Privacy Policy

A NOTE TO OUR USERS:
Questions? Contact us anytime via our Help Center. 

On May 6, 2024, we rebranded to Wellhub to represent the full scope of our offering. Although we have changed our logo and our name to Wellhub, nothing has changed with respect to our Terms or our Privacy Policy. Our legal entity for our Terms is Gympass US, LLC, doing business as "Wellhub" for all users, except for users who reside in Brazil where the legal entity is GPBR PARTICIPAÇÕES LTDA., with the trade name of "Wellhub." If you have any general questions regarding our service or the rebrand, you may always contact us via our Help Center. If you have questions relating to your privacy, please email us at dpo@gympass.com or dpo@wellhub.com.

Welcome to Gympass! We at Gympass know you care about how your Personal Data is used and shared, and we take your privacy seriously.

This Privacy Policy, incorporated into our Terms and Conditions of Use (“Terms”), describes the privacy practices of Gympass (“Gympass,” “we,” or “us”). Any terms we use in this policy without defining them have the definitions given to them in our Terms. This Policy applies to our privacy practices for our websites (including Gympass.com), the Gympass mobile applications (the “Apps”), and our other services. By accessing or using our Services, you acknowledge that you accept the practices and policies outlined in this Privacy Policy.

What does this Privacy Policy cover?
Gympass offers eligible individuals the opportunity to enroll in a Gympass Subscription. The Gympass Subscription provides access to the services and content of our Third Party Providers. Our network of Third Party Partners varies by location, by Subscription level, and by the fitness or wellness services offered.

This Privacy Policy covers the data we collect about you (the “Personal Data”) and how we store, analyze, and share your Personal Data. This Policy does not apply to the practices of companies we do not own or control, including your employer or the organization that provided you with access to the Gympass Services, Third Party Providers, or other parties.

If you reside in Brazil, the data controller for your Personal Data is GPBR PARTICIPAÇÕES LTDA. (“GPBR”), CNPJ 15.664.649/0001-84, headquartered at  Avenida Engenheiro Luís Carlos Berrini, n° 716, 10th floor, Cidade Monções, CEP 04571-926, São Paulo - SP, a subsidiary of Gympass US, LLC. For Personal Data collected in connection with our Services in the European Economic Area, the United Kingdom, or any other location where applicable law requires, the data controller for your Personal Data is Gympass US LLC,a Delaware limited liability company, with a registered address at 30 Irving Place, 8th floor, New York, NY 10003 (“Gympass US”).

We gather various types of Personal Data from you, as explained in more detail below, and we use this Personal Data in connection with our Services, including to personalize, provide, and improve our Services, to allow you to set up a user account and profile, to contact you and allow other users to contact you, and to fulfill your requests for certain products and services. In certain cases, we may also share some Personal Data with third parties, as described below.

What information does Gympass collect? 

Gympass collects the following data:

  • Data provided by you, including: 

Contact and Registration Data. If you access our Platform and/ or register for an account, we will collect Personal Data such as your first and last name, username and password, email, mobile or other phone number, mailing address, and zip code, as well as any other Personal Data you choose to provide, including a profile picture and your preferred location. If you have registered for an account, you may log in to review and update your information and preferences.

Transaction Information. If you become a Gympass Subscriber and utilize a direct payment method such as a credit card, we will collect information related to the payment for our Services, such as your credit/debit card information, billing address, and other related transaction information, either directly or through our payment provider. If you pay for our Services by requesting payroll deduction, we will receive confirmation of the transaction from your employer.

Communications, Surveys, and Reviews. We will also collect information when you communicate with us, such as through emails or other communications that you send us, exchanges through the website or app, or exchanges through social media. If we ask you to provide feedback by completing a survey or by offering a testimonial or review, we will collect any information you choose to provide.

  • Data collected about you, including:

Check-in/ Location Data. We may collect location data from your mobile device in order to validate your check-in data to the extent that it is enabled in your device settings.

Data from Social Media Apps. If you link your Gympass account to any social media profile, or otherwise interact with us through a social media site (e.g., by logging in through Facebook or by clicking a Facebook “like” button), the social media network may share information with us. You can access and revise your information-sharing practices in the privacy settings of such social media sites.

Usage Information. We will collect information about how you interact with and use our Services, such as your “check-in” with a Third Party Provider or other proof of your access and/or use of the Services of a Third Party Provider, virtual or in-person classes that you book and/or attend, and workouts you log.

