← Back

Privacy Policy

Last updated: April 11, 2026

GymFlow CRM (“GymFlow,” “we,” “us,” or “our”) is committed to protecting the privacy of gym members, staff, and visitors whose information is processed through our platform. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

1. Data We Collect

When a gym uses GymFlow to manage its operations, the following categories of data may be collected:

  • Personal information: Name, email address, phone number, date of birth, emergency contact.
  • Membership information: Plan, status, join date, payment history, attendance records.
  • Biometric data: Facial geometry descriptors used for check-in (see Section 4 below).
  • Photos: Member avatar photos, uploaded voluntarily.
  • Device data: IP address, browser type, and device identifiers when using the platform.

2. How We Use Your Data

We use collected data solely to operate the GymFlow platform on behalf of the gym. Specifically:

  • To manage gym memberships, billing, and attendance.
  • To provide facial recognition check-in services.
  • To generate analytics and reports for gym operators.
  • To communicate with members on behalf of the gym (email, SMS).
  • To improve and maintain the platform.

We do not sell, lease, trade, or otherwise disclose your personal or biometric data to third parties for marketing, advertising, or any purpose unrelated to operating the gym.

3. Legal Basis for Processing

We process personal data based on: (a) your explicit consent (particularly for biometric data), (b) the performance of the membership agreement between you and the gym, and (c) the legitimate business interests of the gym operator.

4. Biometric Data Policy

GymFlow offers optional facial recognition check-in. When a member enrolls in this feature, we collect and store the following:

  • What we collect: A mathematical representation of facial geometry (a “face descriptor”), which is a 128-dimensional numerical vector derived from a photograph. This is not a photograph of your face — it is a set of numbers that cannot be reverse-engineered into an image.
  • How it is stored: Face descriptors are stored in our encrypted database, associated with the member's profile. Data is encrypted at rest and in transit.
  • How it is used: Solely for the purpose of automated member check-in and identity verification at the gym's physical location.
  • Who has access: Only the gym that enrolled the member and GymFlow's platform infrastructure. We do not share biometric data with any third party.
  • Consent: Biometric data is collected only after the member provides explicit written consent. Consent may be withdrawn at any time.

State-Specific Biometric Compliance

GymFlow is designed to comply with the following biometric privacy laws:

  • Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14: We obtain informed written consent before collecting biometric identifiers. We provide notice of the specific purpose and duration of collection. We do not sell, lease, trade, or otherwise profit from biometric data. Data is permanently destroyed within 30 days of membership termination or upon written request.
  • Texas Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code § 503.001: We do not capture biometric identifiers for commercial purposes without prior consent. We store, transmit, and protect biometric data using reasonable care and in a manner that is the same as or more protective than the manner in which we store other confidential information.
  • Washington My Health My Data Act, RCW 19.373: We provide clear notice of the categories of health data (including biometric data) we collect and the purpose of collection. We obtain consent before collection. We honor deletion requests within 30 days.

5. Data Retention

  • Biometric data: Permanently deleted no later than 30 days following membership termination, or immediately upon written request from the member.
  • Personal and membership data: Retained for the duration of the membership plus up to 3 years for legal and accounting purposes, unless the member requests earlier deletion.
  • Payment records: Retained as required by applicable tax and financial regulations.

6. Your Rights

You have the right to:

  • Request access to the personal and biometric data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your biometric data at any time.
  • Request deletion of your personal data (subject to legal retention requirements).
  • Withdraw consent for biometric data collection at any time.
  • Receive a copy of your data in a portable format.

To exercise any of these rights, contact us at privacy@gymflow.app. We will respond within 30 days.

7. Security

We implement industry-standard security measures including encryption at rest and in transit, access controls, and regular security reviews. Our database is hosted on SOC 2 compliant infrastructure.

8. Children's Privacy

GymFlow does not knowingly collect biometric data from children under 13 without verifiable parental consent. For members under 18, biometric consent must be provided by a parent or legal guardian.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to gym operators, who are responsible for notifying their members. The “Last updated” date at the top of this page reflects the most recent revision.

10. Contact Us

If you have questions about this Privacy Policy, your data, or your rights, contact us at:

GymFlow CRM

Email: privacy@gymflow.app