Privacy Policy

We at Gympass know you care about how your personal data is used and shared, and we take your privacy seriously. Please read the following to learn more about our Privacy Policy. By accepting our Terms and Privacy Policy to use the Services, you acknowledge that you accept the practices and policies outlined in this Privacy Policy, and you hereby consent that we will collect, use, and share your data in the following ways.

Remember that your use of the Gympass Services is at all times subject to the Terms of Use, which incorporates this Privacy Policy. Any terms we use in this Policy without defining them have the definitions given to them in the Terms of Use.

What does this Privacy Policy cover?

Welcome to Gympass. Gympass acts as an intermediary between gyms, health clubs and fitness entities (the “Gyms”) who have entered into partnership agreements with Gympass and individuals who desire to purchase the fitness services offered by such Gyms (“you”). We then enable you to purchase and make use of the fitness, sporting and health services offered by the Gyms (our “Services”).

Gympass is owned and operated by GPBR PARTICIPAÇÕES LTDA., CNPJ: 15.664.649/0001-84, with registered address at Av. Brigadeiro Faria Lima, 1306, 1 e 2 andares, 01451-001, São Paulo – SP, Brazil (“Gympass,” “we” and “us”). This Privacy Policy covers our treatment of personal data ("Personal Data") that we gather when you are accessing or using our Services (either individually or through your employer) and applies where we act as a data controller – that is to say, in the cases where we determine why and how your Personal Data is being treated. This Policy does not apply to the practices of companies we don’t own or control, or people that we don’t manage, to the extent that we don’t share your Personal Data with such companies or people.

If you have any questions, comments, or concerns regarding this Privacy Policy, please contact us at contato@gympass.com, Av. Brigadeiro Faria Lima, 1306, 1 e 2 andares, 01451-001, São Paulo - SP. Our data protection officer’s contact details are: Rafael Yoshihara and dpo@gympass.com.

We gather various types of Personal Data from our users, as explained in more detail below, and we use this Personal Data internally in connection with our Services, including to personalize, provide, and improve our services, to allow you to set up a user account and profile, to contact you and allow other users to contact you, to fulfill your requests for certain products and services, and to analyze how you use the Services. In certain cases, we may also share some Personal Data with third parties, but only as described below.

As noted in the Terms of Use, we do not knowingly collect or solicit personal data from anyone under the age of 16. If you are under 16, please do not attempt to register for the Services or send any personal data about yourself to us. If we learn that we have collected personal data from a child under age 16, we will delete that data as quickly as possible. If you believe that a child under 16 may have provided us personal data, please contact us at contato@gympass.com.

Will Gympass ever change this Privacy Policy?

We’re constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time as well, but we will alert you to changes by placing a notice on the Gympass website, by sending you an email, and/or by some other means. Please note that if you’ve opted not to receive legal notice emails from us (or you haven’t provided us with your email address), those legal notices will still govern your use of the Services, and you are still responsible for reading and understanding them. If you decide to use the Services after any changes to the Privacy Policy have been posted, you will be requested to agree to the changes in its conditions.

What Data does Gympass Collect?

Data Your Employer Provides to Us:

To offer our Services, we receive and store Personal Data about you which your employer may share with us. This data entails your full name, your corporate e-mail address, and, in some cases, you employee ID number.

We may use this data to contact you, to cross-reference it with other Personal Data we may hold about you in accordance with this Policy, and to share it with the Gym you choose to go to and to our commercial partners, as provided in this Policy.

You hereby acknowledge that we receive Personal Data about you from your employer, and consent to our treatment and sharing of such data in the terms of this Policy. The legal basis for this processing is the consent you are giving through this Policy.

Data You Provide to Us:

We receive and store any data you knowingly provide to us. Specifically, through the account registration process and/or through your account settings, we collect your full name, email address, phone number, debit/credit card data, direct debit account data, third-party account credentials (for example, your log-in credentials for Facebook) and non-required fields of birthdate, address, gender, personal websites and favorite classes. If you provide sign in to the Services through a third-party site or service (such as Facebook), you understand some content and/or data in those accounts (“Third Party Account Data”) may be transmitted into your account with us, and that Third-Party Account Data transmitted to our Services is covered by this Privacy Policy. Certain data may be required to register with us or to take advantage of some of our features.

We may communicate with you if you’ve provided us the means to do so. For example, if you’ve given us your email address, we may send you promotional email offers on behalf of other businesses or email you about your use of the Services. By providing us with your wireless phone number, email address or Facebook account credentials, you confirm that you want Gympass to send you data we think may be of interest to you, including but not limited to Pass offers, promotions and updates regarding Gympass Partners, and you agree to receive emails, SMS, push notifications and messages on social networks.  If you do not want to receive communications from us, please indicate your preference by clicking the unsubscribe link that will appear in all emails or by contacting contato@gympass.com. Gympass will use all reasonable efforts to perform your unsubscribe request within 72 hours of receipt of such request.