Device Data. When you interact with our Services, either on our website or through our mobile app, we automatically receive and record data which may include your IP address, geolocation data, device identification, “cookie” data (please see below), the type of browser and/or device you're using to access our Services, the page or feature you requested and time of access. If you choose to do so and your Program sponsor allows, you may allow us to collect and analyze information about your wellness and fitness, including but not limited to the number of steps you walked, your fitness and wellness information, using the HealthKit framework from Apple, Inc., or another tool. The information you provide to HealthKit (or such other tool) is governed by Apple’s privacy terms (or the terms of the applicable tool).    

  • Data from other sources. This includes:

Eligibility Information. To offer you our Services and confirm your eligibility for the Gympass Platform, we may collect Personal Data from your employer or other entity who provides you with access to Gympass (or, in the case of a qualifying Family Member, the individual who is the primary account holder for you), which may include first and last name, work email, employee ID or another personal identifier, and/or your status as an active employee.

Referral Information. When our referral services are utilized (for example, to refer a local gym to the Gympass network), we receive the referred person's data or the personal data for a referred company.

Publicly available sources. Gympass may receive data from publicly available sources.

How does Gympass use my Personal Data?
We use your Personal Data to provide you with our Services, confirm eligibility for and administer your Membership and Subscription, respond to your inquiries, deliver a more relevant experience with our Services and Third Party Providers, and meet our other business purposes. We may also use your Personal Data in order to facilitate the administration of your account through your employer or a wellness solution platform that your employer has engaged in order to offer you our Services. We may use this data to contact you or to cross-reference it with other Personal Data we may hold about you in accordance with this Policy. Specifically, we may use your Personal Data for the following purposes and based on the following legal basis under data protection law for each purpose:
 

Purpose for processing your Personal DataLegal basisCategories of Personal Data
To provide the Gympass Services
  • Performance of a contract 
  • Legitimate interest
  • Consent
  • Contact and Registration Data
  • Usage Data
  • Transaction Data 
  • Check-in/ Location Data
  • Device Data


To confirm eligibility for Gympass

 

  • Performance of a contract 
  • Eligibility Data
  • Contact and Registration Data
To manage your Subscription 
  • Performance of a contract 
  • Contact and Registration Data
  • Usage Data
  • Transaction Data
To delivery relevant content and news, including making recommendations to you and monitoring trends
  • Legitimate interests
  • Consent
  • Contact and Registration Data
  • Check-in/ Location Data
  • Usage Data 
To enable your participation in activities we organize related to the Services, including sweepstakes, competitions, surveys
  • Legitimate interests
  • Consent
  • Contact and Registration Data
  • Usage Data
  • Transaction Data
To diagnose and fix issues with the Gympass Platform and Services
  • Performance of a contract 
  • Legitimate interest
  • Contact and Registration Data
  • Usage Data
  • Transaction Data 
  • Device Data
To evaluate and develop new features and improvements 
  • Legitimate interests
  • Contact and Registration Data
  • Usage Data
  • Data from Communications, Surveys, and Reviews
  •  
To process your payment and facilitate payment in support of your Membership or Subscription
  • Performance of a contract 
  •  
  • Contact and Registration Data
  • Usage Data
  • Transaction Data 
  • Eligibility Data
To comply with a legal obligation or law enforcement requirement, including to collect applicable taxes
  • Compliance with legal obligations
  • Legitimate interest
  • Contact and Registration Data
  • Usage Data
  • Transaction Data
To fulfill contractual obligations with Third Party Providers
  • Legitimate interests
  • Contact and Registration Data
  • Usage Data
  • Eligibility Data
To comply with a legal obligation or law enforcement requirement, including to collect applicable taxes
  • Compliance with legal obligations
  • Legitimate interest
  • Contact and Registration Data
  • Usage Data
  • Transaction Data
To take appropriate action with reports of IP infringement or inappropriate conduct on the Platform
  • Legitimate interests
  • Contact and Registration Data
  • Usage Data
  • Device Data
  •  
To establish, exercise or defend legal claims
  • Legitimate interests
  • Contact and Registration Data
  • Usage Data
  • Transaction Data
  • Eligibility Data
  • Data from Communications, Surveys, and Reviews
To conduct business planning reporting, and forecasting
  • Legitimate interests
  • Contact and Registration Data
  • Usage Data
  • Transaction Data
  • Eligibility Data
  • Data from Communications, Surveys, and Reviews
To detect and prevent fraud
  • Legitimate interests
  • Contact and Registration Data
  • Usage Data
  • Transaction Data
  • Eligibility Data
  • Device Data

