Privacy Policy

This Privacy Policy (“Policy”) governs the collection, use, disclosure, and protection of information by The Algorithm (“Company,” “we,” “us,” or “our”), a Colorado corporation with its principal place of business at 5031 Ashbrook Circle, Highlands Ranch, CO 80130, in connection with the GymWyse software platform and related services (collectively, the “Service”).
By accessing or using the Service, you (“User,” “Customer,” “you,” or “your”) acknowledge that you have read, understood, and agree to be bound by this Policy and our Terms of Service. If you do not agree to this Policy, you must immediately discontinue use of the Service.


1. DEFINITIONS
1.1 Personal Information: Any information relating to an identified or identifiable natural person, including but not limited to name, email address, postal address, telephone number, payment information, IP address, device identifiers, location data, and any other information defined as “personal information,” “personal data,” or similar terms under applicable privacy laws.
1.2 Processing: Any operation or set of operations performed on Personal Information, whether automated or manual, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
1.3 Controller: The entity that determines the purposes and means of Processing Personal Information.
1.4 Processor: The entity that Processes Personal Information on behalf of a Controller.
1.5 End User: Any individual whose Personal Information is submitted to the Service by Customer, including but not limited to Customer’s gym members, clients, employees, and contractors.
1.6 Applicable Privacy Laws: All federal, state, local, and international laws, regulations, and rules governing privacy, data protection, and data security, including but not limited to: the Colorado Privacy Act (CPA), California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) where applicable, Children’s Online Privacy Protection Act (COPPA), Gramm-Leach-Bliley Act (GLBA), Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, state data breach notification laws, and any successor or replacement legislation.


2. SCOPE AND APPLICABILITY
2.1 This Policy applies to all Personal Information collected, processed, stored, or transmitted through or in connection with the Service, regardless of the method of collection or the location of the data subject.
2.2 This Policy supplements and does not replace any other privacy notices, policies, or agreements between Company and Customer, including but not limited to the Master Services Agreement, Data Processing Addendum, and Business Associate Agreement (if applicable).
2.3 To the extent there is any conflict between this Policy and Applicable Privacy Laws, Applicable Privacy Laws shall control.


3. DATA CONTROLLER AND PROCESSOR RELATIONSHIPS
3.1 Customer as Controller: Customer is the Controller with respect to End User Personal Information submitted to the Service. Customer is solely responsible for:
  • (a) Ensuring it has all necessary rights, consents, and legal bases to collect and provide End User Personal Information to Company;
  • (b) Compliance with all Applicable Privacy Laws in its collection, use, and disclosure of End User Personal Information;
  • (c) Providing required notices to End Users regarding the Processing of their Personal Information;
  • (d) Obtaining all necessary consents from End Users for the Processing of their Personal Information;
  • (e) Responding to End User requests regarding their Personal Information rights;
  • (f) Determining the purposes and means of Processing End User Personal Information.
3.2 Company as Processor: With respect to End User Personal Information, Company acts as a Processor on Customer’s behalf and will Process such information only:
  • (a) As instructed by Customer through Customer’s use of the Service;
  • (b) As necessary to provide the Service;
  • (c) As required by Applicable Privacy Laws;
  • (d) As otherwise authorized in writing by Customer.
3.3 Company as Controller: Company is the Controller with respect to Customer account information, including Customer employee/administrator information, billing information, and aggregated/anonymized usage data.
3.4 Nothing in this Policy restricts Company’s rights or obligations as a Controller with respect to data for which it is the Controller.


4. INFORMATION COLLECTION
4.1 Customer Account Information
We collect the following categories of Personal Information from Customer:
  • (a) Identification Information: Full legal name, business name, DBA name, email address, telephone number, business address, billing address;
  • (b) Authentication Information: Username, password (encrypted), security questions and answers, multi-factor authentication credentials;
  • (c) Financial Information: Payment card information (processed by third-party payment processors; not stored by Company), bank account information (for ACH payments), billing history, transaction records, tax identification numbers;
  • (d) Business Information: Business entity type, industry classification, number of locations, employee count, business hours, service offerings, pricing structures;
  • (e) Communication Records: Email correspondence, support tickets, chat transcripts, phone call recordings (where legally permitted with notice), survey responses, feedback submissions.
4.2 End User Information Collected by Customer
Customer may submit the following categories of End User Personal Information to the Service:
  • (a) Identification Information: Names, email addresses, phone numbers, postal addresses, dates of birth, gender, profile photographs;
  • (b) Membership Information: Membership types, subscription levels, membership start/end dates, membership status, contract terms, emergency contacts;
  • (c) Financial Information: Payment methods, billing history, payment status, outstanding balances, refund records;
  • (d) Activity Information: Check-in/check-out times, class attendance, personal training sessions, facility access logs, equipment usage, workout tracking data;
  • (e) Health Information (if provided by Customer): Medical conditions, physical limitations, injury history, fitness assessments, body measurements, health questionnaire responses (Customer acknowledges this may constitute Protected Health Information under HIPAA and agrees to comply with all applicable requirements);
  • (f) Communication Preferences: Email preferences, SMS preferences, notification settings, language preferences;
  • (g) Behavioral Data: Service usage patterns, feature utilization, session duration, navigation paths, click patterns.
4.3 Automatically Collected Information
We automatically collect the following information when the Service is accessed:
  • (a) Technical Information: IP address, MAC address, device identifiers (IDFA, Android ID), browser type and version, operating system, device manufacturer and model, screen resolution, time zone settings, browser plug-in types and versions, network connection type;
  • (b) Usage Information: Log files, pages visited, features accessed, time spent on pages, referring/exit pages, clickstream data, search queries, error logs, performance metrics, API calls;
  • (c) Location Information: IP-based geolocation data, GPS coordinates (if Customer enables location services), Wi-Fi access points, cell tower information;
  • (d) Cookie Information: Cookie identifiers, cookie preferences, tracking pixel data, web beacon data, local storage data.
4.4 Third-Party Sources
We may collect information from third-party sources, including:
  • (a) Data enrichment services;
  • (b) Marketing partners;
  • (c) Social media platforms (if Customer connects accounts);
  • (d) Public databases and government records;
  • (e) Credit reporting agencies (for fraud prevention);
  • (f) Identity verification services.
4.5 Sensitive Personal Information
Customer acknowledges that the Service is not designed for the collection or processing of Sensitive Personal Information (as defined under Applicable Privacy Laws), including but not limited to: social security numbers, driver’s license numbers, passport numbers, financial account credentials, precise geolocation data, genetic data, biometric data used for identification, personal information concerning a consumer’s health, sex life, or sexual orientation, personal information concerning a child (under age 13 or as otherwise defined by applicable law), or any data subject to heightened protection under Applicable Privacy Laws.
If Customer nonetheless submits Sensitive Personal Information to the Service, Customer:
  • (a) Assumes all liability and risk associated with such submission;
  • (b) Agrees to indemnify and hold Company harmless for any claims, damages, or liabilities arising from such submission;
  • (c) Represents and warrants that it has obtained all necessary consents and legal authorizations;
  • (d) Acknowledges that Company’s security measures may not be sufficient for such data categories.


