End User Privacy Policy

Gymflow End User Privacy Policy


Last Updated: May 6th, 2025


Introduction


This End User Privacy Policy describes how Gymflow handles personal information of individuals (“end users” or “members”) who use the Gymflow app or website to book classes, manage memberships, check into facilities, or make payments at gyms and studios that utilize the Gymflow platform. In this context, your gym or studio is the data controller of your personal data, and Gymflow operates as a data processor (service provider) on behalf of that gym. This means that we process your data only as instructed by your gym and for the purposes of delivering the services you or your gym request. We do not use your personal information for our own independent marketing or unrelated purposes. Our goal is to respect your privacy and help your gym manage your membership efficiently in compliance with applicable laws.


Please note that you should also refer to your gym’s own privacy notice if available, as they are responsible for explaining how they use your data as the provider of services to you. Gymflow’s role is supportive – we provide the software that your gym uses. If you have questions about your data, you can always contact your gym first, and you can reach out to Gymflow for assistance or issues (see Contact Information at the end of this policy).


Personal Data We Process

When you interact with a gym via the Gymflow platform (whether through our mobile app, a web portal, or at the gym’s front desk), certain personal information about you will be collected and processed. The exact data may vary by gym (depending on what information your gym requires for membership) and how you use the services, but it typically includes:

  • Identity Information: Your full name is collected to identify you as a member or client of the gym. Many gyms also collect your date of birth (e.g. to verify age or for birthday rewards) and possibly your gender or other profile details, depending on their registration process.
  • Contact Information: Contact details such as your email address and phone number. These are used to create your account, send booking confirmations, class reminders, receipts, or other notifications from the gym via Gymflow. In some cases, a physical address may be collected if required for contracts or billing (for example, if the gym needs an address for invoicing or identity verification).
  • Account Credentials: If you create an account on the Gymflow app/website, we collect the username and password you set. (Passwords are stored in an encrypted form for security.) If the system uses single sign-on or social logins, we may receive an authentication token from those providers instead of a password.
  • Gym Membership Details: Information related to your membership at the gym or studio. This can include your membership ID or account number, membership tier or type, start and end dates of membership, and any preferences or settings associated with your membership (e.g. preferred location or trainer).
  • Booking and Attendance Data: Records of classes or sessions you book, schedule or sign up for through Gymflow, as well as your attendance history (e.g. which classes or training sessions you attended, check-in times). For example, if you use our app to book a yoga class at your studio, we will record the booking and mark you as attended when you check in. Your gym can also track your session counts or visit frequency via this data.
  • Payment and Transaction Information: If you make payments for memberships, classes, or products through the Gymflow platform, we process information related to those transactions. This may include your payment method details (such as credit/debit card info or bank account for direct debit) and transaction records (date, amount, service purchased). Note: Gymflow typically uses third-party payment processors to handle card data securely, so we may only store tokens or references to your payment instrument rather than the full card number. We will, however, retain records of your purchases and payment history for your gym’s accounting.
  • Communication Records: Copies of communications sent to you via the Gymflow system. For instance, if your gym sends you an announcement, a class reminder, or a direct message through the platform, we may store that message and any responses. Additionally, if you contact Gymflow support for technical help with the app, we will collect the information you provide during that interaction (such as your contact info and the content of your support request).
  • Device and Usage Information: When you use the Gymflow mobile app or website, we automatically collect some technical information about your device and how you use the service. This can include your device type, operating system, unique device ID or browser identifier, IP address, and timestamps of logins or actions. We may also collect data about the app features you interact with, clicks and navigation within the app, and crash/error logs. This information helps ensure the service works correctly for you (for example, using your IP address to detect your time zone or troubleshoot login issues) and helps us improve the app’s user experience. Where required, we ask for permission to access certain device features; for example, if you choose to upload a profile photo, the app will request access to your camera or photos, or if your gym offers location-based check-in, we might request access to your location – but those are optional and you will be prompted to allow or deny such permissions.
  • Health or Sensitive Information (if provided): Generally, Gymflow does not require any “sensitive” personal data like health conditions, biometric identifiers, or similar details about end users. However, there may be cases where you or your gym input such data into free-form fields or notes (for example, a note about an injury or a health condition relevant to your training). Any such information is solely under your gym’s control. Gymflow will treat it with the same high security as other data, but we rely on gyms to obtain appropriate consent from you if they record any sensitive personal info. We do not use this data for any purpose except to store it and make it available to the gym as needed.

