Privacy Policy

Effective date: May 21, 2026

1. Who We Are

Grappll ("we", "our", "us") is a gym management software platform operated from Burnaby, British Columbia, Canada. This Privacy Policy explains how we collect, use, and protect personal information in accordance with British Columbia's Personal Information Protection Act (PIPA) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, phone number, and gym details. This is necessary to provide the Service.

Member Data

Gym owners may input personal information about their gym members, including names, email addresses, phone numbers, membership details, attendance records, and payment information. You are responsible for ensuring you have appropriate consent to collect and process this data.

Payment Information

Payment processing is handled by Stripe. We do not store full payment card details. Stripe may collect and store payment information in accordance with its privacy policy.

Usage Data

We automatically collect information about how you use the Service, including log data, IP addresses, browser type, and pages visited. This helps us improve the Service and maintain security.

Contact Form Submissions

When gym members submit a contact form, we collect their name, email, phone number, and message content on behalf of the gym owner.

3. How We Use Your Information

  • To provide, maintain, and improve the Service
  • To process payments and manage subscriptions
  • To send transactional emails (receipts, password resets, account notices)
  • To send retention nudge emails on behalf of gym owners (only to their members)
  • To generate AI-powered summaries of contact form submissions using Anthropic's Claude API
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations

We do not sell your personal information to third parties.

4. Third-Party Services

We use the following third-party services to operate the platform. Each has its own privacy policy:

  • Supabase — database and authentication hosting (supabase.com/privacy)
  • Vercel — application hosting and content delivery (vercel.com/legal/privacy-policy)
  • Stripe — payment processing (stripe.com/privacy)
  • Resend — email delivery (resend.com/privacy)
  • Anthropic — AI summaries of contact form messages (anthropic.com/privacy)

Data may be stored on servers located outside Canada, including in the United States. We take reasonable steps to ensure your data is protected in accordance with applicable Canadian privacy laws when transferred internationally.

5. Data Retention

We retain your account data for as long as your account is active. If you cancel your subscription, we will retain your data for 30 days to allow for reactivation, after which it may be permanently deleted.

You can request deletion of your account and associated data at any time by contacting us.

6. Security

We implement industry-standard security measures including:

  • TLS encryption for all data in transit
  • Row-level security ensuring each gym can only access its own data
  • Payment card data never stored on our servers
  • Rate limiting and bot protection on all public endpoints
  • Security headers on all responses (CSP, HSTS, X-Frame-Options)

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Your Rights

Under PIPA and PIPEDA, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Withdraw consent for collection or use of your information
  • Request deletion of your personal information
  • File a complaint with the Office of the Information and Privacy Commissioner for BC

To exercise any of these rights, contact us at grappll.app@gmail.com. We will respond within 30 days.

8. Cookies

We use essential cookies to maintain your session and keep you logged in. We do not use third-party tracking or advertising cookies.

9. Children's Privacy

The Service is not directed at children under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The updated policy will be effective upon posting.

11. Contact Us

For privacy-related questions or to exercise your rights, contact our Privacy Officer:

Grappll

Burnaby, British Columbia, Canada

grappll.app@gmail.com