Data Protection Compliance

Privacy Policy

GymOS is committed to protecting your gym's data and keeping your member information secure. This policy outlines how we handle data as a data processor and controller.

Last updated: July 4, 2026

1. Introduction

GymOS ("we", "us", "our") operates the software-as-a-service gym management platform available at GymOS and associated services. We value the privacy of our subscribers (gym owners, managers, administrators) and their members.

This Privacy Policy details the types of information we collect, how we use it, how we secure it, and your rights in connection with this data. GymOS acts as a Data Processor for member data uploaded or managed by gym owners (the Data Controllers). GymOS acts as a Data Controller for account setup, billing, and transactional details of gym owners who subscribe directly to our service.

By registering for an account or using our platform, you consent to the practices described in this Privacy Policy.

2. Information We Collect

We collect information in the following categories to provide a fully operational dashboard:

Subscriber Profile Data

When a gym signs up, we collect personal and organizational details: Gym Name, Contact Name, Email, Phone Number, GSTIN/Business Identifiers, and billing details.

Gym Member Data

This data is provided directly by the gym owner or dashboard operator: member name, email, phone number, physical measurements (if logged), check-in logs, and photos for authorization.

Billing & Payment Metadata

We record details of invoices, payment status, amount paid, and subscription history. Payment instruments (cards, UPI) are handled securely by Razorpay or Stripe; we do not store raw credentials.

Usage & Technical Logins

We record IP addresses, login timestamps, platform activity logs, browser types, and cookie session details to guarantee account security and prevent unauthorized access.

3. How We Use Information

GymOS uses data strictly to fulfill our contractual and business commitments:

  • Service Provision: Managing memberships, classes, check-ins, invoice generation, and reports.
  • Transactional Alerts: Sending auto-alerts for membership expiry, billing payments, invoices, or critical system notices via email/SMS.
  • Payment Processing: Reconciling Razorpay transactions, generating branded PDF invoices, and calculating gym payouts/reports.
  • Platform Optimization: Analyzing platform metrics (speed, page views, error rates) to fix bugs and improve performance.
  • Compliance & Safety: Validating user accounts, preventing fraud, and enforcing our Terms and Conditions.

4. Data Sharing & Subprocessors

We value your trust. We do not sell, rent, or distribute any personal data to advertisers. Information is only shared under the following conditions:

  • With Subprocessors: We use infrastructure providers to host GymOS and perform billing, transactional emails, and system queries. All subprocessors are vetted for compliance:
      • Supabase: Database hosting, user authentication, and file storage (SSL-encrypted).
      • Firebase: Analytics and page event metrics.
      • Razorpay: Indian payment processing and subscription billing.
  • With Gym Owners / Admins: Gym owners have complete access to the records of their own registered gym members.
  • Legal Requirements: We may disclose data if legally required by search warrants, courts of law, or regulatory bodies in India under applicable laws.

5. Data Security & Row-Level Security (RLS)

We employ industry-leading protection to ensure data integrity and confidentiality:

  • Database Isolation: Every record belongs to a distinct `tenant_id`. We implement strict database **Row-Level Security (RLS)** policies that restrict any tenant (gym operator) from querying, modifying, or viewing data belonging to any other gym.
  • Encryption: All data is encrypted during transmission using HTTPS/TLS protocols and encrypted at rest in our secure database engines.
  • Access Limits: Authentication token rotation and secure session checks prevent unauthorized access. Gym staff access is strictly filtered by roles (SUPERADMIN, GYM_ADMIN, STAFF, TRAINER, MEMBER).

6. Data Retention & Deletion

We retain data for as long as a gym account remains active. If a subscription is terminated, we store backing configuration files and database entries for 90 days to allow for retrieval, after which all tenant data is permanently deleted from our live databases.

Gym members who wish to delete their profile details must submit a request to their respective gym administrator. Upon instructions from the gym administrator, GymOS will purge the individual's records immediately.

7. Your Rights & Choices

Under relevant data regulations, you have the following rights over your data:

  • Right to Access: You can download or view all profiles, rosters, billing logs, and check-in schedules directly from the GymOS dashboard.
  • Right to Rectification: You can update user emails, numbers, and settings inside the App Settings or via the admin console at any time.
  • Right to Erasure: Gym owners can request full deletion of their tenant account data by contacting us.
  • Consent Withdrawal: You may close your account to withdraw consent for processing, though past transactional financial documents may be retained for accounting and tax requirements in India.

8. Cookies & Tracking

We use cookies and equivalent browser storage tokens strictly for operational purposes:

  • Session Cookies: Storing authenticated sessions so operators do not have to sign in repeatedly.
  • Performance Tracking: Keeping record of dashboard preference selections (like dark/light theme state or search parameters).
  • Analytics: Generating aggregated insights on site page views and feature performance.

9. Contact & Grievance

For any questions regarding your data, security, or this Privacy Policy, please contact our support team.

Grievance Support Email: contact.gymos@gmail.com

We resolve data privacy queries within 15 working days.