Gymflow aims to minimize data collection to only what is necessary for providing our services. If you ever have concerns about the information being collected, please contact your gym or Gymflow for clarification. Also, note that if you choose not to provide certain information (or ask your gym to remove it), some functionalities—such as booking classes or processing payments—might become unavailable.


How We Use Your Information

Since Gymflow acts on behalf of your gym, we use your personal data only to deliver the services that your gym provides to you through our platform. In particular, Gymflow uses end user data in the following ways, under instruction from the gym:

  • Facilitating Bookings and Membership Management: We process your provided information so you can book classes or appointments and so the gym can manage your membership. For example, when you reserve a class, we use your name and membership credentials to secure your spot and later update your attendance record. Your gym’s staff can view your profile and booking history to manage your relationship (like seeing how often you attend or which services you’ve used).
  • Processing Payments on the Gym’s Behalf: If you pay for a service or membership through Gymflow, we use your payment information to execute that transaction and record it for the gym’s accounts. This might involve sending your payment details to a payment gateway and then confirming back that your payment was successful, so your gym knows you’ve paid. Receipts or invoices can be emailed to you as needed. All payment processing is done securely and in compliance with applicable payment standards (e.g. PCI-DSS for card payments). Gymflow does not use your payment information for anything other than processing transactions you authorize.
  • Communicating with You (on behalf of your Gym): The Gymflow platform may send you various types of communications, typically initiated by or in agreement with your gym. Examples include: booking confirmations or reminders via email/SMS, notifications of schedule changes or class cancellations, membership renewal notices, or messages from instructors (if the platform has a messaging feature). We use your contact data to deliver these messages. In some cases, the gym may also send marketing or promotional communications through Gymflow (such as a special offer on a new class package); Gymflow will send out such communications only as instructed by the gym, who is responsible for making sure they have any necessary consent from you. If you opt-out of the gym’s communications, we will honor that through our platform settings.
  • Operating the Gymflow App/Website: We use your data to ensure the app and website function properly for your use. For example, your login credentials are used to authenticate you and personalize your experience (showing your upcoming bookings, etc.), and device information might be used to tailor the interface or troubleshoot issues (like using your locale to display dates in the correct format).
  • Customer Support and Technical Assistance: If you or your gym contact Gymflow for support that involves your account (for instance, if you email us saying you cannot log in or your class isn’t showing up), we will use the information provided to help resolve the issue. This might involve accessing your profile or bookings in our system to troubleshoot. We only access end user accounts for support purposes when necessary and authorized, and we keep such access logs.
  • Analytics and Improvements (Aggregated Data): Gymflow may use data about how end users as a whole are using the app to improve the service. This generally does not involve identifying you personally. For example, we might measure how many total bookings happen each day, which app features are most popular, or common errors users encounter. This helps us and the gym optimize the user experience. When we do analytics like these, we typically use aggregated and anonymized data. If we ever needed to analyze a specific user’s usage (e.g. to fix a unique bug you reported), we would only do so as part of support and with the same care as any other support activity.
  • Security and Fraud Prevention: To protect everyone’s data, Gymflow may use certain information (like device identifiers, IP addresses, and usage patterns) to detect and prevent suspicious or fraudulent activity. For example, we might detect if multiple failed login attempts occur for your account, and take steps to protect it. If we detect potential fraud (such as someone using stolen cards to make purchases), we might alert your gym and take protective measures. These actions are meant to secure your account and the platform; they do not involve using your data for any purpose other than security maintenance.
  • Legal Compliance and Protection: If required by law, we may use or disclose your information (for instance, to respond to a court order or legal process). Additionally, if it’s necessary to enforce our terms of service or to protect the rights, property, or safety of Gymflow, our client gyms, or others, we may use personal data as needed. This could include cooperating with law enforcement investigations (after proper validation) or using data to address disputes (like proving a booking was made if there’s a billing disagreement).

