Privacy Policy – GymGees
Effective date: 29 May 2026
Last updated: 29 May 2026
1. About this policy
This Privacy Policy explains how Travel Gym Bros LTD (“GymGees”, “we”, “our”, “us”) collects, uses, shares and protects personal information when you use the GymGees mobile application and related services (together, the “Service”).
GymGees is a fitness app that helps you find gyms, log workouts, track nutrition, and interact with an AI training assistant (“Coach”). Because the Service handles information about your training, your body and your health, we want to be clear about exactly what we collect and why.
We are the “data controller” for the personal data described in this policy under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Who we are
- Trading name: GymGees
- Legal entity: Travel Gym Bros LTD
- Company number: 16906582
- Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
- ICO registration number: ZC145956
- Contact for privacy matters: support@travelgymbros.com
3. The information we collect
We collect the categories of information set out below. Where information falls within UK GDPR “special category data” (Article 9) — in particular data concerning health — we have flagged it clearly.
3.1 Account & profile
- Email address and authentication credentials (passwords are hashed; we never see them in plain text).
- Username, display name, avatar image.
- Date of birth (optional, used to calculate metabolic targets).
- Home gym selection, training preferences, equipment access.
3.2 Training & activity data
- Workout logs (exercises, sets, reps, weights, duration, distance).
- Personal bests, streaks, badges and achievements.
- Workout plans created by you or proposed by Coach.
- Weekly check-ins (training feedback, perceived effort, mood).
3.3 Health & nutrition data — special category (UK GDPR Article 9)
The following information is “data concerning health” under UK GDPR Article 9 and is collected only with your explicit consent, given at the point you choose to enter it. You can withdraw consent at any time by clearing the relevant field, deleting individual entries, or deleting your account.
- Weight logs and body measurements.
- Height, biological sex and age, used to calculate Basal Metabolic Rate (BMR), Total Daily Energy Expenditure (TDEE) and macro targets.
- Dietary preferences (e.g. vegetarian, vegan, halal).
- Allergies and intolerances.
- Medical conditions you choose to disclose.
- Injuries you choose to disclose, used by Coach to avoid recommending exercises that could aggravate them.
- Meal logs, calorie intake and macronutrient breakdown.
3.4 Coach (AI) conversation data
- The messages you send to Coach and the responses Coach generates.
- Structured context blocks compiled from your profile and history (recent exercises, recent volume, current program, daily adherence, etc.) that are sent with each message to give Coach situational awareness.
- Voice input is converted to text by your device’s built-in speech-recognition service; the resulting text is then sent to Coach in the same way as a typed message.
3.5 Photos, camera and barcode data
- Profile photos you choose to upload.
- Barcodes scanned from food packaging, sent to a food-database lookup service to identify products.
- The camera is used only when you actively open a camera screen; we do not run the camera in the background.
3.6 Location data
- Your approximate device location, used to surface nearby gyms on the map and to power gym recommendations.
- Location is requested only while you have the app open and only with your permission. You can revoke this at any time in your device settings.
3.7 Social & community data
- Posts, comments, reactions and chats you create in community features.
- Follow relationships, blocks, challenges and workout invitations.
- User reports you submit against other users or content (visible to our moderation team).
3.8 Subscription & payment
- Subscription tier, status and purchase confirmations.
- Payment itself is processed by the Apple App Store or Google Play. We do not receive or store your card details, bank details or full billing address.
3.9 Device, diagnostic and analytics data
- Device type, operating system and app version.
- Push notification token (so we can send notifications you have opted into).
- Crash reports and error logs (to find and fix bugs).
- Anonymous usage analytics (which screens are opened, which features are used) to help us improve the app.
- Your device’s time zone, used to show daily totals and send reminders at the correct local time.
3.10 Device health & wearables data — special category (UK GDPR Article 9)
If you choose to connect GymGees to Apple Health (HealthKit) on iOS or Health Connect on Android, we read health and fitness data from those platforms with your explicit consent, which you give in the app before any connection is made. Depending on the permissions you grant, this may include:
- Steps and walking/running distance.
