GDPR and PCI for Studios
Also called: GDPR, PCI, data privacy fitness, PCI DSS studio
This is not legal advice — talk to a lawyer for jurisdiction-specific questions. But the practical shape is straightforward. GDPR requires that you handle EU and UK personal data (names, emails, attendance records) with a stated purpose, member consent where required, members' right to access and delete their data on request, and a breach-notification process if data leaks. The biggest day-to-day GDPR obligations for a studio: a privacy policy on your website, a way for members to download their own data, and a way to fully delete a member on request.
PCI DSS governs credit-card data. The compliance level a small studio needs is the lowest tier (SAQ-A or SAQ-A-EP), which mostly means: don't store full card numbers on your own systems. Use a payment processor (Stripe, Square, Adyen) that handles storage on their side. Your studio software should hold a token, not a card number.
The single biggest compliance trap for studios is migrating member data. If you export a CSV with member emails and addresses, then email that CSV around to staff on personal Gmail accounts, that's a GDPR violation. The fix is simple: keep the file in your studio software, restrict who can export it, and delete the exports once the migration is done.
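As an added example (not from this page or any studio product), here is a small Python check that ties the two points above together: run it over a member export before the file goes anywhere, and it flags any cell that looks like a full card number and confirms the payment column holds only processor tokens. The CSV layout and the pm_/cus_/card_ token prefixes are assumptions; adjust them to what your own software and processor actually use.

```python
import csv
import io
import re

# Constructed sample export in the assumed layout. "payment_ref" is where
# the processor token belongs. Row 103 is a deliberately bad record that
# holds a raw card number (a well-known test PAN, not a real account).
SAMPLE_EXPORT = """member_id,email,payment_ref
101,ana@example.com,pm_1AbCdEfGhIjKlMnO
102,ben@example.com,cus_9ZyXwVuTsRqPoN
103,cy@example.com,4111 1111 1111 1111
"""

# Assumed token shape: opaque processor ids with a short prefix.
TOKEN_RE = re.compile(r"^(pm|cus|card)_[A-Za-z0-9]{8,}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; True if the digit string passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """13-19 digits (spaces or dashes allowed) that pass the Luhn check."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def scan_export(csv_text: str) -> list[tuple[str, str]]:
    """Return (member_id, column) for every cell that looks like a card number."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, val in row.items():
            if looks_like_pan(val or ""):
                hits.append((row["member_id"], col))
    return hits


def payment_refs_are_tokens(csv_text: str) -> bool:
    """True only if every payment_ref is a processor token and never a PAN."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        ref = row["payment_ref"]
        if not TOKEN_RE.match(ref) or looks_like_pan(ref):
            return False
    return True
```

Any hit from `scan_export` means card data has reached your own systems and the export must not leave the software until that record is fixed.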
If your members are mostly local and your processor handles cards, you're 90% covered just by using compliant software. The remaining 10% is policy: a written privacy notice, a clear delete-on-request process, and instructor/staff training on not sharing exports outside the system.