Privacy Policy
Last Updated: March 2026
Effective Date: March 2026
1. Introduction
Moden Fitness ("we," "us," or "our") operates a multi-tenant gym management software-as-a-service platform (the "Service") that enables fitness facilities ("Facilities") to manage memberships, class bookings, payments, and member engagement.
This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information when you visit our website, register as a member or staff user, use our portals, make payments, or interact with our Service.
We are committed to protecting your privacy and complying with applicable data protection laws, including the Protection of Personal Information Act (POPIA) of South Africa, and where applicable, the General Data Protection Regulation (GDPR) of the European Union.
2. Information We Collect
2.1 Information You Provide Directly
Account Registration Data
- Full name (first name, last name)
- Email address
- Password (stored only as a salted bcrypt hash; we never store it in plaintext or in a reversible encrypted form)
- Date of birth
- Phone number (optional)
- Gender (optional)
Profile Information
- Profile photograph (optional)
- Emergency contact details (optional)
Fitness & Health Data
- Workout scores (benchmark WODs, lift records)
- Class attendance history
- Performance notes (user-entered)
- Body weight measurements (optional, user-entered)
- Injury reports (body area, description, dates — optional, user-entered)
Payment Information
- Payment card details processed by third-party providers (Paystack, Yoco)
- We store only the last four digits of the card, the card type, and the processor's authorization token; we do not store full card numbers
- Billing history (invoices, payment dates, amounts)
Agreement & Consent Data
- Full legal name (typed)
- Digital signature
- IP address and browser information at time of signing
- Signature timestamp and document version
2.2 Information Collected Automatically
- Technical Data: IP address, browser type, device information, operating system, access timestamps
- Usage Data: Class booking history, portal navigation, feature usage
- Session Data: Authentication tokens, session identifiers, facility context
- Push Notification Tokens: Device tokens for delivering push notifications via Firebase Cloud Messaging (FCM). Tokens are stored per device and automatically cleaned when they become stale.
- Camera & Photo Library: If you choose to upload a profile photo, whiteboard photo, or gallery image, we access your device camera or photo library only at the moment of capture or selection. Photos are processed (resized, converted to WebP) and stored securely. We do not access your photo library in the background.
2.3 Information from Third Parties
We receive transaction confirmations and payment status updates from our payment processors (Paystack, Yoco). Facility staff may also provide your information when adding you as a member.
3. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Account Creation & Authentication | Contract performance |
| Membership Management | Contract performance |
| Class Booking & Scheduling | Contract performance |
| Payment Processing | Contract performance |
| Service Communications | Contract / Legitimate interest |
| Fitness Tracking Features | Consent (voluntary use) |
| Security & Fraud Prevention | Legitimate interest |
| Legal Compliance | Legal obligation |
4. Data Sharing and Disclosure
4.1 Facility Access
Your Facility's authorized staff can access your profile information, membership status, booking history, payment history, and signed agreements. Each Facility operates as a separate data controller for its own members.
4.2 Third-Party Service Providers
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Cloud storage (images, documents) | AWS (varies) |
| Resend | Email delivery | United States |
| Paystack | Payment processing | Nigeria (PCI-DSS compliant) |
| Yoco | Payment processing | South Africa (PCI-DSS compliant) |
| Vercel | Application hosting | Global CDN |
| Twilio | WhatsApp messaging | United States |
| Firebase (Google) | Push notifications (FCM) | United States |
| Google Gemini | AI-powered workout generation | United States |
| Replicate | AI-powered image editing | United States |
4.3 Legal Disclosures
We may disclose personal information when required to comply with laws, respond to legal requests, protect our rights, or investigate security issues.
