Privacy Policy

This policy applies to FitnessCRM Ltd., a Cyprus-registered company (HE 412088) operating the FitnessCRM platform at fitnesscrm.app and the FitnessCRM Member mobile applications for iOS and Android.

For the purposes of the EU General Data Protection Regulation (GDPR), we operate as both a data Controller (for our website visitors and direct customers) and a data Processor (for personal data that customers and their gym members enter into the platform).

Where we act as Processor, our Data Processing Addendum (DPA) governs the relationship and the rights of your members.

From you (the operator)

• Account details — name, email, phone, country, role
• Billing details — VAT number, billing address, card token (held by the payment processor, not us)
• Usage data — login events, device, browser, IP, pages visited, actions performed
• Support conversations — tickets, chat transcripts, attachments

From your members (on your behalf)

• Identity — name, date of birth, photo, emergency contact
• Contact — email, phone, address
• Membership — plan, classes attended, bookings, payments
• Health-related — optional medical notes, PAR-Q questionnaire, allergies, biometric measurements (where you choose to record them)
• Access & device — QR-code check-ins, door-reader events, attached wearables (if enabled)

From third parties

Payment processors (Viva Wallet) share transaction status; the Greek MyData service confirms invoice submissions; Meta's WhatsApp Business API reports delivery state for messages you send.

• Provide the Services — host data, deliver features, send transactional emails, run AI assistants
• Billing & payments — invoice you, collect Subscription fees, handle disputes
• Customer support — answer your questions, troubleshoot issues, train operators
• Security & fraud prevention — detect suspicious activity, enforce rate limits, audit access
• Improvement & analytics — measure feature adoption, fix bugs, improve performance (always on aggregated or pseudonymised data)
• Legal & compliance — comply with Greek tax law (MyData), respond to lawful requests, defend our rights

We share data with the following carefully vetted sub-processors, each under a Data Processing Agreement and reviewed at least annually:

The current sub-processor list is maintained at fitnesscrm.app/legal/subprocessors. We notify customers in advance of material changes.

Member and operator data is stored primarily in the EU (Frankfurt and Athens). Some sub-processors (e.g. Anthropic for AI inference) may process data in the US under appropriate transfer mechanisms, including the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) where applicable. Customers may opt out of any feature that requires non-EU processing.

We use industry-standard administrative, technical and physical safeguards including:

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Multi-factor authentication (MFA) — enforced for all platform admins, optional for operators
• Role-based access control with least-privilege defaults
• Annual third-party penetration tests with remediation SLAs
• SOC 2 Type II controls in progress (target 2026 H2)
• 24/7 security monitoring with automated anomaly detection
• Quarterly disaster-recovery drills with documented RTO/RPO

No system is perfectly secure. If you suspect a vulnerability, please contact security@fitnesscrm.app. We operate a coordinated disclosure programme.

As an operator and EU/EEA/UK resident, you have the right to:

• Access the data we hold about you
• Rectify inaccurate data
• Erase ("right to be forgotten") — subject to legal retention obligations
• Restrict processing in certain circumstances
• Portability — receive your data in JSON or CSV
• Object to processing based on legitimate interest
• Withdraw consent for activities relying on consent (e.g. marketing)
• Lodge a complaint with your local supervisory authority — for Cyprus, the Office of the Commissioner for Personal Data Protection

Submit any request to privacy@fitnesscrm.app or via Settings → My Account. We respond within 30 days.

If you are a gym member, your data is controlled by the gym, not by FitnessCRM. Direct requests (access, deletion, etc.) to your gym. We will support the gym in honouring your request as their Processor.

You may also exercise rights directly through the FitnessCRM Member app under Settings → Privacy.

Our AI assistant helps operators run their gym. We design it with privacy in mind:

• No training on your data. Member and operator data is never used to train external models.
• PII anonymisation. Names, contacts and identifiers are replaced with tokens before prompts are sent to the AI provider.
• Tenant isolation. Each AI request is scoped to a single tenant; no cross-tenant data leakage is possible.
• EU regional endpoints. Where available, AI inference is performed in EU regions.
• Opt out per feature. Owners can disable AI features individually in Settings → Integrations.
• Audit log. Every AI call is logged with prompt category and result, retained for 90 days.

The FitnessCRM web app uses a minimal set of strictly necessary cookies for authentication, session state, security and preference persistence. We do not use third-party advertising cookies.

The marketing website fitnesscrm.app uses privacy-respecting analytics (with IP anonymisation) and a customer chat widget — both with a cookie-consent banner.

FitnessCRM is intended for use by adults running fitness businesses. Members under 16 (or under 13, depending on jurisdiction) may be recorded only with explicit parental or guardian consent provided by your gym. We do not knowingly collect data directly from children.

Health-related data (medical notes, PAR-Q questionnaire, biometric measurements) is classified as special category data under GDPR Art. 9. You, the gym, are responsible for collecting valid explicit consent before recording such data. We store it encrypted, with stricter access controls and shorter default retention.

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance by email and in-app banner. Continued use of the Services after the effective date constitutes acceptance.

For any privacy-related question, request or concern:

Data Protection Officer
FitnessCRM Ltd.
5 Olympou Str., 3036 Limassol, Cyprus
privacy@fitnesscrm.app
dpo@fitnesscrm.app

You also have the right to lodge a complaint with the Commissioner for Personal Data Protection of the Republic of Cyprus or any EU supervisory authority of your habitual residence, place of work or place of alleged infringement.