⚠ This document is provided as a template and should be reviewed by a qualified attorney before use.

Privacy Policy

Last updated: April 2026

Leighds LLC ("Company," "we," "us," or "our"), operating as Better Gym Management, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at bettergms.com and related subdomains (the "Service").

This policy applies to gym owners who subscribe to the Service ("Gym Operators"), staff members with accounts, and gym members whose data is processed through the Service ("End Users").

Table of Contents
  1. Information We Collect
  2. How We Collect Information
  3. How We Use Information
  4. Data Sharing & Third Parties
  5. Multi-Tenant Data Isolation
  6. Data Retention
  7. Data Security
  8. Your Rights
  9. Children's Privacy
  10. Cookies & Local Storage
  11. California Privacy Rights
  12. Changes to This Policy
  13. Contact Information

Section 1

Information We Collect

Personal Information (Gym Operators & Staff):

  • Full name, email address, and phone number
  • Business name and address
  • Login credentials (username and hashed password)
  • Payment information for subscription billing

Member Information (End Users, collected by Gym Operators through the Service):

  • Full name, email address, and phone number
  • Date of birth and physical address
  • Emergency contact information
  • Payment information (credit card or bank account details, processed via Stripe)
  • Photographs (member profile photos)
  • Electronic signatures
  • Membership and billing history
  • Check-in records

Usage Data (collected automatically):

  • IP address, browser type, and operating system
  • Pages visited, features used, and time spent on the Service
  • Device identifiers and screen resolution
  • Referring URLs and search terms that led you to our site

Section 2

How We Collect Information

We collect information through the following methods:

  • Directly from you: When you create an account, set up your gym, enroll members, process transactions, or contact us for support.
  • Automatically: When you access the Service, we automatically collect certain technical and usage data through server logs.
  • From payment processors: Stripe provides us with transaction confirmations, subscription statuses, and limited payment details (such as the last four digits of a card number) necessary to display billing information within the Service.
  • From communication providers: Twilio (SMS) and Resend (email) may provide delivery status information for messages sent through the Service.

Section 3

How We Use Information

We use the information we collect to:

  • Provide and maintain the Service: Operate the platform, manage accounts, process member enrollments, and facilitate check-ins.
  • Process payments: Charge subscription fees, process member payments via Stripe, and manage billing records.
  • Send communications: Deliver transactional messages (payment receipts, failed payment notices, welcome emails), system notifications, and account-related updates.
  • Improve the platform: Analyze usage patterns to identify bugs, improve features, and enhance the user experience.
  • Ensure security: Detect and prevent fraud, unauthorized access, and other harmful activities.
  • Comply with legal obligations: Respond to legal requests and fulfill regulatory requirements.
  • Provide support: Respond to your inquiries, troubleshoot issues, and provide technical assistance.

We do not use member data for advertising purposes. We do not sell personal information to third parties.

Section 4

Data Sharing & Third Parties

We share data only with the following third-party service providers, solely to operate the Service:

  • Stripe (stripe.com) — Payment processing for subscriptions and member transactions. Stripe receives payment card details, bank account information, and billing addresses. Stripe's privacy policy governs their handling of payment data.
  • Twilio (twilio.com) — SMS messaging for member notifications. Twilio receives phone numbers and message content.
  • Resend (resend.com) — Email delivery for transactional emails (receipts, notifications, welcome messages). Resend receives email addresses and message content.
  • Vercel (vercel.com) — Application hosting and deployment. Vercel processes web requests and may log IP addresses and request metadata.
  • Supabase (supabase.com) — Database hosting (PostgreSQL). All application data is stored in Supabase-managed databases with encryption at rest.

We do not sell, rent, or trade your personal information to any third party.

