Privacy Policy

Last updated: August 20, 2025


This policy describes how Gambit Dev (“we,” “us,” “our”) processes information when you and your organization use the Crunch Fitness Utility web application and related services (the “Service”). The Service is intended for internal use by Crunch Fitness clubs and staff only.


1) Who we are & roles under privacy law

Service provider / processor (GDPR “processor”): Gambit Dev (developer and operator of the Service).

Business / controller (GDPR “controller”): Your employer or the Crunch Fitness entity that provides your account and determines how the Service is used at your club location(s).

We enter into a Data Processing Addendum (DPA) with the controller when required. Admins can request one (see §14).


2) What this policy covers

This policy applies to the Service’s web app, APIs, scheduled workers, and integrations (e.g., AI chat, inventory, shift notes, cash calculator, PDF chat, and optional email/calendar integrations). It does not cover third-party websites you may visit through links.


3) Information we collect

A. Account & organization data

Name, work email, role, club/location, team membership.

Authentication identifiers and OAuth profile data (from your chosen identity provider) and token metadata.

B. App content you and your org input

Shift notes & reports (free-form text, timestamps, author).

Inventory data (item names/SKUs, counts, thresholds, activity logs).

Cash register calculator entries (denominations/totals, reconciliation notes).

AI features: chat prompts, files for PDF chat, attachments/metadata, and model outputs.

Email/calendar integration (if enabled): token metadata and necessary message/metadata in the scopes you approve. We never store your email password.

Not for PHI: The Service is not designed to store Protected Health Information (PHI) or regulated medical data. Please do not input health/medical details about members or staff.

C. Billing & subscription data (for paid tiers)

Plan, seat counts, invoices, and payment status.

We do not collect or store full payment card numbers; a payment processor handles those directly.

D. Communications & support

Support requests, feedback, and email correspondence.

Email delivery/engagement metadata for automated reports.

E. Technical & usage data

Device and browser information, IP address, timestamps.

Event/usage analytics (e.g., feature usage, performance metrics).

Error/exception data and stack traces.

Server and job execution logs for scheduled/background tasks.


4) Sources of information

Directly from users and organization admins.

Automatically through your use of the Service (cookies/SDKs/logs).

Third-party integrations you connect and authorize.

AI service providers used to generate responses.


5) How we use information (purposes)

Provide the Service: authenticate users, run AI chat and PDF chat, track inventory, generate shift and inventory reports, reconcile cash, and deliver optional email/calendar features.

Send communications: daily shift, inventory, and cash calculator emails; service notices; account/billing emails.

AI features: process prompts/files with third-party AI providers to return answers and summaries.

Improve & secure the Service: analytics, debugging, monitoring, quality assurance, preventing abuse/fraud, and access auditing.

Billing & account management: subscriptions, invoicing, tax compliance.

Legal: comply with law, enforce terms, and protect rights and safety.

We do not sell personal information or use it for cross-context behavioral advertising.


6) Legal bases (GDPR/UK GDPR, where applicable)

Contract: to provide the Service to your organization and you.

Legitimate interests: security, service improvement, troubleshooting, proportional analytics.

Consent (where required): for certain cookies, marketing, or optional integrations.

Legal obligations: tax, accounting, and regulatory duties.


7) AI features & data handling

When you use the AI chatbot or PDF chat, your prompts, files, and outputs are sent to third-party AI providers for processing.

We disable provider training on your content where such controls are available; however, provider retention and safety/abuse monitoring may still apply.

Do not paste secrets (API keys, passwords) or sensitive personal data unless your organization approves that use and understands the risks.

Admins may request deletion of AI logs we control (see §11) and can ask about provider-side retention options.


8) Disclosures & recipients (categories)

We share information only as needed to operate and support the Service:

Hosting & infrastructure providers (application hosting, compute, storage, databases, content delivery).

Email/communication providers (transactional emails and report delivery).

Payment processors (subscriptions, invoicing).

Analytics and monitoring providers (product analytics, error/performance monitoring).

Content management & configuration tools (for site/app content and settings, if used).

