arkemius Solutions Pvt. Ltd. is the Data Fiduciary.
- Data Processor: For data that gyms/studios (our Customers) enter into Nexicat about their members, staff, and operations, we process such data on behalf of the Customer according to our contract and their instructions. Customers are responsible for their notices and consents to their end‑users.
Brand name: Nexicat
Legal name: Arkemius Solutions Pvt. Ltd.
Privacy contact: Use the in‑product Help & Support → Privacy option to reach our privacy team and submit requests.
2) What we collect
We collect the following categories of personal data, depending on your relationship with us and how you use the Services:
a) Visitor & marketing data
- Contact details you submit (name, email, phone), company name and role, interests, demo/booking details.
- Device and usage data (IP address, browser, device identifiers, pages viewed, referring URLs, timestamps, cookies and similar technologies).
b) Customer account & billing data
- Account owner/admin details (name, email, phone), authentication data, organization profile, role/permissions.
- Billing contact, transaction metadata, plan and invoice history. Payment card/bank data is processed by our payment partners; we do not store full card details on our servers.
c) Member & staff data processed for Customers (processor role)
- Member profile data (name, contact, gender, date of birth/age), membership details (plan, start/end, attendance, bookings), interactions (notes, messages), identifiers assigned by the Customer.
- Optional data if enabled by the Customer: fitness goals, injuries/health notes, measurements, photos, location check‑ins, device IDs.
- Staff details (role, shifts, attendance/clock‑ins).
d) Integrations & communications
- WhatsApp/SMS/Email: phone numbers and message metadata to send approved templates and transactional/marketing messages per consent.
- Connected accounts (e.g., Google Business Profile): limited tokens/keys and profile/review data per permissions granted.
We collect data directly from you, automatically from your device when you use the Services, and from third parties (e.g., payment providers, sign‑in providers) as permitted by law.
3) Lawful grounds & how we use data
We process personal data as allowed under the DPDP Act: with consent, to perform a contract, for legitimate uses permitted by law (e.g., fraud prevention, network security), and to comply with legal obligations.
Purposes include:
- Provide, operate, secure, and improve the Services.
- Create and manage accounts; authenticate and authorize users.
- Process payments and prevent fraud.
- Enable gym workflows: member onboarding, attendance, bookings, scheduling, staff management, messaging, analytics, and reports.
- Send service/transactional messages; with consent, send product updates, offers, and surveys (opt‑out anytime).
- Provide support, resolve issues, and enforce terms.
- Comply with laws and respond to lawful requests.
We do not sell personal data.
4) Cookies & similar technologies
We use cookies and similar technologies to keep you signed in, remember preferences, analyze usage, and measure campaigns. You can manage preferences via your browser settings and (where available) our on‑site controls. Blocking some cookies may impact core functionality.
5) WhatsApp, SMS, and email communications
If you share your phone/email with us or with a Customer using Nexicat:
- You may receive transactional messages and, with consent, marketing messages via WhatsApp/SMS/email using approved templates.
- You may opt out at any time (reply STOP where supported, use unsubscribe links, or submit a request via Help & Support → Privacy).
- Customers using Nexicat must obtain any required consents from their end‑users before initiating messages through our platform.
6) Children’s data
Our Services are intended for businesses. We do not knowingly collect data from children without verifiable parental consent. Under Indian law, a child is under 18. If you are a Customer processing children’s data (e.g., teen memberships), you must ensure lawful consent and notices.
7) Data sharing and recipients
We share personal data only as needed:
- Service providers / processors: cloud hosting, security, analytics, email/SMS/WhatsApp, payment partners, customer support tools, and other sub‑processors under contract.
- Integrations: where you connect third‑party accounts, we share data per your configuration and their policies.
- Corporate events: business transfers, mergers, acquisitions (with continued protection of data).
- Legal & safety: to comply with law, enforce agreements, or protect rights, safety, and property.
We require recipients to protect personal data and use it only for the purposes disclosed.