5. USE OF INFORMATION
5.1 Purpose Limitation
Company will use Personal Information only for the following purposes:
5.1.1 Service Provision:
  • (a) Account creation, authentication, and management;
  • (b) Processing transactions and payments;
  • (c) Providing core Service functionality (member check-ins, class scheduling, payment processing, reporting, communications);
  • (d) Storing and managing Customer and End User data;
  • (e) Sending transactional communications (receipts, confirmations, account notifications);
  • (f) Customer support and technical assistance;
  • (g) Service optimization and performance enhancement.
5.1.2 Business Operations:
  • (a) Billing, accounting, and financial reporting;
  • (b) Fraud detection and prevention;
  • (c) Security monitoring and incident response;
  • (d) Internal analytics and business intelligence;
  • (e) Product development and improvement;
  • (f) Quality assurance and testing;
  • (g) Legal compliance and regulatory reporting.
5.1.3 Communications:
  • (a) Service announcements and updates;
  • (b) Feature releases and product news;
  • (c) Marketing communications (with opt-in consent where required);
  • (d) User surveys and feedback requests;
  • (e) Renewal notices and payment reminders.
5.1.4 Legal and Protective Purposes:
  • (a) Compliance with legal obligations, court orders, and government requests;
  • (b) Enforcement of Terms of Service and other agreements;
  • (c) Protection of Company’s rights, property, and safety;
  • (d) Protection of users’ rights, property, and safety;
  • (e) Investigation of suspected fraud, violations, or illegal activity;
  • (f) Response to lawful requests from public authorities;
  • (g) Establishment, exercise, or defense of legal claims.
5.2 Automated Decision-Making
Company may use automated systems for:
  • (a) Fraud detection and risk assessment;
  • (b) Service personalization and recommendations;
  • (c) Anomaly detection and security monitoring;
  • (d) Usage analytics and reporting.
Customer and End Users have the right to request human review of automated decisions that produce legal or similarly significant effects, as required by Applicable Privacy Laws.
5.3 No Sale of Personal Information
Company does not and will not sell Personal Information to third parties. For purposes of CCPA/CPRA, “sell” means the disclosure of Personal Information to third parties for monetary or other valuable consideration.
5.4 Aggregated and Anonymized Data
Company may create aggregated, anonymized, or de-identified data from Personal Information. Such data is not Personal Information and may be used for any lawful purpose, including:
  • (a) Industry research and benchmarking;
  • (b) Product development and improvement;
  • (c) Marketing and promotional purposes;
  • (d) Public reporting and thought leadership.
Company takes commercially reasonable measures to ensure such data cannot be re-identified.


6. INFORMATION SHARING AND DISCLOSURE
6.1 Service Providers and Subprocessors
Company may share Personal Information with third-party service providers who perform services on Company’s behalf, including:
  • (a) Cloud Infrastructure Providers: Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure;
  • (b) Payment Processors: Stripe, Square, Authorize.net, PayPal;
  • (c) Communication Services: SendGrid, Twilio, Amazon SES, Mailgun (for email and SMS);
  • (d) Customer Support: Zendesk, Intercom, Help Scout;
  • (e) Analytics Providers: Google Analytics, Mixpanel, Amplitude;
  • (f) Security Services: Cloudflare, Datadog, New Relic;
  • (g) Backup and Disaster Recovery: Backblaze, Veeam;
  • (h) Professional Services: Legal counsel, accountants, auditors, consultants.
All service providers are contractually obligated to:
  • (i) Use Personal Information only as instructed by Company;
  • (ii) Implement appropriate security measures;
  • (iii) Comply with Applicable Privacy Laws;
  • (iv) Return or delete Personal Information upon termination (unless legally required to retain);
  • (v) Cooperate with Company in responding to data subject requests.
An updated list of subprocessors is available upon written request.
6.2 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of Company’s assets, Personal Information may be transferred to the successor entity. Company will:
  • (a) Provide notice of such transfer via email and/or prominent notice on the Service at least thirty (30) days prior to transfer;
  • (b) Require the successor entity to continue to honor this Policy or provide users with notice and choice regarding use of their Personal Information.
6.3 Legal Requirements
Company may disclose Personal Information when required or permitted by law, including:
  • (a) In response to valid subpoenas, court orders, or legal process;
  • (b) To comply with applicable laws, regulations, or governmental requests;
  • (c) To detect, prevent, or address fraud, security, or technical issues;
  • (d) To protect against harm to the rights, property, or safety of Company, users, or the public;
  • (e) To establish, exercise, or defend legal claims.
Where legally permitted, Company will provide notice to affected users and an opportunity to object, unless prohibited by law or court order.
6.4 With Consent
Company may share Personal Information with third parties when Customer or End User provides explicit consent for such sharing.
6.5 Public Information
Customer acknowledges that certain information submitted to the Service may be visible to other users or the public, depending on Customer’s configuration and settings. Customer is solely responsible for determining what information is made public.
6.6 No Onward Transfer
Except as expressly authorized in this Policy or in a separate written agreement, Company will not disclose, transfer, or permit access to Personal Information by third parties.


