Privacy Policy
Last updated: 20 June 2026 · gymostool.xyz
Short version: We collect the minimum data needed to run GymOS — your gym details, member phone numbers from Stripe, and message logs. We never sell your data. We never touch your money. Delete everything by emailing us.
1. Who we are
GymOS is a payment recovery service operated by Meraki. Contact: gymostool@gmail.com.
For EU data protection law purposes, we act as data controller for gym owner data and data processor for gym member data (processed on behalf of the gym owner).
2. What data we collect
From gym owners
- Name, business email, phone number
- Gym name, country, number of members
- Stripe Account ID (used only to connect our service to your payments)
- Payment records managed via Stripe — we never store card data
From gym members (via your Stripe integration)
- Phone number (to send WhatsApp recovery messages)
- Invoice status (to determine whether a message is needed)
- We do not collect names, emails or card details of members
Usage and technical data
- IP address and browser type (standard logs, retained 30 days)
- Pages visited on gymostool.xyz
- Message delivery logs (timestamp, recipient number, delivery status)
3. How we use your data
- To deliver the service: detecting failed payments, sending WhatsApp recovery messages, logging outcomes
- To communicate with you: onboarding, support, billing notifications
- To improve the service: aggregated, anonymised usage analysis
- Legal compliance: EU AI Act (Article 50), GDPR, tax regulations
4. Legal basis (GDPR)
- Contract performance — processing necessary to deliver GymOS (Art. 6(1)(b))
- Legitimate interests — service improvement, fraud prevention (Art. 6(1)(f))
- Legal obligation — compliance with EU law (Art. 6(1)(c))
5. Who we share data with
We do not sell personal data. We share only with:
- Stripe — payment processing
- Meta / WhatsApp Business API — message delivery
- Supabase — database hosting (EU servers)
- Render — application hosting
- Google — form submissions
6. Data retention
- Active customer data: while subscription is active
- Message logs: 12 months from send date
- Billing records: 7 years (legal requirement)
- After account closure: personal data deleted within 30 days
7. Your rights (GDPR)
You have the right to access, correct, delete, restrict, object to, or port your data. Email gymostool@gmail.com — we respond within 30 days. You can also complain to Spain's data authority: AEPD.
8. Cookies
We use minimal cookies. See our Cookie Policy.
9. Security
All data is transmitted over TLS/HTTPS. We do not store Stripe secret keys, card numbers or CVVs. Database access is protected by Row Level Security.
10. International transfers
Our hosting is in the EU (Frankfurt). Where data is processed outside the EU (e.g. via Meta), we rely on Standard Contractual Clauses or adequacy decisions.
11. Children
GymOS is a B2B service for businesses. We do not knowingly collect data from individuals under 18.
12. AI disclosure (EU AI Act, Article 50)
GymOS uses automated systems to detect failed payments and generate WhatsApp messages. In compliance with the EU AI Act (effective 2 August 2026), every message sent to gym members includes: "This is an automated message from [Gym Name]."
Our system is classified as low-risk under the EU AI Act. It performs transactional notifications only — not hiring, biometric identification, or any high-risk purpose. We do not use member data to train AI models.
13. Changes to this policy
We will notify active customers by email of material changes. The date at the top reflects the most recent revision.
14. Contact
gymostool@gmail.com