Privacy, Compliance & Cookie Policy

    GymPoint LLC | gympoint.ai

    Effective Date: March 28, 2026

    Last Updated: March 28, 2026

    Governing Law: Louisiana, USA

    1. Overview & Scope

    This Privacy, Compliance, and Cookie Policy ("Policy") describes how GymPoint LLC ("GymPoint," "we," "us," or "our"), a Louisiana limited liability company, collects, uses, discloses, and safeguards information when you use our gym management software-as-a-service platform ("GymPoint Platform") available at gympoint.ai, as well as our marketing website, mobile applications, and related services (collectively, the "Services").

    This Policy applies to:

    • Gym Operators — businesses and individuals who create a GymPoint account to manage their facility.
    • Members & End Users — individuals whose data is processed through the platform (e.g., gym members, class participants).
    • Website Visitors — anyone who visits gympoint.ai or any GymPoint-operated web property.

    By accessing or using GymPoint Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, please discontinue use of our Services.

    Governing Law

    GymPoint LLC is incorporated and operated under the laws of the State of Louisiana, United States. This Policy is governed by and construed in accordance with applicable Louisiana and federal U.S. law, including but not limited to the provisions of the California Consumer Privacy Act (CCPA) where applicable, and with general data protection best practices aligned with international standards, including GDPR principles.

    2. Information We Collect

    Information You Provide Directly

    • Account Registration: Name, email address, phone number, business name, billing address.
    • Payment Information: Credit/debit card numbers, bank account details (processed securely via our payment partners — we do not store raw card data).
    • Gym Member Data (Operator-Submitted): Member names, contact information, membership tiers, check-in records, health waivers, emergency contacts, and photos — submitted by gym operators managing their members.
    • Communications: Support tickets, emails, chat messages, and feedback you send to us.
    • Profile & Preferences: Gym branding, class schedules, staff roles, and configuration settings.

    Information Collected Automatically

    • Usage Data: Pages visited, features used, time spent, click paths, and button interactions.
    • Device & Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution, and referral URL.
    • Log Data: Server access logs, error logs, and API request logs (retained for security and debugging).
    • Cookies & Tracking Technologies: See Section 8 for full details.

    Information from Third Parties

    • Payment Processors: Transaction status, partial card data (last 4 digits), and dispute information from our payment processing partners.
    • Authentication Providers: If you log in via a third-party provider (e.g., Google), we receive basic profile information such as name and email.
    • Analytics Partners: Aggregated behavioral data to help us understand platform usage patterns.

    3. How We Use Your Information

    Platform Operations

    • Provide, operate, and maintain the GymPoint SaaS platform and its features.
    • Process payments, subscriptions, and billing for gym operators.
    • Authenticate users and manage access controls.
    • Power the GymPoint AI Copilot ("Pulse") features using anonymized or aggregated data where applicable.

    Communications

    • Send transactional emails (receipts, account alerts, password resets).
    • Deliver product updates, feature announcements, and newsletters (you may opt out at any time).
    • Respond to support requests and customer inquiries.

    Improvement & Analytics

    • Analyze usage patterns to improve features and user experience.
    • Conduct internal research and A/B testing.
    • Monitor platform performance, uptime, and reliability.
    • Debug errors and resolve technical issues.

    Legal & Security

    • Detect, investigate, and prevent fraudulent transactions, unauthorized access, and abuse.
    • Comply with applicable laws, regulations, and legal processes.
    • Enforce our Terms of Service and other agreements.
    • Protect the rights, property, or safety of GymPoint, our customers, and the public.

    4. Data Sharing & Disclosure

    GymPoint does not sell your personal information. We do not share personal data with third parties for their own marketing purposes without your explicit consent. We may share information as follows:

    Service Providers & Subprocessors

    We engage trusted third-party vendors to help us deliver the Services, including cloud hosting, database providers, payment processors, email services, AI partners, and monitoring tools. These parties are contractually bound to use data only as instructed and to maintain appropriate security standards.

    Business Transfers

    In the event of a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction. You will be notified of any such change in ownership or control of your personal information.

    Legal Requirements

    We may disclose information if required by law, subpoena, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or comply with a judicial proceeding.

    5. Data Security

    GymPoint implements industry-standard technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction:

    • All data in transit is encrypted using TLS 1.2+.
    • Data at rest is encrypted using AES-256 or equivalent.
    • Access to production systems is restricted to authorized personnel with role-based access controls.
    • Payment data is handled by PCI-DSS compliant processors — GymPoint does not store raw cardholder data.
    • We conduct regular security audits and dependency reviews of our codebase.
    • Secrets and API keys are managed via environment variable management systems and are never exposed in application code.

