Privacy Policy
GYM ED Pty Ltd ACN 688 364 285 as Trustee for the Steffen Trust ('we', 'us', 'our') operates GymEd (the 'Platform'), a software-as-a-service platform for schools, exercise professionals, and allied health providers to create, deliver, and manage exercise programs, fitness testing, and progress tracking. The platform provides tools for exercise libraries, program building, fitness assessment, reporting, and user management for use with students, clients, and professional staff.
Our business is bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Our business is an APP entity as defined in s 6(1) of the Act.
Information We Collect
We may collect and hold personal information including but not limited to:
- account and profile information for professional users, administrators and other authorised users, such as names, email addresses, phone numbers, organisation details, usernames and login credentials;
- organisation and billing information, such as school or clinic name, billing contact details, subscription details and payment-related records;
- end user records entered into or generated through the Platform, including program data, fitness testing results, progress records, assessment data, notes and related service delivery records;
- health information and other sensitive information where reasonably necessary for the operation of the Platform, including body composition data, physical assessment results, and information about health conditions, injuries, physical limitations or exercise restrictions;
- communications and support records, including enquiries, helpdesk requests, troubleshooting records and incident reports; and
- website and usage information, including analytics data, device and browser information, cookie data, and website enquiry or marketing contact information.
Personal information is collected from our clients in the following ways:
- by providing it to us directly;
- by authorising third parties to provide it to us; and
- by schools, clinics, or other organisations providing it to us on behalf of their students, clients, or staff in connection with their use of the Platform.
We hold personal information in electronic records, databases and cloud-based systems used to operate the Platform and our business, including infrastructure hosted with Amazon Web Services. We take reasonable steps to protect the personal information we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure, including through access controls, authentication measures and other reasonable technical and organisational safeguards.
Why We Collect Personal Information
The purposes for which we collect, hold, use and disclose personal information are:
- to provide, maintain, support and improve the Platform;
- to create and administer user accounts and organisation accounts;
- to enable schools, clinics and professional users to manage exercise programs, assessments, reporting and related records;
- to provide onboarding, training, implementation support, technical support, maintenance and platform updates;
- to communicate with users and customer organisations about the Platform, subscriptions, support matters and service changes;
- to monitor platform usage, security, performance and reliability;
- to conduct analytics, marketing measurement and campaign performance tracking;
- to comply with legal obligations, dispute resolution, audit, accounting and record-keeping requirements; and
- to protect the security, integrity and lawful use of the Platform.
Accessing or Correcting Your Information
You may request access to the personal information we hold about you, and request correction of that information if it is inaccurate, out of date, incomplete, irrelevant or misleading, by contacting us at privacy@gymed.com.au. We may need to verify your identity before granting access or making a correction. We will respond within a reasonable period and, in any event, as required by applicable law.
Disclosure Outside Australia
GymEd is primarily hosted using Amazon Web Services (AWS), with core infrastructure deployed in the AWS Asia Pacific (Sydney) region. We may also disclose personal information to service providers and sub-processors that assist us with hosting, analytics, CRM, communications, customer support, security and related business operations. Some of those providers may process limited personal information outside Australia. Where this occurs, it is likely that personal information will be disclosed to recipients located in the United States of America.
Privacy Complaints
If you have a complaint about how we have handled your personal information, you may contact us at privacy@gymed.com.au. We will generally acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days, unless the matter is unusually complex and requires more time, in which case we will keep you informed. If you are not satisfied with our response, you may make a complaint to the Office of the Australian Information Commissioner (OAIC).
Data Breaches
We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. If we become aware of a data breach involving personal information, we will assess the incident promptly and, where required by the Privacy Act 1988 (Cth), notify affected individuals and the Office of the Australian Information Commissioner.
Health and Sensitive Information
Some information collected through the Platform may constitute health information or other sensitive information as defined under the Act. Health information is a category of sensitive information under the APPs and attracts additional protections.
We will only collect sensitive information where it is reasonably necessary for the delivery of the Platform and with appropriate consent, or where another exception under the APPs applies. We handle all health and sensitive information with heightened care and do not use it for marketing, profiling, or any purpose beyond the delivery of the Platform.
Personal Information Relating to Minors
The Platform may be used in school environments and may involve personal information relating to individuals under 18 years of age. GymEd does not ordinarily collect personal information directly from minors without the involvement and authority of the relevant school, clinic or supervising professional user. Customer organisations and professional users are responsible for ensuring they have obtained any notices, consents and authorisations required under applicable law before providing student or minor-related personal information to GymEd or enabling access to the platform.
We do not use personal information relating to minors for marketing, profiling, or any purpose beyond the delivery of the Platform to the relevant school or Professional User. If a parent or guardian believes their child's personal information has been handled inappropriately, they should contact the relevant school or Professional User in the first instance, or contact us directly using the details below.
Cookies and Website Analytics
Our website uses cookies and similar technologies to improve functionality, remember user preferences, support authentication, and collect information about website traffic and usage. We use analytics and tracking tools including Google Analytics and analytics within our CRM and marketing systems, such as GoHighLevel, to measure website traffic, enquiries and campaign performance. You may configure your browser to refuse cookies, but some website or platform functionality may then be limited.
Data Retention
We retain personal information only for as long as reasonably necessary for the purposes for which it was collected, and as otherwise required or permitted by law. In particular:
- Professional User account data is retained for the duration of the subscription and then deactivated after cancellation or termination and is deleted once it is no longer required;
- end user fitness, assessment and health-related data is retained for the duration of the customer relationship and for up to 7 years after the relevant record is last actively used or the relevant account is terminated, unless earlier deletion is requested and retention is not otherwise required by law or for dispute resolution purposes;
- organisation account and administrative data is retained for the duration of the customer relationship and for up to 7 years after termination for contractual, tax, accounting, audit and compliance purposes;
- support correspondence and incident logs are retained for up to 7 years after creation; and
- website enquiry and marketing contact data is retained for 7 years after the last interaction unless the individual unsubscribes or requests earlier deletion, or continued retention is otherwise required or permitted by law.
Anonymous and Pseudonymous Interaction
Visitors may browse public parts of our website without identifying themselves. However, users cannot access the Platform or use account-based features anonymously or pseudonymously because account creation, user authentication, service delivery, security, support and record management require identification of the relevant user and organisation.
Linking of Personal Information
GymEd links personal information within the relevant customer organisation's account environment so that authorised professional users and administrators can manage students, clients, programs, fitness testing results and progress records within their organisation. GymEd does not combine personal information across unrelated customer organisations for marketing, profiling or shared analytics purposes.
Updates to This Policy
This Privacy Policy is available at gymed.com.au. We may update this Privacy Policy from time to time to reflect changes to our practices or applicable law. Where we make material changes, we will notify users by email and update this document accordingly. The updated Privacy Policy will apply from the date it is published on our website.
If you would like any further information about our privacy practices, please contact us at privacy@gymed.com.au.