1. Who We Are
GymAxis AI ("we", "our", "us") operates the GymAxis AI platform and the Pulse Fitness Self-Service Portal. We are the data controller for the personal data processed through our services.
2. Data We Collect
We collect and process the following personal data:
- Account data: Name, email address, company name, role
- Equipment data: Serial numbers, locations, fault reports, maintenance records
- Usage data: Login times, feature usage, IP addresses
- Uploaded content: Invoice PDFs, spec sheets, fault photos/videos
- Communication data: Support messages, fault descriptions
3. Legal Basis for Processing
We process your data under the following legal bases (GDPR Art. 6):
- Contract performance: To provide the gym maintenance platform services you have subscribed to
- Legitimate interest: To improve our services, ensure security, and prevent fraud
- Consent: For marketing communications and optional AI-powered features
- Legal obligation: To maintain audit trails and comply with regulations
4. How We Use Your Data
- Provide and maintain the equipment management platform
- Process fault reports and generate AI-powered triage assessments
- Generate ERP-compatible CSV exports for your finance systems
- Match spec sheets to equipment using AI analysis
- Send service notifications and maintenance reminders
- Maintain security audit trails
5. Data Sharing
We do not sell your personal data. We share data only with:
- AI providers: Equipment descriptions and fault text are sent to OpenAI for triage analysis (no personal identifiers included)
- Cloud storage: Uploaded files are stored securely in cloud storage
- Payment processors: Stripe processes payment data under its own privacy policy
6. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access: Request a copy of all data we hold about you (available in Settings > Privacy)
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your account and associated data
- Portability: Export your data in a machine-readable format (JSON)
- Restriction: Request we limit processing of your data
- Object: Object to processing based on legitimate interest
To exercise these rights, use the self-service options in your account settings or contact us at privacy@gymaxisai.com.
7. Data Retention
- Account data is retained while your account is active
- After account deletion, personal data is anonymised within 30 days
- Audit logs are retained for 12 months, then archived
- Password reset tokens are purged after 24 hours
- Uploaded files are retained for the duration of your subscription
8. Security
We implement industry-standard security measures including:
- Bcrypt password hashing
- JWT token authentication with 24-hour expiry
- Rate limiting and brute-force protection
- Security headers (HSTS, CSP, X-Frame-Options)
- Input sanitisation to prevent XSS attacks
- HTTPS encryption in transit
9. Cookies
We use only essential cookies required for authentication (JWT token stored in localStorage). We do not use tracking cookies or third-party analytics cookies.
10. Contact
For privacy-related enquiries, contact our Data Protection Officer at privacy@gymaxisai.com.