Your wellness business does not just manage appointments. It stores health, body and image data every day.
From membership forms and appointment apps to body measurements, health notes, skin/hair consultations, customer photos, WhatsApp campaigns, staff phones and old customer records — gyms, salons and spas handle personal data at every step. This 3-minute scan shows where DPDPA exposure may arise in your customer-data workflows. It collects no customer photos, health notes or records — only your answers about your processes.
Most wellness businesses don't have an appointment problem — they have a photo, health and customer-data control problem.
Your customer & wellness-data risk map
The free scan scores your firm across these five areas. Here is what each one looks at.
Customer & membership data risk
Member name, contact, address and emergency contact; membership/appointment history; payment and wallet details; service preferences; family/couple bookings.
First move: Map customer data across booking apps, walk-in forms, WhatsApp, Instagram DMs and staff notes, and define who can access it.
Health, body & consultation data risk
Fitness goals, weight, BMI and body measurements; medical conditions, injuries and allergies; skin, hair, body and therapy consultation notes.
First move: Treat health/body data as high-impact; limit access to staff who need it and keep it out of uncontrolled WhatsApp/notes.
Photos, marketing & WhatsApp risk
Customer photos, before-after images, bridal photos, transformation posts and testimonials; WhatsApp/SMS promotional campaigns and reminders.
First move: Get separate consent before using customer photos, offer a removal route, and add a marketing opt-out separate from reminders.
App, staff & vendor access risk
Appointment apps, gym/salon software, CRM, payment tools, WhatsApp platforms, fitness/biometric devices, CCTV and marketing agencies; staff and ex-staff access.
First move: Move to role-based, reviewed access; stop personal-phone/WhatsApp use for customers; remove ex-staff and old vendor access.
Retention & incident readiness risk
Old member records, photos, consultation notes, body metrics and WhatsApp chats kept for years; no plan for a wrong-photo share or exposed health note.
First move: Set retention + removal rules for photos and records, and write a simple wrong-recipient/breach response.
How the 3-minute scan works
Answer 10 quick questions
About your business type, customer data, health/body data, intake, photo consent, channels, apps/vendors, staff access and retention. ~3 minutes.
See your readiness score + risk map
A 0–100 DPDPA readiness score, your risk band, and five wellness-specific risk areas.
Get your priority fixes + checklist
The five controls to start with, plus the Gym / Salon / Spa DPDPA Starter Checklist.
What the scan checks
Ten plain-English questions across your real customer-data workflows. The scan collects no customer photos, health notes or records.
Gym, salon & spa DPDPA questions
Does the DPDPA apply to gyms, salons and spas?
Yes. Gyms, salons, spas and wellness studios collect personal data that can reveal health, body, appearance and lifestyle — membership details, fitness goals, body measurements, health declarations, consultation notes and customer photos — which makes them Data Fiduciaries under the Digital Personal Data Protection Act, 2023. The obligations apply regardless of business size, and not being a medical provider does not exempt you.
Do we need consent to post customer before-after photos or testimonials?
Yes. Customer photos, before-after images, bridal photos and testimonials are personal data, and using them for social media or ads needs separate, documented consent plus a way for the customer to ask for removal. Posting transformation results without specific consent is one of the most common DPDPA exposures in this sector.
Is fitness, body or consultation data really high-impact if we're not a clinic?
Yes. Weight, BMI, body measurements, injuries, allergies, skin/hair concerns and therapy notes are health and body data — high-impact even without a medical diagnosis. Limit who can access it, avoid keeping it in WhatsApp or staff notes without controls, and don't use it for promotion without clear consent.
What about staff using personal phones and WhatsApp for customers?
Staff using personal phones or personal WhatsApp to message customers, store photos or keep notes puts customer data outside any access control — a major risk, especially with shared logins or ex-staff access. Move customer communication to business channels and role-based, reviewed access, and remove ex-staff and old vendor access promptly.
How long can we keep old member records, photos and consultation notes?
The DPDPA expects data to be kept only as long as the purpose requires. Wellness businesses often keep old customer records, photos and consultation notes indefinitely for repeat bookings or marketing — that's the main exposure. Define a retention period, archive or delete past it, and offer customers a way to request removal of their photos and records.
Take the free scan
10 questions · 3 minutes · free · no login. Get your firm's DPDPA readiness score.
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.