Privacy Policy
Last updated: May 12, 2026
This Privacy Policy explains how FitSynQ collects, uses, shares, and protects personal information across our gym management platform — the admin dashboard, member app, check-in kiosks, and supporting services. We have written it to meet our obligations under the Ghana Data Protection Act 2012 (Act 843).
1. Who This Policy Applies To
FitSynQ serves two distinct audiences. This Policy covers both, and where their treatment differs we say so explicitly.
- Gym operators — owners, branch managers, and staff who use the FitSynQ admin dashboard to run a gym. Gym operators hold a direct contractual relationship with FitSynQ.
- Gym members — individuals whose information is held in FitSynQ because they belong to a participating gym. Members interact with FitSynQ through the member app and check-in kiosks. Members' contractual relationship is with their gym, not with FitSynQ.
1.1 Our Role Under the Ghana DPA
- For gym operator account data, FitSynQ acts as the data controller — we determine the purposes and means of processing.
- For gym member personal data, FitSynQ acts as a data processor on behalf of the member's gym, which is the data controller. Gyms are responsible for obtaining a lawful basis (including consent where required), responding to member requests, and meeting their own obligations under Act 843.
2. Information We Collect
2.1 Information Gym Operators Provide
- Account information: name, email address, phone number, password (stored as a salted hash by our authentication provider)
- Business information: gym name, branch addresses, business registration details
- Billing information: contact details for invoicing; payment instrument information is collected and stored by Paystack, not by us
- Communications: messages sent through the platform or to our support team
2.2 Information About Gym Members
Member information may be entered by the member themselves through the member app, or by gym staff on behalf of the member through the admin dashboard. We collect:
- Profile information: name, email address, phone number, date of birth, gender, profile photo, address
- Emergency contact: name and phone number of a designated contact
- Membership information: subscription plan, start date, billing history, branch affiliation
- Activity information: check-in and check-out times, session duration, class enrolments, ratings and feedback
2.3 Sensitive Personal Data (Section 35, Act 843)
The Ghana Data Protection Act classifies certain information as "special personal data" requiring explicit consent. We process the following sensitive categories on behalf of gyms:
- Health and fitness data: exercise logs you record in the member app (sets, repetitions, weight, exercise type, completion status), personal records, and aggregated workout history
- Date of birth and gender, where used to contextualise health and fitness data
- Emergency contact information, by virtue of its safety-of-life context
We process this data only after the gym has obtained your explicit, specific consent at signup, or after you have consented yourself when first using the member app. You may withdraw consent at any time (see section 8).
2.4 Information Collected Automatically
- Device information: device type, operating system, browser type, application version, device identifiers
- Approximate location: derived from IP address (we do not access GPS or precise location)
- Usage data: pages viewed, features used, action timestamps
- Cookies and similar technologies: see section 10
2.5 QR Check-In Codes
The member app generates a QR code containing a signed token tied to your account. The token authenticates you at kiosk check-in. Each QR token expires automatically within 24 hours and a new one is issued the next time you open the member app while signed in. If your device is lost or stolen, existing QR codes will expire naturally within 24 hours; you do not need to contact us to revoke them.
3. How We Use Information
We use the information described above to:
- Provide, maintain, and improve the FitSynQ platform
- Process gym operator subscription payments and produce invoices
- Facilitate member check-in, class enrolment, and access control at gyms
- Generate analytics and operational reports for gyms (their own data only — gyms cannot see other gyms' data)
- Send transactional and operational emails (check-in confirmations, password resets, security alerts, service notices)
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations and respond to lawful requests
We do not send marketing or promotional emails to gym members. Member-facing announcements come from your gym, sent through our platform on the gym's behalf. We may send service-related notices and product update announcements to gym operators with whom we have a direct relationship; gym operators can opt out of non-essential operator communications at any time.
4. Sub-Processors and Information Sharing
FitSynQ relies on the following sub-processors to operate the platform. Each is contractually bound to process personal data only on our documented instructions and to apply appropriate technical and organisational security measures.
4.1 Sub-Processors
- Paystack — Nigeria. Payment processing for gym operator subscription billing.
- Supabase — European Union (Ireland / Frankfurt). Primary database, authentication, and file storage.
- Railway — United States. Backend application hosting (API and background workers).
- OpenAI — United States. Powers our AI Assistant feature (see section 11). Member personal data is not directly sent to OpenAI; only admin-facing queries from gym operators are processed.
- Google Analytics — United States. Aggregate usage analytics on our landing site and applications.
- Mixpanel — United States. Product analytics covering feature usage and funnel analysis in our applications.
We maintain Data Processing Agreements with each sub-processor and review them periodically. We will update this list when sub-processors change.
4.2 Sharing With Your Gym
If you are a gym member, your gym operator and authorised staff can access your membership profile, attendance history, subscription details, and any sensitive data you have consented to share (such as exercise logs). This access is necessary for your gym to provide its services to you.
4.3 Legal and Safety Disclosures
We may disclose personal data when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4.4 We Do Not Sell Personal Data
We do not sell personal data to advertisers or data brokers, and we do not share personal data for advertising purposes.