7. INTERNATIONAL TRANSFERS
7.1 Data Location
The Service is operated in the United States. Personal Information collected through the Service will be transferred to, stored in, and processed in the United States and other countries where Company or its service providers maintain facilities.
7.2 Adequacy Mechanisms
For transfers of Personal Information from the European Economic Area (EEA), United Kingdom, or Switzerland, Company relies on:
  • (a) Standard Contractual Clauses approved by the European Commission;
  • (b) Adequacy decisions issued by the European Commission;
  • (c) Other legally valid transfer mechanisms as approved under Applicable Privacy Laws.
7.3 User Consent to Transfer
By using the Service, users explicitly consent to the transfer of their Personal Information to the United States and other countries that may not provide the same level of data protection as users’ home countries.
7.4 Additional Safeguards
Company implements appropriate safeguards for international transfers, including:
  • (a) Encryption of data in transit and at rest;
  • (b) Access controls and authentication requirements;
  • (c) Contractual commitments with service providers;
  • (d) Regular security assessments and audits.


8. DATA SECURITY
8.1 Security Measures
Company implements and maintains commercially reasonable technical, administrative, and physical safeguards designed to protect Personal Information against unauthorized access, use, modification, disclosure, or destruction, including:
8.1.1 Technical Safeguards:
  • (a) Encryption of data in transit using TLS 1.2 or higher;
  • (b) Encryption of data at rest using AES-256 or equivalent;
  • (c) Secure authentication mechanisms, including multi-factor authentication;
  • (d) Firewalls and intrusion detection/prevention systems;
  • (e) Regular security patching and updates;
  • (f) Vulnerability scanning and penetration testing;
  • (g) Log monitoring and security information and event management (SIEM);
  • (h) Data loss prevention (DLP) controls;
  • (i) Secure backup and disaster recovery systems.
8.1.2 Administrative Safeguards:
  • (a) Security policies and procedures;
  • (b) Employee background checks and screening;
  • (c) Confidentiality agreements with employees and contractors;
  • (d) Security awareness training programs;
  • (e) Incident response and breach notification procedures;
  • (f) Access control policies based on the principle of least privilege;
  • (g) Regular security audits and risk assessments;
  • (h) Third-party security assessments and certifications.
8.1.3 Physical Safeguards:
  • (a) Secure data center facilities with controlled access;
  • (b) Environmental controls (temperature, humidity, fire suppression);
  • (c) 24/7 monitoring and surveillance;
  • (d) Redundant power and network infrastructure;
  • (e) Physical access logs and visitor management.
8.2 Security Limitations
Customer acknowledges and agrees that:
  • (a) No method of transmission or storage is 100% secure;
  • (b) Company cannot guarantee absolute security of Personal Information;
  • (c) Unauthorized access, hardware or software failure, and other factors may compromise security;
  • (d) Customer is responsible for maintaining security of Customer’s account credentials;
  • (e) Customer must notify Company immediately of any unauthorized access or security breach.
8.3 Customer Security Responsibilities
Customer agrees to:
  • (a) Use strong, unique passwords for all accounts;
  • (b) Enable multi-factor authentication where available;
  • (c) Maintain up-to-date security software on devices accessing the Service;
  • (d) Not share account credentials with unauthorized persons;
  • (e) Promptly report any suspected security incidents to Company;
  • (f) Follow Company’s security best practices and recommendations;
  • (g) Configure appropriate access controls and permissions for End Users.
8.4 Security Breach Notification
In the event of a security breach involving Personal Information, Company will:
  • (a) Conduct a prompt investigation to determine the scope and impact;
  • (b) Take reasonable steps to contain and remediate the breach;
  • (c) Notify affected Customer(s) without unreasonable delay and within timeframes required by Applicable Privacy Laws;
  • (d) Provide information about the breach, affected data, and remediation steps;
  • (e) Cooperate with Customer in fulfilling Customer’s notification obligations to End Users and regulatory authorities;
  • (f) Document the breach and response actions.
Customer acknowledges that notification timing and content may be subject to law enforcement or regulatory investigation needs.


9. DATA RETENTION
9.1 Retention Periods
Company retains Personal Information for the following periods:
9.1.1 Active Accounts:
  • Personal Information is retained for the duration of the active account relationship.
9.1.2 Terminated Accounts:
  • Personal Information is retained for ninety (90) days following account termination or cancellation, except as otherwise required by law or specified below.
9.1.3 Legal and Business Requirements:
  • Financial records: Seven (7) years from date of transaction (or longer as required by tax laws);
  • Contract documents: Seven (7) years from contract termination;
  • Legal holds: Duration of litigation or investigation;
  • Fraud prevention records: Five (5) years from incident;
  • Communication records: Two (2) years from last communication.
9.1.4 Backup Systems:
  • Data may persist in backup systems for up to ninety (90) days after deletion from production systems.
9.2 Deletion Procedures
Upon expiration of applicable retention periods, Company will:
  • (a) Permanently delete Personal Information from production systems;
  • (b) Render Personal Information anonymous or unrecoverable;
  • (c) Overwrite storage media in accordance with NIST 800-88 guidelines or equivalent;
  • (d) Maintain records of deletion for audit purposes.
9.3 Legal Holds
Company may suspend deletion obligations when:
  • (a) Required to preserve information for litigation, investigation, or audit;
  • (b) Subject to a legal hold or preservation order;
  • (c) Information is relevant to an ongoing dispute or claim;
  • (d) Required by regulatory authority.
9.4 Extended Retention Requests
Customer may request extended retention of Personal Information by providing written notice at least thirty (30) days prior to scheduled deletion. Company may, in its sole discretion, approve such requests and may charge reasonable fees for extended retention services.