4.4 No Sale of Personal Information
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Active Account Data | Duration of account + 7 years |
| Inactive Account Data | 3 years after last activity |
| Payment Records | 7 years |
| Signed Agreements | 10 years |
| Class Booking History | 5 years |
| Workout Scores | Duration of account |
6. Data Security
We implement industry-standard security measures including:
- Encryption in transit (HTTPS/TLS 1.2+)
- Password hashing (salted bcrypt via bcryptjs; plaintext passwords are never stored)
- JWT authentication with configurable expiration
- Role-based access control (Member, Staff, Admin)
- Multi-tenancy isolation (facility-scoped queries)
- PCI-DSS compliant payment processors
- Webhook signature verification (HMAC-SHA512) on incoming payment-processor callbacks, so forged or tampered payment events are rejected
- Input validation on all API endpoints
- Encryption at rest (AES-256-GCM) for sensitive facility credentials
- Row-level security on all database tables
- Audit logging for sensitive operations
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals within 72 hours of becoming aware of the breach and report to the relevant authorities as required by law.
7. Your Rights
Under POPIA and GDPR (where applicable), you have the following rights:
Access
Request confirmation and access to your personal information
Correction
Request correction of inaccurate or incomplete data
Deletion
Request deletion of your personal information
Object
Object to processing based on legitimate interests
Withdraw Consent
Withdraw consent where processing is based on consent
Data Portability
Receive your data in a structured, commonly used format
To exercise these rights, contact us using the details in Section 13. We will respond within 30 days.
8. Account Deletion
You may request deletion of your account and associated personal data at any time. To delete your account:
- Navigate to your Profile page in the app and use the account deletion option, or
- Email us at bezuidenhoutluvan@gmail.com with the subject "Account Deletion Request"
Upon receiving your request, we will delete your account within 30 days. The following data will be permanently removed:
- Profile information and profile photo
- Workout scores and performance data
- Class booking history
- Push notification tokens
- Notification preferences
Certain data may be retained for legal compliance purposes as outlined in Section 5 (Data Retention), including payment records (7 years) and signed agreements (10 years).
9. Push Notifications
Our mobile app may send push notifications to your device using Firebase Cloud Messaging (FCM). These notifications include:
- Class booking confirmations and cancellations
- Day-before class reminders
- Payment confirmations and reminders
- Trial expiration warnings
- Waitlist promotions
- Shop and invoice notifications
You can manage push notification preferences in your Profile > Notifications settings within the app. You may also disable push notifications entirely through your device's system settings. Disabling push notifications does not affect your ability to use the Service.
10. Cookies and Tracking
We use minimal cookies necessary for the Service to function:
| Cookie / Storage | Purpose | Essential |
|---|---|---|
| Session Cookie | Authentication (JWT token) | Yes |
| Facility Context Cookie | Remember selected facility | Yes |
| UI Preferences (browser localStorage, not a cookie) | Sidebar state | No |
We do not use third-party tracking, analytics platforms, advertising cookies, or social media tracking pixels.
App Tracking Transparency (iOS)
Moden Fitness does not track you across other companies' apps or websites. We do not participate in advertising networks or share data with data brokers. Our app does not request the iOS App Tracking Transparency (ATT) permission because we do not engage in any form of cross-app tracking.
11. International Data Transfers
Your personal information may be transferred to and processed in countries outside South Africa, including the United States, Nigeria, and various AWS regions. For transfers outside South Africa or the EEA, we ensure adequate protection through Standard Contractual Clauses, adequacy decisions, or your consent.
12. Children's Privacy
Our Service is not intended for individuals under 13. We do not knowingly collect personal information from children under 13. Users aged 13–17 may create accounts with parental or guardian consent as determined by the Facility.
13. Contact Information
For questions, concerns, or requests regarding this Privacy Policy:
Email
bezuidenhoutluvan@gmail.com
Phone
+27 72 218 4268
Supervisory Authority
If you are not satisfied with our response, you may lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za or by email at complaints.IR@justice.gov.za.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or prominent notice on our Service. For material changes, we will provide at least 30 days' notice before changes take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
Document Version: 2.0
Last Review Date: March 2026