 

 

 

How does Gympass share my Personal Data?
We may share your Personal Data as described in this Privacy Policy or where we have provided you with prior notice and, to the extent applicable law requires, obtained your consent. Gympass may share your Personal Data with the following parties for the reasons discussed below:

Third Party Providers (including gyms,studios, and personal trainers). We may share your Personal Data with Third Party Providers (such as a gym, studio, third-party wellness app, booking partner, or other partner entity) in order to facilitate your use of their services, including to ensure your check-in if required, to facilitate and process your booking and the payment to the Provider, and to allow the Third Party Provider to operate their business as disclosed in that Third Party's terms and privacy policy. When you book a session with a personal trainer or other Provider, we may share your Personal Data to provide coaching or support services directly to you.

Sponsor for Gympass Services. We may share certain Personal Data (including but not limited to name, surname, email address, your  Membership or Subscription, cost of your plan, whether you have Family Members enabled where allowed, and administrative details) with your employer or other third party that offers you an opportunity to use our Services. If enabled by your Sponsor and you choose to join, we may share your data in a challenge or other competition or program type in order to administer the particular program, such as enabling your Sponsor to share a leaderboard. If you sign up for Gympass as a qualifying Family Member, we may share your personal data with the primary account holder who provided you with access to Gympass and with their Sponsor. In specific circumstances and for limited purposes, including but not limited to ensuring proper administration,  supporting tax and financial reporting compliance, and reporting on the workforce engagement with the Program to support administration, we share reports containing identifiable information with your Sponsor. Finally, if your activity information indicates that there is a problem or abuse, we may share your information with the Sponsor as required in order to ensure the proper functioning of the Platform.  

Indirect Partners. If your Sponsor engaged with Gympass through an indirect channel or other benefits distributor, then we may share limited Personal Data that relates to your participation in the Platform with these services, as directed by your Program Sponsor, in order to facilitate coordination of services across these entities and to administer the Program to you.

Vendors. We may share Personal Data with companies who perform services on our behalf, including providers that help us send communications, analyze data, and maintain our websites and the Gympass Platform.  

Social Media and Third-Party Apps.We may share information with social networks when you use our Services to interact with a social media site (e.g. you click a Facebook “like” button), or connect to our Services through social media . You can review the privacy practices of these sites and third-party apps on their respective sites.

Affiliates. We may share your Personal Data with Gympass corporate affiliates, such as parent or sister entities, in order to administer our Services and operate, evaluate, and improve our business.

Legal and Compliance. We may disclose your Personal Data as required or permitted by law, regulation, or legal process, including to respond to an inquiry from a governmental or law enforcement agency or a court order, to investigate suspected or actual fraud, illegal activity, or security incident, to enforce or apply our Terms of Use or other agreement we may have with you, and where we believe disclosure is appropriate to protect the rights, property, health, or safety of Gympass, its affiliates (including Third Party Providers), our users, employees, or others.

Corporate Transactions. We may choose to buy or sell assets and may share and/or transfer customer data in connection with the evaluation of and entry into such transactions. Also, if we (or our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, your Personal Data could be one of the assets transferred to or acquired by a third party.

User Profiles and Submissions. Certain account data, including your name, location, and any video or image content that you have uploaded to the Services, may be displayed to a Third Party Partner, for example, if you book a Personal Trainer session. Please remember that any content you share , along with any Personal Data or content that you voluntarily disclose online in some manner other Users can view (on discussion boards, reviews, posts, in messages and chat areas, etc. outside of the Gympass Platform) becomes publicly available, and can be collected and used by anyone.

Aggregated or De-identified Data. We may share aggregate usage data with current or prospective Third Party Providers or corporate clients (or allow Third Party Providers or corporate clients to collect that data from you). We reserve the right to provide aggregated and/ or de-identified data to third parties for our own purposes.

Does Gympass use cookies? 
For more information on how Gympass uses cookies and similar tracking technologies, please review our Cookie Policy.

You may be able to change the preferences on your browser or device to prevent or limit your device's acceptance of cookies, but this may prevent you from taking advantage of some of our features. Again, this Privacy Policy does not cover the use of cookies by any third parties, and we are not responsible for their privacy policies and practices.