10. INDIVIDUAL RIGHTS
10.1 Applicable Rights
Subject to Applicable Privacy Laws and verification of identity, individuals have the following rights regarding their Personal Information:
10.1.1 Right to Access:
  • (a) Confirm whether Company is Processing Personal Information;
  • (b) Obtain a copy of Personal Information in Company’s possession;
  • (c) Receive information about Processing activities (purposes, categories, recipients, retention periods).
10.1.2 Right to Correction:
  • (a) Request correction of inaccurate Personal Information;
  • (b) Request completion of incomplete Personal Information.
10.1.3 Right to Deletion:
  • (a) Request deletion of Personal Information, subject to legal exceptions including:
    • (i) Completing transactions for which information was collected;
    • (ii) Detecting and preventing security incidents or fraud;
    • (iii) Debugging and repairing functionality;
    • (iv) Complying with legal obligations;
    • (v) Internal uses reasonably aligned with consumer expectations;
    • (vi) Otherwise permitted by Applicable Privacy Laws.
10.1.4 Right to Data Portability:
  • (a) Receive Personal Information in a structured, commonly used, machine-readable format;
  • (b) Transmit Personal Information to another controller (where technically feasible).
10.1.5 Right to Opt-Out:
  • (a) Sale of Personal Information (Company does not sell Personal Information);
  • (b) Targeted advertising (where applicable);
  • (c) Certain automated profiling decisions;
  • (d) Marketing communications (with exception for transactional messages).
10.1.6 Right to Restrict Processing:
  • (a) Request temporary restriction of Processing in certain circumstances;
  • (b) Object to Processing based on legitimate interests.
10.1.7 Right to Object:
  • (a) Object to Processing for direct marketing purposes;
  • (b) Object to Processing based on legitimate interests;
  • (c) Object to automated decision-making.
10.1.8 Right to Withdraw Consent:
  • (a) Withdraw previously provided consent for Processing;
  • (b) Withdrawal does not affect lawfulness of Processing prior to withdrawal.
10.1.9 Right to Lodge Complaint:
  • (a) File a complaint with relevant supervisory authority or data protection authority;
  • (b) Pursue remedies through regulatory or judicial proceedings.
10.2 Rights Exercise Procedures
10.2.1 Requests Related to Customer Account Information: To exercise rights regarding Customer account information, submit requests to:
  • Email: privacy@gymwyse.com
  • Mail: The Algorithm, ATTN: Privacy Rights, 5031 Ashbrook Circle, Highlands Ranch, CO 80130
10.2.2 Requests Related to End User Information: End Users must direct rights requests to Customer (the Controller). Company will cooperate with Customer to facilitate End User rights requests as required by Applicable Privacy Laws.
10.2.3 Verification Requirements: Company may require verification of identity before processing rights requests, including:
  • (a) Matching information provided in request to information on file;
  • (b) Signed declaration under penalty of perjury;
  • (c) Government-issued identification;
  • (d) Additional documentation as reasonably necessary.
10.2.4 Authorized Agent Requests: Requests submitted by authorized agents must include:
  • (a) Written authorization signed by the individual;
  • (b) Proof of agent’s authority;
  • (c) Verification of individual’s identity.
10.2.5 Response Timeframes: Company will respond to verified requests:
  • (a) Within forty-five (45) days of receipt (as required by CPA/CCPA);
  • (b) Subject to extension of the response period by an additional forty-five (45) days where reasonably necessary, with notice to the requestor;
  • (c) Within thirty (30) days for GDPR requests (extendable by additional sixty (60) days with justification).
10.2.6 Request Denials: If Company denies a request in whole or in part, Company will:
  • (a) Provide explanation for denial;
  • (b) Cite applicable legal exceptions or limitations;
  • (c) Provide information about appeal rights (where applicable);
  • (d) Provide contact information for relevant supervisory authority.
10.3 Right to Non-Discrimination
Company will not discriminate against individuals for exercising privacy rights, including by:
  • (a) Denying goods or services;
  • (b) Charging different prices or rates;
  • (c) Providing different quality of goods or services;
  • (d) Suggesting individual will receive different prices, rates, or quality.
Company may offer financial incentives for collection or use of Personal Information, provided such incentives are:
  • (a) Reasonably related to value provided by the data;
  • (b) Opt-in and revocable;
  • (c) Compliant with Applicable Privacy Laws.


11. COOKIES AND TRACKING TECHNOLOGIES
11.1 Types of Technologies Used
The Service uses cookies, web beacons, pixels, local storage, and similar tracking technologies (“Tracking Technologies”). Categories include:
11.1.1 Essential/Strictly Necessary:
  • (a) Authentication and account access;
  • (b) Security and fraud prevention;
  • (c) Service functionality and features;
  • (d) Load balancing and performance;
  • (e) Legal compliance.
11.1.2 Functional/Preference:
  • (a) Language preferences;
  • (b) User interface settings;
  • (c) Feature customization;
  • (d) Remember user selections.
11.1.3 Analytics/Performance:
  • (a) Usage statistics and patterns;
  • (b) Feature adoption metrics;
  • (c) Error tracking and debugging;
  • (d) Performance optimization.
11.1.4 Marketing/Advertising (if applicable):
  • (a) Marketing campaign tracking;
  • (b) Conversion measurement;
  • (c) Retargeting (with consent where required);
  • (d) Interest-based advertising.
11.2 Cookie Management
Users may control cookies through:
  • (a) Browser settings (block all, block third-party, delete cookies);
  • (b) Cookie preference center (if provided);
  • (c) Opt-out mechanisms provided by third parties.
Disabling Essential cookies may impair Service functionality.
11.3 Third-Party Tracking
The Service may include third-party tracking technologies from:
  • (a) Analytics providers;
  • (b) Advertising networks;
  • (c) Social media platforms;
  • (d) Content delivery networks.
Company is not responsible for third-party tracking practices. Users should review third-party privacy policies.
11.4 Do Not Track
Company does not currently respond to Do Not Track (DNT) signals. If industry standards for DNT are established, Company will reassess this position.
11.5 Mobile Application Tracking
Mobile applications may collect:
  • (a) Device identifiers (IDFA, Android ID);
  • (b) App usage data;
  • (c) Crash reports;
  • (d) Location data (with permission).
Users may control mobile tracking through device settings.


