Business Privacy Policy

Gymflow Business Privacy Policy

 

Last Updated: May 6th, 2025

 

Introduction

This Business Privacy Policy explains how Gymflow collects, uses, and protects personal data of our business clients (gym or studio owners) and their staff when they use Gymflow to manage their business. This policy is intended for gyms and studios using Gymflow’s software, not for individual gym members (if you are a gym member or mobile app user, please see our End User Privacy Policy). Gymflow acts as a data controller for the business-related personal information described here, determining the purposes and means of processing this data in accordance with applicable laws.

 

Data We Collect from Business Users

We collect and process various types of information from gym/studio owners and staff in order to provide our services and run our operations. This may include:

  • Business Contact Details: Names, work emails, phone numbers, and job titles of owners, managers, and authorized staff members who register or are added to the Gymflow platform.
  • Business Account Information: Gym or studio name, business address, industry type, and account credentials (such as usernames and passwords for staff accounts).
  • Billing and Payment Information: Financial details needed for subscription billing, such as credit card information or bank account details, billing address, and transaction records. (Payment details may be processed by third-party billing providers and not stored directly by Gymflow, for security).
  • Service Usage Data: Information on how you and your staff use the Gymflow system, including feature usage analytics, login dates/times, IP addresses, device information, and settings preferences. This helps us monitor system performance and improve our services.
  • Support and Communication Records: Contents of communications with us – for example, emails, chat logs, or phone call notes from customer support interactions, feedback, and any other information you provide when contacting us for help or giving input.
  • Uploads and Integrations: If you choose to integrate other services with Gymflow or upload data into the system, we will process any personal data contained in those inputs (for instance, if you upload a list of staff members or connect a calendar with personal names). We assume you have the authority to provide any such personal data to us.

We collect this information either directly from you (e.g. when you fill out forms, sign up, or communicate with us) or indirectly through our platform (e.g. automatic collection of usage data). All personal data we collect is limited to what is necessary for the purposes described in this policy.

 

Purpose and Legal Basis for Processing

Gymflow uses business user data only for legitimate business purposes in connection with providing and improving our gym management software. The main purposes and corresponding legal bases for our processing include:

  • Providing the Service (Contractual Necessity): We use business contact and account data to create your Gymflow account, authenticate users, and deliver the features of our platform (scheduling, membership management, billing, etc.). This processing is necessary to perform our contract with you as a user of Gymflow. For example, we’ll use your contact information to log you in and send you service-related communications (like payment receipts or important account notices).
  • Billing and Payments (Contractual and Legal Necessity): We process billing information and payment transactions to bill for subscriptions or services you purchase. This is part of our contract fulfillment. We may also retain transaction records as required for financial reporting and tax compliance (legal obligation).
  • Customer Support and Communications (Legitimate Interests/Contract): If you reach out with support requests or questions, we will use your contact and support data to respond and resolve issues. We may also send you important updates about the service (e.g. software changes, security alerts). These communications are necessary to perform the service and are in our mutual legitimate interests to ensure you are informed.
  • Service Improvements and Analytics (Legitimate Interests): We analyze usage data and feedback to understand how our clients use Gymflow and to make improvements or develop new features. We rely on our legitimate interests in improving our services for this processing. Wherever possible, we use aggregated or anonymized data for analytics so it no longer identifies individuals.
  • Marketing to Business Clients (Consent or Legitimate Interest): We might use business contact details to send occasional product updates, newsletters or offers that may be relevant to running your gym (separate from essential service notices). We will do this only in accordance with applicable laws – for example, with your consent (opt-in) where required. You can opt out of marketing emails at any time.
  • Security and Fraud Prevention (Legitimate Interests): We may process personal data (like logging account activities or investigating suspicious usage) to maintain the security of our platform, prevent unauthorized access, and reduce fraudulent behavior. This is in the legitimate interests of both Gymflow and our clients to protect data and ensure a safe service.
  • Compliance with Laws: In some cases we need to process or disclose data to comply with legal obligations, such as responding to lawful requests by public authorities or keeping records required by regulations.

Gymflow will not process business users’ personal data for purposes that are incompatible with those above without first notifying you and, if required, obtaining your consent.

