GymGrid Privacy Policy

Last updated: 2026-05-13
Effective date: 2026-05-07

This Privacy Policy describes how GymGrid ("we," "us," "our") collects, uses, discloses, and protects personal information in connection with the GymGrid software-as-a-service platform (the "Service"). It is incorporated into and governed by the GymGrid Terms of Service.


1. Scope and Two Roles

GymGrid serves two kinds of people. Our role differs depending on which one you are:

1.1 You are a Customer admin or owner

If you signed up for GymGrid on behalf of a gymnastics club ("Customer"), you are the person we contract with. We are the controller of your account credentials, billing information, and our communications with you. This Policy applies directly to your information.

1.2 You are a staff member of a Customer's club

If a Customer has invited you into its GymGrid account as a staff member ("Authorized User"), the Customer determined what information about you to enter into the Service. The Customer is the controller of your personal information; we act as a service provider / processor on the Customer's behalf.

This means:

  • For questions about what information about you is in the Service, why it is there, and how to correct or delete it, you should contact your club directly.
  • We will support the Customer in responding to your access, correction, or deletion requests.
  • We can confirm whether you have a GymGrid login and help you reset that login, but we cannot independently disclose to you the data your club has uploaded about you without the club's involvement, because we are not the controller of that data.

1.3 We are also a controller for limited categories

Even when serving Authorized Users on the Customer's behalf, we are the controller of:

  • Your authentication credentials (email, password hash, session tokens) — needed for us to let you log in across multiple clubs in the future.
  • Diagnostic and security telemetry (IP address, browser type, last login).

2. Legal Bases — PIPEDA and Alberta PIPA

We collect, use, and disclose personal information in accordance with:

  • The federal Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to personal information collected, used, or disclosed in the course of commercial activity in Canada;
  • The Alberta Personal Information Protection Act (PIPA) for personal information of individuals located in Alberta and for our operations as an Alberta-based business; and
  • Equivalent provincial private-sector privacy legislation in British Columbia (PIPA-BC) and other Canadian jurisdictions where it applies.

Our legal bases for processing are:

  1. Consent — for processing your account, billing, and direct communications with us as a Customer admin.
  2. Necessary for the performance of our contract with the Customer — for processing on the Customer's instruction, including data the Customer enters about its staff.
  3. Legitimate interest — for security monitoring, fraud prevention, abuse detection, and product improvement using aggregated or de-identified data.
  4. Legal obligation — where retention or disclosure is required by law.

3. Geographic Scope — Quebec and the U.S.

The Service is currently offered to Customers operating in Canada outside the Province of Quebec. If you are a resident of Quebec, the Service is not intended for you; please contact us at the address in Section 12 if you have nonetheless interacted with the Service so that we can discuss your options.

We do not currently market or actively sell the Service in the United States. If you are a U.S.-based individual and you interact with the Service, your information may be transferred to and stored in Canada and the United States under the safeguards described in Section 7. The Service is not currently configured to provide CCPA/CPA-style notices and rights; we expect to add these before we begin actively marketing to U.S. customers.


4. Information We Collect

4.1 Information you give us as a Customer admin / owner

  • Name, email address, phone number (optional), and password.
  • Club name, address, time zone, and configuration choices.
  • Billing information (name, billing address, last 4 digits of card, expiry, country). Full payment card numbers are processed and stored by Stripe; we receive only a token.

4.2 Information a Customer enters about its staff (Authorized Users)

  • Name, email, phone, and (optional) profile photo or icon.
  • Qualifications and certifications (e.g., NCCP level, First Aid expiry, internal program qualifications).
  • Availability (hours of work, time-off requests).
  • Class assignments, rotation assignments, shift blocks, hours-target settings.
  • Notes the Customer chooses to enter about the staff member.

We do not ask Customers to enter any of the following, and you should not enter them:

  • Athlete (child) records of any kind.
  • Government identification numbers (SIN, driver's licence, etc.).
  • Medical information beyond what is implicit in a staff certification (e.g., "Standard First Aid expires 2027-04-01").
  • Banking or payroll details (this is not a payroll product in v1).

4.3 Information collected automatically

  • IP address, browser type, device type, operating system, referring URL.
  • Pages viewed, features used, errors encountered, time of access.
  • Cookies and similar technologies — see Section 8.

4.4 Information from third-party services

  • If a Customer signs in via a third-party identity provider in the future, we will receive the basic profile information that provider returns (typically name and email).
  • Stripe returns subscription and payment status events to us.

5. How We Use Personal Information

We use personal information to:

  1. Provide the Service — authenticate users, deliver scheduling and rotation features, send transactional emails (password reset, account changes, schedule notifications).
  2. Bill and collect payment — process Subscription fees through Stripe.
  3. Support and communicate — respond to support requests; send service announcements and (if you opt in as a Customer admin) product updates.
  4. Secure the Service — detect, investigate, and prevent fraud, abuse, and security incidents.
  5. Improve the Service — diagnose performance issues; analyze aggregated or de-identified usage patterns to improve features.
  6. Comply with law — respond to lawful requests, retain records where required, and enforce our Terms.

We do not sell personal information. We do not use Customer Data or Authorized User personal information to train AI/ML models. (See Section 6.3 for our use of AI subprocessors at inference time only.)


6. Subprocessors — Who We Share With

We share personal information with the following categories of subprocessors, all under contractual confidentiality and security obligations.

6.1 Current subprocessors

| Subprocessor | Purpose | Data location |
| --- | --- | --- |
| Supabase | Database hosting (Postgres), authentication, file storage | AWS, ca-central-1 (Canada) |
| Vercel | Web application hosting and content delivery | Multi-region (primary edge in North America) |
| Stripe | Subscription billing, payment processing | United States and Canada |
| Resend | Transactional and notification email delivery | United States |
| Anthropic | AI inference for schedule generation and staff assignment features | United States |
| Sentry | Application error monitoring and diagnostic telemetry | United States (with EU option) |

6.2 Other recipients

  • Government, regulators, and courts — where required by law, subpoena, or court order, with notice to the Customer where legally permissible.
  • Successor in a corporate transaction — if we are involved in a merger, acquisition, financing, or sale of assets, your personal information may be transferred to the successor under equivalent confidentiality protections.

6.3 AI features — what we send to Anthropic

Two features (AI schedule generation and AI staff assignment) send the following to the Anthropic API at the moment of inference:

  • Class names, time slots, durations, and program metadata.
  • Staff first names (or initials only — final choice pending), qualifications, hours targets, and availability.

Anthropic processes this data on a transient inference basis and, under our agreement with them, does not use it to train their models. We do not send any of the categories listed in Section 4.2's "do not enter" list to Anthropic, because we do not collect them.

6.4 Error monitoring — what we send to Sentry

To detect and diagnose errors in the Service, we use Sentry. When an error or unhandled exception occurs in your browser or on our servers, Sentry receives:

  • A stack trace and source code location of the error.
  • The URL of the page where the error occurred.
  • Browser type, operating system, and device information.

We do not send your IP address: Sentry's "Prevent Storing of IP Addresses" setting is enabled at the organization level, which drops IPs at ingestion before they are stored against your event.

We have session replay disabled in Sentry, so Sentry does not record video-like reconstructions of your browsing session. Sentry receives only error events and a small sample of performance traces (currently 10%); it does not receive Customer Data uploaded by Customers (such as staff names, qualifications, or schedules) unless that data appears inside an error message or stack trace.

To reduce the chance that Customer Data leaks through error messages or breadcrumbs, our application applies a redaction layer before each event leaves your browser or our servers. The redaction layer removes:

  • email addresses (replaced with [email redacted]),
  • Bearer authorization headers and JWT-shaped tokens (replaced with Bearer [redacted] and [jwt redacted]),
  • Stripe-, Anthropic-, OpenAI-, and Supabase-style API keys (replaced with [api key redacted]).

In addition, Sentry's server-side Data Scrubber is enabled at the organization level with the default scrubber rules, so common sensitive field names (such as password, secret, creditcard) are also masked at ingestion.
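
An illustration of the kind of redaction pass described in this section, added here as an example; it is not GymGrid's code. The regular expressions, the vendor key prefixes, the depth cap, and the sample event are assumptions made for the illustration.

```javascript
// Added illustration, not GymGrid's code. Token and key shapes are assumptions.
const RULES = [
  // Bearer first, so the header is replaced as a unit before the JWT rule runs.
  [/\bBearer\s+[A-Za-z0-9._~+\/=-]+/gi, "Bearer [redacted]"],
  // JWT-shaped: three base64url segments, the first starting with "eyJ".
  [/\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g, "[jwt redacted]"],
  // Assumed vendor key prefixes (Stripe sk_/pk_/rk_, sk-... style, Supabase sb*_).
  [/\b(?:(?:sk|pk|rk)_(?:live|test)_[A-Za-z0-9]{8,}|sk-[A-Za-z0-9_-]{16,}|sb(?:p|_secret|_publishable)_[A-Za-z0-9_-]{16,})/g,
   "[api key redacted]"],
  [/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, "[email redacted]"],
];

// Apply every rule in order to a single string.
function scrubString(text) {
  return RULES.reduce((out, [pattern, label]) => out.replace(pattern, label), text);
}

// Walk any JSON-like value and return a scrubbed copy; depth-capped so an
// unexpectedly deep or cyclic payload cannot hang the error reporter.
function scrubValue(value, depth = 0) {
  if (typeof value === "string") return scrubString(value);
  if (value === null || typeof value !== "object") return value;
  if (depth >= 8) return "[truncated]";
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, depth + 1));
  return Object.fromEntries(
    Object.entries(value).map(([k, v]) => [k, scrubValue(v, depth + 1)])
  );
}

// Constructed sample event, loosely shaped like an error-monitoring payload.
const sampleEvent = {
  message: "Invite failed for coach.sam@example.ca",
  request: { headers: { Authorization: "Bearer eyJhbGciOi.eyJzdWIiOiIx.c2lnbmF0dXJl" } },
  breadcrumbs: [
    { message: "token=eyJhbGciOi.eyJzdWIiOiIx.c2lnbmF0dXJl" },
    { message: "stripe call with sk_test_CONSTRUCTED0000" },
  ],
};

const scrubbed = scrubValue(sampleEvent);
console.log(JSON.stringify(scrubbed, null, 2));
```

Pattern-based redaction only catches values that match a known shape, which is why the server-side scrubber on field names acts as a second layer.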


7. Data Location and Cross-Border Transfer

Your personal information is stored on infrastructure located in Canada and the United States, depending on the subprocessor (Section 6.1). Any transfer outside Canada is subject to the laws of the destination country, which may differ from Canadian privacy laws and may permit lawful access by foreign government authorities.

We rely on contractual safeguards (data processing agreements with each subprocessor) and technical safeguards (encryption in transit and at rest) to protect your information during these transfers.


8. Cookies and Similar Technologies

We use a small number of first-party cookies and similar technologies (such as browser local storage) on our public website and the Service. We use two categories:

  • Strictly necessary — keep you signed in, maintain session security, and store your cookie-consent choice itself. These cannot be disabled while using the Service.
  • Analytics — aggregated, de-identified usage measurement. Off by default. We do not currently use any analytics provider; if we add one, your stored consent choice controls whether it loads.

Our full Cookie Policy, including the list of specific items we set and how to change your preferences, is published at gymgrid.ca/cookies.

You can change your cookie preferences at any time using the "Cookie preferences" link in our website footer.

We do not currently respond to "Do Not Track" browser signals; there is no settled industry standard for them.


9. Retention

We retain personal information only as long as we need it for the purpose for which it was collected, or as required by law.

| Category | Retention period |
| --- | --- |
| Active Customer account data | While the Subscription is active |
| Customer Data after Subscription termination | 30 days for Customer-initiated export, then deleted from active production within 120 days |
| Billing records, invoices, tax records | 7 years (Canada Revenue Agency requirement) |
| Email server logs, security audit logs | 12 months |
| Aggregated, de-identified data | Indefinite |
| Encrypted backups | Overwritten on the regular backup-rotation cycle (typically within 90 days) |

When you delete an Authorized User from a Customer's account, the underlying personal information is removed from the active records within seven days, except for audit-log entries we are required to retain for security and compliance.


10. Your Rights

Subject to the role distinction in Section 1, you have the following rights:

  1. Access — to know what personal information we hold about you and to receive a copy.
  2. Correction — to ask us to correct inaccurate or incomplete personal information.
  3. Deletion — to ask us to delete your personal information, subject to legal retention obligations and the controller-vs-processor distinction in Section 1.
  4. Withdrawal of consent — to withdraw any consent on which we rely, on a forward-looking basis. Withdrawing consent may limit or end our ability to provide the Service to you.
  5. Portability — to receive your data in a structured, machine-readable format. Customer admins can export data directly from within the Service; Authorized Users should request through their club.
  6. Complaint — to lodge a complaint with the Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca) or the Office of the Privacy Commissioner of Canada (priv.gc.ca).

To exercise any right, contact us using the details in Section 12. We will respond within 30 days of receiving a verifiable request, except where the law permits a longer period and we have given you notice.

We may need to verify your identity before responding to a request. We do not charge a fee for routine requests.


11. Security

We use commercially reasonable physical, technical, and organizational safeguards designed to protect personal information, including:

  • TLS encryption in transit and AES-256 encryption at rest (provided by Supabase / AWS).
  • Row-level security in our database to enforce multi-tenant isolation between Customers.
  • Server-authoritative profile creation and least-privilege access for our infrastructure.
  • Periodic review of access logs and dependency-security advisories.
  • Confidentiality obligations for any contractor or employee with access to personal information.

No system is completely secure. If we become aware of a security breach affecting personal information that creates a real risk of significant harm to an individual, we will:

  1. Notify the affected Customer without undue delay so the Customer can fulfil its own breach-notification obligations under PIPEDA, PIPA, or other applicable law;
  2. Notify the Office of the Privacy Commissioner of Canada and other applicable regulators where required;
  3. Document the incident in our records.

12. Privacy Officer and Contact

GymGrid Privacy Officer: Carly Balfour
Email: [email protected]
Mailing address: 12 Groat Crest, Spruce Grove, AB T7X 1Z7, Canada

(GymGrid is currently operated by Carly Balfour as a sole proprietorship in Alberta, Canada; the Privacy Officer designation will be reassigned to a corporate role at incorporation.)


13. Children's Information

The Service is not designed to collect or store information about athletes, including minor athletes. Customers must not enter athlete records into the Service.

The Service may incidentally contain the contact information of staff members who happen to be minors (for example, an assistant coach aged 16 hired by the Customer). For those individuals, the Customer is responsible for obtaining any consents required under applicable employment standards or privacy law before entering their information into the Service.

If we become aware that a Customer has entered information about a minor athlete in violation of these terms, we will work with the Customer to remove that information promptly and may terminate the Customer's account under the Terms of Service.


14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

  1. We will update the "Last updated" date at the top of this document.
  2. For material changes (such as a new category of subprocessor, a new purpose of processing, or a new category of personal information collected), we will provide at least fifteen (15) days' notice by email to Customer admins and/or by in-app notice before the change takes effect.
  3. For non-material changes (clarifications, formatting, contact updates), changes are effective on posting.

Continued use of the Service after the effective date of a change indicates acceptance.


15. Effective Date and Versioning

| Version | Date | Summary |
| --- | --- | --- |
| 1.0 | 2026-05-07 | Initial draft. |
| 1.1 | 2026-05-13 | Restructured §8 to reflect the two-category cookie consent model and pointed to the new dedicated Cookie Policy page. |