Privacy policy
Privacy Policy
Effective Date: 1 October 2026
Company: GYM3000.com LIMITED, registered in England and Wales
Markets covered: Worldwide, with dedicated provisions for the United Kingdom Ā· European
Union Ā· United States Ā· Canada Ā· Australia
Contact: via the contact form on our website
Contents
1. Scope and Who We Are
2. Data We Colect
3. How and Why We Use Your Data
4. Sharing Your Data
5. International Transfers
6. Cookies and Similar Technologies
7. Data Retention
8. Security
9. Childrenās Privacy
10. Your Rights
11. Regional Provisions
12. Automated Decision-Making
13. Changes to This Policy
14. Contact
1. Scope and Who We Are
This Privacy Policy explains how GYM3000.com LIMITED (āweā, āusā) colects, uses, shares, and
protects personal data when you visit our website, use the My FitButlr⢠application (the āAppā),
purchase our products, or otherwise interact with us. For purposes of this Policy, āServicesā means
colectively our website, the App, our products (including FitButlrā¢), gym deployment solutions,
subscriptions, and related services. This Policy addresses consumers. Business customers (such
as gym operators) are engaged under a separate written agreement, and data processing under
those engagements is governed by the data protection terms of that agreement. It applies to
customers worldwide, with Regional Provisions in Section 11 addressing the United Kingdom, the
European Economic Area, the United States, Canada, and Australia specificaly; those Regional
Provisions supplement, and prevail over, the general text to the extent of any conflict. If you are
located elsewhere, Section 11.5 explains how we protect your rights.
For data colected through our website, App, and direct sales, GYM3000.com LIMITED is the
controler (in California, the ābusinessā; in Australia, the organisation responsible for handling
personal information).
GYM3000.com LIMITED · Privacy PolicyGym deployments: where a gym offers FitButlr⢠towels under a business subscription, towel-
rental operational data ā which may include NFC scan events, timestamps, gym location, towel
identifiers, activation records, rental transactions, and, where applicable, device pairing information
and operational usage events ā is processed under a written business data agreement.
Depending on the deployment model, GYM3000.com may act as an independent controler, joint
controler, or processor on behalf of the gym operator, as reflected in the applicable agreement and
the partiesā respective roles under applicable data protection law. The gym may receive
aggregated, de-identified, or otherwise appropriately limited operational statistics depending on the
deployment model and applicable agreement; identity-linked personal data is shared with the gym
only where permitted by law and clearly disclosed to you in advance. Your gym membership
records belong to your gym and its own privacy notice; this Policy does not reach them.
2. Data We Collect
2.1 Data you provide
Name, email, phone, shipping and biling address, and account credentials. Order history and
delivery and refund records ā card details are processed by PCI-DSS certified payment
processors; we do not hold ful card numbers. Support correspondence and optional preferences
you choose to share.
2.2 Data from your device and your use of the Services
IP address, device identifiers, operating system, App version, crash logs, and session data,
colected via cookies and similar technologies (see Section 6). NFC scan events and related towel-
rental data (see Section 1, Gym deployments) where you use FitButlr⢠towels in participating
gyms. Approximate location derived from your IP address or gym check-in. We do not colect
continuous GPS location.
2.3 What we do not collect
We do not colect health data, biometric data, genetic data, neural data, precise geolocation trails,
your contacts, photographs, or microphone data, and we do not purchase data about you from data
brokers. If we introduce a feature involving health-related data (such as sweat-based physiological
signals), it wil be governed by a dedicated privacy notice, wil proceed only on your prior explicit
consent, and wil be announced in advance. Nothing in your current use of our Services involves
such data.
2.4 Sources
You; your device; and a closed set of third parties: payment processors (transaction status), fraud-
prevention services, delivery carriers (delivery status), and app-store platforms (subscription
status).
3. How and Why We Use Your Data
Purpose Data used Legal basis (UK / EU GDPR)
Fulfil orders, payments,
returns, refunds
Identity, contact, transaction data Contract
Operate your account and
the App
Identity, contact, device data Contract
GYM3000.com LIMITED Ā· Privacy Policy Ā· Page 2 of 5Customer support Identity, contact, correspondence Contract; legitimate interest
Fraud prevention and
security
Transaction, device data Legitimate interest; legal obligation
Product improvement and
analytics
Device, usage data (aggregated) Legitimate interest; consent for
cookies
Marketing communications Contact data, preferences Consent where required under
applicable electronic marketing law;
otherwise legitimate interest where
localy permitted
Legal and regulatory
compliance
Transaction, identity data Legal obligation
We do not use your data for purposes materialy different from those stated here without notifying
you and, where required, obtaining your consent.
4. Sharing Your Data
We share personal data only with:
⢠service providers acting on our instructions under written contracts ā payment processing,
delivery and logistics, cloud hosting, customer support tooling, and analytics;
⢠professional advisers, insurers, and regulators, where necessary;
⢠a buyer or successor in the event of a merger, acquisition, or sale of assets, subject to
continued protection of your data;
⢠law enforcement or public authorities, where required by law or a valid legal process,
folowing our internal legal review;
⢠business subscribers, limited to aggregated, de-identified statistics as described in Section
1.