 

Third-Party Service Providers

To run our operations efficiently, Gymflow uses trusted third-party services that may process business user data on our behalf, strictly for the purposes described above. Key categories of third-party processors we engage include:

  • Payment and Billing Processors: We partner with payment gateways or processors (for example, credit card processing services or direct debit providers) to handle your subscription payments securely. These providers receive billing information as needed to process transactions.
  • Customer Relationship Management (CRM) and Support Tools: We use CRM software to organize client accounts and communications, and support ticketing systems to manage support inquiries. Your contact info and communication history may be stored in these systems to help us provide you with assistance and account management.
  • Cloud Hosting and IT Infrastructure: Gymflow is a cloud-based platform. We host data and our software on reputable cloud service providers (for example, data centers or hosting services) that store and back up your information. Personal data may thus be stored on their secure servers, but always under Gymflow’s control and instructions.
  • Email and Communication Services: We use email delivery services and, if applicable, SMS or push notification providers to send out service-related messages (like email notifications or verification codes). These providers process the necessary contact data (email address or phone number and message content) to deliver communications on our behalf.
  • Analytics and Monitoring Tools: We may utilize analytics platforms that help us monitor system performance or usage patterns (e.g. to see which features are most used by clients). Such tools might collect usage data or technical identifiers (like IP, device ID) to provide aggregated insights. Wherever feasible, we configure these tools to minimize identification (for example, anonymizing IP addresses) and we do not allow these tools to use your data for their own purposes.

Each third-party service provider is vetted for strong security and privacy practices. We have data processing agreements in place with them to ensure they only process your data for Gymflow’s specified purposes and in compliance with applicable privacy laws. They are not permitted to use your data for their own marketing or other independent uses. Gymflow does not sell or share business user personal information with third parties for any purpose other than the ones stated in this policy.

 

Data Security

Gymflow takes the security of your personal data seriously. We implement appropriate technical and organizational measures to safeguard the information we hold against unauthorized access, alteration, disclosure, or destruction. These measures include, for example, encryption of sensitive data (both in transit and at rest), access controls to limit who on our staff can see personal information, and regular security audits of our systems. We also require our third-party processors to protect data with strong security standards. While we strive to protect all information, please note that no method of transmission over the Internet or electronic storage is 100% secure. We continuously monitor for potential risks and will inform you of any significant breaches affecting your data, as required by law.

 

Data Retention

We retain personal data of our business clients and their staff only for as long as necessary to fulfill the purposes outlined in this policy or as required by law. In practice, this means:

  • Account Data: For the duration of your contract or active use of Gymflow services, we will keep your account information on file. If you discontinue using Gymflow or your subscription ends, we will either delete or anonymize personal data in your account within a reasonable period after closure, unless we are required to keep it longer for legal reasons. For example, financial records (invoices, payment history) may be retained for a certain number of years to comply with tax and accounting laws.
  • Communications and Support Records: We may retain support emails or chat logs for a period of time after resolution to ensure we have a history of what was done, in case of follow-up issues. These will typically be purged or anonymized periodically, provided they are not needed for ongoing support or legal purposes.
  • Backups and Archives: Personal data may persist in routine backups for short durations even after deletion from our active database, but we have processes to eventually delete or render such data unusable when we rotate backups. We do not use backup data except for legitimate restoration needs.

When determining retention periods, we consider the volume, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes of processing, and whether those purposes can be achieved by other means. If you request deletion of your data (see Your Privacy Rights below), we will also delete applicable data from our systems, subject to any legal obligations to retain it.

 

Your Privacy Rights

As a business user of Gymflow, you (or your staff, if applicable) may have certain rights regarding your personal data that we hold. Gymflow is committed to respecting these rights and has procedures to ensure compliance. These rights may vary depending on the laws that apply based on your country or state, but in general, include:

  • Right to Access: You can request a copy of the personal information we hold about you, and information on how we process it. We will provide this, save for some exceptions (e.g. if providing certain information would adversely affect the rights of others).
  • Right to Rectification: If any personal data we have is inaccurate or incomplete, you have the right to request that we correct or update it. For example, you can update your contact details in your account settings or by contacting us for assistance.
  • Right to Erasure: You may request that we delete your personal data when it’s no longer needed for the purposes we collected it, or if you withdraw consent (where applicable), or if you believe we are unlawfully processing it. We will honor valid deletion requests and erase your data, unless we are required to keep it for legal reasons.
  • Right to Restrict Processing: In certain circumstances (for example, if you contest the accuracy of your data or object to our processing), you can ask us to restrict further processing of your personal data until the issue is resolved. We will mark the data as restricted and only use it for certain purposes (like legal claims or with your consent) during that period.
  • Right to Data Portability: For data you provided to us and which we process based on contract or consent, you have the right to obtain a reusable electronic copy in a structured, commonly used format, so you can transfer it to another service provider if you wish.
  • Right to Object: Where we process your data based on legitimate interests, you have the right to object to that processing on grounds relating to your particular situation. For example, you can object to certain use of your data for analytics or marketing. If you do, we will consider your objection and will stop or adjust the processing unless we have compelling legitimate grounds to continue (or if it’s needed for legal claims). If we are using your email to send marketing, you can always opt out via the unsubscribe link in those emails.
  • Rights under Specific Jurisdictions: We also comply with region-specific privacy rights:
    • European Union/United Kingdom: If you are located in the EU or UK, you have all the rights above under the GDPR (and UK Data Protection Act). This includes the right to lodge a complaint with your country’s data protection supervisory authority if you believe we have violated your data rights. Gymflow’s lead supervisory authority is in the UK, but you can contact your local authority.
    • California (CCPA): If you are a California resident, the California Consumer Privacy Act (as amended by CPRA) provides you rights to know, access, delete, and correct personal information, as well as the right to opt-out of “sale or sharing” of personal info. However, please note that in this context Gymflow is a service provider for your business data (we provide services to your company, not directly to consumers), so CCPA rights might apply in a limited way. We do not sell personal information of our customers. Still, you or your business may contact us to exercise access or deletion rights to any personal data we hold about you as an individual in a business context. We will honor such requests in accordance with CCPA. We will also not discriminate against anyone for exercising their privacy rights.
    • Australia: If you are in Australia, the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) apply. You have the right to access the personal information we hold about you and to request corrections if needed. We will provide access or make corrections upon request, in accordance with APP 12 and 13. If you have a concern about our handling of your data, you can contact us to resolve it, and you also have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