We may use this data to contact you, to cross-reference it with other Personal Data we may hold about you in accordance with this Policy, and to share it with the Gym you choose to go to and to our commercial partners, as provided in this Policy.

We may also share your data with booking partners that you chose to book classes with, but that will only happen if you agree, each time, to book for a class.

We currently use MindBody as a booking partner and the terms and privacy policy of such partner can be found at https://www.mindbodyonline.com/terms-of-service and https://www.mindbodyonline.com/privacy-policy.

Data Collected Automatically

Whenever you interact with our Services, either on our website or through a mobile app, we automatically receive and record data on our server logs from your browser or device, which may include your IP address, geolocation data, device identification, “cookie” data (please see below), the type of browser and/or device you’re using to access our Services, the page or feature you requested and time of access.

We may use this data to provide a customized experience for you, based on your usage patterns, or for remarketing, report printing, management, or other analysis. We may also use it to improve the Services - for example, this data can tell us how often users use a particular feature of the Services and we are able to use that knowledge to enhance our user experience.

Cookies

“Cookies” are identifiers we transfer to your browser or device that allow us to recognize your browser or device and tell us how and when pages and features in our Services are visited and by how many people.

Through cookies, we may collect data about your online activity after you leave our Services. Just like any other usage data we collect, this data allows us to improve the Services and customize your online experience, and otherwise as described in this Privacy Policy. Our Services do not support “Do Not Track” requests at this time, which means that we collect data about your online activity while you are using the Services.

Specifically, we use cookies for the following purposes:

  1. Authentication and login status - we use cookies to identify you when you open our website and to know whether you’re logged in to our website or not;
  2. Advertising – we use cookies to help us identify your usage patterns of our website and app and to help us display advertisements which are relevant to you;

We use Google Analytics to analyze the use of our website and of our app. Google collects data about website and app use through cookies and uses this data to create reports about the use of our website and app.

Google's privacy policy is available at: https://www.google.com/policies/privacy/, and by using the link https://www.google.com/settings/ads, a user may configure or unlink certain of these collection methods.

You may be able to change the preferences on your browser or device to prevent or limit your device’s acceptance of cookies, but this may prevent you from taking advantage of some of our features. Again, this Privacy Policy does not cover the use of cookies by any third parties, and we aren’t responsible for their privacy policies and practices. Please be aware that cookies placed by third parties may continue to track your activities online even after you have left our Services, and those third parties may not honor “Do Not Track” requests you have set using your browser or device.

Will Gympass Share Any of the Personal Data it Receives?

We do not rent, sell or transfer your Personal Data form to anyone, except as expressly provided below.  We may share your Personal Data with third parties as described in this below:

Gyms. We may share some of your Personal Data with Gyms so that they can register you in their systems and allow you to attend to them for exercising. The only data we share with Gyms is your full name, telephone number, e-mail address and the daily pass (check-in) information generated by our system.

Data that has been de-identified. We may de-identify your Personal Data so that you are not identified as an individual and provide that data to the Gyms or a corporate client (i.e., your employer). We may also provide aggregate usage data to the Gyms or corporate clients (or allow Partners or corporate clients to collect that data from you), who may use such data to understand how often and in what ways users use our Services, so that they, too, can provide you with an optimal experience. However, we never disclose aggregate usage or de-identified data to a Gym or corporate client in a manner that would identify you as an individual, either directly or indirectly.

Reports/Analytics: Gympass stores data that is used in the form of aggregated and generic statistics or reports to obtain a better understanding of user profiles for the improvement of Products and Services offered by Gympass.

Advertisers: We may, from time to time, allow advertisers and/or merchant partners (“Advertisers”) to choose the demographic data of users who will see their advertisements and/or promotional offers and you agree that we may provide any of the data we have collected from you in non-personally identifiable form to an Advertiser, for that Advertiser to select the appropriate audience for those advertisements and/or offers. For example, we might use the fact you are located in San Francisco to show you ads or offers for San Francisco businesses, but we will not tell such businesses who you are. Or, we might allow Advertisers to display their ads to users with similar usage patterns to yours, but we will not disclose usage data to Advertisers except in aggregate form, and not in a manner that would identify you personally. Note that if an advertiser asks us to show an ad to a certain audience or audience segment and you respond to that ad, the advertiser may conclude that you fit the description of the audience they were trying to reach.

We use Google Tag Manager, Facebook, and LinkedIn to communicate with users, with data collected by such ad partners, and Intercom to communicate with users with data we collect in our website and or through a mobile app.

The privacy policy of such partners are available at: https://www.intercom.com/terms-and-policies#terms, https://www.linkedin.com/help/linkedin/answer/67513/linkedin-conversion-tracking-overview?lang=en, https://www.facebook.com/business/help/742478679120153?helpref=faq_content.