    6. Data Retention

    We retain personal information for as long as necessary to fulfill the purposes outlined in this Policy, or as required by law:

    • Active account data: Duration of active subscription
    • Inactive accounts: Up to 24 months after last activity, then deleted or anonymized
    • Billing & transaction records: 7 years (legal and accounting obligation)
    • Support communications: Up to 3 years
    • Security & access logs: 90 days to 12 months depending on log type
    • Anonymized analytics: Indefinite (cannot identify individuals)

    7. Your Privacy Rights

    Depending on your location and applicable law, you may have rights with respect to your personal information including access, correction, deletion, and opting out of marketing communications.

    California Residents (CCPA)

    • Right to know what personal information is collected, used, shared, or sold.
    • Right to delete personal information (with certain exceptions).
    • Right to opt out of the sale or sharing of personal information (GymPoint does not sell personal data).
    • Right to non-discrimination for exercising privacy rights.
    • Right to limit the use of sensitive personal information.

    EEA / UK Residents (GDPR)

    • Right to data portability (receive your data in a structured, machine-readable format).
    • Right to restrict processing in certain circumstances.
    • Right to object to processing based on legitimate interests.
    • Right to withdraw consent at any time (without affecting the lawfulness of prior processing).
    • Right to lodge a complaint with your local supervisory authority.

    To exercise any of the above rights, contact us at privacy@gympoint.ai. We will respond to verifiable requests within 30 days of receipt.

    8. Cookie Policy

    GymPoint uses cookies and similar tracking technologies on our website and platform. This section explains what cookies are, what we use them for, and how you can manage your preferences.

    What Are Cookies?

    Cookies are small text files stored on your device by your web browser when you visit a website. They help websites remember your preferences, keep you logged in, and understand how you use the site. Similar technologies include web beacons, pixel tags, local storage, and session storage.

    Categories of Cookies We Use

    • Strictly Necessary: Core platform functionality — authentication sessions, CSRF protection, security tokens, and session state. Cannot be disabled without breaking core features.
    • Functional: Remember your preferences such as timezone, language, dashboard layout, and sidebar state across sessions.
    • Analytics: Understand how users interact with the platform — pages visited, feature adoption, and errors encountered. Data is aggregated and anonymized.
    • Marketing: Used on the gympoint.ai marketing website to track campaign performance and understand how visitors arrive. Not used inside the authenticated platform.

    Managing & Refusing Cookies

    • Browser Settings: Most browsers allow you to block or delete cookies through their settings menu. Note that disabling cookies may impact platform functionality.
    • In-Platform Preferences: A cookie consent banner is displayed on your first visit to gympoint.ai, allowing you to accept or decline non-essential categories. You can update your preferences at any time.
    • Opt-Out Tools: You may use the Network Advertising Initiative opt-out tool or your browser's "Do Not Track" signal where honored.

    9. Children's Privacy

    GymPoint is a business-facing SaaS platform intended for use by adults and business operators aged 18 and older. We do not knowingly collect personal information directly from children under the age of 13 (or the applicable age of digital consent in your jurisdiction).

    Gym operators who use GymPoint to manage youth programs are solely responsible for obtaining appropriate parental or guardian consent before inputting any personal information related to minors into the platform. GymPoint processes such data only as a data processor acting on the operator's instructions.

    If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly. Please contact us at privacy@gympoint.ai if you believe this has occurred.

    10. Changes to This Policy

    GymPoint LLC reserves the right to modify this Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

    • Update the Last Updated date at the top of this page.
    • Notify registered account holders via email at least 14 days before the changes take effect.
    • Display a prominent notice on the GymPoint platform or website where appropriate.

    Your continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the revised terms. We encourage you to review this Policy periodically.

    11. Contact Us

    For questions, concerns, or requests related to this Policy or your personal data, please contact GymPoint LLC through any of the following channels:

    Company: GymPoint LLC

    State of Incorporation: Louisiana, United States

    Website: gympoint.ai

    General Inquiries: hello@gympoint.ai

    Privacy Requests: privacy@gympoint.ai

    Security Reports: security@gympoint.ai

    We are committed to resolving privacy-related questions and concerns promptly. Response time for data subject requests is typically within 5–10 business days, and no later than 30 days as required by applicable law.

    © 2026 GymPoint LLC. All rights reserved.