1. Who we are
GymApp ("we", "us", "our") is a multi-tenant fitness management platform. Your data controller is the gym or studio you signed up with. GymApp acts as a data processor on their behalf.
2. Data we collect
- Account data: name, email, phone number
- Usage data: class bookings, attendance check-ins, membership history
- Payment data: processed by Stripe or Razorpay — we do not store card details
- Communication data: emails sent via Resend; SMS via Twilio
3. Legal basis (GDPR Article 6)
- Contract performance — to deliver your membership and class bookings
- Legitimate interests — platform security, fraud prevention, analytics
- Consent — marketing emails (you may withdraw at any time)
4. Third-party processors
- Supabase — database and authentication (EU-hosted, ISO 27001)
- Resend — transactional email delivery
- Twilio — SMS OTP authentication
- Stripe / Razorpay — payment processing (PCI-DSS compliant)
- Vercel — application hosting (edge network)
5. Your rights (GDPR)
- Access — download your data from your profile page
- Portability — export as JSON from your profile
- Erasure — delete your account from your profile page
- Rectification — update your details in your profile
- Objection — unsubscribe from marketing in your profile
6. Data retention
Active account data is retained for the duration of your membership plus 12 months. Anonymised usage statistics may be retained indefinitely. Audit logs are deleted after 90 days.
7. Cookies
We use essential cookies for authentication. With your consent, we use anonymous analytics cookies. You can change your cookie preferences at any time via the banner at the bottom of the page.
8. Contact
For privacy requests, contact privacy@gymapp.io