Privacy Policy
Last updated May 1, 2026
IronPath, Inc. (“IronPath,” “we,” or “us”) operates software that helps independent gym owners run their businesses and helps their members track workouts. This Privacy Policy describes what personal data we collect, why we collect it, who we share it with, and the rights you have to access, correct, export, and delete it.
By using IronPath you agree to the practices described here. If you do not agree, please do not use the service. We will tell you before we make material changes and we will keep an archive of previous versions on request.
1. Who is the controller
For data submitted by a gym owner about their gym (lead form, billing details, business address), IronPath is the data controller under GDPR. For data about members of a gym (name, workout history, check-in records), the gym is the controller and IronPath acts as a data processor on the gym's behalf under a Data Processing Addendum that is part of the Terms of Service.
2. What we collect
- Account data: name, email address, gym name, hashed password, optional phone number.
- Billing data: last four digits of your card, billing address, country. Full card numbers are handled directly by Stripe and never reach our servers.
- Member data (processed for the gym): name, email, workout logs, attendance, optional body metrics if the gym enables them.
- Usage data: pages visited, features used, device type, IP address, approximate location derived from IP.
- Support data: messages you send to support, attachments, screenshots you upload.
3. How we use it
We use personal data to run the service, bill for it, communicate with you about it, prevent fraud and abuse, comply with legal obligations, and improve the product. We do not sell personal data, we do not rent contact lists, and we do not run third-party advertising on the service.
4. Who we share it with
We share data with subprocessors who need it to deliver the service: a database host (Supabase), a payment processor (Stripe), an email-delivery provider (Resend), a hosting platform (Vercel), and an error-monitoring service (Sentry). Each is bound by a data processing agreement and we maintain a current list at ironpath.health/subprocessors.
5. Cookies
We use a small number of strictly necessary cookies to keep you logged in and to remember your preferences. We use first-party analytics that does not set cross-site tracking cookies. We do not use marketing or advertising cookies.
6. Your rights (GDPR)
If you are in the European Economic Area, the UK, or Switzerland, you have the right to access the personal data we hold about you, correct it if wrong, ask us to delete it, restrict or object to processing, port it to another provider, and withdraw consent at any time. To exercise any of these rights, email privacy@ironpath.health and we will respond within 30 days.
7. Your rights (CCPA / CPRA)
California residents have the right to know what personal information we collect, the right to delete it, the right to correct it, the right to opt out of any sale or sharing (we do neither), and the right not to be discriminated against for exercising those rights. Submit a verifiable request to privacy@ironpath.health.
8. Data retention
Active account data is retained for as long as the account is active. After cancellation we retain a frozen copy for 90 days so you can change your mind. After 90 days we delete it from production systems and from backups within a further 35 days, except where we are required to retain billing records under tax law (typically 7 years).
9. Security
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Production access is restricted to a small number of engineers and every action is logged. We run an annual penetration test and publish a summary on request.
10. International transfers
Our primary data center is in the United States. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses and equivalent UK and Swiss instruments.
11. Children
IronPath is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Contact
Email privacy@ironpath.health for any privacy question or to exercise any right described above. For data protection inquiries from the EEA, you may also contact our EU representative at the address listed on our Subprocessors page.