How does Gympass communicate with me?
We may send you emails with information about Gympass and its Services. You may opt-out of these communications at any time by clicking on the unsubscribe button in each communication or by contacting us directly. You cannot opt-out of communications regarding transactional or service updates, security, and legal notices.

If you have opted to receive notifications on your mobile device, we may contact you mainly by email and we may on occasions contact you by phone or using text messaging. You always have the option to turn notifications off at the device level.

We may on occasion contact you by phone, but only as allowed under applicable law. You may elect to use text messaging as a way for us to communicate with you. You may opt-out of receiving any phone call or text by following the instructions in the communication. Please note that we may send you a confirmation that you have unsubscribed. Please allow us a reasonable time to process your request.

How does Gympass protect my Personal Data?
We have put in place appropriate technical and organizational measures to help protect the security of your Personal Data. We have implemented various safeguards to protect against unauthorized access to Personal Data in our systems.

Be aware that no system is ever totally secure, and we encourage you to take appropriate steps to protect yourself. For example, you should protect your account against unauthorized access to your password, mobile device, and computer by, among other actions, signing off after using a shared computer, selecting and protecting your password and/or other sign-on mechanisms appropriately, and limiting access to your computer or device and browser by signing off after you have finished accessing your account. We are not responsible for any lost, stolen, or compromised passwords, or for any activity in your account via unauthorized password activity.

Retention and Data Transfers
Gympass retains your Personal Data only for as long as is necessary for the purposes set out in this Policy, for as long as your Membership is active, or as needed to provide you with Eligibility to the Platform. If you no longer want Gympass to process your Personal Data to provide the Services to you, you may close your account. Gympass retains and uses your Personal data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your Personal Data to comply with applicable tax or revenue laws), resolve disputes, enforce our agreements, and as otherwise described in this Policy. We may also retain Personal Data where our legitimate business purposes require, such as ensuring site safety and security, improving the functionality of our Services, or when we are legally obligated to retain the data for a longer period. In some circumstances, we may anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information without further notice to you.

Gympass operates a global business, and thus it shares Personal Data internationally with Gympass group of companies, vendors, and partners when carrying out the processing described in this Policy. To ensure that each data transfer complies with all applicable law, Gymapss relies on approved legal mechanisms such as the EU Standard Contractual Clauses.  

Data Subject Rights
Where required by applicable law, you may have the following rights with respect to your Personal Data:

  • Right to access; right to data portability. You have the right to receive a copy of the Personal Data that we have about you and how we use this information. You also have the right to receive your Personal Data in a structured format and the right to have the Personal Data transmitted directly from Gympass at your direction. 
  • Right to rectification. You have the right to obtain from us without undue delay the correction of inaccurate Personal Data concerning you. 
  • Right to erasure. You have the right to request deletion of Personal Data concerning you unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of a legal claim.  
  • Right to restrict or object to processing. You have the right to object to or restrict the processing of your Personal Data to the extent that you dispute the accuracy of the data, the processing is unlawful but you oppose the erasure, or you have objected to the processing. If your Personal Data is processed by us for direct marketing, you have the right to object to the processing. 
  • Right to lodge a complaint. You have the right to lodge a complaint with our Data Protection Officer or a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence. 
  • Right to withdraw consent.You can withdraw your consent to the processing of your Personal Data by us at any time.
    If you would like to manage, change, or delete your Personal Data, you can do so through the settings in the Gympass Platform.
  • Alternatively, you may exercise any of the rights listed above by contacting us.

Deleting or limiting the use of your Personal Data will impact features and uses within the Platform that rely on that information. Please note that we may verify your identity before we are able to process any of the requests described in this section, and in our discretion, may deny your request if we are unable to verify your identity. As part of this process, government or other identification may be required. Where allowable under applicable law, you may designate an authorized agent to make a request on your behalf by contacting us through the Help Center but you must provide the required documentation including the requestor's valid government issued identification, the authorized agent's valid government issued identification, notarized authority to act on behalf of the requestor, and other information as needed to verify the request's authenticity.  

Additional Information for Residents of Certain US States

Disclosures for California Users
This section uses certain terms that have the meaning given to them in the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) and its implementing regulations (collectively, the “CCPA”).

