Privacy Policy
Last updated: 22 June 2026
This Privacy Policy explains how GymRank ("we", "us", "our") collects, uses, and shares your personal information when you use the GymRank mobile app (the "App"), the GymRank website at gymrank.co.za (the "Website"), and the GymRank gym administration panel (the "Admin Panel", together the "Services").
1. Who we are
GymRank is operated from South Africa. For any privacy question or request, email info@gymrank.co.za or use our support page.
2. Information we collect
2.1 Identity & contact
- Email address — used for sign-in, verification codes, account recovery, and Paystack checkout receipts.
- Username — your public handle on leaderboards and referrals.
- First and last name (optional) — only provided when you sign in with Google or Apple and you choose to share your profile name.
- Profile image (optional) — only provided via Google/Apple sign-in or when you set an avatar through Clerk.
We do not collect phone numbers.
2.2 Authentication & sessions
- Account credentials — passwords are hashed and managed by our authentication provider, Clerk; we never see or store your plaintext password.
- Session information — device type, browser, approximate city/country, and IP address of active sessions, managed by Clerk. You can review and revoke sessions from your profile in the App.
- Account role & gym association — stored as part of your account so we can route you to the correct gym.
2.3 Fitness activity
- Check-ins — gym and timestamp, one per day, used for attendance and points.
- Workouts — session type, exercises, sets, reps, weight, duration, distance, taxonomy tags, and any free-text notes you enter.
- Points, streaks, badges, and leaderboard rankings — derived from your check-ins and workouts.
2.4 Referrals
- Your referral code and the referral relationships created when someone redeems your code (or you redeem theirs).
- Invite codes redeemed to join a gym.
We do not access your address book or contacts. Referrals are shared out-of-band (e.g. via your phone's share sheet); the recipient enters the code themselves.
2.5 Payments
- Wallet top-ups (gym managers funding their gym's referral wallet) — your email and the amount are sent to our payment provider, Paystack.
- Payout recipient details (referrers receiving payouts) — account holder name, account number, and bank code are sent to Paystack. We store only the masked account number (last four digits); the full account number is held by Paystack.
- Transfer records — Paystack references and statuses for reconciliation.
2.6 Support requests
When you submit the support form, your name, email, subject, and message are forwarded to our inbox at info@gymrank.co.za via our email relay provider, Simple Bulk Emailer. We do not store support messages in a GymRank database.
2.7 Admin actions
Actions taken by gym managers and system admins (member management, payout runs, configuration changes) are attributed to that admin's account ID for audit purposes.
3. Information we do not collect
- Photos or media uploads — the App has no camera or photo library access.
- Precise device location — the App does not request GPS location.
- Push notification tokens — we do not send push notifications.
- Marketing or advertising cookies — the Website and Admin Panel use no analytics, advertising, or cross-site tracking SDKs.
- Address book / contacts — never imported.
4. How we use your information
- To authenticate you and keep your account secure.
- To record check-ins, workouts, points, streaks, and badges.
- To display leaderboards and your profile to you and other members of your gym.
- To attribute referrals and process payouts.
- To operate gym management tools for your gym's administrators.
- To respond to support requests.
- To comply with legal obligations.
5. Third parties who process your data
- Clerk (clerk.com) — authentication, user identity, sessions, MFA, email verification. Receives email, username, password hash, optional OAuth profile, and session device/IP/city/country.
- Google and Apple — sign-in providers used through Clerk. They share the profile information you consent to (typically email, name, avatar).
- Paystack (paystack.com) — card payments and bank transfers for wallet top-ups and referral payouts. Receives email, amount, and bank account details for the relevant transaction.
- Encore (encore.dev) — backend hosting and managed PostgreSQL database. Service logs may include request metadata and member IDs.
- Simple Bulk Emailer — relays support form submissions to our inbox. Receives the form fields you submit.
- Apple App Store and Google Play — app distribution and platform services governed by their own policies.
We do not sell your personal information.
6. Legal basis (POPIA & GDPR)
GymRank is operated from South Africa and processes personal information in line with the Protection of Personal Information Act, 2013 (POPIA). For users in the European Union, the lawful bases we rely on include contract (providing the Services you signed up for), legitimate interests (operating leaderboards, audit logs, and security), and consent (where you explicitly opt in, e.g. OAuth profile sharing).
7. Data retention
We retain your personal information only as long as needed for the purposes described above. When you close your account, we delete or anonymise your data across our services, except where retention is required for legal, accounting, or dispute-resolution purposes (for example, Paystack transaction records retained for tax/audit compliance).
8. Your rights
You have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Request deletion of your account and associated data.
- Request a copy (export) of your data.
- Withdraw consent for optional processing (e.g. OAuth profile data).
- Object to or restrict certain processing.
To exercise any of these rights, email info@gymrank.co.za with "Privacy Request" in the subject line. We'll verify your identity and respond within 30 days. There is no charge for these requests.
9. Security
- Passwords are hashed by Clerk; we never store plaintext passwords.
- All API requests are authenticated with short-lived JWTs.
- Bank account numbers are masked in our database; full numbers live only with Paystack.
- Payment card data never touches GymRank servers — Paystack handles card data under its PCI-DSS scope.
No method of transmission or storage is fully secure. If a breach occurs that is likely to affect your rights, we'll notify you and the relevant regulator as required by law.
10. International transfers
Your data may be processed by our providers (Clerk, Paystack, Encore, Simple Bulk Emailer) in jurisdictions outside South Africa. We rely on these providers' standard contractual clauses and safeguards for such transfers, and we only share the minimum data each provider needs.
11. Children
The Services are not directed to anyone under 18. We do not knowingly collect personal information from children. If you believe we have done so, contact info@gymrank.co.za and we'll delete it.
12. Changes to this policy
We may update this Privacy Policy. When we do, we'll revise the "Last updated" date at the top. Material changes will be highlighted in the App or via email where appropriate.
13. Contact
Questions about this policy or your data? Email info@gymrank.co.za or use our support page.