- Heart rate, including during workouts, and resting heart rate.
- Active energy / calories burned.
- Heart-rate variability (HRV) and sleep, used for recovery insights.
- Workouts recorded in other apps.
- Body weight, if you choose to sync it.
We use this data only to provide and improve the Service for you — counting steps toward your daily goal, estimating your daily calorie needs, showing your heart rate and effort during and after training, generating recovery and progress insights, and tailoring guidance from Coach. Relevant fitness metrics (such as recent step averages and workout heart-rate summaries) may be included in the context sent to our AI provider, as described in section 5.
You can grant or revoke each data type at any time in iOS Settings → Privacy & Security → Health → GymGees or in the Health Connect app, and you can disconnect at any time within GymGees. GymGees works without any health permissions — you can always enter steps and other metrics manually instead.
Apple Health. Data obtained through Apple Health is used solely to provide health and fitness features within GymGees. It is never used for advertising or marketing, never sold, never shared with third parties for their own purposes, and not used for any purpose other than the health and fitness features you enable.
4. How we use your information and our lawful basis
Under UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out the purposes for which we use your data and the basis we rely on.
| Purpose | Lawful basis |
|---|---|
| Providing core app functionality (account, workout logging, gym search). | Performance of a contract with you (Article 6(1)(b)). |
| Processing health, nutrition, allergy, medical and injury data to power Nutrition tracking and Coach personalisation. | Your explicit consent (Article 9(2)(a)), given when you choose to enter the data. Withdrawn by clearing the field or deleting your account. |
| Reading activity, heart rate, energy, sleep and related metrics from Apple Health / Health Connect to track activity, estimate calorie needs and personalise Coach. | Your explicit consent (Article 9(2)(a)), given in-app before connecting. Withdrawn in your device’s health settings or by disconnecting in the app. |
| Sending Coach messages and context to our AI provider to generate responses. | Performance of a contract (Article 6(1)(b)) and your explicit consent for the health-related context that accompanies it (Article 9(2)(a)). |
| Managing subscriptions and verifying purchases. | Performance of a contract (Article 6(1)(b)) and our legal obligations (Article 6(1)(c)). |
| Diagnostics, crash reporting and product analytics. | Our legitimate interests in maintaining a reliable and improving Service (Article 6(1)(f)). |
| Moderating community content and acting on user reports. | Our legitimate interests in keeping the Service safe and lawful (Article 6(1)(f)). |
| Responding to your support enquiries. | Performance of a contract (Article 6(1)(b)) and our legitimate interests in supporting our users (Article 6(1)(f)). |
| Complying with our legal obligations (e.g. tax, fraud prevention, responding to lawful requests). | Legal obligation (Article 6(1)(c)). |
We do not use your personal data to make any decision that produces legal effects on you or significantly affects you in a similar way (i.e. no automated decision-making under Article 22 of the UK GDPR). Coach is an assistant, not an authoriser.
5. AI features — transparency
Coach is an AI-powered training and nutrition assistant. When you send Coach a message, we send:
- The text of your message (or the speech-to-text transcription of your voice input).
- A structured snapshot of relevant context, which may include your goals, recent training, current program, recent meals, weight trend, dietary preferences, and — if you have connected a health platform — recent activity such as step averages and workout heart-rate summaries.
This data is sent to our LLM provider (currently OpenAI) which processes it to generate a response. The provider acts as a sub-processor under contract and is not permitted to use your data to train its own models.
Coach also produces suggestions based on user-supplied information (e.g. proposed workouts and macro targets). These suggestions are not medical, dietetic or professional advice. Always consult a qualified professional before acting on training, nutrition or injury-related recommendations, particularly if you have an underlying medical condition.
