Introduction
Welcome to GymFast ("we," "our," or "us"). GymFast is operated by Acasa Labs, a company registered in India.
We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our gym management platform at gymfast.app, including our web dashboard, staff mobile app, and member mobile app (collectively, the "Service").
By using GymFast, you agree to the collection and use of information as described in this policy.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, phone number (calling and WhatsApp), and password when your account is created by a gym administrator.
- Profile Information: Profile photo, date of birth, gender, address, and emergency contact details.
- Gym & Membership Data: Gym name, locations, membership plans, billing details, and payment history.
- Health & Fitness Data: Body measurements, fitness assessments, workout plans, and diet plans as entered by trainers or staff.
- Attendance Records: Check-in/check-out times, class attendance, and QR scan logs.
- Enquiry Information: Details provided during enquiry submissions, including fitness goals and preferred contact methods.
- Communication Data: Messages, notes, and follow-up records created by gym staff.
- Payment Information: Invoice details, payment amounts, payment methods (cash, UPI, card, bank transfer), and transaction records. We do not store full credit card numbers.
1.2 Information Collected Automatically
- Device Information: Device type, operating system, app version, and unique device identifiers.
- Usage Data: Features accessed, pages viewed, actions taken, timestamps, and session duration.
- Log Data: IP address, browser type, referring/exit pages, and crash reports.
1.3 Information from Third Parties
- Gym Administrators: Your gym administrator may provide your information when creating your account or managing your membership.
- Payment Processors: Transaction confirmations and payment status updates.
2. How We Use Your Information
We use the collected information for:
- Service Delivery: Managing gym memberships, processing payments, tracking attendance, scheduling classes, and enabling communication between gym staff and members.
- Account Management: Creating and maintaining user accounts, authenticating access, and managing role-based permissions.
- Notifications: Sending membership reminders, payment due alerts, class schedules, and other gym-related notifications via in-app notifications, email, or WhatsApp.
- Analytics & Improvement: Understanding usage patterns to improve our platform, fix bugs, and develop new features.
- Security: Detecting and preventing fraud, unauthorized access, and other security threats.
- Legal Compliance: Meeting legal obligations, enforcing our terms, and protecting our rights.
3. How We Share Your Information
We do not sell your personal information. We may share your data in these limited circumstances:
3.1 Within Your Gym
Your gym's owner, administrators, and authorized staff can access your membership data, attendance records, billing information, and other data necessary to manage your gym membership. Trainers assigned to you can access your fitness assessments, body measurements, and training data.
3.2 Service Providers
We use trusted third-party services to operate our platform:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Account data, gym data, all operational data |
| Vercel | Web hosting and deployment | IP address, usage data |
| Sentry | Error tracking and monitoring | Error logs, device info, anonymized usage data |
| Expo | Mobile app updates and notifications | Device tokens, app metadata |
3.3 Legal Requirements
We may disclose your information if required by law, court order, or government request, or to protect the rights, safety, or property of GymFast, our users, or the public.
3.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
4. Data Storage and Security
- Storage Location: Your data is stored on Supabase infrastructure in the Asia Pacific (Singapore) region.
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest.
- Access Control: We implement row-level security (RLS) policies ensuring users can only access data they are authorized to view. Role-based access controls limit what each staff member can see and do.
- Authentication: Passwords are hashed using industry-standard algorithms. We support secure token-based authentication for mobile apps.
While we implement commercially reasonable security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
5. Data Retention
- Active Accounts: We retain your data for as long as your account is active and your gym maintains an active subscription.
- After Deletion: When you or your gym administrator requests account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., financial records may be retained for up to 7 years per Indian tax regulations).
- Gym Closure: If a gym closes its GymFast account, all associated member data will be deleted within 90 days unless members request earlier deletion.
- Backups: Automated backups may retain deleted data for up to 30 additional days before being purged.
6. Cookies and Tracking
6.1 Web Dashboard
Our web dashboard uses essential cookies for:
- Authentication: Session cookies to keep you signed in.
- Preferences: Storing your selected gym location and dashboard preferences.
We do not use advertising cookies or third-party analytics trackers. Because we use only strictly necessary cookies, we do not display a cookie consent banner.
6.2 Mobile Apps
Our mobile apps use:
- Secure Storage: Encrypted local storage for authentication tokens and user preferences.
- No Third-Party Trackers: We do not embed third-party advertising or analytics SDKs in our mobile apps.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
7.1 All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (subject to legal retention requirements).
- Export: Request your data in a portable, machine-readable format.
7.2 GDPR Rights (European Users)
If you are in the European Economic Area (EEA), you additionally have the right to:
- Restrict Processing: Request limitation of how we process your data.
- Object to Processing: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw consent at any time where processing is based on consent.
- Lodge a Complaint: File a complaint with your local data protection authority.
Legal Basis for Processing (GDPR):
- Contract: Processing necessary to provide the Service.
- Legitimate Interest: Analytics, security, and service improvement.
- Legal Obligation: Compliance with applicable laws.
- Consent: Where explicitly obtained.
7.3 CCPA Rights (California Users)
If you are a California resident, you have the right to:
- Know: What personal information we collect and how it is used.
- Delete: Request deletion of your personal information.
- Non-Discrimination: We will not discriminate against you for exercising your rights.
We do not sell personal information as defined under the CCPA.
7.4 Indian Users
Under the Digital Personal Data Protection Act, 2023 (DPDPA), you have the right to:
- Access: Obtain a summary of your personal data and processing activities.
- Correction & Erasure: Request correction of inaccurate data or erasure of data no longer necessary.
- Grievance Redressal: Contact our grievance officer for any data protection concerns.
- Nominate: Nominate another person to exercise your rights in case of death or incapacity.
8. Children's Privacy
GymFast is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If a gym administrator creates an account for a minor, the gym is responsible for obtaining appropriate parental or guardian consent. If we learn that we have collected data from a child under 16 without proper consent, we will delete that information promptly.
9. International Data Transfers
Your data is primarily stored in Singapore (Asia Pacific). If you access our Service from outside this region, your data may be transferred to and processed in a jurisdiction with different data protection laws. By using the Service, you consent to such transfers. We ensure appropriate safeguards are in place for any international transfers.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. For material changes, we will notify gym administrators via email or in-app notification. Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- Email: support@gymfast.app
- General Inquiries: contact@gymfast.app
- Company: Acasa Labs, India
For DPDPA-related grievances, please contact our Grievance Officer at support@gymfast.app. We will acknowledge your grievance within 24 hours and resolve it within 30 days.
This privacy policy is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the courts in Surat, Gujarat, India.