Privacy Policy
Grow HQ by GymGrow
1Introduction
GymGrow ("GymGrow", "we", "us", or "our") operates the Grow HQ platform, including the Grow HQ mobile application (the "App") and associated web-based services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By downloading, installing, or using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2Company Information
Data Controller: GymGrow
Based in: Dubai, United Arab Emirates
Contact Email: lewis@gymgrow.ai
Website: https://gymgrow.ai
3Information We Collect
3.1 Information You Provide Directly
- Account Information: Name, email address, phone number, and password when you create an account.
- Profile Information: Profile photo, date of birth, gender, fitness goals, and health-related preferences.
- Membership & Billing Information: Membership plan details, payment card information (processed securely via our third-party payment processor — we do not store full card numbers), billing address, and transaction history.
- Communications: Messages, feedback, or support requests you send to us or to your gym through the App.
- User Content: Any content you upload, such as progress photos or notes.
3.2 Information Collected Automatically
- Device Information: Device type, operating system, unique device identifiers, mobile network information, and app version.
- Usage Data: Pages and features accessed, time spent on screens, actions taken within the App, crash reports, and performance data.
- Location Data: We may collect approximate location data (e.g. city-level) based on your IP address. We do not collect precise GPS location unless you explicitly grant permission for a specific feature.
- Log Data: IP address, browser type, access times, and referring URLs.
3.3 Information from Third Parties
- Gym Operators: Your gym may provide us with information about your membership, attendance, and engagement to deliver the Service.
- Payment Processors: We receive transaction confirmations and partial payment details from payment providers such as Stripe or GoCardless.
4How We Use Your Information
We use the information we collect for the following purposes:
- To create and manage your account and provide the Service.
- To process payments, manage memberships, and handle billing.
- To send transactional notifications (e.g. booking confirmations, payment receipts, membership updates).
- To send push notifications related to your gym activity, class schedules, and personalised updates (you can opt out via device settings at any time).
- To improve, personalise, and optimise the Service and user experience.
- To monitor usage patterns, diagnose technical issues, and perform analytics.
- To communicate with you about product updates, new features, or promotional offers (only with your consent where required by law).
- To comply with legal obligations and enforce our terms of service.
5Legal Basis for Processing
GymGrow is based in the United Arab Emirates and complies with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). As our Service is also used by gym operators and members in the United Kingdom and European Economic Area, we additionally comply with the UK GDPR and EU GDPR where applicable.
We process your personal data on the following bases:
| Purpose | Legal Basis |
|---|---|
| Account creation & service delivery | Performance of a contract |
| Payment processing | Performance of a contract |
| Push notifications (transactional) | Legitimate interest |
| Analytics & service improvement | Legitimate interest |
| Marketing communications | Consent |
| Legal compliance | Legal obligation |
6Third-Party Services & Data Sharing
We do not sell your personal data. We may share your information with the following categories of third parties, solely to operate and improve the Service:
6.1 Service Providers
- Firebase (Google): Push notifications, app performance monitoring, analytics, and crash reporting.
- Payment Processors (e.g. Stripe, GoCardless): Secure payment processing and billing management.
- Cloud Hosting Providers: Secure data storage and infrastructure.
- Email & Communication Providers: Transactional and marketing email delivery.
6.2 Gym Operators
If you are a gym member using the App, your gym operator (who is a GymGrow client) may access your membership data, attendance records, and engagement metrics through the Grow HQ admin dashboard. Your gym operator acts as a joint controller or processor of your data depending on the context.
6.3 Legal & Compliance
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g. a court or regulatory body).
7Push Notifications
We use Firebase Cloud Messaging (FCM) to send push notifications to your device. These may include class reminders, membership updates, motivational prompts, and promotional messages. You can manage or disable push notifications at any time through your device's notification settings.
8Analytics
We use analytics services, including Firebase Analytics and similar tools, to understand how users interact with the App. This data is aggregated and anonymised where possible and is used to improve functionality and user experience. You may opt out of analytics tracking through your device privacy settings where supported.
9Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. If you request account deletion, we will delete or anonymise your data within 30 days, except where we are required to retain it for legal, accounting, or regulatory purposes.
Aggregated, anonymised data that cannot identify you may be retained indefinitely for analytics and product improvement.
10Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS/SSL), secure authentication, access controls, and regular security reviews. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.
11Your Rights
Depending on your location, you may have the following rights under applicable data protection laws (including the UAE PDPL, UK GDPR, and EU GDPR):
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Data Portability: Request your data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interests or for direct marketing purposes.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at lewis@gymgrow.ai. We will respond within one month of receiving your request.
If you are located in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are located in the EU, you may contact your local data protection authority. If you are in the UAE, you may contact the UAE Data Office.
12Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a child under 18 without verified parental consent, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal data, please contact us at lewis@gymgrow.ai.
13International Data Transfers
GymGrow is based in the United Arab Emirates. Your data may be transferred to and processed in countries outside the UAE, including the United Kingdom, the European Economic Area, and other countries where our service providers (such as Google/Firebase and cloud hosting providers) operate. Where such transfers occur, we ensure appropriate safeguards are in place in accordance with applicable data protection laws, including Standard Contractual Clauses (SCCs) or transfers to countries with adequate levels of data protection.
14Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy within the App and updating the "Last updated" date at the top of this page. Where required by law, we will seek your consent to material changes. We encourage you to review this Privacy Policy periodically.
15Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: