
The EU Personal Trainer's Guide to GDPR-Compliant Coaching Software

By Ollie

Tags: gdpr, privacy, trainers, eu, compliance

EU-based trainer? Here's what GDPR actually means for your coaching tools, client data, and which platforms keep you compliant by design.


If you're a personal trainer based in the EU, GDPR isn't optional. It applies to you — even if you're a solo coach with 10 clients and no office.

Most trainers don't think about data protection until something goes wrong. But the platforms you use to manage clients, generate workouts, and track progress are making data decisions on your behalf. Some of those decisions could put you at risk.

Here's what you actually need to know.

What GDPR Means for Personal Trainers

GDPR (General Data Protection Regulation) governs how you collect, store, and process personal data of EU residents. As a personal trainer, you handle:

  • Health data (injuries, medical conditions, physical limitations)
  • Fitness data (weight, body measurements, workout history)
  • Personal identifiers (name, email, phone, payment info)

Health data is classified as "special category data" under GDPR Article 9. This is the strictest protection level — the same category as genetic data and biometric data.

What this means practically: You need explicit consent to process health data, and it must be stored securely with appropriate safeguards.

The Platform Problem

Here's where most trainers unknowingly create risk: the coaching platform you use determines where your clients' data goes.

US-Hosted Platforms

Most popular coaching tools — Trainerize, TrueCoach, Everfit — are US-based with US data centres. When you use them:

  • Client health data is transferred to the United States
  • This triggers GDPR's cross-border data transfer rules (Chapter V)
  • You need a valid legal basis for the transfer (typically Standard Contractual Clauses)
  • If the platform's SCCs are invalid or incomplete, you are liable — not just the platform

The 2020 Schrems II ruling invalidated the Privacy Shield framework, making US data transfers legally complex. Most trainers using US platforms are technically non-compliant and don't know it.

Cloud AI Platforms

If your platform uses cloud-based AI (OpenAI, Anthropic, Google) for workout generation:

  • Your client's fitness goals, injuries, and limitations are sent to a third-party AI provider
  • That provider may store, log, or use the data for model training
  • You may not have explicit consent for this specific processing purpose
  • The AI provider's data centre location adds another transfer layer

What Compliant Looks Like

A GDPR-compliant coaching setup has three properties:

1. EU data residency. Your clients' data is stored in an EU data centre. No cross-border transfer, no SCCs needed, no Schrems II risk.

2. Minimal third-party processing. Health data isn't sent to external AI providers unless absolutely necessary, with explicit consent, and with appropriate safeguards.

3. Clear data processing agreements. You have a DPA (Data Processing Agreement) with every tool that handles client data, specifying what data is processed, why, and how long it's retained.
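The three properties above are easier to hold a platform to when they are enforced at the point where health data leaves a client record, rather than only written into a policy. The following is an added illustration, not PumplAI's code and not something the post describes as implemented: a small Python model in which a release of special-category data is refused unless there is a signed DPA with the processor, the processor is EU-hosted (or has a documented transfer mechanism), and the client has given explicit, purpose-specific consent that has not been withdrawn. The purpose labels, processor names, region strings and the `dpa_signed` / `transfer_mechanism` fields are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Purpose(Enum):
    """Processing purposes a coaching platform might ask consent for (constructed labels)."""
    PROGRAMMING = "workout_programming"       # trainer builds the plan by hand
    AI_GENERATION = "ai_workout_generation"   # data sent to a model for generation
    FORM_ANALYSIS = "video_form_analysis"     # pose estimation on client video


@dataclass(frozen=True)
class Consent:
    """One explicit consent event, bound to a purpose, a processor and the notice the client saw."""
    purpose: Purpose
    processor: str                  # which tool/provider will receive the data
    given_at: datetime
    notice_version: str             # version of the privacy notice shown at the time
    withdrawn_at: Optional[datetime] = None


@dataclass
class Processor:
    name: str
    region: str                               # "EU", "US", ... (hypothetical labels)
    transfer_mechanism: Optional[str] = None  # e.g. "SCC": a documented Chapter V basis
    dpa_signed: bool = False                  # is a Data Processing Agreement in place?


@dataclass
class ClientRecord:
    client_id: str
    health_data: dict               # special-category data: injuries, conditions, limits
    consents: list = field(default_factory=list)


class ProcessingBlocked(Exception):
    """Raised when health data would be released without a lawful, consented basis."""


def has_valid_consent(record: ClientRecord, purpose: Purpose, processor_name: str) -> bool:
    """True only if an un-withdrawn consent exists for exactly this purpose and processor."""
    return any(
        c.purpose == purpose and c.processor == processor_name and c.withdrawn_at is None
        for c in record.consents
    )


def check_release(record: ClientRecord, purpose: Purpose, processor: Processor):
    """Return (allowed, reason). Checks run in order; the first failure is reported."""
    if not processor.dpa_signed:
        return False, f"no DPA with {processor.name}"
    if processor.region != "EU" and processor.transfer_mechanism is None:
        return False, f"{processor.name} is in {processor.region} with no transfer mechanism"
    if not has_valid_consent(record, purpose, processor.name):
        return False, f"no explicit consent for {purpose.value} via {processor.name}"
    return True, "ok"


def release_health_data(record: ClientRecord, purpose: Purpose, processor: Processor) -> dict:
    """The only path by which health data leaves a record; refuses unless every check passes."""
    allowed, reason = check_release(record, purpose, processor)
    if not allowed:
        raise ProcessingBlocked(reason)
    return dict(record.health_data)   # a copy, so the caller cannot mutate the record


def withdraw_consent(record: ClientRecord, purpose: Purpose, processor_name: str, when: datetime):
    """Mark matching consents withdrawn; later releases for that purpose are blocked."""
    record.consents = [
        Consent(c.purpose, c.processor, c.given_at, c.notice_version, withdrawn_at=when)
        if c.purpose == purpose and c.processor == processor_name and c.withdrawn_at is None
        else c
        for c in record.consents
    ]
    return record


def run_scenario() -> dict:
    """Constructed walkthrough; returns the allow/deny decision at each step."""
    now = datetime.now(timezone.utc)
    record = ClientRecord("client-001", {"injuries": ["left knee"]})   # constructed sample
    eu_db = Processor("eu-db", region="EU", dpa_signed=True)
    us_model = Processor("us-model-api", region="US", dpa_signed=True)
    no_dpa = Processor("mystery-tool", region="EU", dpa_signed=False)
    results = {}
    results["before_consent"] = check_release(record, Purpose.PROGRAMMING, eu_db)[0]
    record.consents.append(Consent(Purpose.PROGRAMMING, "eu-db", now, "notice-v1"))
    results["after_consent"] = check_release(record, Purpose.PROGRAMMING, eu_db)[0]
    # consent for one purpose does not carry over to another purpose
    results["other_purpose"] = check_release(record, Purpose.AI_GENERATION, eu_db)[0]
    record.consents.append(Consent(Purpose.AI_GENERATION, "us-model-api", now, "notice-v1"))
    # even with consent, a non-EU processor without a transfer mechanism is refused
    results["us_no_mechanism"] = check_release(record, Purpose.AI_GENERATION, us_model)[0]
    results["no_dpa"] = check_release(record, Purpose.PROGRAMMING, no_dpa)[0]
    withdraw_consent(record, Purpose.PROGRAMMING, "eu-db", now)
    results["after_withdrawal"] = check_release(record, Purpose.PROGRAMMING, eu_db)[0]
    return results


if __name__ == "__main__":
    for step, allowed in run_scenario().items():
        print(f"{step}: {'allowed' if allowed else 'blocked'}")
```

The point of routing every release through `release_health_data` is that a missing DPA, a US-hosted processor or a consent given for a different purpose fails closed instead of being discovered in an audit; the consent record also stores the notice version, which is what lets you show later that the consent was specific and informed rather than a generic intake-form checkbox.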

How PumplAI Handles This

We built PumplAI for EU trainers specifically:

EU-hosted database. Supabase, Frankfurt region. Client data stays in the EU. No cross-border transfers.

On-device AI. Workout generation runs on the client's device via Qwen3 (Ollama). Health data never leaves the phone for AI processing. There's no transfer to protect against.

Browser-side form checking. MediaPipe Pose runs in the browser. Video data is processed locally and never sent to any server.

No third-party AI data sharing. We don't send client data to OpenAI, Anthropic, or any external model provider.

This isn't a policy choice — it's an architecture decision. Privacy by design, not by afterthought.

Your GDPR Checklist as a Trainer

Whether you use PumplAI or not, here's what every EU trainer should verify:

  • [ ] Where is client data stored? Ask your platform. If the answer is "US" or "we don't know," that's a red flag.
  • [ ] Do you have explicit consent for health data? A checkbox in your intake form isn't enough — it needs to be specific, informed, and freely given.
  • [ ] Is there a Data Processing Agreement? Every tool that handles client data should provide one.
  • [ ] Can clients request data deletion? GDPR gives clients the "right to be forgotten." Your platform must support this.
  • [ ] Are you notified of data breaches? Your platform must notify you within 72 hours of a breach. You must notify your supervisory authority within 72 hours of learning about it.
  • [ ] Is AI processing disclosed? If your platform uses AI to generate workouts, clients should know their data is being processed by AI — and by which provider.

The Bottom Line

GDPR compliance isn't about ticking boxes on a privacy policy page. It's about where data physically lives, who processes it, and whether your clients genuinely consented to each processing purpose.

Most coaching platforms treat GDPR as a legal document problem. We treat it as an engineering problem. The safest data transfer is the one that never happens.

---

PumplAI is EU-hosted, on-device AI, with real-time browser-side form checking. Built for trainers who take their clients' privacy seriously.
