
Privacy Policy

Effective from 27 April 2026 · gymflow.app

GymFlow ("we", "our", or "us") is a coaching platform that lets personal trainers manage their clients' workouts, nutrition, and check-ins. This policy explains what personal data we collect, why we collect it, and what rights you have over it. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

GymFlow is operated from the United Kingdom. The data controller for the information described in this policy is the GymFlow team. You can contact us at hello@gymflow.coach.

2. What we collect

Account information

  • Name, email address, username, and password (hashed — we never store the plaintext).
  • Your role on the platform (trainer or client) and the trainer–client relationship between users.
  • Optional: profile photo, business name, bio, social handles (trainers only).

Coaching data

  • Workout plans, nutrition plans, and check-in forms assigned by trainers.
  • Logged workout sessions, weight measurements, meal consumption, and check-in answers submitted by clients.
  • Progress photos, if you choose to upload them as part of a check-in.

Payment information

We use Stripe as our payment processor. Card details are entered directly into Stripe's hosted checkout — they never reach our servers and we cannot see them. We store only the Stripe customer ID, subscription ID, status, and billing dates required to manage your subscription. See Stripe's privacy policy.

Email

We use Resend to deliver transactional emails (magic links, subscription notifications, password resets). Resend processes the email address and message content needed to deliver these messages.

Technical data

  • IP address, device type, browser, OS — used for security and to debug errors.
  • Session cookies and CSRF cookies required for the dashboard to function.

3. Why we use it

  • Deliver the coaching service — show your trainer the workouts you've logged, deliver plans they've assigned, and route subscription payments to them.
  • Account security — verify logins, prevent fraud, send password resets.
  • Service operation — debug errors, prevent abuse, maintain backups.
  • Notifications — let trainers know when a client subscribes, cancels, or has a failed payment.

4. Who we share it with

  • Your trainer — your check-ins, weight, photos, and workout logs are visible to the trainer you signed up with. That's the entire point of the service.
  • Stripe — to process payments and manage your subscription.
  • Resend — to deliver emails.
  • Render — our hosting provider (the data lives on Render's UK/EU infrastructure).
  • Cloudflare — DNS, edge caching, and email routing.
  • Law enforcement — only when legally required.

We do not sell your data. We don't share it with advertisers.

5. How long we keep it

We keep your data for as long as your account is active. If you delete your account (or your trainer deletes you), we wipe the associated workout/nutrition/check-in data within 30 days. Subscription billing records may be retained longer as required by UK tax law (typically 6 years).

6. Your rights

Under UK GDPR you have the right to:

  • Access — get a copy of the personal data we hold about you.
  • Rectify — correct any inaccurate data.
  • Erase — request that we delete your data ("right to be forgotten").
  • Object — to specific uses of your data.
  • Portability — receive your data in a machine-readable format.
  • Withdraw consent — at any time, where consent is the legal basis.
  • Complain — to the UK Information Commissioner's Office (ico.org.uk) if you believe we've mishandled your data.

To exercise any of these, email hello@gymflow.coach. We'll respond within one month.

7. Cookies

We use session cookies (to keep you logged in) and CSRF cookies (to protect form submissions from cross-site forgery). We don't use third-party advertising or analytics cookies.

8. International transfers

Some of our processors (Stripe, Resend, Cloudflare) operate globally and may transfer data outside the UK/EEA. We rely on Standard Contractual Clauses or equivalent safeguards approved under UK GDPR to protect those transfers.

9. Children

GymFlow is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we'll delete the account.

10. Changes to this policy

If we make material changes, we'll update the "effective from" date at the top of this page and notify active users by email at least 14 days before the change takes effect.

11. Contact

Questions about this policy or about your data? Email hello@gymflow.coach.

