GymBuddy legal
Security Policy
Effective date: July 8, 2026.
GymBuddy protects gym and user data through role-based access, secure transport, controlled service providers, and payment-provider handling of sensitive payment credentials.
Security controls
- HTTPS/TLS for network communication.
- Supabase authentication and row-level security policies for gym-scoped access.
- Role boundaries for members, trainers, owners, and super administrators.
- Payment credential handling by Razorpay; GymBuddy stores transaction identifiers and payment status, not full card/UPI credentials.
- Firebase Cloud Messaging tokens are used only for push delivery and are removable on logout/account deletion.
- Operational logs and security records are used for abuse prevention, diagnostics, and compliance.
Responsible disclosure
Report suspected vulnerabilities to support@gymsbuddy.org with the subject “Security report”. Include affected feature, steps to reproduce, impact, screenshots/logs if safe, and your contact information. Do not access, modify, download, or disclose data that does not belong to you. We will acknowledge reports and prioritize issues based on severity.
User security responsibilities
- Keep your email/phone and device secure.
- Do not share OTPs or login sessions.
- Gym owners should remove staff access when staff leave.
- Report suspicious activity promptly.