Privacy Policy

1. Introduction

10RM Pty Ltd (ABN pending) ("10RM", "we", "us", or "our") operates the 10RM platform, including our mobile applications and website (collectively, the "Platform"). We are committed to protecting your personal information and your right to privacy.

This Privacy Policy explains what information we collect, how we use and share it, and your rights regarding your personal data. It applies to all users of the Platform, including gym members ("Members"), gym owners, personal trainers, and coaches ("Service Providers").

By using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.

2. Information We Collect

2.1 Information You Provide

• Account information: Name, email address, phone number, and password (stored in hashed form).
• Profile information: Profile photo, display name, date of birth, gender, fitness goals, and fitness level.
• Payment information: Payment card details and billing information are collected and processed by our third-party payment processor (Stripe). We do not store your full card details on our servers.
• Fitness data: Workout results, scores, class attendance, booking history, personal records, and progress metrics.
• Waivers and consents: Waiver signatures, timestamps, and IP addresses recorded when you accept gym-specific waivers or platform terms.
• Communications: Messages you send through the Platform, support requests, and feedback.

2.2 Information Collected Automatically

• Device information: Device type, operating system, app version, unique device identifiers, and push notification tokens.
• Usage data: Pages viewed, features used, clicks, session duration, and interaction patterns.
• Log data: IP address, browser type, access times, and referring URLs.
• Location data: General location inferred from your IP address. We do not collect precise GPS location unless you explicitly grant permission.

2.3 Information from Service Providers

If you are a Member, your gym or trainer may provide us with information about you, such as membership status, class enrolments, and workout assignments.

3. How We Use Your Information

We use your personal information for the following purposes:

• Providing the Platform: Creating and managing your account, processing bookings, facilitating communication between Members and Service Providers, and displaying workout results and leaderboards.
• Processing payments: Facilitating payments between Members and Service Providers through our payment processor.
• Communications: Sending booking confirmations, reminders, class updates, and important service notifications via push notifications and email.
• Improving the Platform: Analysing usage patterns to improve features, fix bugs, and develop new functionality.
• Safety and security: Detecting and preventing fraud, abuse, and security incidents.
• Legal compliance: Complying with applicable laws, regulations, and legal processes.
• Analytics: Understanding how users interact with the Platform to improve the user experience.

4. How We Share Your Information

We do not sell your personal information. We share your data only in the following circumstances:

4.1 With Service Providers (Gyms and Trainers)

When you book a class or join a gym through the Platform, relevant information (such as your name, profile photo, and booking details) is shared with the Service Provider to facilitate the service.

4.2 With Third-Party Service Providers

We use the following third-party services to operate the Platform:

These providers are contractually obligated to use your data only as necessary to provide their services and in accordance with applicable privacy laws.

4.3 With Other Users

Certain information is visible to other users of the Platform as part of its core functionality:

• Workout results and scores may appear on class leaderboards.
• Your display name and profile photo are visible to other members of the same gym.
• You can manage your visibility preferences in the Platform's Privacy Settings.

4.4 For Legal Reasons

We may disclose your information if required by law, regulation, legal process, or government request, or to protect the rights, property, or safety of 10RM, our users, or the public.

5. Data Storage and Security

Your data is stored on servers hosted by Amazon Web Services (AWS) in the United States (Oregon region). We implement industry-standard security measures including:

• Encryption of data at rest and in transit (TLS/SSL);
• Secure password hashing;
• Access controls and authentication for internal systems;
• Regular security monitoring and logging;
• Web Application Firewall (WAF) protection; and
• Private network architecture for database and cache services.

While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Platform's services. Specifically:

• Account data: Retained while your account is active. After account deletion, personal data is deleted or anonymised within 30 days, except where retention is required by law.
• Financial records: Transaction records are retained for 7 years to comply with tax and financial reporting obligations.
• Fitness data: Workout results and progress data are deleted upon account deletion unless you request earlier deletion.
• Backups: Encrypted database backups are retained for up to 7 days and are automatically overwritten.
• Log data: Server logs are retained for up to 90 days for security and debugging purposes.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

7.1 All Users

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data. You can delete your account at any time through the Platform's settings.
• Withdraw consent: Withdraw your consent to processing at any time (where processing is based on consent).

7.2 Australian Users (Privacy Act 1988)

Under the Australian Privacy Principles (APPs), you have the right to:

• Access your personal information held by us (APP 12);
• Request correction of personal information (APP 13); and
• Make a complaint about a breach of the APPs.

If you are unsatisfied with our response to a complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

7.3 European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Portability: Request your data in a structured, commonly used, machine-readable format.
• Restriction: Request restriction of processing in certain circumstances.
• Objection: Object to processing based on legitimate interests.
• Automated decisions: Not be subject to decisions based solely on automated processing that significantly affect you.

Legal basis for processing: We process your data based on: (a) your consent; (b) performance of our contract with you; (c) our legitimate interests (improving the Platform, preventing fraud); and (d) compliance with legal obligations.

International transfers: Your data is transferred to and stored in the United States. We rely on Standard Contractual Clauses and other appropriate safeguards for these transfers.

You may lodge a complaint with your local Data Protection Authority.

7.4 California Users (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know: Request details about the categories and specific pieces of personal information we have collected.
• Right to delete: Request deletion of your personal information.
• Right to opt-out: We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
• Non-discrimination: We will not discriminate against you for exercising your privacy rights.

7.5 Exercising Your Rights

To exercise any of these rights, contact us at privacy@10rm.app. We will respond within 30 days (or sooner where required by applicable law). We may need to verify your identity before processing your request.

8. Cookies and Tracking

Our mobile applications do not use cookies. Our web-based services may use:

• Session cookies: To maintain your logged-in state.
• Analytics: We use analytics tools to understand how users interact with the Platform. You can opt out of analytics tracking in the Platform's Privacy Settings.

We do not engage in cross-site tracking or sell data to advertisers.

9. Children's Privacy

The Platform is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@10rm.app.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the Platform or by email at least 14 days before the changes take effect.

The "Last updated" date at the top of this page indicates when this Privacy Policy was last revised. Your continued use of the Platform after any changes constitutes your acceptance of the updated Privacy Policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@10rm.app
• General support: support@10rm.app

For Australian privacy complaints, you may also contact the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992