6. Who we share your information with
We do not sell your personal data. We share data only with the service providers (“sub-processors”) needed to run the Service, and only to the extent necessary for them to perform their function.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage, server-side functions. | EU / US |
| OpenAI | Powers Coach AI responses and gym classification. | US |
| Sentry | Crash and error monitoring. | US |
| PostHog | Anonymous product analytics. | EU / US |
| Resend | Transactional email (support replies, report acknowledgements). | EU / US |
| Expo Push / Apple Push / Google FCM | Sending push notifications. | US |
| Open Food Facts | Looking up food information by barcode. | France (EU) |
| Apple Maps / Google Maps | Rendering the map of nearby gyms (iOS uses Apple Maps; Android uses Google Maps by default). | US |
| Apple App Store / Google Play | Processing in-app subscription payments and verifying receipts. | US / global |
Apple Health and Health Connect are on-device platforms that GymGees reads from with your permission; they are not recipients of your data and we do not send your information to them (unless you separately enable writing your GymGees workouts back to them).
We may also disclose your data where required by law, regulation, court order or to protect the safety of our users.
7. International data transfers
Several of the providers listed above are based outside the UK, primarily in the United States. Where we transfer personal data outside the UK, we rely on appropriate safeguards under UK GDPR — typically the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an applicable adequacy decision.
8. How long we keep your data
| Data | Retention |
|---|---|
| Account and profile data | For as long as your account is active. |
| Training, nutrition and check-in data | For as long as your account is active, or until you delete the individual entries. |
| Device health & wearables data (steps, heart rate, energy, sleep) | For as long as your account is active, or until you disconnect the health platform or delete the entries. |
| Coach conversation history | For as long as your account is active, or until you delete the conversation. |
| Crash reports and diagnostic logs | Up to 90 days. |
| Anonymous product analytics | Retained in aggregated, non-identifying form indefinitely. |
| Support emails | Up to 24 months from the last reply. |
| Backups | Routinely overwritten within 30 days of deletion. |
When you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to keep it longer for legal reasons (e.g. tax records, regulatory enquiries, or to defend legal claims).
9. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access — ask us for a copy of the personal data we hold about you (Article 15).
- Right to rectification — ask us to correct inaccurate or incomplete data (Article 16).
- Right to erasure — ask us to delete your data (Article 17). You can also delete your account directly within the app.
- Right to restriction — ask us to limit how we use your data (Article 18).
- Right to data portability — ask us to provide your data in a structured, commonly used format (Article 20).
- Right to object — object to processing carried out on the basis of legitimate interests (Article 21).
- Right to withdraw consent — where we rely on your consent, you can withdraw it at any time (Article 7(3)). This does not affect the lawfulness of processing carried out before withdrawal.
- Right to complain to the ICO — if you believe we have mishandled your data, you can complain to the UK’s Information Commissioner’s Office at ico.org.uk (Article 77). We’d appreciate the chance to address your concern first.
To exercise any of these rights, email support@travelgymbros.com. We will respond within one month and may ask you to verify your identity before acting on a request.
10. Security
We use industry-standard measures to protect your data, including:
- Encryption in transit (TLS) for all network traffic between the app and our servers.
- Encryption at rest for stored data, provided by our infrastructure partners.
- Strict access controls and audit logging on administrative access.
- Row-level security on user data so users can only access their own records.
No service can guarantee absolute security. If we ever become aware of a breach that affects your personal data, we will notify the ICO and (where required by law) you, without undue delay.
11. Children’s privacy
GymGees is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at support@travelgymbros.com and we will delete the information.
12. Marketing
We do not currently send marketing emails or push notifications. If we introduce marketing communications in future, we will give you a clear opt-in choice and the ability to unsubscribe at any time.
13. Cookies and similar technologies
GymGees is a mobile app and does not use browser cookies. We do use device identifiers and push tokens for the limited purposes set out in this policy (notifications, crash reporting and analytics).
14. Changes to this policy
We may update this policy from time to time. If we make material changes, we will update the “Last updated” date at the top and, where appropriate, notify you in the app. We encourage you to review this page periodically.
15. Contact us
If you have questions about this policy or want to exercise any of your rights, please contact:
Travel Gym Bros LTD
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email: support@travelgymbros.com