Privacy Policy

1. Introduction

Welcome to ClearGym. We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our gym management platform.

ClearGym is a SaaS platform that enables gym owners to manage their facilities, members, payments, and communications. We process personal data on behalf of gym operators (our customers) and for members of those gyms.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, phone number, and password when you register
• Organization Information: Gym name, address, contact details, and business information
• Payment Information: Payment details processed securely through Stripe (we do not store full card details)
• Member Health Data: PAR-Q responses, medical conditions, and liability waiver signatures (encrypted using AES-256-CBC)
• Communications: Messages, emails, and support requests you send to us

2.2 Automatically Collected Information

• Usage Data: Pages visited, features used, time spent, and interaction patterns
• Device Information: IP address, browser type, operating system, and device identifiers
• Cookies: Session cookies for authentication and functionality (see Section 7)

3. How We Use Your Information

We use collected information for:

• Service Delivery: Providing and maintaining the ClearGym platform
• Payment Processing: Processing platform subscriptions and member payments via Stripe
• Communications: Sending transactional emails, notifications, and support responses
• Security: Protecting against fraud, unauthorized access, and security threats
• Compliance: Meeting legal obligations including GDPR, data protection laws, and tax requirements
• Service Improvement: Analyzing usage patterns to improve features and user experience
• Marketing: Sending promotional emails (with your consent, which you can withdraw anytime)

4. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All sensitive medical data is encrypted using AES-256-CBC encryption
• Secure Transmission: All data transmitted over HTTPS/TLS protocols
• Access Controls: Role-based access controls limit data access to authorized personnel only
• Database Security: PostgreSQL databases with encrypted connections and regular backups
• Payment Security: PCI-DSS compliant payment processing via Stripe
• Infrastructure: Hosted on secure cloud infrastructure with regular security updates

5. Data Sharing and Disclosure

We do not sell your personal data. We share data only in the following circumstances:

• Service Providers: Stripe (payment processing), email service providers, and hosting infrastructure
• Legal Requirements: When required by law, court order, or regulatory authority
• Business Transfers: In the event of a merger, acquisition, or sale of assets (with notice to you)
• With Your Consent: When you explicitly authorize us to share your information

6. Your Data Rights (GDPR)

Under GDPR and UK data protection laws, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restriction: Limit how we use your data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing for direct marketing or legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)

To exercise these rights, please contact us at [email protected]. We will respond within 30 days.

7. Cookies and Tracking

We use cookies for:

• Essential Cookies: Required for authentication and platform functionality (cannot be disabled)
• Session Management: Maintaining your logged-in state securely
• CSRF Protection: Preventing cross-site request forgery attacks

You can control cookies through your browser settings, but disabling essential cookies may affect platform functionality.

8. Data Retention

We retain your data for as long as necessary to provide our services and comply with legal obligations:

• Account Data: Retained while your account is active
• Financial Records: Retained for 7 years for tax and accounting purposes
• Medical Data: Retained per GDPR requirements and gym liability needs (typically 7 years after last attendance)
• Backups: Deleted data may remain in backups for up to 90 days

Upon account deletion, we will delete or anonymize your data within 90 days, except where retention is required by law.

9. Third-Party Services

We integrate with third-party services that have their own privacy policies:

• Stripe: Payment processing and Connect accounts (Stripe Privacy Policy)
• Email Service Providers: Transactional and marketing email delivery

We encourage you to review the privacy policies of these third parties.

10. International Data Transfers

Your data may be transferred to and processed in countries outside the UK/EEA. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the EU Commission
• Processing within jurisdictions with adequate data protection laws
• Encryption and security measures during transfer and storage

11. Children's Privacy

ClearGym is not intended for children under 16. We do not knowingly collect data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately.

For gym members under 18, parental consent must be obtained by the gym operator before processing personal data.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on this page with a new "Last updated" date
• Sending an email notification to registered users
• Displaying an in-app notification upon login

Continued use of ClearGym after changes indicates acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

• Email: [email protected]
• Support: [email protected]
• Data Protection Officer: [email protected]

14. Supervisory Authority

If you are located in the UK/EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

• UK: Information Commissioner's Office (ICO) - ico.org.uk