Importantly, Gymflow does not use your end user data for independent marketing or sell your information to third parties. All processing of your data is strictly limited to providing the service to you and your gym, as outlined above. In legal terms, under regulations like GDPR, we only process your data under the instructions and legal authority of the data controller (your gym), and under laws like CCPA we act as a “service provider” that is contractually forbidden from using personal data for any purpose other than the gym’s business purpose. This means your data is never used for Gymflow’s own purposes such as advertising or profiling you beyond what the gym needs.


Disclosure of Your Data (Who We Share It With)

In the course of operating the platform and facilitating gym services, Gymflow may share your personal data with the following parties, strictly on a need-to-know basis and under appropriate safeguards:

  • Your Gym or Studio: First and foremost, your information is accessible to the gym or studio you are a member of (and which is our client). Gym staff (such as managers, trainers, or front-desk personnel) can view and update your member profile, see your bookings and attendance, process your payments, and communicate with you via the platform. In many cases, the data we have was originally provided by your gym. We simply ensure it is available to them through our software. Any questions about how the gym uses that data internally should be directed to your gym. Gymflow only enables the sharing that is inherent in the service (for example, showing your instructor your name on a class roster).
  • Service Providers (Sub-Processors): Gymflow relies on certain reputable third-party providers to assist in delivering the service to you and your gym. These providers act as sub-processors, meaning they handle data on our behalf (and ultimately on behalf of your gym) and are contractually bound to strict privacy and security obligations. Key examples include:
    • Payment Processors: As mentioned, a payment gateway or processor (e.g., Stripe, PayPal, or others) may receive your payment details to complete a transaction. They will use this information solely to process payments and comply with applicable financial regulations.
    • Email/SMS Delivery Services: We may use services like SendGrid, Mailgun, Twilio or similar to send emails or text messages to you (for confirmations, alerts, etc.). These services get access to your contact info and the content of the message, but only for the purpose of sending on our behalf.
    • Cloud Hosting and Data Storage: Our application and database may be hosted on cloud platforms (for example, Amazon Web Services or Microsoft Azure). Your personal data is stored on their secure servers, but always under Gymflow’s control. The cloud provider acts only as an infrastructure provider — they do not access your data except potentially for maintenance of the storage (and even then, personnel would not normally view content).
    • Analytics/Crash Reporting Tools: To maintain app quality, we might use third-party analytics or error tracking services (like Google Analytics for Firebase, Sentry, etc.) which could incidentally collect some device or usage data. These tools are configured to respect privacy: for instance, we avoid sending them directly identifying information whenever possible, and they are used only to improve performance and fix issues.
    • Other Integrations Required by Your Gym: Sometimes, your gym might integrate other apps or services with Gymflow (for example, linking Gymflow with their Mailchimp account for newsletters, or connecting to a third-party access control system for gym entry). In such cases, Gymflow will share data with those integrations only as directed by the gym. For instance, if the gym has set up an email marketing integration, your name and email might be synced to that external system so the gym can send newsletters. Gymflow facilitates these transfers but the external service’s use of your data is governed by the gym’s arrangement with that service and their privacy policy.

We ensure that all third-party sub-processors we engage are subject to data protection agreements and adhere to standards like GDPR, CCPA, etc. They are not allowed to use your data for any purposes other than providing services to Gymflow and your gym. We also do not share or disclose end user personal data to any third parties besides your gym and the sub-processors category above, except in the following special cases:

  • Legal Requirements and Safety: If we are compelled by a valid legal order (such as a subpoena, court order, or equivalent legal process) to disclose certain information, we may do so. We will attempt to notify your gym (and you, if appropriate) unless the law forbids us. Additionally, if disclosure is necessary to prevent a serious threat to personal safety, investigate fraud, or protect our rights or the rights of other users, we may share information with the appropriate authorities or organizations. This is done only after careful review and in line with applicable laws.
  • Business Transfers: If Gymflow were to undergo a major business change, such as a merger, acquisition by another company, or sale of assets, your personal data might be transferred to the successor entity. If that happens, we will ensure the new owner has to honor the commitments we have made in this policy, and we will notify your gym (who in turn can notify you) of the change. You would of course have the opportunity to discontinue using the service if you object to the new entity.

