Privacy Policy

Who we are

GymSeen is operated by Erik Maniccia, an individual based in Arizona, USA. For the purposes of data protection law, Erik Maniccia is the data controller. You can reach us at hello@gymseen.com.

What we collect

• Email address — used only for sign-in (magic code). We never share it.
• Display name & profile photo — visible to other members at your gym.
• Profile details — optional fields including tagline, age, and height.
• Social links — optional handles (Instagram, TikTok, etc.), only shown to members at your gym.
• Location (GPS) — collected once during check-in to verify you're at the gym. See "How location works" below.
• Gym memberships — which gyms you've saved (max 3).
• Presence sessions — check-in timestamps and session duration (90-minute auto-expiry).
• Nod data — anonymous nods you've sent or received, including mutual nods.
• Blocks & reports — who you've blocked and any reports you've filed, used to enforce safety.
• Device & log data — IP addresses, browser type, and request logs collected automatically by our hosting infrastructure.

What we do NOT collect

• No passwords (we use passwordless sign-in)
• No continuous location tracking
• No check-in history or gym schedule records
• No browsing history or device fingerprinting
• No third-party analytics or ad trackers
• No selling of data to anyone, ever

How location works

When you tap CHECK IN, your browser asks for location permission. We send your coordinates to our server to verify you're within 500 meters of the gym. Your GPS coordinates are not persisted to your user record. They may appear in server logs retained for up to 30 days. The heartbeat pings that keep your session alive contain zero location data.

AI photo moderation

When you upload a profile photo, it is automatically screened by an AI system (Anthropic Claude) to check for inappropriate content, non-face images, and policy violations. The AI makes an accept/reject decision. Rejected photos are deleted immediately.

If your photo is rejected and you believe the decision was wrong, you can upload a different photo or contact us at hello@gymseen.com to request a manual review.

Third-party processors

We use the following services to operate GymSeen. They process your data only as needed to provide the service:

• Supabase (AWS) — database hosting, authentication, and file storage (US regions)
• Vercel — application hosting and edge network
• Anthropic — AI photo moderation (profile photos only)
• OpenStreetMap / Nominatim — reverse geocoding for gym name lookups during search

We do not sell your data to any of these providers or anyone else.

Who sees your data

Only members at the same gym can see your name, photo, profile details, and social links. If you turn off Visible on GymSeen, you disappear from all member lists. If you set Gymteractions to "not right now," people at your gym know to give you space. You can block any user instantly — blocks are mutual and permanent until you undo them.

Our third-party processors access your data only to the extent needed to operate their respective services.

Data storage & security

Your data is stored on Supabase (hosted on AWS) with Row Level Security (RLS) policies ensuring users can only access data they're authorized to see. All data is encrypted in transit (TLS) and at rest. Authentication tokens are stored in secure, HTTP-only cookies.

Data retention

• Account & profile data — retained until you delete your account
• Presence sessions — auto-expire after 90 minutes
• Nod data — retained while your account is active, deleted with your account
• Blocks — retained until unblocked or account deletion
• Reports — retained for up to 12 months for safety review
• Server logs (including IP addresses) — up to 30 days
• GPS coordinates — not persisted to user records; may exist in server logs for up to 30 days

Your rights (EEA / UK / Switzerland — GDPR)

If you are located in the European Economic Area, UK, or Switzerland, you have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — request deletion of your data
• Portability — receive your data in a portable format
• Restriction — limit how we process your data
• Objection — object to processing based on legitimate interests
• Automated decisions — contest decisions made solely by automated processing (including AI photo moderation)

To exercise these rights, email hello@gymseen.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

Your rights (California — CCPA)

If you are a California resident:

• We do not sell personal information.
• Right to know — you can request what personal information we've collected and why.
• Right to delete — you can request deletion of your personal information.
• Non-discrimination — we will not treat you differently for exercising your rights.

To exercise these rights, email hello@gymseen.com.

Data deletion

You can delete your account through the app or by emailing hello@gymseen.com. We will process your request within 30 days.

What gets deleted: your profile, photos, gym memberships, nod history, and social links.

What may persist: encrypted database backups (up to 30 days), server logs (up to 30 days), and anonymized block/report records retained for safety enforcement.

Children's privacy

GymSeen is for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a minor, we will delete it promptly. If you believe a minor has created an account, please contact us at hello@gymseen.com.

Changes to this policy

We may update this policy as the product evolves. Significant changes will be communicated through the app and posted with a new effective date. Continued use after changes constitutes acceptance.

Contact

Questions? Email us at hello@gymseen.com.