8) International transfers
We may process and store data in India and in other countries where we or our service providers operate. Cross‑border transfers occur subject to applicable law. Where required, we use contractual safeguards to protect personal data.
9) Security
We implement reasonable security practices and procedures, including encryption in transit, access controls, logging, and periodic reviews. However, no system is perfectly secure. If we become aware of a data breach affecting you, we will notify you and applicable authorities as required by law and our contracts.
10) Retention
We retain personal data for as long as necessary for the purposes described, including:
- Customer account records: for the life of the account and a reasonable period thereafter to meet legal/contractual obligations and resolve disputes.
- Member data we process for Customers: as instructed by the Customer (we delete or return it at contract end, subject to legal holds).
- Marketing data: until you withdraw consent or we no longer need it (we will delete or de‑identify within a reasonable period).
11) Your choices and rights (India)
Subject to law, you may:
- Access information about how we process your personal data.
- Request correction of inaccurate or incomplete data.
- Request erasure of personal data when no longer necessary or when consent is withdrawn.
- Withdraw consent at any time (this will not affect processing already carried out).
- Nominate another individual to exercise your rights if you are unable to do so.
If you are an end‑user of a Customer (e.g., a gym member), please contact your gym/studio first; we support Customers in responding to requests. You can also submit requests via Help & Support → Privacy in the product.
12) Legal bases under other laws (summary)
If other laws apply (e.g., GDPR/UK GDPR), our legal bases include consent, performance of a contract, legitimate interests (e.g., to secure our Services, prevent fraud, and improve features), compliance with legal obligations, and establishment/defense of legal claims. See Section 17.
13) Third‑party links and services
The Services may contain links to third‑party websites, apps, and services. Their privacy practices are governed by their own policies. Please review them before providing personal data.
14) Automated decision‑making / Do‑Not‑Track
Our Services do not respond to browser Do‑Not‑Track signals. We do not engage in automated decision‑making that produces legal or similarly significant effects without human involvement.
15) Changes to this Policy
We may update this Policy from time to time. The updated version will be indicated by the "Last updated" date. Material changes will be notified via email or prominent in‑product notice. Continued use after updates means you accept the revised Policy.
16) India‑specific disclosures
- Notice & consent: We provide clear notices and obtain consent where required. You may withdraw consent via the methods described in Section 11.
- Sensitive personal data (SPDI Rules): Where we process data categorized as "sensitive" under Indian rules (e.g., passwords, financial details, health information), we use additional safeguards and share only under lawful conditions.
- Grievance redressal: Submit grievances through Help & Support → Privacy. We will acknowledge and address them within timelines required by Indian law.
17) Additional rights for EU/UK users (if applicable)
If you are in the EU/UK, you may have additional rights under the GDPR/UK GDPR: right to data portability, to object, to restrict processing, and to lodge a complaint with a supervisory authority. Cross‑border transfers rely on appropriate safeguards.
18) Contact & exercising your rights
Use the in‑product Help & Support → Privacy option to contact our privacy team or to submit access/correction/erasure/withdrawal requests. If you cannot access the product, use the general contact form on our website and mention "Privacy Request" in your message.
19) Key definitions
- "Personal data": data about an individual who is identifiable by or in relation to such data (DPDP Act).
- "Processing": any operation performed on personal data, including collection, storage, use, sharing, and deletion.
- "Data Fiduciary": the person who determines the purpose and means of processing personal data.
- "Data Processor": a person who processes personal data on behalf of a Data Fiduciary.
- "Customer": a gym, studio, or business that subscribes to Nexicat.
20) Country/region addenda (optional)
If you serve users outside India, add country/region addenda here (e.g., EU/UK, Singapore, Australia, U.S.).
Quick reference
- We are the Data Fiduciary for our own marketing, accounts, and billing; we are the Data Processor for Customer data.
- You can opt out of marketing and withdraw consent at any time.
- We do not sell personal data.
- We use reasonable security practices and contracted service providers.