Privacy Policy

Gymspace plays two different roles depending on whose data we are talking about, and your rights differ slightly in each case.

As a service provider to gyms (a processor). When a gym uses Gymspace to manage its members, the gym decides what information to collect and why. We process that member information on the gym's behalf and under our contract with them. If you are a member of a gym, your gym is the first point of contact for questions about your data, and we will support your gym in responding to your requests.

As the business you deal with directly (a controller). When you visit our website, request a demo, or use a Gymspace account as a gym owner, manager, or staff member, we decide how your information is used, and this policy governs that directly.

If you fill out our demo or contact form, we collect the information you provide, such as your name, company, email address, and any phone number or message you include. When you submit the form, we also automatically record technical information such as your IP address and browser information, and we use third-party tools to help protect our forms against spam and abuse.

Our marketing website uses analytics and tag-management tools, which may collect standard usage information (such as the pages you view and general device and location signals) and may set cookies, and we embed a third-party scheduler on our booking page so you can arrange a call.

To create and secure a Gymspace login we collect your name and email and a securely hashed version of your password. We never store your password in plain text. If you turn on two-factor authentication, we store an encrypted authenticator secret and encrypted backup codes. Each time you sign in we create a session and record your IP address, browser and device information, and the time, and we keep a security and audit log of account actions (such as sign-ins, password changes, and staff changes). We briefly store failed sign-in attempts and short-lived email sign-in codes to protect your account against abuse.

When a gym manages its members in Gymspace, the gym may store the following about each member. The exact information depends on what your gym chooses to collect:

• Identity and contact details: name (including middle name), email address, phone number, mailing address, and date of birth.
• Profile photo, if your gym adds one.
• Emergency contact name and phone number.
• Household and guardian links: members can be grouped into a household, and a member's record can be linked to a guardian's account.
• Membership and billing details: plan type and tier, start and end dates, status (such as active, paused, expired, or canceled), amounts billed, balance owed, payment dates, and any membership freezes (which can include a short note your gym enters).
• Entry and attendance: a membership barcode or fob, and a record of check-ins (the date, time, and location of each visit) and class registrations.
• Purchases: point-of-sale transactions and the items bought at the gym, and any store gift-card balances.
• Signed documents: liability waivers, including the handwritten signature captured when the waiver is signed.
• Additional information your gym adds: Gymspace gives gyms a flexible field for extra member attributes and free-text notes, so a gym may store additional details there. What goes in is controlled by your gym.

The member information stored is controlled by each gym. Where a gym enrolls a member who is a minor or stores a date of birth, the gym is responsible for obtaining any consents required to enroll that member.

Card payments are handled by our third-party payment provider. Card details are entered and processed directly by that provider, so your full card number, security code, and expiration date never reach Gymspace's servers and are never stored by us. We keep only the limited records we need to operate billing, such as transaction amounts and the related reference identifiers.

When you access or use Gymspace, we and our service providers automatically collect a broad range of information about your device, network, and activity. This may include your IP address, device and browser characteristics, unique device and session identifiers, operating system, language and locale, the pages and features you view, the links and actions you take, referring and exit pages, access times, and other usage and diagnostic data. We collect this information using cookies, log files, and similar technologies, and we may combine it with other information we hold about you. For signed-in gym staff, certain activity is retained in an audit log that gym administrators may review.

We and our analytics partners use this information to operate, maintain, secure, personalize, analyze, and improve the service. If you use our optional desktop application, it may transmit usage, performance, and diagnostic information, including crash reports, to our servers, and we may store that information together with associated identifiers and technical details.

We use the information described above to:

• provide, operate, and improve Gymspace and support our customers;
• create and secure accounts, authenticate users, and prevent fraud and abuse;
• process payments and keep billing records accurate;
• enable the core gym features a gym chooses to use, such as check-ins, classes, point of sale, and waivers;
• send important transactional messages (see below);
• respond to demo requests and communicate with prospective customers; and
• meet our legal, accounting, and security obligations.

Where the law requires a legal basis (for example under the GDPR), we rely on performing our contract with you or your gym, our legitimate interests in running and securing the service, your consent where we ask for it, and compliance with legal obligations.

We send transactional and service messages, such as password resets, staff account invitations, sign-in confirmations, and demo or lead confirmations. When a new sales lead or signup comes in, our team may receive an internal notification that includes the contact details submitted on the form.

We use cookies and similar technologies. In the logged-in application, essential cookies keep you signed in and protect your session, and we use analytics to understand product usage. On our marketing website, we and the third parties we work with may set cookies for analytics, advertising, security, and related purposes.

You can control cookies through your browser settings, including blocking or deleting them, though some features may not work without essential cookies. If you have questions about cookies, you can contact us at contact@gymspace.io.

We do not sell your personal information. We may share information with third-party service providers, vendors, and integration partners who perform functions on our behalf, such as hosting, data storage, payment processing, communications, analytics, and security. These parties are permitted to use the information only as needed to provide their services to us.

We may also share information when required by law, to protect the rights, safety, and security of Gymspace, our customers, or others, or in connection with a merger, acquisition, or sale of assets, in which case we will continue to protect your information consistent with this policy.

Gymspace is hosted in the United States. If you access the service from outside the United States, your information will be transferred to and processed in the United States. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for these transfers.

We take security seriously. Each gym's data is isolated so that one gym cannot access another gym's information, data is encrypted in transit, passwords are stored only as secure hashes, and sensitive secrets such as two-factor keys and signing keys are encrypted at rest. We limit internal access and keep audit logs. No system is perfectly secure, but we work hard to protect the data you entrust to us.

We keep personal information for as long as it is needed to provide the service, for as long as a gym's account is active, and as required to meet our legal, accounting, and security obligations. Some information is short-lived by design, such as failed sign-in records and one-time sign-in codes. If you are a gym member, your information is retained according to your gym's settings and instructions. When information is no longer needed, we delete or de-identify it.

Depending on where you live, you may have the right to access, correct, delete, or receive a copy of your personal information, to object to or restrict certain processing, and to withdraw consent. We do not sell your personal information, and we will not discriminate against you for exercising your rights.

• If you have a Gymspace account (a gym owner, manager, or staff member) or you contacted us through our website, email us at contact@gymspace.io and we will respond as required by law. We may need to verify your identity first.
• If you are a member of a gym that uses Gymspace, your gym controls your information, so please direct your request to your gym. If you contact us, we will help your gym respond.

Gymspace is intended for use by gyms and their staff, not for direct use by children. We do not knowingly collect personal information directly from children. Where a gym enrolls a member who is a minor, the gym is responsible for obtaining any required parental or guardian consent.

Our website and product may link to or embed third-party services. Their use of your information is governed by their own privacy policies, and we encourage you to review them.

If you have any questions or requests about this policy or your information, email us at contact@gymspace.io.