To summarize, your data primarily stays between your gym and Gymflow, with a few trusted service partners helping us in the background. We do not rent or sell your information. Any company that assists us must follow the same level of care and use limitations that we do.


Data Retention

Gymflow retains end user personal data for only as long as necessary to fulfill our obligations to your gym and to comply with law. Since we process your data on behalf of your gym, our retention practices are generally aligned with the gym’s instructions. Key points about retention:

  • Active Membership Data: For as long as you are an active member or customer of a gym that uses Gymflow, your personal data will be stored in our systems so that the gym can continue to use it. This includes your profile information, membership details, and ongoing booking/payment records. This data will be updated over time (e.g. new bookings added) but not removed unless directed by the gym or as described below.
  • Terminated Membership or Inactive Users: If you leave the gym or your membership expires, your profile may be marked as inactive in Gymflow. The gym can choose to delete or anonymize your personal data at their discretion. Gymflow’s policy is not to delete end user data without the gym’s action or consent, because it is the gym’s responsibility to determine how long they need to keep member records. We encourage gyms to purge data they no longer need. If the gym chooses to delete your data (or upon their request to us), we will securely delete or anonymize your personal data from our production systems, except for any information we are required to retain (such as payment transaction logs required for financial audits).
  • Data on Backups: As part of our disaster recovery and backup procedures, your data might persist for a limited time in encrypted backups even after deletion in the live system. These backups are securely stored and only accessed if needed for restoration purposes. We have retention limits for backups, after which they are overwritten or destroyed. Thus, any deleted data will be fully purged from all systems, typically within [X] days (for example, 30-60 days) after initial deletion from the live database.
  • Gym Contract Termination: If a gym ceases to use Gymflow entirely (for example, the gym closes or switches to a different software and our contract with them ends), we will handle all end user data from that gym per our agreement with the gym. Usually, this means we either return the data to the gym and/or delete it from our systems after a grace period. We may retain minimal information about the gym’s account (for example, the fact that a certain email was associated with a gym account) for our business records, but we will not retain the detailed personal data of gym members beyond the termination, except as required for legal compliance. We will ensure that any retained data is protected and used only as necessary (e.g. invoices kept for accounting).
  • Legal Requirements: In certain cases, we might need to keep specific information for a longer period if mandated by law. For instance, financial transaction records might be kept for a number of years to satisfy tax or accounting rules; or if a dispute or legal issue arises, we might retain relevant data until it is resolved. In all such cases, your data will continue to be protected and will not be used for new purposes.

In summary, Gymflow does not keep your personal information indefinitely by default. We align with the data retention policies of your gym and legal obligations. If you want your data removed from Gymflow, the most direct route is usually to ask your gym to delete your profile or request us to do so through the gym. You can also contact us directly (see Contact Information) if needed, and we will coordinate with your gym to handle the request. (See the next section on Your Rights for more on deletion requests.)


Your Privacy Rights as an End User

Because your personal data in Gymflow is essentially under the control of the gym you belong to, you have rights both under the gym’s privacy policy and, in many cases, directly under the law. Gymflow is committed to helping our client gyms honor those rights. Below, we outline your key data protection rights and how you can exercise them in the context of our service:

  • Right to Access: You have the right to know what personal data is collected about you and to obtain a copy of that information. Under GDPR, this is called a Subject Access Request. Under CCPA, it’s the right to know and access information. Practically, you can exercise this by asking your gym for a copy of your records (since they can pull reports or view your data in Gymflow). Gymflow, as a processor, will assist your gym in providing a complete and clear response. If needed, you may contact us directly and we will work with your gym or provide you with a summary of data we hold about you on behalf of the gym.
  • Right to Rectification (Correction): It is important that your information is accurate. You have the right to correct any incorrect or incomplete personal data. The simplest way is usually to update your profile via the Gymflow app (for fields that are editable, like your contact info) or ask gym staff to update their records. If something is not editable or you face an issue, you can request correction through your gym or directly from us. For example, if your name was misspelled or your contact number changed, you are entitled to have that updated.
  • Right to Deletion: Also known as the “Right to Erasure” or “Right to be Forgotten,” you can request that your personal data be deleted when it’s no longer necessary for the purposes it was collected. In the gym context, this often means if you are no longer a member and there’s no compelling reason for the gym to keep your data, you can ask for it to be removed. Under CCPA, you can request deletion of the data a business holds about you (with certain exceptions). We ask that you first direct any deletion request to your gym – they will authorize us to delete your data from Gymflow if appropriate. If you send the request to Gymflow directly, we may need to confirm with the gym before deleting, since the gym might need certain records. Once approved, we will permanently delete or anonymize your personal data from our systems (except any data we are required by law to retain, as noted in the retention section). Do note, if you request deletion, it may involve closing your account on Gymflow such that you can no longer use the app through your gym unless you re-register.
  • Right to Restrict or Object (EU/UK specific): If you are subject to GDPR/UK GDPR, you have the right to restrict processing of your data in certain cases (for example, you contest the data’s accuracy or object to processing). You also have the right to object to processing done under legitimate interests. Given Gymflow’s role, most processing is done under contract with your gym or with your consent (e.g., you consent to receiving communications by signing up). If you have an objection to how your data is being used (say, you don’t want your app usage data to be used in analytics), you can raise this with your gym or us. We will accommodate objections and restrictions to the extent possible – for instance, we could disable certain data collection for your account if technically feasible. However, some data use is integral to providing the service (like using your data to book classes), so in those cases the only way to completely stop processing may be to discontinue the service. We will happily discuss and try to find a solution that addresses your concerns.
  • Right to Data Portability (EU/UK specific): You can request to receive your personal data in a structured, commonly used, machine-readable format, so you can transfer it to another service. For example, you might want a CSV or JSON file of all your bookings and profile info if you move to a new gym. We can assist the gym in providing such exports if requested. Typically, your gym can export your data from our system and give it to you, but if needed, we can generate a data export for you directly.
  • Right to Opt-Out of Sale (California specific): Under the CCPA, California residents have the right to opt-out of the sale or sharing of personal information. Gymflow does not sell personal data of end users, and we do not share it for cross-context behavioral advertising. Therefore, this right may not be directly applicable as there is no sale to opt out of. Nonetheless, if you have any concerns about your data being shared beyond what’s described, you can contact your gym or us to clarify or place further restrictions.
  • Rights regarding Sensitive Information (California CPRA): If any sensitive personal information is collected (like precise geolocation or certain health info), California law allows you to limit its use/disclosure. Gymflow doesn’t use sensitive info except as necessary for the core service (and usually at the instruction of your gym). For instance, if location data is used for check-in, it’s only used for that functionality. If you want to restrict any such optional feature, you can simply decline to grant permission in the app or not use that feature.
  • Right to Non-Discrimination: We will never discriminate or retaliate against you for exercising any privacy rights. Exercising your rights will not affect the service you receive, except that we may no longer be able to provide features that depend on data you have asked us to delete or on processing you have asked us to stop.
  • Complaints: If you believe your privacy rights have been violated, you have the right to lodge a complaint. EU/UK individuals can complain to their data protection supervisory authority. Australian individuals can complain to the OAIC. California residents can contact the California Privacy Protection Agency or the state Attorney General’s office. We encourage you to contact us or your gym first, so we have a chance to address the issue directly.

How to Exercise Your Rights: In most cases, since your gym is the controller, we recommend sending your request to your gym (e.g., the gym’s manager or via whatever contact method they provide in their privacy notice). They can validate your request and then instruct us to take appropriate action in Gymflow. Gymflow will assist the gym promptly to fulfill your request (usually we have contractual obligations with the gym to help with data subject requests in a timely manner).

If you prefer to contact Gymflow directly, you may do so using the contact information below. Please clearly state what right you wish to exercise and details to identify your account (such as the email associated with your Gymflow account, the name of the gym you attend, etc.). Keep in mind, since we are a processor, we may need to notify your gym or get their approval before taking action (for example, we wouldn’t want to delete your profile without letting the gym know, as it might be unexpected from their perspective). We will inform you of the progress and make sure your request is handled as required by law.