12. CHILDREN’S PRIVACY
12.1 Age Restrictions
The Service is not directed to children under the age of thirteen (13) years (or sixteen (16) in the EEA). Company does not knowingly collect Personal Information from children under the applicable age threshold.
12.2 Parental Consent
If Customer collects Personal Information from children under applicable age thresholds through the Service, Customer:
  • (a) Is solely responsible for complying with COPPA and other applicable laws;
  • (b) Must obtain verifiable parental consent before collection;
  • (c) Must provide required notices to parents;
  • (d) Must honor parental rights requests;
  • (e) Indemnifies Company for any violations or claims related to children’s data.
12.3 Discovery of Children’s Information
If Company becomes aware that it has collected Personal Information from a child without proper consent:
  • (a) Company will take steps to delete such information as soon as reasonably practicable;
  • (b) Company will notify Customer of the issue;
  • (c) Customer remains responsible for any legal violations.
12.4 Parental Rights
Parents may:
  • (a) Review Personal Information collected from their child;
  • (b) Request deletion of such information;
  • (c) Refuse further collection or use of such information.
Contact privacy@gymwyse.com to exercise parental rights.


13. CALIFORNIA-SPECIFIC DISCLOSURES
13.1 CCPA/CPRA Rights Summary
California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including:
  • (a) Right to know what Personal Information is collected, used, and shared;
  • (b) Right to delete Personal Information (subject to exceptions);
  • (c) Right to correct inaccurate Personal Information;
  • (d) Right to opt-out of sale or sharing of Personal Information;
  • (e) Right to limit use of Sensitive Personal Information;
  • (f) Right to non-discrimination for exercising rights;
  • (g) Right to opt-in for sale of information for consumers ages 13-15.
13.2 Categories of Personal Information Collected
In the preceding twelve (12) months, Company has collected the following categories of Personal Information (as defined by CCPA):
  • (a) Identifiers (names, email addresses, IP addresses, account names);
  • (b) Customer records information (contact information, payment information);
  • (c) Commercial information (transaction history, purchasing behavior);
  • (d) Internet or electronic network activity (browsing history, interaction with Service);
  • (e) Geolocation data (IP-based location);
  • (f) Professional or employment information (business type, role);
  • (g) Inferences (preferences, characteristics, behavior).
13.3 Business Purposes for Collection
Personal Information is collected and used for business purposes described in Section 5 (Use of Information).
13.4 Categories of Sources
Personal Information is collected from sources described in Section 4 (Information Collection).
13.5 Categories of Third Parties
Personal Information is shared with categories of third parties described in Section 6 (Information Sharing and Disclosure).
13.6 Sale and Sharing of Personal Information
Company does NOT sell Personal Information and has not sold Personal Information in the preceding twelve (12) months.
Company does NOT share Personal Information for cross-context behavioral advertising purposes.
13.7 Sensitive Personal Information
If Company processes Sensitive Personal Information (as defined by CPRA), it is used only for:
  • (a) Providing requested services;
  • (b) Security and integrity purposes;
  • (c) Short-term, transient use;
  • (d) Performing services on behalf of Customer;
  • (e) Quality assurance and improvement;
  • (f) Purposes that do not infer characteristics about individuals.
13.8 Retention
Personal Information is retained as described in Section 9 (Data Retention).
13.9 Shine the Light Law
California residents may request information about disclosure of Personal Information to third parties for direct marketing purposes. Company does not disclose Personal Information to third parties for their direct marketing purposes.
13.10 California Minors
Registered users under age 18 may request removal of content or information posted by the user. Contact privacy@gymwyse.com for assistance. Removal may not ensure complete deletion from all systems.


14. COLORADO-SPECIFIC DISCLOSURES
14.1 Colorado Privacy Act Rights
Colorado residents have rights under the Colorado Privacy Act (CPA), including rights described in Section 10 (Individual Rights).
14.2 Opt-Out Preference Signals
Company will process universal opt-out mechanisms as required by Colorado law when such mechanisms are adopted by the Colorado Attorney General.
14.3 Profiling and Automated Decision-Making
If Company engages in profiling that produces legal or similarly significant effects, Colorado residents have the right to opt out of such profiling.
14.4 Appeals Process
Colorado residents may appeal denial of rights requests by contacting privacy@gymwyse.com within forty-five (45) days of denial. Company will respond to appeals within forty-five (45) days. If appeal is denied, residents may contact the Colorado Attorney General.


15. VIRGINIA, CONNECTICUT, UTAH DISCLOSURES
15.1 State Privacy Law Rights
Residents of Virginia (VCDPA), Connecticut (CTDPA), and Utah (UCPA) have privacy rights substantially similar to those described in Section 10 (Individual Rights).
15.2 Processing Purpose Disclosures
Personal Information is processed for purposes described in Section 5 (Use of Information).
15.3 Opt-Out Rights
Residents may opt out of:
  • (a) Targeted advertising (Company does not engage in targeted advertising);
  • (b) Sale of Personal Information (Company does not sell Personal Information);
  • (c) Profiling in furtherance of decisions that produce legal or similarly significant effects.
15.4 Sensitive Data Consent
If Company processes Sensitive Data (as defined by applicable state law), Company obtains consent as required by law.