Affiliated Businesses: In certain situations, businesses or third-party websites we’re affiliated with may, from time to time, sell or provide products or services to you through or in connection with the Services (either alone or jointly with us). You can recognize when an affiliated business is associated with such a transaction or service, and we will share your Personal Data with that affiliated business only to the extent that it is related to such transaction or service. We have no control over the policies and practices of third party websites or businesses as to privacy or anything else, so if you choose to take part in any transaction or service relating to an affiliated website or business, please review all such business’ or websites’ policies.

Our Agents: We employ other companies and people to perform tasks on our behalf and need to share your data with them to provide products or services to you; for example, we use a payment processing company to receive and process your credit card transactions for us. Unless we tell you differently, our agents do not have any right to use the Personal Data we share with them beyond what is necessary to assist us.

User Profiles and Submissions: Certain account data, including your name, location, and any video or image content that such user has uploaded to the Services, may be displayed to other users to facilitate user interaction within the Services or address your request for our services. Please remember that any content you upload to your public user profile, along with any Personal Data or content that you voluntarily disclose online in some manner other users can view (on discussion boards, in messages and chat areas, etc.) becomes publicly available, and can be collected and used by anyone. Your user name may also be displayed to other users if and when you send messages or comments or upload images or videos through the Services and other users can contact you through messages and comments. Additionally, if you sign into the Services through a third party social networking site or service, your list of “friends” from that site or service may be automatically imported to the Services, and such “friends,” if they are also registered users of the Services, may be able to access certain non-public data you have entered in your Services user profile. Again, we do not control the policies and practices of any other third-party site or service.

Business Transfers: We may choose to buy or sell assets and may share and/or transfer customer data in connection with the evaluation of and entry into such transactions. Also, if we (or our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Data could be one of the assets transferred to or acquired by a third party. 

Protection of Gympass and Others: We reserve the right to access, read, preserve, and disclose any data that we believe is necessary to comply with law or court order; enforce or apply our Terms of Use and other agreements; or protect the rights, property, or safety of Gympass, our employees, our users, or others.

Is Personal Data about me secure?

Your account is protected by a password for your privacy and security. If you access your account via a third-party site or service, you may have additional or different sign-on protections via that third-party site or service. You must prevent unauthorized access to your account and Personal Data by selecting and protecting your password and/or other sign-on mechanism appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.

We endeavor to protect the privacy of your account and other Personal Data we hold in our records, but unfortunately, we cannot guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user data at any time.

Gympass B.V.: is a company based in Amstelveen, Netherlands and the data we collect is governed by EU law.

Gympass US LLC is a company based in the United States of America (USA).

GPBR Participações Ltda. is a company based in Brazil.

Gympass servers are hosted at Amazon.com (AWS) services facilities in the USA.

By accessing or using the Gympass Services or otherwise providing data to us, you consent to the processing, storage and transfer of data in and to the U.S. and Brazil. In particular, your data may be accessible to Gympass’ staff in the USA or Brazil or stored on Gympass servers in the USA.

All data is encrypted in transit using TLS 1.2 and AES 256 for data at rest.

What Personal Data can I access?

Through your account settings, you may access and edit the data you’ve provided to us. If you wish to exercise any of your rights over your data (for a summary of them, please check below), and that option is not yet available through your account settings, please contact us at the e-mail below and we will address your request as soon as we can.

 The data you can view and update may change as the Services change. If you have any questions about viewing or updating data, or to request that we delete Personal Data that we have on file about you, please contact us at contato@gympass.com.  Please note that we own and may use aggregated and anonymized data derived from or incorporating your Personal Data after you provide it to us but will delete any specific Personal Data upon request. 

What rights do I have?

You can always opt not to disclose data to us, but keep in mind some data may be needed to register with us or to take advantage of some of our features.

You may be able to add, or update data as explained above. When you update data, however, we may maintain a copy of the unrevised data in our records. You may request the cancellation of your account by email (contato@gympass.com) or chat support. Some data may remain in our records after you request the deletion of such data from your account in the manner described above. We own and may use any aggregated data derived from or incorporating your Personal Data after you update or delete it, but not in a manner that would identify you personally.

Below, we have summarized all the rights you have under the European General Data Protection Regulation (the “GDPR”). The main rights you have over your data under the GDPR are:

  1. the right to access;
  2. the right to rectification;
  • the right to erasure;
  1. the right to restrict processing;
  2. the right to object to processing;
  3. the right to data portability;
  • the right to complain to a supervisory authority; and
  • the right to withdraw consent.

If you have any questions or concerns regarding our privacy policies, or regarding how to exercise any of your rights, please send us a detailed message to contato@gympass.com, and we will try to resolve your concerns.

Last Modified: May 23, 2018