Privacy Policy

Last updated: December 1, 2025

This Privacy Policy is provided for general informational purposes only and does not constitute legal advice. You should consult your own legal counsel to ensure that this policy meets your specific regulatory and contractual requirements.

1. Introduction & Scope

This Privacy Policy explains how GymLeb (“we”, “us”, “our”) collects, uses, stores, and protects personal data when gym owners and staff use our platform (GymLeb Dashboard and admin interfaces), when gym members use the member portal and mobile applications, and when devices and gateways connected to GymLeb (for example, access control machines, GymLeb Gateway) process data for check-in and access control.

By using GymLeb, you agree to this Privacy Policy. If you do not agree, you must stop using the services.

2. Data We Collect

We may collect and process the following categories of data:

Identification & Contact Information: full name, email address, phone number, address or city/country (if provided), and profile photo (if uploaded).

Account & Membership Data: username and authentication identifiers, gym membership details (plans, start/end dates, freezes, cancellations), attendance history (check-ins/check-outs, classes attended, PT sessions), assigned trainers or staff, and member notes entered by the gym (for example, internal notes, preferences).

Biometric & Access Control Data (if enabled): biometric identifiers (for example, fingerprint templates, facial templates, card/tag IDs), access device identifiers (card number, key fob, etc.), and door access logs (time, device, granted/denied status). Where required by applicable law, biometric data is treated as special category data and is processed only with explicit consent or another valid legal basis and only for access-control purposes.

Payment & Billing Data: billing contact information, subscription details (plan, price, billing cycle), partial payment information (for example, last 4 digits of card, card brand) depending on the payment provider, and payment status, invoices, and transaction history. We do not store full credit card numbers or CVV; payment data is processed by third-party payment processors compliant with PCI-DSS.

Technical & Usage Data: IP address, device information (device type, operating system, browser type, app version), log data (timestamps, pages visited, actions taken, error logs), session identifiers and authentication tokens, and approximate location based on IP where allowed.

Communication Data: support tickets, emails or in-app messages, notification preferences, and feedback or surveys (if submitted).

3. How We Use Your Data

We use personal data for the following purposes:

To create and manage user accounts (gym admins, staff, and members).

To provide the core GymLeb services, including membership management, check-ins and access control, PT session scheduling and tracking, and member portal access.

To synchronize data between local devices (for example, fingerprint readers, access terminals) and our cloud backend.

To process payments and subscriptions for gyms and, where applicable, for members.

To communicate with users (service notifications, password resets, critical updates).

To provide customer support and resolve issues.

To perform analytics and service improvement using aggregated or pseudonymized data where possible.

To enforce our Terms of Service, prevent fraud, abuse, or security incidents, and to comply with legal obligations and respond to lawful requests from authorities.

We will not use your data for purposes that are materially different from those described here without informing you and, where required, obtaining your consent.

4. Legal Basis for Processing

Where applicable (for example, in the European Economic Area, UK, or other jurisdictions with similar laws), we process personal data based on one or more of the following legal grounds:

Performance of a contract: to provide GymLeb services to gyms and their members.

Legitimate interests: to maintain and improve our services, secure our systems, and support normal business operations, provided those interests are not overridden by your rights.

Consent: particularly for biometric data, certain marketing communications, and cookie-based tracking where required. You may withdraw consent at any time, without affecting the lawfulness of prior processing.

Compliance with legal obligations: to meet accounting, tax, anti-fraud, and other legal requirements.

5. Payment & Billing Information

Payments related to GymLeb subscriptions or integrated services are typically processed by third-party payment providers.

We do not store full payment card details on our own servers. We receive and store limited payment metadata (for example, payment status, transaction ID, plan details, partial card information) that is used for billing history and support.

These processors handle your payment information according to their own privacy and security policies and are generally required to comply with PCI-DSS or similar industry standards.

Where a gym manages offline payments (cash, bank transfer, etc.), GymLeb may store payment records but not bank credentials unless explicitly provided by the gym for documentation purposes.

6. Biometric Data & Access Devices

Where gyms use biometric or access control devices integrated with GymLeb (for example, fingerprint scanners, access cards):

Biometric data (such as fingerprints or facial templates) may be captured and stored either on the device, a local gateway, or in encrypted form in our systems, depending on the specific integration.

This data is used solely for identity verification and access control, such as to grant or deny entry to the gym.

We do not use biometric data for marketing, profiling, or unrelated analytics.

Where required by law, we obtain explicit consent from the data subject (member) before processing biometric data.

Biometric data is retained only as long as necessary for access-control purposes or until the membership is terminated and applicable retention periods expire.

If a gym disables or does not use biometric features, GymLeb may rely on non-biometric identifiers, such as card IDs, PIN codes, or QR codes.

7. Device & Gateway Sync (GymLeb Gateway)

Some gyms may use a local gateway (for example, a small server or device) that synchronizes with the GymLeb cloud:

The gateway temporarily stores member identifiers, access permissions, and logs to allow offline operation when internet connectivity is lost.

When connectivity is available, the gateway syncs changes (new members, expired memberships, access logs, etc.) to the cloud backend.

Access logs may include: member ID, device ID, timestamp, and access result (granted/denied).