16. EUROPEAN UNION/EEA/UK DISCLOSURES
16.1 GDPR Legal Bases for Processing
Where GDPR applies, Company processes Personal Information based on the following legal bases:
  • (a) Contractual Necessity: Processing necessary to perform contract with Customer or take pre-contractual steps;
  • (b) Legitimate Interests: Processing necessary for Company’s legitimate business interests (service improvement, security, fraud prevention), provided such interests are not overridden by data subject rights;
  • (c) Legal Obligation: Processing necessary to comply with legal obligations;
  • (d) Consent: Where explicit consent is obtained;
  • (e) Vital Interests: Processing necessary to protect vital interests of data subject or another person.
16.2 Data Subject Rights
Data subjects in the EU/EEA/UK have rights described in Section 10 (Individual Rights), including:
  • (a) Right of access;
  • (b) Right to rectification;
  • (c) Right to erasure (“right to be forgotten”);
  • (d) Right to restriction of processing;
  • (e) Right to data portability;
  • (f) Right to object;
  • (g) Rights related to automated decision-making and profiling.
16.3 International Transfers
Transfers of Personal Information outside the EEA/UK are protected by appropriate safeguards described in Section 7 (International Transfers).
16.4 EU Representative
If required by GDPR, Company will appoint an EU representative. Contact details will be provided upon request.
16.5 UK Representative
If required by UK GDPR, Company will appoint a UK representative. Contact details will be provided upon request.
16.6 Supervisory Authority
Data subjects have the right to lodge complaints with relevant supervisory authorities:
  • (a) EEA data subjects: Supervisory authority in Member State of habitual residence, place of work, or place of alleged infringement;
  • (b) UK data subjects: Information Commissioner’s Office (ICO).
16.7 Data Protection Officer
If required to appoint a Data Protection Officer (DPO) under GDPR, contact details will be provided here. Currently, no DPO is appointed as Company does not meet mandatory appointment thresholds.


17. ADDITIONAL STATE-SPECIFIC RIGHTS
17.1 Nevada
Nevada residents have the right to opt out of the sale of covered information. Company does not sell covered information as defined by Nevada law. To exercise Nevada rights, contact privacy@gymwyse.com.
17.2 Other States
As additional states enact comprehensive privacy laws, Company will update this Policy to reflect applicable rights and obligations.


18. COMMUNICATION PREFERENCES
18.1 Transactional Communications
Certain communications are necessary for Service operation and cannot be opted out of, including:
  • (a) Account verification and security notices;
  • (b) Service updates affecting functionality;
  • (c) Billing and payment notifications;
  • (d) Responses to support requests;
  • (e) Legal notices and policy updates.
18.2 Marketing Communications
Customers may opt out of marketing communications by:
  • (a) Clicking “unsubscribe” in marketing emails;
  • (b) Adjusting email preferences in account settings;
  • (c) Contacting privacy@gymwyse.com.
18.3 SMS Communications
Customers who provide phone numbers consent to receive SMS messages. To opt out:
  • (a) Reply STOP to any SMS message;
  • (b) Contact privacy@gymwyse.com;
  • (c) Adjust settings in Customer dashboard.
18.4 Push Notifications
Mobile application users may disable push notifications through device settings.


19. THIRD-PARTY WEBSITES AND SERVICES
19.1 External Links
The Service may contain links to third-party websites, services, or applications. Company is not responsible for privacy practices of third parties. Users should review third-party privacy policies before providing Personal Information.
19.2 Third-Party Integrations
Customer may integrate the Service with third-party platforms. Customer is responsible for:
  • (a) Reviewing third-party privacy policies;
  • (b) Ensuring compliance with Applicable Privacy Laws;
  • (c) Obtaining necessary consents for data sharing;
  • (d) Configuring integrations appropriately.
19.3 Social Media Features
The Service may include social media features (e.g., “Like” buttons, “Share” buttons). These features may collect information about users and may set cookies. Social media features are governed by the privacy policies of the respective social media companies.
19.4 Single Sign-On
If Customer uses single sign-on (SSO) authentication, information may be shared with the identity provider according to the provider’s privacy policy.


20. PRIVACY POLICY CHANGES
20.1 Modification Rights
Company reserves the right to modify this Policy at any time, in its sole discretion. Changes become effective upon posting to the Service unless otherwise specified.
20.2 Notice of Material Changes
For material changes that reduce privacy protections or expand data use, Company will provide notice by:
  • (a) Email notification to Customer’s registered email address at least thirty (30) days prior to effective date;
  • (b) Prominent notice in Customer dashboard for at least thirty (30) days;
  • (c) Updated “Last Updated” date at top of Policy.
20.3 Materiality Determination
Company determines, in its sole discretion, whether changes are material. Examples of material changes include:
  • (a) New categories of Personal Information collected;
  • (b) New purposes for Processing Personal Information;
  • (c) New categories of third-party recipients;
  • (d) Material reductions in data protection or security measures;
  • (e) Changes to retention periods that significantly extend retention;
  • (f) Changes to individual rights procedures that limit rights.
20.4 Continued Use Constitutes Acceptance
Continued use of the Service after Policy changes become effective constitutes acceptance of the modified Policy. If Customer does not agree to changes, Customer must discontinue use and may terminate account.
20.5 Version History
Previous versions of this Policy are available upon written request.


21. DATA PROTECTION IMPACT ASSESSMENTS
21.1 Company-Initiated DPIAs
Company conducts Data Protection Impact Assessments (DPIAs) when:
  • (a) Implementing new technologies or Processing activities;
  • (b) Processing is likely to result in high risk to individuals’ rights and freedoms;
  • (c) Required by Applicable Privacy Laws.
21.2 Customer-Requested DPIAs
Customer may request Company’s cooperation in conducting Customer’s own DPIAs related to the Service. Company will provide commercially reasonable assistance, subject to confidentiality limitations and for reasonable fees for extensive assistance.


22. CUSTOMER OBLIGATIONS AND REPRESENTATIONS
22.1 Customer Representations and Warranties
Customer represents, warrants, and covenants that:
  • (a) Customer has all necessary rights, consents, and legal bases to collect and provide Personal Information to Company;
  • (b) Customer complies with all Applicable Privacy Laws in its use of the Service;
  • (c) Customer provides required privacy notices to End Users;
  • (d) Customer obtains necessary consents from End Users;
  • (e) Customer accurately classifies data sensitivity and implements appropriate controls;
  • (f) Customer does not submit Sensitive Personal Information unless specifically authorized;
  • (g) Customer promptly notifies Company of any data protection concerns or incidents;
  • (h) Customer maintains its own privacy policy that accurately describes data practices;
  • (i) Customer indemnifies Company for Customer’s violations of Applicable Privacy Laws.
22.2 Customer Configuration Responsibilities
Customer is responsible for:
  • (a) Configuring privacy settings appropriately;
  • (b) Implementing access controls and permissions;
  • (c) Training Customer personnel on privacy practices;
  • (d) Monitoring compliance with this Policy and applicable laws;
  • (e) Promptly reporting suspected violations or security incidents.
22.3 End User Relationship
Customer is solely responsible for its relationship with End Users, including:
  • (a) Contract terms and conditions;
  • (b) Privacy notices and disclosures;
  • (c) Consent management;
  • (d) Responding to End User requests and inquiries;
  • (e) Disputes with End Users regarding privacy or data protection.