We may disclose information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Section 5

Multi-Tenant Data Isolation

Better Gym Management uses a multi-tenant architecture where each gym operates within its own isolated data environment. This means:

  • Each gym's data (members, billing, check-ins, contracts, POS transactions) is tagged with a unique tenant identifier and is only accessible to that gym's authorized staff.
  • No gym can view, access, or modify another gym's data through the Service.
  • Database queries are filtered by tenant at the application level, and row-level security policies are enforced at the database level.
  • Staff accounts are scoped to their gym's tenant and cannot access data outside their organization.

Leighds LLC personnel may access data across tenants solely for the purpose of providing technical support, investigating reported issues, or complying with legal obligations. Such access is logged and restricted to authorized personnel.

Section 6

Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

  • Active accounts: All data is retained for the duration of your subscription.
  • Cancelled accounts: After cancellation, data is retained for 30 days to allow for account reactivation or data export. After 30 days, data is permanently deleted.
  • Deletion requests: You may request deletion of your data at any time by contacting us. We will process deletion requests within 30 days, subject to legal retention requirements.
  • Backups: Data may persist in encrypted backups for up to 90 days after deletion from the live system.
  • Legal obligations: We may retain certain data longer if required by law (e.g., financial records for tax purposes).

Section 7

Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
  • Encryption at rest: Database storage is encrypted at the infrastructure level by our database provider (Supabase).
  • Password hashing: All passwords are hashed using bcrypt before storage. We never store passwords in plain text.
  • Authentication: Access to the Service is secured through JWT (JSON Web Token) based authentication with token expiration.
  • Tenant isolation: Row-level security policies prevent cross-tenant data access at the database level.
  • Payment security: We do not store full credit card numbers or bank account details. Payment information is handled directly by Stripe, which is PCI-DSS Level 1 certified.

While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

Section 8

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Data Portability: Request your data in a structured, commonly used, machine-readable format (CSV or JSON).
  • Restriction: Request that we restrict processing of your data under certain circumstances.
  • Objection: Object to processing of your personal data for specific purposes.

For Gym Operators: You can access, update, and delete most of your data directly through the Service dashboard. For requests that cannot be handled through the dashboard, contact us at support@bettergms.com.

For Gym Members: Your data is controlled by the gym you are a member of. Please contact your gym directly for data requests. If the gym is unable or unwilling to assist, you may contact us and we will work to facilitate your request.

We will respond to all verified data requests within 30 days.

Section 9

Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent.

Gym operators may enroll minors as members with the consent of a parent or legal guardian. In such cases, the gym operator is responsible for obtaining and maintaining appropriate parental consent in compliance with applicable laws, including the Children's Online Privacy Protection Act (COPPA).

If we become aware that we have collected personal information from a child under 13 without appropriate consent, we will take steps to delete that information promptly. If you believe a child's information has been collected improperly, please contact us at support@bettergms.com.

Section 10

Cookies & Local Storage

The Service uses a minimal set of browser storage mechanisms:

  • JWT Authentication Tokens: We store JSON Web Tokens in localStorage to maintain your authenticated session. These tokens contain your user ID and tenant ID, are encrypted, and expire automatically.
  • Session Preferences: We may store user interface preferences (such as sidebar state or selected views) in localStorage for convenience.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not participate in cross-site tracking or behavioral advertising networks.

You can clear localStorage and cookies through your browser settings at any time. Note that clearing authentication tokens will require you to log in again.

Section 11

California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, quality, or service levels.
  • Right to Opt Out of Sale: We do not sell personal information. As such, there is no need to opt out, but we honor this right should our practices ever change.

To exercise your CCPA rights, contact us at support@bettergms.com. We will verify your identity before processing any request. You may also designate an authorized agent to make requests on your behalf.

Section 12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you by email or through a prominent notice within the Service
  • Provide at least 30 days' notice before material changes take effect

Your continued use of the Service after changes become effective constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.

Section 13

Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Leighds LLC
Operating as Better Gym Management
Website: bettergms.com
Email: support@bettergms.com

For data protection inquiries or to exercise your privacy rights, please email support@bettergms.com with the subject line "Privacy Request."

© 2026 Leighds LLC, operating as Better Gym Management. All rights reserved.
