
Privacy Policy

Last updated: 1st December 2025

1. Introduction

GymLeadHub ("we", "our", or "us") operates gymleadhub.co.uk (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered lead management platform for fitness businesses.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. GymLeadHub is the data controller for the personal data we collect about gym owners and administrators.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, phone number, gym/business name, and password
  • Billing Information: Payment card details (processed securely via Stripe), billing address
  • Business Information: Gym details, address, timetable, programmes, pricing
  • Communications: Messages you send to our support team

2.2 Information Collected Automatically

  • Usage Data: Log files, IP address, browser type, device information, pages visited, time spent on pages
  • Cookies: Session cookies for authentication, preference cookies for settings
  • AI Agent Data: Conversation logs, message content, token usage, API interactions

2.3 Lead Data You Process

When you use our AI agents to communicate with your leads, we process:

  • Lead names, email addresses, phone numbers
  • SMS and form submission content
  • Conversation history between AI agents and leads
  • Calendar booking information

Important: You act as the data controller for your leads' personal data. We act as a data processor on your behalf. You are responsible for obtaining any necessary consents from your leads and for complying with UK GDPR when using our Service.

3. How We Use Your Information

We use the collected information for:

  • Service Provision: Operating and maintaining the GymLeadHub platform, processing AI conversations
  • Billing: Processing payments, managing subscriptions, sending invoices
  • Communication: Sending service updates, security alerts, support responses
  • Improvement: Analyzing usage patterns to improve AI performance and features
  • Security: Detecting fraud, preventing abuse, securing accounts
  • Legal Compliance: Meeting legal obligations and enforcing our Terms of Service

Legal Basis for Processing (UK GDPR)

  • Contract Performance: Processing necessary to provide the Service you've signed up for
  • Legitimate Interests: Improving our Service, preventing fraud, ensuring security
  • Legal Obligation: Compliance with tax, accounting, and data protection laws
  • Consent: Marketing communications (you can opt-out anytime)

4. Data Sharing and Third Parties

We share data with:

  • Anthropic: AI model provider (Claude) - conversation data for AI responses
    Data Processing Agreement in place, GDPR compliant
  • Stripe: Payment processing - billing information for transactions
    PCI DSS Level 1 compliant, GDPR compliant
  • Supabase: Database hosting - all platform data storage
    EU-based servers, ISO 27001 certified, GDPR compliant
  • Vercel: Application hosting - logs and usage data
    EU deployment available, GDPR compliant
  • GoHighLevel (Optional): If you connect your GHL account - lead data syncing
    Your GHL API key, calendar data - DPA in place

We do NOT:

  • Sell your personal data to third parties
  • Use your lead data to train AI models for other customers
  • Share data with advertisers or data brokers
  • Transfer data outside the UK/EU without adequate safeguards

5. Your Data Protection Rights (UK GDPR)

You have the following rights:

  • Right of Access: Request a copy of your personal data
    Settings → Export Data or email sam@gymleadhub.co.uk
  • Right to Rectification: Correct inaccurate or incomplete data
    Update directly in Settings or contact support
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
    Settings → Delete Account or email sam@gymleadhub.co.uk
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a machine-readable format
    CSV/JSON export available in Settings
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: For marketing communications
    Click "unsubscribe" in any email

How to Exercise Your Rights:
Email: sam@gymleadhub.co.uk
We will respond within one month of receiving your request (as required by UK GDPR)

6. Data Retention

  • Account Data: Retained while your account is active + 30 days after deletion
  • Conversation Logs: Retained for 12 months (or as configured by you)
  • Billing Records: Retained for 7 years (UK tax law requirement)
  • Usage Logs: Retained for 90 days
  • Backup Data: Encrypted backups retained for 30 days

7. Data Security

We implement industry-standard security measures:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Control: Role-based access, multi-factor authentication available
  • Infrastructure: EU-based servers, ISO 27001 certified hosting
  • Monitoring: 24/7 security monitoring, automated threat detection
  • Backups: Daily encrypted backups with 30-day retention
  • Incident Response: Notification of personal data breaches to the ICO within 72 hours of becoming aware of them (UK GDPR requirement), and to you without undue delay where the breach affects lead data we process on your behalf

8. Cookies and Tracking

We use the following cookies:

  • Essential Cookies: Authentication session (required for Service)
  • Functional Cookies: User preferences, language settings
  • Analytics Cookies: Usage statistics (anonymized, opt-out available)

You can control cookies through your browser settings. Disabling essential cookies will prevent you from using the Service.

9. International Data Transfers

Our primary data storage is within the UK/EU (Supabase EU region). Where data is transferred outside the UK/EU (e.g., Anthropic API in the US), we ensure:

  • Standard Contractual Clauses (SCCs) are in place
  • Adequate data protection safeguards per UK GDPR Article 46
  • Data minimization - only necessary data is transferred
  • Encryption during transfer and at rest

10. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

11. Your Responsibilities as a Data Controller

When you use GymLeadHub to process your leads' data, you must:

  • Obtain valid consent from leads before collecting their data
  • Provide leads with your own privacy notice
  • Inform leads that AI is used to communicate with them
  • Honor leads' data rights (access, deletion, etc.)
  • Have a lawful basis for processing lead data
  • Implement appropriate security measures

See our Data Processing Agreement (DPA) for full details of our processor responsibilities.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via:

  • Email notification to your registered email address
  • Prominent notice on the Service
  • Update to the "Last updated" date at the top of this page

Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

Data Controller: GymLeadHub

Email: sam@gymleadhub.co.uk

Address: 57 Thomas Drive, Killinghall, HG3 2FA

UK Information Commissioner's Office (ICO):

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the ICO:
Website: ico.org.uk
Helpline: 0303 123 1113