23. DISPUTE RESOLUTION
23.1 Informal Resolution
Before initiating formal proceedings, parties agree to attempt informal resolution by contacting privacy@gymwyse.com and providing detailed description of the dispute.
23.2 Mediation
If informal resolution fails within thirty (30) days, parties agree to participate in mediation before a mutually acceptable mediator in Denver, Colorado. Mediation costs will be shared equally.
23.3 Binding Arbitration
If mediation fails, disputes shall be resolved through binding arbitration in accordance with:
  • (a) Commercial Arbitration Rules of the American Arbitration Association;
  • (b) Single arbitrator selected by mutual agreement or AAA appointment procedures;
  • (c) Arbitration venue: Denver, Colorado;
  • (d) Each party bears its own costs and attorneys’ fees unless arbitrator awards fees to prevailing party;
  • (e) Arbitrator’s decision is final and binding;
  • (f) Judgment on award may be entered in any court of competent jurisdiction.
23.4 Exceptions to Arbitration
Arbitration requirement does not apply to:
  • (a) Claims for injunctive or equitable relief;
  • (b) Small claims court matters (if within jurisdictional limits);
  • (c) Intellectual property disputes;
  • (d) Claims by regulators or government entities.
23.5 Class Action Waiver
TO THE MAXIMUM EXTENT PERMITTED BY LAW, PARTIES WAIVE ANY RIGHT TO PURSUE DISPUTES ON A CLASS, COLLECTIVE, OR REPRESENTATIVE BASIS. Each party may bring claims only in an individual capacity.
23.6 Governing Law
This Policy and any disputes are governed by the laws of the State of Colorado and applicable federal laws, without regard to conflicts of law principles.
23.7 Venue
For matters not subject to arbitration, exclusive venue is the state and federal courts located in Denver, Colorado. Parties consent to personal jurisdiction in these courts.


24. LIMITATION OF LIABILITY
24.1 Disclaimer
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:
THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, SECURITY, ACCURACY, OR ERROR-FREE OPERATION.
COMPANY DOES NOT WARRANT THAT:
  • (a) THE SERVICE WILL MEET CUSTOMER’S REQUIREMENTS;
  • (b) THE SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE;
  • (c) DATA WILL BE COMPLETELY SECURE FROM UNAUTHORIZED ACCESS;
  • (d) DEFECTS OR ERRORS WILL BE CORRECTED;
  • (e) THE SERVICE IS FREE FROM VIRUSES OR OTHER HARMFUL COMPONENTS.
24.2 Limitation of Damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL COMPANY BE LIABLE FOR:
  • (a) INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES;
  • (b) LOSS OF PROFITS, REVENUE, DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES;
  • (c) DAMAGES RESULTING FROM:
    • (i) USE OR INABILITY TO USE THE SERVICE;
    • (ii) UNAUTHORIZED ACCESS TO OR ALTERATION OF DATA;
    • (iii) STATEMENTS OR CONDUCT OF THIRD PARTIES;
    • (iv) DATA BREACHES OR SECURITY INCIDENTS;
    • (v) SYSTEM FAILURES OR INTERRUPTIONS;
    • (vi) CUSTOMER’S VIOLATION OF APPLICABLE PRIVACY LAWS.
24.3 Liability Cap
COMPANY’S TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THIS POLICY OR THE SERVICE SHALL NOT EXCEED THE GREATER OF:
  • (a) $1,000 USD; OR
  • (b) AMOUNTS PAID BY CUSTOMER TO COMPANY IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.
24.4 Exceptions
Liability limitations do not apply to:
  • (a) Company’s gross negligence or willful misconduct;
  • (b) Death or personal injury caused by Company’s negligence;
  • (c) Fraud or fraudulent misrepresentation;
  • (d) Liabilities that cannot be limited by applicable law;
  • (e) Company’s indemnification obligations.
24.5 Essential Purpose
Customer acknowledges that liability limitations reflect allocation of risk and are essential elements of the bargain between parties. Service pricing reflects these limitations.


25. INDEMNIFICATION
25.1 Customer Indemnification Obligations
Customer agrees to indemnify, defend, and hold harmless Company, its affiliates, officers, directors, employees, agents, licensors, and service providers (collectively, “Company Parties”) from and against any and all claims, liabilities, damages, losses, costs, expenses, or fees (including reasonable attorneys’ fees) arising from or related to:
  • (a) Customer’s use or misuse of the Service;
  • (b) Customer’s violation of this Policy or Terms of Service;
  • (c) Customer’s violation of Applicable Privacy Laws;
  • (d) Customer’s collection, use, or disclosure of End User Personal Information;
  • (e) Lack of proper consents, authorizations, or legal bases for Personal Information;
  • (f) Customer’s failure to provide required privacy notices;
  • (g) Claims by End Users regarding privacy or data protection;
  • (h) Customer’s breach of representations and warranties;
  • (i) Customer’s infringement of third-party intellectual property rights;
  • (j) Customer’s violation of third-party rights;
  • (k) Customer’s submission of Sensitive Personal Information without authorization;
  • (l) Customer’s negligence or willful misconduct.
25.2 Indemnification Procedures
Company will:
  • (a) Promptly notify Customer of any claim subject to indemnification;
  • (b) Provide Customer with reasonable cooperation and information;
  • (c) Allow Customer to control defense and settlement (subject to restrictions below).
Customer shall not settle any claim in a manner that:
  • (a) Admits fault or liability on behalf of Company Parties;
  • (b) Imposes obligations on Company Parties without Company’s written consent;
  • (c) Does not provide complete release of Company Parties.
Company reserves the right to participate in defense with its own counsel at its own expense.
25.3 Company Indemnification
Company agrees to indemnify Customer from third-party claims alleging that the Service infringes third-party intellectual property rights, subject to:
  • (a) Customer promptly notifying Company of the claim;
  • (b) Company having sole control of defense and settlement;
  • (c) Customer providing reasonable cooperation.
Company’s indemnification obligations do not apply if infringement arises from:
  • (a) Modification of the Service by Customer or third parties;
  • (b) Customer’s combination of Service with other products;
  • (c) Customer’s use of Service contrary to documentation or agreements;
  • (d) Content or data provided by Customer.