For access or deletion requests, we will verify your identity to ensure we’re providing data to the correct person (this might involve contacting you through your registered email or asking the gym to verify you). We strive to respond to all valid requests within the timeframe required by applicable law – often sooner. If we need more time or cannot comply with a request, we will let you know the reason (for example, if an exemption applies or if the request is overly complex).


International Data Transfers and Storage

Your personal data may be stored and processed in countries other than your own. Gymflow and its sub-processors have servers and operations in multiple jurisdictions (notably the UK, EU, USA, and Australia). We understand that privacy laws differ around the world, and we take steps to ensure that adequate protections travel with your data wherever it goes:

  • For Users in the UK/European Economic Area (EEA): If your data is collected within the UK or EEA, it might be transferred to and processed on servers located outside of that region (for example, in the United States). To comply with the GDPR’s international transfer requirements, we ensure such transfers are covered by appropriate safeguards. Typically, this means we have Standard Contractual Clauses (SCCs) in place between Gymflow (as a data exporter) and any non-EU data importer (including our U.S. entity or cloud providers). These SCCs are legal contracts approved by the European Commission that guarantee your data will be given an equivalent level of protection as under EU law. In addition, we assess any extra risks and may implement supplementary measures (like encryption in transit and at rest, access restrictions, etc.) so that your data remains secure. If the transfer is to one of our entities like Gymflow USA, Inc., that entity is also bound by our internal policies and the commitments in this privacy policy and the contracts with your gym. You can contact us if you’d like more information about cross-border safeguards for EU data.
  • For Users in Australia: Data of Australian users may be processed in countries outside Australia. Under Australian Privacy Principle 8, before disclosing personal information overseas, we take reasonable steps to ensure the recipient will handle it in accordance with the APPs (or we otherwise ensure the transfer is permitted by law). Gymflow’s Australian operations may involve transferring data to our systems in the UK or USA for processing. We ensure that such recipients (for example, our UK company or a cloud service provider) are subject to privacy protections substantially similar to Australian standards. In the event that Australian data is stored overseas, Gymflow AUS Pty Ltd remains accountable for its protection under the Privacy Act.
  • For Users in the United States and Other Countries: Your data may be stored on servers in the U.S. or transmitted to the UK or other regions. Gymflow complies with applicable data transfer and privacy rules in all locations we operate. For example, if you are in a country with data localization or export restrictions, we will follow those rules as applicable via our agreements with your gym. In the U.S., although there is no federal GDPR equivalent, we abide by state laws (like CCPA for Californians, as described) and good industry practices to protect your data.

Regardless of location, Gymflow maintains a high standard of data protection. We use encryption, access control, and other security measures globally. All our worldwide staff are trained on privacy duties and are obligated to protect data. If we transfer data, we do so in a manner that is transparent and compliant with law. Should any future data transfer framework (such as an EU–US agreement) come into effect, we will adopt it if applicable.

By using the Gymflow app or services, you acknowledge that your personal information will be transferred and stored as described, and consent to this transfer, where such consent is required. We understand this is a complex area – please feel free to contact us or your gym if you have specific questions about where your data is stored or how it’s protected across borders.


Data Security Measures

Gymflow employs robust security measures to ensure that your personal information remains protected while it’s in our care. We understand that as an end user, you trust not only your gym but also us to keep your data safe from unauthorized access or breaches. Here are key aspects of our security program:

  • Encryption: We use encryption technologies to protect personal data during transmission and at rest. When you use the Gymflow app or website, any personal data exchanged is encrypted using HTTPS/TLS (which secures data between your device and our servers). Sensitive data (like passwords and payment information) is additionally encrypted or tokenized in the database. For example, as mentioned, we do not store actual credit card numbers in plaintext – we use secure tokenization via payment processors.
  • Access Controls: Gymflow operates on a principle of least privilege. This means only those personnel who absolutely need access to personal data to perform their duties can access it, and even then only the minimum amount necessary. Gym staff (your gym’s employees) have access to your data through our platform’s user interface based on their role (for instance, a trainer might only see class attendee names, whereas an admin can see billing info). Within Gymflow’s company, our technical and support teams have controlled access to the database and are only allowed to use it for maintenance, support, or as otherwise required to provide the service. All access to production systems is logged and monitored.
  • Employee Training and Policies: All Gymflow employees and contractors with potential access to personal data undergo privacy and security training. We have internal policies in place to prevent misuse of data. For example, support engineers are trained not to view personal details unless necessary to resolve an issue, and never to share data externally.
  • Security Testing and Audits: We regularly test our platform for vulnerabilities. This includes internal code reviews, penetration testing by third-party security experts, and use of automated security scanning tools. We promptly address any findings to strengthen our security. We also comply with any security audit requirements that might be stipulated by laws or our enterprise clients.
  • Data Integrity and Availability: Beyond keeping data confidential, we also ensure it remains intact and available to your gym when needed. We maintain backups and have disaster recovery procedures so that your data is not lost. Our systems have redundancy and failover mechanisms to minimize downtime. In the event of any outage or issue, we have 24/7 processes to restore service quickly.
  • Third-Party Security: When we use sub-processors (third-party providers) as described earlier, we also vet their security practices. We choose industry-leading providers known for strong security. We have agreements that require them to maintain adequate protections. For example, our hosting providers are likely ISO 27001 or SOC 2 certified, meaning they meet internationally recognized security standards.
  • Incident Response: In the unlikely event of a data breach or security incident involving your personal data, Gymflow has a documented incident response plan. We will notify your gym without undue delay so that they, in turn, can inform you and any regulators if required. We will also take immediate steps to mitigate the issue and prevent further unauthorized access. Our aim is transparency and swift action in such situations, in line with our legal obligations under GDPR, CCPA, and other laws.

We continually update and refine our security measures as new technologies and threats emerge. While no system can be guaranteed 100% secure, we are committed to doing our utmost to protect your information. You also play a role in security: we encourage you to use a strong unique password for the Gymflow app, keep your login credentials confidential, and notify your gym or us if you suspect any unauthorized activity on your account.


Changes to This Policy

Gymflow may update this End User Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes, we will notify your gym in advance so they can inform you as needed, and we will post the updated policy with a new effective date. We may also provide an in-app notification or email to end users for significant changes, where required by law. We encourage you to review this policy periodically when using the Gymflow app to stay informed about how we protect your data. Your continued use of the Gymflow services after an update constitutes your acknowledgment of the revised policy. If you do not agree to any changes, you should stop using the app and contact your gym to discuss alternatives.

Contact Information

Gymflow is dedicated to protecting your privacy. If you have any questions, concerns, or requests regarding this End User Privacy Policy or how your data is handled in the Gymflow platform, please feel free to contact us. While your first point of contact for privacy matters as an end user will often be your gym, we are available to assist or handle inquiries as well. You can reach us at the relevant Gymflow entity below:

  • Gym Flow Ltd. – a company registered in England and Wales under company number 12109568, with its registered office at 483 Green Lanes, London, England, N13 4BS.
  • Gymflow USA, Inc. – a corporation organized under the laws of Delaware, USA, with an office at 1111B S Governors Ave STE 23249, Dover, DE 19904.
  • Gymflow AUS Pty Ltd. – an Australian proprietary limited company, with a registered office at 32 Clifford Street, Goulburn, NSW 2580, Australia.
  • Other Regions: If you are located outside of the UK, US, or Australia, Gym Flow Ltd. (UK) will be the entity responsible for your personal data, unless we have informed you otherwise.

When contacting us, please specify that you are an end user (gym member) and mention the gym or studio you are associated with, so we can quickly identify the relevant data. You can send us a letter at the appropriate address above. If you prefer email, you may send your inquiries to our support or privacy email (as provided on our website). We will respond as soon as possible.

If you feel that we have not adequately addressed your privacy questions or concerns, you have the right to seek further recourse. EU/UK individuals can contact their data protection authority, California residents can contact the California Attorney General or CPPA, and Australian individuals can reach out to the OAIC. However, we genuinely welcome the opportunity to work with you first to resolve any issue. Your privacy is important to us, and we are committed to ensuring your personal data is handled safely and lawfully.