AI service providers (to process prompts/files and generate outputs).

Professional advisors & legal (auditors, lawyers) where necessary.

Corporate transactions (merger, acquisition, or asset transfer, subject to protections).

Legal compliance (if required by law or valid legal request).

We maintain an internal list of current subprocessors. Organization admins can request the list and will be notified of material changes as required by our DPA. We require subprocessors to use information only to provide services to us and to implement appropriate security.


9) Cookies & similar technologies

We use essential cookies for authentication and session management, and (if enabled by your organization) analytics cookies/SDKs for usage measurement. Where required, we obtain consent for non-essential cookies.


10) Data retention

We retain information only as long as needed for the purposes described or as required by law. Typical defaults (admins can request configuration):

Account profiles: life of the account + up to 90 days.

Shift notes, inventory, cash entries: life of the workspace; deletions honored within 30 days from trash/purge.

AI prompts/outputs (our logs): 30–180 days (shorter on request, subject to operational limits).

Email delivery logs: per email provider limits (commonly 30–90 days).

Server logs/analytics: 30–180 days.

Billing records: up to 7–10 years (tax/accounting).

Third-party providers may apply their own retention periods to copies they hold.


11) Your rights & choices

Depending on your location (e.g., EU/EEA, UK, CA/CPRA, CO, CT, VA), you may have rights to:

Access, correct, delete, or port your personal information.

Restrict or object to certain processing.

Opt out of sale/sharing (we do not sell) and certain profiling.

Appeal automated decisions where applicable.

How to exercise rights:

Contact your organization’s admin first (they control the workspace and can export or delete content).

You may also contact us (see §14). We will coordinate with your organization to fulfill requests.

We will verify identity (and, where required, authority) before acting.


12) Security

We implement administrative, technical, and physical safeguards, including encryption in transit and at rest, role-based access controls, audit logging, secure OAuth flows for SSO, segregated environments, backups, and vulnerability management/monitoring.

No system is perfectly secure. If a breach affects your data, we will notify your organization and/or authorities as required by law.


13) International data transfers

We are based in the United States and may process data in other countries through our service providers. Where required, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) for cross-border transfers.


14) Contact us

Gambit Dev (Service Provider)

Email: privacy@crunchfitness.app


15) Children’s privacy

The Service is for workplace use and not directed to individuals under 16. We do not knowingly collect personal information from children.


16) Changes to this policy

We may update this policy to reflect operational or legal changes. We’ll post the new version with the “Last updated” date and, where appropriate, provide in-app or email notice to organization admins.


17) California disclosures (CPRA)

We act as a service provider/contractor to your organization.

We do not sell or share personal information for cross-context behavioral advertising.

Categories collected may include: identifiers (name, email), employment-related information (role, club), commercial information (subscription/billing metadata), internet/electronic activity (usage and logs), and inferences (basic usage analytics).

Sensitive personal information is processed only for permitted purposes (e.g., authentication tokens) and not for inferring characteristics.


18) Notes for admins (no vendor names)

Data mapping (what lives where, conceptually)

Primary data stores: structured records for accounts, content (shift notes, inventory, cash entries), and related metadata; file/object storage for uploads and exports; background job queues for scheduled tasks.

Operational telemetry: product analytics and error/performance monitoring with data minimization controls.

Email: transactional mail for reports and notifications.

AI: third-party providers process prompts/files to generate outputs.

Payments: subscription and invoicing data via a compliant payment processor.

Configuration options (available on request)

Custom retention windows for app content/logs.

SSO enforcement and IP allow-lists.

Analytics minimization or org-level opt-out.

Choice/controls around AI provider retention/training where supported.

Regional processing preferences where supported by providers.


19) Practical summary for end users

Your employer is the data controller; we operate the app for them.

We use your work info and the content you enter (notes, inventory, cash counts) to run the app.

AI features send your prompts/files to third-party AI providers to generate answers.

We don’t sell your data. We share it only with providers needed to run the Service.

You can ask your admin (or us) to access/export/delete your data, subject to law and business needs.