26. SEVERABILITY
If any provision of this Policy is found to be unenforceable, invalid, or illegal by a court of competent jurisdiction:
  • (a) Such provision shall be reformed to the minimum extent necessary to make it enforceable, valid, and legal while preserving original intent;
  • (b) If reformation is not possible, such provision shall be severed from this Policy;
  • (c) All other provisions shall remain in full force and effect;
  • (d) Unenforceability in one jurisdiction does not affect enforceability in other jurisdictions.


27. WAIVER
27.1 No Waiver by Conduct
Company’s failure or delay in exercising any right, power, or privilege under this Policy does not constitute a waiver of such right, power, or privilege.
27.2 Written Waiver Required
No waiver shall be effective unless in writing and signed by an authorized representative of Company.
27.3 No Continuing Waiver
Any waiver granted by Company applies only to the specific instance and does not constitute a continuing waiver or waiver of other provisions.


28. ASSIGNMENT
28.1 Customer Assignment Restrictions
Customer may not assign, transfer, or delegate this Policy or any rights or obligations hereunder without Company’s prior written consent. Any attempted assignment in violation of this provision is void.
28.2 Company Assignment Rights
Company may assign, transfer, or delegate this Policy or any rights or obligations hereunder without Customer’s consent in connection with:
  • (a) Merger, acquisition, or sale of assets;
  • (b) Corporate reorganization or restructuring;
  • (c) Assignment to an affiliate or subsidiary.
28.3 Binding on Successors
This Policy is binding upon and inures to the benefit of parties’ respective successors and permitted assigns.


29. ENTIRE AGREEMENT
29.1 Complete Agreement
This Policy, together with the Terms of Service, Master Services Agreement, and other referenced agreements, constitutes the entire agreement between parties regarding the subject matter hereof and supersedes all prior or contemporaneous understandings, agreements, representations, and warranties, whether written or oral.
29.2 Modification
No modification, amendment, or waiver of this Policy is effective unless in writing and signed by authorized representatives of both parties, except that Company may modify this Policy unilaterally as provided in Section 20 (Privacy Policy Changes).
29.3 Order of Precedence
In the event of conflict between this Policy and other agreements, the order of precedence is:
  1. Signed Data Processing Addendum or Business Associate Agreement
  2. Master Services Agreement
  3. This Privacy Policy
  4. Terms of Service


30. SURVIVAL
The following sections survive termination or expiration of the Service or Customer’s account: Sections 3 (Data Controller and Processor Relationships), 7 (International Transfers), 8 (Data Security), 9 (Data Retention), 10 (Individual Rights), 21 (Customer Obligations), 22 (Dispute Resolution), 23 (Limitation of Liability), 24 (Indemnification), and all other provisions which by their nature should survive.


31. FORCE MAJEURE
Company shall not be liable for any failure or delay in performance due to causes beyond its reasonable control, including but not limited to:
  • (a) Acts of God, natural disasters, epidemics, pandemics;
  • (b) War, terrorism, civil unrest, governmental actions;
  • (c) Labor disputes, strikes, lockouts;
  • (d) Internet or telecommunications failures;
  • (e) Power outages or equipment failures;
  • (f) Cyber attacks, hacking, or malicious activities;
  • (g) Changes in laws or regulations.
During force majeure events, Company will use commercially reasonable efforts to mitigate effects and resume normal operations.


32. CONTACT INFORMATION
32.1 Privacy Inquiries
For questions, concerns, or complaints regarding this Policy or Company’s privacy practices:
Email: privacy@gymwyse.com
Mail: The Algorithm
ATTN: Privacy Officer
5031 Ashbrook Circle
Highlands Ranch, CO 80130
United States
32.2 Data Protection Inquiries
For data protection or security inquiries:
Email: security@gymwyse.com
Mail: The Algorithm
ATTN: Security Team
5031 Ashbrook Circle
Highlands Ranch, CO 80130
United States
32.3 Legal Department
For legal notices, subpoenas, or law enforcement requests:
Email: legal@gymwyse.com
Mail: The Algorithm
ATTN: Legal Department
5031 Ashbrook Circle
Highlands Ranch, CO 80130
United States


33. ACKNOWLEDGMENT AND ACCEPTANCE
BY ACCESSING OR USING THE SERVICE, CUSTOMER ACKNOWLEDGES THAT:
  • (a) Customer has read and understood this Privacy Policy in its entirety;
  • (b) Customer agrees to be bound by all terms and conditions contained herein;
  • (c) Customer has authority to bind its organization to this Policy;
  • (d) Customer will ensure its employees, contractors, and agents comply with this Policy;
  • (e) Customer understands its obligations as a Data Controller;
  • (f) Customer accepts risks associated with data Processing and international transfers;
  • (g) Customer acknowledges limitations on Company’s liability;
  • (h) This Policy may be updated from time to time in accordance with Section 20.


THE ALGORITHM
Last Updated: October 13, 2025
Effective Date: October 13, 2025
Document Version: 1.0
Document ID: GYMWYSE-PP-2025-001


© 2025 The Algorithm. All rights reserved.
 
 

Piyoosh Rai

The Guy The Buck Stops With
 
The Algorithm
Your Technology Partner From “What if” to “Done!”
 
Phone: (720) 334-7249