Data stored on the gateway is protected with reasonable technical and organizational measures, such as restricted network access, authentication, and encryption where feasible.

If the gym stops using GymLeb, the gateway should be wiped or reset according to our offboarding instructions so that local data is removed.

8. Data Sharing & Third Parties

We do not sell personal data.

We may share personal data with the following categories of recipients:

Gym owners and authorized staff: member information related to their gym (registrations, attendance, subscription status, PT sessions, payments, etc.).

Service providers and subprocessors who help us operate GymLeb, such as hosting providers and cloud infrastructure, payment processors, email/SMS/push notification providers, analytics and monitoring services, and support and ticketing tools.

Device vendors or integrators where data may flow through or be stored on devices or vendor platforms integrated with GymLeb.

Professional advisors, such as legal, accounting, or consulting firms, under confidentiality obligations.

Authorities and regulators where required by law or necessary to protect our rights, users, or others.

We require third parties to process personal data only for specified purposes and in accordance with contractual and legal obligations, including appropriate data protection and security measures.

9. Cookies & Mobile Identifiers

We may use cookies and similar technologies on our website and web applications for authentication and session management, security and fraud prevention, remembering preferences, and basic analytics and performance monitoring.

Where required by law, we will ask for your consent before setting non-essential cookies and will provide tools to manage your preferences.

In the mobile apps, we may use secure storage for access tokens or session data, device identifiers to improve security and prevent abuse, and optional analytics SDKs (where enabled) to understand app performance and errors. You can control some tracking settings via your device’s system settings.

10. Data Storage & Security

We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration, including use of reputable cloud providers with strong security practices, access controls and authentication for staff and admins, encryption in transit (HTTPS/TLS) and, where appropriate, encryption at rest, regular software updates and security patches, logging and monitoring of critical systems, and internal policies for handling personal data.

No system is 100% secure. However, we take reasonable steps to reduce risks and respond to incidents. In the event of a data breach affecting personal data, we will notify affected parties and regulators where required by applicable law.

11. Data Retention & Deletion

We retain personal data only for as long as necessary to provide GymLeb services, fulfill the purposes described in this policy, comply with legal, accounting, or reporting obligations, and resolve disputes and enforce our agreements.

Membership and attendance records are typically retained while the membership is active and for a reasonable period afterward in line with local regulations or gym policies.

Biometric data (where applicable) is retained only while access control is in use and membership is active, and is deleted or irreversibly anonymized when no longer needed or when legally required.

Payment records are retained according to tax and financial regulations.

Upon request from a gym or, where applicable, directly from a member, we will delete or anonymize personal data, subject to legal and contractual constraints.

12. User Rights

Depending on your location and local law (for example, GDPR in the EU/EEA, UK GDPR, some US state laws), you may have some or all of the following rights with respect to your personal data: right of access, right to rectification, right to erasure (“right to be forgotten”), right to restriction of processing, right to data portability, right to object, and right to withdraw consent.

For end users (gym members), many requests should be directed first to your gym, which acts as the primary controller of your membership data in relation to your gym. We support gyms in responding to such requests and will handle direct requests as appropriate.

To exercise your rights, use the contact details in the Contact Information section below. We may need to verify your identity before fulfilling your request.

13. Gym Owner Responsibilities

GymLeb is typically provided as a B2B service to gyms and fitness businesses. In many cases, GymLeb acts as a processor for member data on behalf of the gym, which acts as a controller under applicable data protection laws.

Gyms are responsible for providing their own privacy notices to members, ensuring they have a lawful basis for collecting and uploading member data to GymLeb, managing consent for biometric data, marketing, or other local requirements, and handling data subject requests from their members and informing us where our assistance is required.

Where GymLeb acts as an independent controller for certain data (for example, its own admin accounts, platform analytics, billing for gyms), this will be clearly indicated by our contractual documents and this policy.

14. International Data Transfers

Our services may involve transferring, storing, or processing personal data in countries other than the country where the data was originally collected. This may include hosting on servers in another country or using third-party providers located globally.

Where required by law, we implement appropriate safeguards for international data transfers, such as Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognized transfer mechanisms.

By using GymLeb, you acknowledge that your data may be processed in countries with different data protection rules, but we will take steps to protect your information in line with this policy and applicable laws.

15. Children’s Data

Gyms may register members who are minors, depending on their own policies and local laws. It is the responsibility of the gym to ensure that parental or guardian consent is obtained where required for processing minors’ personal data.

GymLeb processes such data only as necessary to provide the services and under the instructions of the gym. We do not knowingly offer direct services to children without the involvement of a gym or responsible adult.

If you believe we have collected personal data directly from a child in violation of applicable law, please contact us so we can investigate and take appropriate action.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services and features, legal or regulatory updates, or security and operational improvements.

When we make material changes, we will notify gyms and, where appropriate, end users via email, in-app notification, or a prominent notice on our website or portals.

The “Last updated” date at the top of this page indicates the latest revision. Continued use of GymLeb after changes become effective constitutes acceptance of the updated policy.

17. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact us at:

GymLeb – Privacy & Data Protection

Email: ajaxity2@gmail.com

Website: https://www.gym-leb.com

Where required by local law, you may also have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first so we can try to resolve any concerns.