We do not sel your personal data for money. Where applicable US state law defines certain
analytics or advertising cookies as a āsaleā or āsharingā of personal information, we provide the opt-
out described in Section 11.3.
5. International Transfers
We are based in the United Kingdom and use service providers located in the European Economic
Area, the United States, and other countries. Where we transfer personal data out of the UK or
EEA, we rely on adequacy decisions where available, or the UK International Data Transfer
Addendum and the EU Standard Contractual Clauses, together with supplementary technical and
organisational measures where required.
6. Cookies and Similar Technologies
Our use of cookies and similar technologies, including your controls and choices, is described in ful
in our Cookie Policy, available on our website. This Privacy Policy governs the personal data those
technologies may generate; the Cookie Policy governs the technologies themselves.
GYM3000.com LIMITED Ā· Privacy Policy Ā· Page 3 of 57. Data Retention
We retain personal data only for as long as necessary for the purposes described in Section 3, and
in any event no longer than applicable law requires or permits. Order and transaction records are
retained for the period required by tax and accounting law. Account data is retained while your
account is active. If your account is inactive for 36 consecutive months, we wil notify you and,
absent a response, delete your account data 60 days later, except records we are legaly required
to retain or that remain necessary for ongoing customer relationship, warranty, contractual, or
product support purposes.
8. Security
We apply industry-standard technical and organisational measures, including encryption in transit
and at rest, role-based access controls built on least-privilege principles, supplier security reviews,
and vulnerability management practices, to protect personal data against unauthorised access,
loss, or disclosure. No system is completely secure; if we become aware of a breach affecting your
data, we wil notify you and the relevant regulator where required by law.
9. Childrenās Privacy
Our Services are not directed to children, and we do not knowingly colect personal data from
anyone below the applicable minimum age of digital consent in their jurisdiction ā which ranges
from 13 to 16 depending on the country ā without appropriate parental consent. If we become
aware that we have colected personal data from a child without the required consent, we wil delete
it.
10. Your Rights
Depending on your jurisdiction, you may have the right to: access the personal data we hold about
you; correct inaccurate data; request deletion; object to or restrict certain processing; request data
portability; and withdraw consent at any time where processing is based on consent. Where
applicable, portable data wil be provided in a structured, commonly used, machine-readable
format. To exercise any of these rights, contact us via the contact form on our website. We wil
respond within the period required by applicable law.
11. Regional Provisions
11.1 United Kingdom and European Union
We process your data under the UK GDPR and, where applicable, the EU GDPR. You have the
right to lodge a complaint with the UK Information Commissionerās Office (ico.org.uk) or, for EEA
residents, with your local supervisory authority. Our EU Article 27 Representative details, where
applicable, are published on our website.
11.2 Canada
We process your data in accordance with the Personal Information Protection and Electronic
Documents Act (PIPEDA) and applicable provincial legislation, including QuĆ©becās Law 25.
Marketing communications comply with Canadaās Anti-Spam Legislation (CASL); you may
withdraw consent to marketing at any time. Recourse lies to the Office of the Privacy Commissioner
of Canada and, in QuĆ©bec, the Commission dāaccĆØs Ć lāinformation.
GYM3000.com LIMITED Ā· Privacy Policy Ā· Page 4 of 511.3 United States
Depending on your state of residence, you may have rights under applicable state privacy laws
(including California, Colorado, Connecticut, Virginia, and other states with comparable legislation)
to know, access, correct, delete, and opt out of the sale or sharing of your personal information, and
to opt out of targeted advertising. We do not sel personal information for money. We honour the
Global Privacy Control signal as a valid opt-out request where technicaly supported. California
residents may designate an authorised agent to submit requests on their behalf.
11.4 Australia
We handle personal information in accordance with the Australian Privacy Principles under the
Privacy Act 1988. Marketing communications comply with the Spam Act 2003. Complaints may be
lodged with the Office of the Australian Information Commissioner (oaic.gov.au).
11.5 Rest of World
If you are located outside the United Kingdom, the European Economic Area, the United States,
Canada, or Australia, we process your personal data in accordance with the general principles set
out in this Privacy Policy and with any mandatory data protection law of your country of residence.
We honour the same rights described in Section 10 (access, correction, deletion, objection,
portability, and withdrawal of consent) for al customers worldwide, regardless of whether your
country has its own comprehensive data protection legislation.
12. Automated Decision-Making
We do not use your personal data for automated decision-making that produces legal or similarly
significant effects concerning you without human involvement. Where AI-assisted features in the
App generate welness insights or recommendations, these are informational only, are not medical
advice, diagnosis, or treatment, do not constitute a decision about you, and are described further in
our Terms & Conditions.
13. Changes to This Policy
We may update this Policy from time to time. The updated version wil be posted on our website
with a revised effective date. Where a change is material, we wil notify you by email or through the
App at least 30 days before it takes effect. Your continued use of our Services after the effective
date constitutes acceptance of the updated Policy.
14. Contact
For any question about this Policy or to exercise your rights, contact us via the contact form on our
website. GYM3000.com LIMITED is registered in England and Wales; ful registration details are
published in the legal notice on our website. Where required by applicable law, we appoint a Data
Protection Officer or privacy representative; contact details are published on our website.
GYM3000.com LIMITED Ā· Privacy Policy Ā· Page 5 of 5