1. Who We Are
GymCRM ("we", "us", "our") is a gym management software platform built for Indian gym owners and fitness businesses. We operate at gymcrm.in.
This Privacy Policy explains how we collect, use, store, and share information when you use our platform — whether you are a gym owner, a staff member, or a gym member accessing the member portal.
Questions? Reach us on WhatsApp at +91 75410 04076 or email us at support@gymcrm.in.
2. Two Roles: Controller and Processor
For gym owners and staff — GymCRM is the Data Controller. We decide how your account information (name, email, phone, billing details) is processed.
For gym members — GymCRM is the Data Processor acting on behalf of the gym (the Data Controller). The gym is responsible for the lawful basis on which it collects and holds member data. We only process member data as instructed by the gym.
3. Data We Collect
Gym owners and staff
- Name, email address, and phone number
- Gym name, address, and business details
- Subscription and billing information (processed via Razorpay or Dodo)
- Payment method details (we do not store card numbers — payment processors handle these)
- Login activity and session information
Gym members (collected by the gym, processed by GymCRM)
- Name, email address, and phone number
- Date of birth and emergency contact information
- Profile photo (if uploaded)
- Membership plan, start/end dates, and renewal history
- Payment and invoice records
- Attendance and check-in history
- Class bookings
- Documents uploaded by the gym (waivers, ID copies, medical forms)
Automatically collected data
- Browser type, device type, and IP address
- Pages visited, features used, and session duration (via PostHog analytics)
- Error and crash reports (via Sentry)
4. Android App Permissions
The GymCRM Android app requests the following device permissions. Each permission is used solely for the core functionality described below and is never used to collect data beyond what is necessary.
- SEND_SMS — Used to send membership reminders, payment due alerts, and renewal notifications directly to gym members via SMS from the gym owner's device. SMS messages are only sent to members whose phone numbers are stored in the gym's own member database. We do not send marketing or promotional SMS to any third party.
- READ_PHONE_STATE — Used to detect the device's phone number so the gym owner does not have to manually enter it during onboarding, and to identify the device for session security purposes.
- CAMERA — Used to scan QR codes for member check-in and to capture member profile photos directly within the app.
- READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE — Used to allow gym owners to select profile photos and documents from their device gallery and to save exported reports (CSV, invoices) to their device.
- RECEIVE_BOOT_COMPLETED — Used to restart scheduled membership expiry and payment reminder notifications after the device reboots, so reminders are not lost.
- INTERNET — Required to sync member data, payments, and attendance records with the GymCRM cloud backend (Supabase).
You can revoke any permission at any time via Android Settings → Apps → GymCRM → Permissions. Revoking a permission will disable the related feature but will not affect other app functionality.
5. How We Use Your Data
- To create and manage your gym account and provide the GymCRM service
- To process subscription payments and send billing receipts
- To send transactional emails — renewal reminders, invoices, welcome messages (via Resend)
- To send WhatsApp notifications for membership renewals and alerts (via the Meta WhatsApp Business API, using your gym's connected number)
- To generate attendance reports, revenue summaries, and daily digests for gym owners
- To improve the platform — we analyse anonymised usage data to fix bugs and prioritise features
- To respond to support requests you send us
We do not use your data for advertising and we do not sell your data to any third party.
6. Data Storage and Security
All data is stored on Supabase with Row-Level Security (RLS) enabled. Every query is scoped to the authenticated user's gym — no gym can access another gym's data.
All data in transit is encrypted via HTTPS/TLS. Passwords are never stored in plain text. Sensitive credentials (Razorpay keys, WhatsApp tokens) are stored in encrypted environment variables and never exposed to the client.
While we take reasonable technical measures to protect your data, no system is completely secure. Please contact us immediately at support@gymcrm.in if you suspect unauthorised access.
7. Data Retention
- Active accounts — Data is retained for as long as the gym account remains active.
- After cancellation — We retain data for 30 days after subscription cancellation. You can export all your data (members, payments, invoices) as CSV during this window.
- After 30 days — Data is permanently deleted from our systems.
- Billing records — We may retain transaction records for up to 7 years as required under Indian tax and accounting laws.
8. Your Rights Under the DPDP Act 2023
Under India's Digital Personal Data Protection Act 2023, you have the following rights regarding your personal data:
- Right to access — Request a copy of the personal data we hold about you.
- Right to correction — Ask us to correct inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data (subject to legal retention obligations).
- Right to grievance redressal — Raise a complaint with our Grievance Officer (details below).
- Right to nominate — Nominate another individual to exercise your rights in the event of your death or incapacity.
Gym members wishing to exercise these rights should contact their gym directly, as the gym is the Data Controller for member data. Gym owners and staff should contact us directly.
9. Cookies
GymCRM uses cookies and similar technologies for authentication (keeping you logged in) and for analytics (understanding how the platform is used via PostHog). We do not use advertising or tracking cookies.
You can disable cookies in your browser settings, but this will prevent you from staying logged in to the platform.
10. Children's Privacy
GymCRM is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor's data has been submitted without appropriate consent, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered gym owners via email and update the "Last updated" date at the top of this page. Continued use of GymCRM after the effective date constitutes acceptance of the updated policy.
12. Grievance Officer
In accordance with the Information Technology Act 2000 and the DPDP Act 2023, you may contact our Grievance Officer for any data-related concerns:
Grievance Officer — GymCRM
Email: support@gymcrm.in
WhatsApp: +91 75410 04076
Response time: within 72 hours on business days