Privacy Policy

1. Introduction

GymSupervise (“GymSupervise”, “we”, “us”, “our”) provides a mobile application for iPhone and iPad that helps gym owners, managers and staff run the day-to-day operations of their gym (the “Service”).

This Privacy Policy describes how we collect, use, disclose and protect personal information when you create an account, use the Service, or visit our website at gymsupervise.com.

By using GymSupervise you agree to this policy. If you do not agree, please do not use the Service.

2. Who is the data controller

For information about you (the gym operator who creates an account), GymSupervise is the data controller. You can reach us at graburapps@gmail.com.

For information about your gym's members, classes, transactions and other operational records that you enter into GymSupervise, you (the gym) are the data controller and GymSupervise acts as a data processor on your behalf. A data processing addendum is available on request.

3. Information we collect

3.1 Account information

When you sign up with email, Sign in with Apple or Sign in with Google, we collect:

• Your name (display name)
• Your email address
• An account password hash (only for email/password sign-up; we never store the plain password)
• An optional profile photo
• An optional phone number
• The authentication provider you used (Apple, Google or email)
• Authentication tokens issued by the provider

3.2 Gym & operational data you enter

As part of running your gym, you enter information about your business and your members, such as:

• Gym name, currency, timezone, language, logo, invoice / company billing details
• Member records — name, email, phone, gender, member code, optional profile photo, notes, marketing opt-in preferences
• Membership plans, prices, durations, session balances
• Transactions — amount, payment method, status, discount codes used
• Classes & programs, schedules, coaches, capacity, registrations, attendance
• Staff records — name, email, phone, role, permissions, salary type / amount
• Expenses, products and inventory
• Communication campaigns and member opt-in / opt-out preferences

This data is stored in a per-gym workspace and is only accessible to the owner and the staff that the owner has explicitly granted access.

3.3 Device permissions used by the app

The GymSupervise mobile app uses the following device permissions, only when you choose to use the feature:

• Camera — to take a member profile photo (only when you tap to take one).
• Photo Library — to pick a member profile photo (only when you tap to select one).

GymSupervise does not request location, contacts, calendar, microphone, biometric (Face ID / Touch ID) or health permissions.

3.4 Diagnostic & usage information

To keep GymSupervise reliable and secure, we collect limited diagnostic information:

• Firebase Analytics — anonymous app usage events (for example: app configured, deep link opened, user engagement signals built into Firebase). When you are signed in we associate these events with your user ID and your default gym ID so that we can debug account-specific issues.
• Sentry — crash diagnostics and unhandled errors. Reports may include your user ID, email, display name, role, default gym ID, the device model, OS version, and a stack trace. We never send passwords, authentication tokens, payment card numbers or full document payloads to Sentry.

3.5 Information we do not collect

• We do not collect health, biometric or fitness data from your members.
• We do not collect location data.
• We do not process payment card numbers (no card data is stored on our systems).
• We do not use third-party advertising SDKs and do not run ads inside the app.

4. How we use information

• To create and operate your account and your gym workspace.
• To authenticate you and keep your account secure.
• To synchronise the data you enter across your devices.
• To diagnose crashes and improve the reliability of the Service.
• To prevent fraud, abuse and unauthorised access.
• To respond to your support requests.
• To send essential service notifications (for example: account changes, deletion confirmations).
• To comply with applicable laws.

We do not sell your personal information. We do not use your personal information for behavioural advertising.

5. Legal bases for processing (GDPR & UK-DPA)

• Performance of a contract — to deliver the Service to you under our Terms & Conditions.
• Legitimate interest — to keep the Service secure, prevent fraud, fix bugs and improve quality.
• Consent — for any optional analytics or marketing communications that we ask you to opt into.
• Legal obligation — to comply with applicable laws, tax requirements and lawful requests from authorities.

6. Sharing & sub-processors

We do not sell personal information. We share information only with the service providers (“sub-processors”) we need to run the Service:

• Google LLC (Firebase) — authentication, database (Cloud Firestore), serverless functions, file storage, analytics and crash reporting. Data is stored in Google Cloud regions and protected under the Google Cloud Data Processing Addendum. See Firebase's privacy & security.
• Apple Inc. — when you choose Sign in with Apple. See Apple's privacy policy.
• Google LLC (Google Sign-In) — when you choose Sign in with Google. See Google's privacy policy.
• Functional Software, Inc. d/b/a Sentry — crash reporting and error monitoring. See Sentry's privacy policy.

