Privacy Policy | Gym Primer

1. Who we are

Gym Primer is a coaching software product operated by Trueblood Labs LTD for personal trainers and their clients. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our website, dashboards, mobile-friendly app surfaces, billing features, and support channels.

Throughout this policy, 'Gym Primer', 'we', 'our', and 'us' refer to Trueblood Labs LTD as the operator of Gym Primer. 'Coach' refers to the trainer or fitness business using Gym Primer to manage clients. 'Client' refers to a person invited into a coach's workspace.

2. When Gym Primer is a controller and when we act for a coach

For account creation, platform administration, authentication, security, support, website analytics, and Gym Primer billing, we generally act as the controller of the personal data we process.

For coaching records that a coach creates or manages inside Gym Primer, such as workout programs, training logs, habits, nutrition targets, intake forms, check-ins, notes, and client progress history, Gym Primer generally acts as a processor or service provider on the coach's behalf. In those situations, the coach remains responsible for deciding why the data is collected, what is entered into the platform, and what lawful basis or consent is relied on for that coaching relationship.

If you are a client and your question is mainly about the coaching relationship or information your coach entered about you, your coach is usually your first point of contact.

3. The data we collect

The information we collect depends on how you use Gym Primer and whether you use the platform as a coach, client, admin, or website visitor.

Account and profile data, such as name, email address, password hash, role, profile image, and account status.

Authentication and security data, including sign-in events, password reset tokens, verification tokens, session data, and social sign-in identifiers where enabled.

Coaching and client data, such as plans, workouts, exercise history, habits, nutrition targets, onboarding responses, check-ins, service packages, notes, and access controls.

Usage and device data, such as browser information, IP address, timestamps, page interactions, and operational logs used for security and performance.

Support and communications data, such as emails you send us, support requests, or administrative correspondence.

Billing and accounting data, such as subscription tier, invoice status, payment activity, refund entries, fees, and expenses. Payment card details are processed by Stripe rather than stored directly by Gym Primer.

4. Health-related and special category data

Some information used in a coaching product can reveal details about health, injury status, physical condition, wellbeing, nutrition, or similar matters. In UK data protection law, some of that information may be special category data.

Where coaches collect or upload this type of information, they are responsible for ensuring they have an appropriate lawful basis and any additional condition required for handling special category data. Gym Primer provides the software infrastructure, but coaches are responsible for deciding what information they collect from clients and whether explicit consent or another valid condition is required.

Gym Primer limits access to this information within the product, but no internet service can promise absolute security or confidentiality.

5. How we use personal data

To create and manage accounts, authenticate users, and keep the platform working.

To provide coaching features, including program delivery, client onboarding, progress tracking, habits, nutrition support, check-ins, and business operations.

To process Gym Primer coach subscriptions, facilitate coach-to-client billing flows where enabled, and keep invoice and accounting records accurate.

To respond to support requests, service notices, security alerts, and account-recovery messages.

To secure the platform, investigate misuse, detect fraud, monitor reliability, and improve product performance.

To comply with legal obligations, enforce our Terms of Service, and protect Gym Primer, coaches, clients, and the public.

6. Lawful bases

Depending on the context, we rely on one or more lawful bases such as performance of a contract, legitimate interests, legal obligation, and consent where appropriate.

If special category data is involved, an Article 6 lawful basis on its own is not enough. An additional condition is also required for that category of data.

For coach-managed client data, the coach is usually responsible for choosing and documenting the right lawful basis and any required special-category condition.

7. Who we share data with

With the relevant coach and client within the same workspace, based on the features they use and the permissions they grant.

With service providers that help us run the platform, such as hosting, authentication, email delivery, analytics, and payment infrastructure providers.

With Stripe where billing, invoices, checkout, connected accounts, or payment portals are involved.

With professional advisers, regulators, law enforcement, or courts where required by law or reasonably necessary to protect rights, safety, or the platform.

With a buyer, investor, or successor if Gym Primer is involved in a merger, acquisition, reorganisation, or sale of assets, subject to appropriate protections.

8. International transfers

Some of our service providers may process data outside the UK. Where that happens, we aim to use appropriate safeguards, such as adequacy regulations, contractual protections, or equivalent transfer mechanisms supported by the provider.

9. How long we keep data

We keep personal data for as long as needed to operate accounts, provide the service, maintain security, comply with legal or tax obligations, resolve disputes, and enforce agreements.

If an account is deleted or a coach removes a client, some information may remain in backups, audit trails, or accounting records for a reasonable period where required for security, billing, or legal compliance.

10. Your rights

Depending on your location and the context of the processing, you may have rights to access your data, correct inaccurate information, request deletion, restrict or object to certain processing, request portability, or complain to a supervisory authority.

If you are in the UK, you can also complain to the Information Commissioner's Office (ICO). We would appreciate the chance to address concerns first.

Clients should usually contact their coach first for rights requests about coach-managed records. For Gym Primer account, billing, website, or support data, contact support@gymprimer.co.uk.

11. Security

We use reasonable technical and organisational measures designed to protect personal data against unauthorised access, disclosure, misuse, loss, or destruction. These measures include access controls, authentication safeguards, and the use of third-party infrastructure providers for core platform services.

Even so, no system is perfectly secure, and you should keep your login details confidential and notify us promptly if you believe your account has been compromised.

12. Children

Gym Primer is not directed to children under 16 and is intended for coaches, adult clients, and authorised business users. If a coach uses Gym Primer in a setting involving younger clients, that coach is responsible for ensuring they have the authority and safeguards required to do so lawfully.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect product changes, legal requirements, or operational improvements. When we make material updates, we will post the updated version on this page and change the 'Last updated' date.

14. Contact us

For privacy questions, rights requests, or data protection concerns about Gym Primer, contact support@gymprimer.co.uk.

This Privacy Policy is designed to reflect how coaching platforms typically separate platform operations from coach-managed client records. It should still be reviewed against your final operating model, launch jurisdiction, and any health-data workflows you add later.