To exercise any of your rights or make a privacy-related request, please contact us using the details in the Contact Information section. We may need to verify your identity (for example, by confirming your email address or asking for additional verification) before fulfilling certain requests. We will respond to your request within the timeframe required by law (for instance, within 30 days for GDPR requests, or 45 days for CCPA requests, with the possibility of an extension). Note that some rights may be subject to exemptions or limitations; if we cannot fulfill a request, we will explain the reason in our response.

 

International Data Transfers

Gymflow is a global service – the data we collect may be transferred to or stored in multiple countries, including the United Kingdom, countries in the European Union (EU), the United States, and Australia. We want to assure you that regardless of where your data is processed, we protect it to the highest standard and in line with applicable privacy laws.

  • Transfers from the UK/EEA: If we transfer personal data from the UK or European Economic Area to a country that is not deemed “adequate” by the European Commission (for EU) or by the UK government (for UK), we rely on appropriate safeguards. Typically, we use Standard Contractual Clauses (SCCs) approved by the EU/UK, which are contractual commitments that bind the recipient of the data to protect it according to EU/UK privacy standards. These SCCs, combined with supplementary measures as needed, ensure your data receives a level of protection equivalent to that in Europe.
  • Transfers from Australia: For Australian personal information, we adhere to the requirements of APP 8 (Cross-border disclosure of personal information). This means before transferring your data overseas, we take reasonable steps to ensure the overseas recipient will handle the information in accordance with the Australian Privacy Principles. In practice, this is achieved through contractual agreements similar to the SCCs and by working only with organizations that have robust privacy and security practices. You can be confident that your data, if sent outside Australia, will still be safeguarded under standards comparable to Australian law.
  • United States and Other Regions: Data may be processed on servers located in the United States or other jurisdictions where Gymflow or its service providers operate. Gymflow USA, Inc. abides by applicable U.S. state and federal privacy laws. If you are in a jurisdiction like California, we handle your data under the service provider provisions of CCPA (as described earlier). For any international transfers, we ensure compliance with all relevant regulations and that your data remains protected.

By using Gymflow as a business client, you acknowledge that your personal information may be transferred and stored internationally as described, and you agree to us doing so provided we uphold the safeguards described in this policy. If you have questions about cross-border data transfer or require more specifics on our transfer mechanisms, please contact us.

 

Contact Information

If you have any questions, concerns, or requests regarding this Business Privacy Policy or your personal data, please reach out to us. We are here to help and will address your inquiries promptly. You can contact the appropriate Gymflow entity based on your location or contract:

  • Gym Flow Ltd. – a company registered in England and Wales under company number 12109568, with its registered office at 483 Green Lanes, London, England, N13 4BS.
  • Gymflow USA, Inc. – a corporation organized under the laws of Delaware, USA, with an office at 1111B S Governors Ave STE 23249, Dover, DE 19904.
  • Gymflow AUS Pty Ltd. – an Australian proprietary limited company, with a registered office at 32 Clifford Street, Goulburn, NSW 2580, Australia.
  • Other Regions: For clients in any other jurisdictions, Gym Flow Ltd. (UK) will serve as the contracting entity and primary point of contact, unless otherwise notified.

Please address your correspondence to “Privacy Officer” at the relevant entity above. You may also contact us via email or through our website contact form (if available) for privacy inquiries. We will do our best to resolve any issues and answer your questions. If you feel that we have not satisfactorily addressed your privacy concerns, you have the right to contact your local data protection authority or regulator.