Skip to content

GymBuddy legal

Privacy Policy

Effective date: July 8, 2026.

This Privacy Policy explains how GymBuddy handles personal information and operational gym data in the GymBuddy mobile app and web portal. It is written for the actual GymBuddy implementation: Supabase authentication and database, gym-scoped member/trainer/owner workflows, Razorpay payments, Firebase Cloud Messaging push notifications, Twilio phone OTP verification, optional Google sign-in, and media uploads for gym and community features.

GymBuddy does not sell personal information. We use data to operate the app, secure accounts, process gym workflows, support payments, send relevant notifications, and comply with law.

Who this policy covers

This policy covers members, trainers, gym owners, super administrators, website visitors, and anyone who contacts GymBuddy support. A gym owner or trainer may also enter member information into GymBuddy to operate the gym. In those cases, the gym is responsible for having authority to add and manage that member information.

Information we collect

  • Account and profile information: name, email address, phone number, role, avatar URL, gym code, gym affiliation, account approval status, phone verification status, and authentication identifiers.
  • Gym operations data: gym name, gym code, owner profile, address, timings, facilities, capacity, rules, support preferences, subscription status, offers, products, membership pricing, and gym gallery images.
  • Member and trainer records: member/trainer names, contact details, joined date, approval status, assigned trainer, membership status, diet preference, and active/inactive status.
  • Attendance and training data: attendance logs, notes, workout plans, workout logs, diet plans, plan templates, plan assignments, plan date ranges, and plan progress information.
  • Payments and commerce data: membership plan purchases, product orders, payment orders, payment status, payment method category, Razorpay order/payment IDs, transaction verification details, refund status, and accounting notes. GymBuddy does not store full card numbers, CVV, UPI PINs, or net-banking credentials.
  • Community and support content: posts, comments, likes, uploaded photos/videos, link previews, feedback tickets, complaint/suggestion category, ticket status, and support messages.
  • Device and notification data: Firebase Cloud Messaging device token, platform, app version where available, last seen time, in-app notification records, unread/read status, and notification routing data.
  • Permission-based data: optional camera/photo library access for gym gallery, products, offers, and community media; optional location access for gym owners to auto-fill gym map/location details; notification permission for push alerts.
  • Technical and security data: session state, authentication events, server logs, request metadata, diagnostics needed to protect the service, and local cache data stored on the device for login/session continuity.

Permissions GymBuddy uses

  • Internet access is required for login, Supabase data sync, payments, media upload, and notifications.
  • Location is requested only when a gym owner uses location-assisted gym profile/map setup. GymBuddy does not use background location tracking.
  • Camera and photo library access are requested only when a user chooses to capture or upload gym, product, offer, or community media.
  • Push notification permission is used to send app-related alerts such as approvals, attendance, plan assignments, membership updates, support updates, community activity, and payment status.
  • GymBuddy does not request contacts, SMS inbox, call logs, microphone recording, health platform permissions, or advertising ID permissions in the current implementation.

How we use information

  • Create, authenticate, verify, and secure user accounts.
  • Route users to the correct role workspace: member, trainer, owner, or super administrator.
  • Operate gym workflows including approvals, attendance, memberships, trainer assignment, plans, diet, workouts, reports, products, offers, and support tickets.
  • Process payments through Razorpay and record payment outcomes in gym ledgers.
  • Send OTPs, transactional emails or SMS, in-app notifications, and push notifications related to the service.
  • Host and display uploaded images/videos where users choose to upload them.
  • Prevent abuse, debug issues, maintain security, and comply with legal or regulatory obligations.
  • Improve product reliability and support quality based on operational signals and user reports.

How information is shared

  • Within a gym: owners and authorized trainers can see data needed to operate their gym, such as assigned members, attendance, memberships, plans, and support tickets. Members can see their own plans, membership, payment status, gym information, and community content available to their gym.
  • With service providers: GymBuddy uses Supabase for authentication, database, storage, edge functions, and realtime features; Razorpay for payment checkout and verification; Firebase Cloud Messaging for push delivery; Twilio for phone OTP verification; and Google sign-in where users choose that login method.
  • With payment processors and banking partners: payment identifiers and transaction details are shared as necessary to initiate, verify, settle, refund, or investigate transactions.
  • With legal authorities or advisors when required by law, to enforce terms, to protect users, or to respond to lawful requests.
  • During a business transfer, restructuring, or acquisition, subject to appropriate confidentiality and user notice where required.

Data storage and security

GymBuddy stores application data in Supabase with role-based access controls and row-level security policies. Data is transmitted using HTTPS/TLS. Payment credentials are handled by Razorpay and are not stored by GymBuddy. Access to operational data is restricted by role and gym membership. No system can be guaranteed perfectly secure, but GymBuddy uses reasonable technical and organizational measures to protect user data.

Retention

We retain account and operational data while the account or gym workspace remains active. We may retain limited records after deletion where required for payment reconciliation, tax, accounting, fraud prevention, dispute handling, security, or legal compliance. Community content may be deleted, anonymized, or retained in limited form if needed to preserve audit trails, enforce guidelines, or protect other users.

Your choices and rights

  • You can update certain profile and gym details in the app or portal depending on your role.
  • You can disable push notifications in your device settings.
  • You can deny camera, photo, or location permissions; affected upload or location-assisted features may not work.
  • You can request access, correction, export, deletion, or restriction of your personal information by contacting support.
  • For account or data deletion, use the Account Deletion page or email support@gymsbuddy.org.

Children

GymBuddy is designed for gyms and their members, trainers, and staff. It is not directed to children under 13. If a gym adds a minor member, the gym is responsible for obtaining any required parental or guardian consent and for using GymBuddy lawfully.

International processing

Service providers may process data in countries other than where a user lives. Where required, GymBuddy relies on appropriate contractual, operational, and security measures for such processing.

Contact

Questions, privacy requests, security concerns, and deletion requests can be sent to support@gymsbuddy.org. Include the email/phone number used for GymBuddy, your role, gym name or gym code if available, and the request type.