5. International Data Transfers
Some of our sub-processors operate outside Ghana. This means your personal data may be transferred to, stored in, and processed in:
- The European Union (Supabase)
- The United States (Railway, OpenAI, Google Analytics, Mixpanel)
- Nigeria (Paystack, for gym operator payment processing)
Where we transfer data outside Ghana, we rely on a combination of: (a) contractual safeguards in our agreements with each sub-processor, including Standard Contractual Clauses where applicable; (b) your consent at signup to such transfers; and (c) where relevant, the necessity of the transfer to perform our contract with you or your gym. We declare destination countries to the Ghana Data Protection Commission as part of our registration.
6. How We Protect Your Information
We apply technical and organisational measures appropriate to the sensitivity of the data we process. These include:
- Encryption of data in transit (TLS) and at rest
- Row-level security policies in our database that enforce tenant isolation between gyms
- Role-based access control with scoped permissions across system, organisation, and branch levels
- Audit logging of access to and changes in personal data
- Multi-factor authentication for sensitive administrative accounts
- Regular security reviews, dependency updates, and vulnerability monitoring
- Staff confidentiality obligations and security training
No method of transmission over the internet or method of electronic storage is fully secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security.
7. How Long We Keep Your Information
7.1 Active Accounts
We retain personal data for as long as your account (or your gym's account) is active, plus the periods described below.
7.2 When You Delete Your Account
When a member account is deleted, we immediately anonymise identifying fields (name, email, phone number, date of birth, photo, address, emergency contact). Anonymised records — used to maintain gym analytics and historical integrity — are hard-deleted within 90 days of the original deletion request, unless we are legally required to retain them for longer.
7.3 Financial and Audit Records
We retain payment records, invoices, and security audit logs for up to 6 years after the related transaction or event, in line with typical tax, accounting, and statute-of-limitations requirements in Ghana. These records may include limited identifying information that we cannot remove without breaking their evidentiary value.
7.4 Legal Holds
If we receive a valid legal request, court order, or regulatory directive that requires us to retain specific data, we will preserve that data for the duration of the legal hold.
8. Your Rights Under the Ghana DPA
The Ghana Data Protection Act grants you the following rights in respect of your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right of rectification — request correction of inaccurate or incomplete information
- Right of erasure — request deletion of your personal data, subject to lawful retention requirements
- Right to object — object to certain types of processing
- Right to withdraw consent — withdraw any consent you previously gave (including for sensitive data) at any time, without affecting the lawfulness of processing carried out before withdrawal
- Right to data portability — receive your data in a structured, commonly used format
- Right to lodge a complaint — file a complaint with the Ghana Data Protection Commission (see section 13)
8.1 How to Exercise Your Rights
Send your request to fitsynq@proton.me. We will respond within 30 days of receiving a verified request. We may need to verify your identity before processing requests that involve sensitive data or could affect another person's rights. If we cannot fulfil your request (for example, because we are legally required to retain the data), we will explain why.
8.2 Gym Members
If you are a gym member, your gym is the data controller for your information. You may exercise your rights through your gym directly. If your gym is unable or unwilling to assist, you may contact us, and we will work with your gym to help fulfil your request.
9. Children's Privacy
FitSynQ is not intended for children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you become aware that a child under 16 has provided personal information through FitSynQ, please contact us at fitsynq@proton.me and we will take steps to delete the information promptly.
Gyms enrolling members under 18 are responsible for obtaining parental or guardian consent where required by Ghanaian law.
10. Cookies, Analytics, and Tracking
We use cookies and similar technologies to:
- Keep you signed in and remember your preferences
- Maintain security and detect abuse
- Understand aggregate usage of our landing site and applications
- Improve product features and resolve issues
Our analytics rely on two third-party tools:
- Google Analytics — sets cookies to measure visitor traffic and behaviour on our landing site and applications. Data is sent to and processed by Google in the United States.
- Mixpanel — collects product-usage events to help us understand how features are used. Data is sent to and processed by Mixpanel in the United States.
You can control cookies through your browser settings. Disabling cookies may affect the functionality of our services, including keeping you signed in.
11. The FitSynQ AI Assistant
Our admin dashboard includes an AI Assistant that lets authorised gym operators ask natural-language questions about their own gym's data. The Assistant is built on OpenAI's models and is subject to the following safeguards:
- Only authenticated gym operators with appropriate permissions can use the Assistant
- The Assistant executes only read-only queries scoped to the gym operator's tenant
- Member personal data is not used to train or improve OpenAI's models; we operate under OpenAI's enterprise/API terms which disable training on customer inputs
- Audit logs are kept of every query and response
- The Assistant is intended for operational insight only; AI-generated outputs should not be treated as professional advice
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our sub-processors, or applicable law. When we make material changes, we will:
- Post the updated Policy on this page and update the "Last updated" date
- Notify gym operators by email at least 30 days before material changes take effect, where reasonably practicable
- For members, surface a notice in the member app on next sign-in
Your continued use of FitSynQ after a change takes effect constitutes acceptance of the revised Policy.
13. Contact Us
For privacy questions, data subject requests, or concerns about how we handle personal data:
- Email: fitsynq@proton.me
- Trading name: FitSynQ
- Location: Ghana
13.1 Right to Complain to the Regulator
You have the right to lodge a complaint with the Ghana Data Protection Commission if you believe we have not handled your personal data lawfully. You can reach the Commission at dataprotection.org.gh. We would appreciate the opportunity to address your concern directly before you escalate, but you are not required to contact us first.