Privacy policy

Privacy Policy

Effective Date: 1 October 2026

Company: GYM3000.com LIMITED, registered in England and Wales

Markets covered: Worldwide, with dedicated provisions for the United Kingdom Ā· European

Union Ā· United States Ā· Canada Ā· Australia

Contact: via the contact form on our website

Contents

1. Scope and Who We Are

2. Data We Colect

3. How and Why We Use Your Data

4. Sharing Your Data

5. International Transfers

6. Cookies and Similar Technologies

7. Data Retention

8. Security

9. Children’s Privacy

10. Your Rights

11. Regional Provisions

12. Automated Decision-Making

13. Changes to This Policy

14. Contact

1. Scope and Who We Are

This Privacy Policy explains how GYM3000.com LIMITED (ā€œweā€, ā€œusā€) colects, uses, shares, and

protects personal data when you visit our website, use the My FitButlrā„¢ application (the ā€œAppā€),

purchase our products, or otherwise interact with us. For purposes of this Policy, ā€œServicesā€ means

colectively our website, the App, our products (including FitButlrā„¢), gym deployment solutions,

subscriptions, and related services. This Policy addresses consumers. Business customers (such

as gym operators) are engaged under a separate written agreement, and data processing under

those engagements is governed by the data protection terms of that agreement. It applies to

customers worldwide, with Regional Provisions in Section 11 addressing the United Kingdom, the

European Economic Area, the United States, Canada, and Australia specificaly; those Regional

Provisions supplement, and prevail over, the general text to the extent of any conflict. If you are

located elsewhere, Section 11.5 explains how we protect your rights.

For data colected through our website, App, and direct sales, GYM3000.com LIMITED is the

controler (in California, the ā€œbusinessā€; in Australia, the organisation responsible for handling

personal information).

GYM3000.com LIMITED Ā· Privacy PolicyGym deployments: where a gym offers FitButlrā„¢ towels under a business subscription, towel-

rental operational data — which may include NFC scan events, timestamps, gym location, towel

identifiers, activation records, rental transactions, and, where applicable, device pairing information

and operational usage events — is processed under a written business data agreement.

Depending on the deployment model, GYM3000.com may act as an independent controler, joint

controler, or processor on behalf of the gym operator, as reflected in the applicable agreement and

the parties’ respective roles under applicable data protection law. The gym may receive

aggregated, de-identified, or otherwise appropriately limited operational statistics depending on the

deployment model and applicable agreement; identity-linked personal data is shared with the gym

only where permitted by law and clearly disclosed to you in advance. Your gym membership

records belong to your gym and its own privacy notice; this Policy does not reach them.

2. Data We Collect

2.1 Data you provide

Name, email, phone, shipping and biling address, and account credentials. Order history and

delivery and refund records — card details are processed by PCI-DSS certified payment

processors; we do not hold ful card numbers. Support correspondence and optional preferences

you choose to share.

2.2 Data from your device and your use of the Services

IP address, device identifiers, operating system, App version, crash logs, and session data,

colected via cookies and similar technologies (see Section 6). NFC scan events and related towel-

rental data (see Section 1, Gym deployments) where you use FitButlrā„¢ towels in participating

gyms. Approximate location derived from your IP address or gym check-in. We do not colect

continuous GPS location.

2.3 What we do not collect

We do not colect health data, biometric data, genetic data, neural data, precise geolocation trails,

your contacts, photographs, or microphone data, and we do not purchase data about you from data

brokers. If we introduce a feature involving health-related data (such as sweat-based physiological

signals), it wil be governed by a dedicated privacy notice, wil proceed only on your prior explicit

consent, and wil be announced in advance. Nothing in your current use of our Services involves

such data.

2.4 Sources

You; your device; and a closed set of third parties: payment processors (transaction status), fraud-

prevention services, delivery carriers (delivery status), and app-store platforms (subscription

status).

3. How and Why We Use Your Data

Purpose Data used Legal basis (UK / EU GDPR)

Fulfil orders, payments,

returns, refunds

Identity, contact, transaction data Contract

Operate your account and

the App

Identity, contact, device data Contract

GYM3000.com LIMITED Ā· Privacy Policy Ā· Page 2 of 5Customer support Identity, contact, correspondence Contract; legitimate interest

Fraud prevention and

security

Transaction, device data Legitimate interest; legal obligation

Product improvement and

analytics

Device, usage data (aggregated) Legitimate interest; consent for

cookies

Marketing communications Contact data, preferences Consent where required under

applicable electronic marketing law;

otherwise legitimate interest where

localy permitted

Legal and regulatory

compliance

Transaction, identity data Legal obligation

We do not use your data for purposes materialy different from those stated here without notifying

you and, where required, obtaining your consent.

4. Sharing Your Data

We share personal data only with:

• service providers acting on our instructions under written contracts — payment processing,

delivery and logistics, cloud hosting, customer support tooling, and analytics;

• professional advisers, insurers, and regulators, where necessary;

• a buyer or successor in the event of a merger, acquisition, or sale of assets, subject to

continued protection of your data;

• law enforcement or public authorities, where required by law or a valid legal process,

folowing our internal legal review;

• business subscribers, limited to aggregated, de-identified statistics as described in Section

1.