We may also disclose information when required by law, to enforce our Terms, or to protect the rights, property or safety of users and the public.

7. International data transfers

Our sub-processors may store and process data in countries outside your country of residence, including the United States. Where transfers occur from the European Economic Area, the United Kingdom or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum.

8. How long we keep your data

• We keep your account and gym data for as long as your account is active.
• If you delete your account, we honour a 30-day cancellable grace period (see Account deletion) and then permanently delete your personal data and your gym data.
• Soft-deleted records (members, transactions, etc.) are retained inside your gym workspace until you permanently delete them or until your account is deleted.
• Diagnostic data (crash reports, analytics events) is retained according to the sub-processor's standard retention policy and is regularly purged.
• We may retain limited information for longer where required by law (for example, tax records).

9. Your rights (GDPR / UK-DPA)

If you are in the European Economic Area, the United Kingdom or Switzerland, you have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete personal information.
• Have your personal information deleted (subject to legal retention obligations).
• Restrict or object to certain processing.
• Receive a copy of your information in a portable format.
• Withdraw consent at any time, without affecting the lawfulness of prior processing.
• Lodge a complaint with your local data protection authority.

To exercise any right, email graburapps@gmail.comor use the in-app “Delete account” flow. We respond within 30 days.

10. California rights (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose and share.
• Delete personal information we have collected about you.
• Correct inaccurate personal information.
• Opt out of the sale or sharing of personal information. GymSupervise does not sell or share personal information for cross-context behavioural advertising.
• Limit the use of sensitive personal information.
• Not be discriminated against for exercising any of these rights.

To exercise these rights, email graburapps@gmail.com.

11. Data security

We protect your data with industry-standard measures:

• All communication between the app and our backend is encrypted with TLS.
• Data is encrypted at rest in Google Cloud.
• Firebase Security Rules enforce strict per-gym access: no user can read or write another gym's data.
• Sensitive actions are gated by Cloud Functions that re-verify authorisation server-side.
• Profile photos are stored in private storage and are only accessible to authorised staff of your gym.
• Firebase App Check is used to verify that requests come from our legitimate app.
• Sentry is configured to never receive passwords, tokens or full payment data.

No system is 100% secure. If we ever become aware of a security incident affecting your personal data, we will notify you promptly and in accordance with applicable law.

12. Children

GymSupervise is a tool for gym operators (business users). It is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us at graburapps@gmail.com and we will delete it.

13. Push notifications

GymSupervise currently does not send push notifications. If we add push notifications in the future, we will update this policy and ask for your permission inside the app before sending any.

14. Cookies & web tracking on this site

The gymsupervise.com marketing website is static and does not set tracking cookies. We do not use third-party analytics or advertising scripts on this site. If we add an analytics tool in the future we will update this section and, where required, present a consent banner.

15. Marketing communications

GymSupervise includes tools that let gym operators send communications to their own members. The gym operator is the data controller of those communications and is responsible for collecting valid consent and honouring opt-outs. GymSupervise stores the opt-in / opt-out preference on each member record and is the processor for that data.

Separately, GymSupervise may send essential service emails to you (the account holder) about your account, security, and material changes to the Service. We will only send you marketing or product-update emails after you opt in.

16. Account deletion

You can delete your account at any time from inside the GymSupervise app (Settings → Account → Delete account). When you submit a deletion request:

• You are signed out of the app immediately.
• Your account enters a 30-day grace period. During this time you can sign back in and cancel the deletion if you change your mind.
• After 30 days, your account, your gym(s) and all related data — members, memberships, transactions, classes, attendance, staff, expenses, products, photos in Storage — are permanently deleted from our systems.
• If you were the owner of a gym, that entire gym workspace is removed. Staff accounts that have no other gym affiliation are also deleted.

This process complies with Apple's App Store Review Guideline 5.1.1(v) on in-app account deletion.

You can also request deletion at any time by emailing graburapps@gmail.com.

17. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Effective date” at the top of this page. If the changes are material we will notify you inside the app or by email before they take effect. Continued use of the Service after the changes take effect means you accept the updated policy.

18. How to contact us

For any privacy question, request or complaint, contact:

• GymSupervise
• Email: graburapps@gmail.com
• Website: gymsupervise.com