We do not sel your personal data for money. Where applicable US state law defines certain

analytics or advertising cookies as a ā€œsaleā€ or ā€œsharingā€ of personal information, we provide the opt-

out described in Section 11.3.

5. International Transfers

We are based in the United Kingdom and use service providers located in the European Economic

Area, the United States, and other countries. Where we transfer personal data out of the UK or

EEA, we rely on adequacy decisions where available, or the UK International Data Transfer

Addendum and the EU Standard Contractual Clauses, together with supplementary technical and

organisational measures where required.

6. Cookies and Similar Technologies

Our use of cookies and similar technologies, including your controls and choices, is described in ful

in our Cookie Policy, available on our website. This Privacy Policy governs the personal data those

technologies may generate; the Cookie Policy governs the technologies themselves.

GYM3000.com LIMITED Ā· Privacy Policy Ā· Page 3 of 57. Data Retention

We retain personal data only for as long as necessary for the purposes described in Section 3, and

in any event no longer than applicable law requires or permits. Order and transaction records are

retained for the period required by tax and accounting law. Account data is retained while your

account is active. If your account is inactive for 36 consecutive months, we wil notify you and,

absent a response, delete your account data 60 days later, except records we are legaly required

to retain or that remain necessary for ongoing customer relationship, warranty, contractual, or

product support purposes.

8. Security

We apply industry-standard technical and organisational measures, including encryption in transit

and at rest, role-based access controls built on least-privilege principles, supplier security reviews,

and vulnerability management practices, to protect personal data against unauthorised access,

loss, or disclosure. No system is completely secure; if we become aware of a breach affecting your

data, we wil notify you and the relevant regulator where required by law.

9. Children’s Privacy

Our Services are not directed to children, and we do not knowingly colect personal data from

anyone below the applicable minimum age of digital consent in their jurisdiction — which ranges

from 13 to 16 depending on the country — without appropriate parental consent. If we become

aware that we have colected personal data from a child without the required consent, we wil delete

it.

10. Your Rights

Depending on your jurisdiction, you may have the right to: access the personal data we hold about

you; correct inaccurate data; request deletion; object to or restrict certain processing; request data

portability; and withdraw consent at any time where processing is based on consent. Where

applicable, portable data wil be provided in a structured, commonly used, machine-readable

format. To exercise any of these rights, contact us via the contact form on our website. We wil

respond within the period required by applicable law.

11. Regional Provisions

11.1 United Kingdom and European Union

We process your data under the UK GDPR and, where applicable, the EU GDPR. You have the

right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or, for EEA

residents, with your local supervisory authority. Our EU Article 27 Representative details, where

applicable, are published on our website.

11.2 Canada

We process your data in accordance with the Personal Information Protection and Electronic

Documents Act (PIPEDA) and applicable provincial legislation, including QuĆ©bec’s Law 25.

Marketing communications comply with Canada’s Anti-Spam Legislation (CASL); you may

withdraw consent to marketing at any time. Recourse lies to the Office of the Privacy Commissioner

of Canada and, in QuĆ©bec, the Commission d’accĆØs Ć  l’information.

GYM3000.com LIMITED Ā· Privacy Policy Ā· Page 4 of 511.3 United States

Depending on your state of residence, you may have rights under applicable state privacy laws

(including California, Colorado, Connecticut, Virginia, and other states with comparable legislation)

to know, access, correct, delete, and opt out of the sale or sharing of your personal information, and

to opt out of targeted advertising. We do not sel personal information for money. We honour the

Global Privacy Control signal as a valid opt-out request where technicaly supported. California

residents may designate an authorised agent to submit requests on their behalf.

11.4 Australia

We handle personal information in accordance with the Australian Privacy Principles under the

Privacy Act 1988. Marketing communications comply with the Spam Act 2003. Complaints may be

lodged with the Office of the Australian Information Commissioner (oaic.gov.au).

11.5 Rest of World

If you are located outside the United Kingdom, the European Economic Area, the United States,

Canada, or Australia, we process your personal data in accordance with the general principles set

out in this Privacy Policy and with any mandatory data protection law of your country of residence.

We honour the same rights described in Section 10 (access, correction, deletion, objection,

portability, and withdrawal of consent) for al customers worldwide, regardless of whether your

country has its own comprehensive data protection legislation.

12. Automated Decision-Making

We do not use your personal data for automated decision-making that produces legal or similarly

significant effects concerning you without human involvement. Where AI-assisted features in the

App generate welness insights or recommendations, these are informational only, are not medical

advice, diagnosis, or treatment, do not constitute a decision about you, and are described further in

our Terms & Conditions.

13. Changes to This Policy

We may update this Policy from time to time. The updated version wil be posted on our website

with a revised effective date. Where a change is material, we wil notify you by email or through the

App at least 30 days before it takes effect. Your continued use of our Services after the effective

date constitutes acceptance of the updated Policy.

14. Contact

For any question about this Policy or to exercise your rights, contact us via the contact form on our

website. GYM3000.com LIMITED is registered in England and Wales; ful registration details are

published in the legal notice on our website. Where required by applicable law, we appoint a Data

Protection Officer or privacy representative; contact details are published on our website.

GYM3000.com LIMITED Ā· Privacy Policy Ā· Page 5 of 5