We collect the following categories of CCPA personal information from consumers:

  • Identifiers: information that identifies you, which may include information such as your name, email address, unique personal identifiers (such as a device identifier and/or IP address), and employee ID.
  • Other Records: which may include phone number, address, or credit or debit card information..
  • Demographic Information but only where you provide this information voluntarily. .
  • Commercial Information such as your purchase of a plan, and/or your interaction with our Platform.
  • Internet or Other Network Activity including your interactions with our Platform, device type and/or identifier, operating system and version, browser type and settings and cookie-related data.
  • Sensory Information if, for example, you choose to share your picture in our Platform.
  • Geolocation Data when enabled through the Gympass app and your mobile device settings.

We collect the categories of personal information described in this section from the sources described above in our Gympass Privacy Policy, which includes collecting information directly from you, your Sponsor, your devices, our partners, and our vendors. We use these categories of personal information for our business and commercial purposes as described throughout this Gympass Privacy Policy.

California residents are entitled to contact us to prevent disclosure of Personal Data to third parties for such third parties' direct marketing purposes. Subject to certain limitations, California consumers have certain rights over their personal information such as the right to request details about the categories or specific pieces of personal information we collect and to delete personal information. Gympass does not “sell” (as such term is defined under California law) the personal information we collect from you for monetary purposes (and will not sell it without providing a right to opt out). Please note that we do use third party cookies for advertising purposes as further described in our Cookie Policy. We do not knowingly sell, share or use the personal information of minors under 16 years of age.

To submit a request to exercise your rights as provided under California law, please follow the process as outlined in the section above on Data Subject Rights.

Information on Other US State Privacy Laws
The following section applies to residents of one or more states with consumer privacy law. Such states as of the date of this Privacy Policy are California, Colorado, Connecticut, Utah, and Virginia (collectively “US State Privacy Laws”).

To the extent applicable under US State Privacy Laws, you may have the following rights in connection with your personal information:

  • California users the right to request that we disclose the categories and specific pieces of CCPA personal information have been collected about you; the categories of sources from which CCPA personal information are collected; our business or commercial purpose for collecting, using, disclosing, selling or sharing personal information; the categories of third parties with whom we disclose, sell or share personal information; the categories of personal information we have disclosed, sold or shared about you for a business purpose.
  • Under applicable US State Privacy Laws, you may have a right to request deletion of your personal information and a right to request correction of any inaccurate personal information that we hold about you. 
  • You may also have the right to opt-out of our “sale” or “use” (as these terms are defined in the US State Privacy Laws) of personal information for targeted advertising purposes. You can learn more by clicking the “Do Not Sell My Personal Information” link located in the footer of our website. 
  • You also have a right to receive notice of our practices before collection of personal information, and you have a right not to receive discriminatory treatment for exercising any of our rights described above.

As described above, you may assert these rights only where we receive a verified request from you. If you are a resident in a jurisdiction that includes the ability to use an authorized agent, the agent may submit a request on your behalf by following the process outlined above.

Finally, you may file an appeal of our decision to refuse your request to exercise your rights if you are in a jurisdiction that recognizes your right to appeal any decision we make under applicable US State Privacy Laws. You may request any such appeal by contact dpo@gympass.com. Please provide the state where you reside, accompanied by relevant documentation to support your claim. If you do not have a Gympass account, we may not be able to respond to requests to exercise your rights including, for example, the right to delete or the right to know personal information.  

Children
As noted in our Terms, you must be at least 16 years of age or the age of legal majority in your jurisdiction (if different than 16) to register as a primary account holder for Gympass Services and become a Gympass Member. While individuals under the age of 16 may utilize the service through a Family Member account in some circumstances, they may do so only with the involvement, supervision, and approval of a parent or legal guardian as the primary account holder.  If you extend the registration opportunity to a child and authorize payment for this account, you are expressly consenting to the collection and use of the child's Personal Data in accordance with this Privacy Policy. If you are a parent or guardian of a minor who has registered for or used the Services without your consent, please contact us and we will delete any personal data collected as quickly as possible.

Information for Supplemental Services 
This section provides information on how Gympass collects and processes your personal data when you agree to receive communications regarding Gympass products, services, or events before creating a Gympass account (for example, when you sign up for a Gympass webinar on wellness or you download a white paper from our website on a wellness topic). By agreeing to receive communications regarding products, services or events, you acknowledge that any personal data provided by you will be processed in accordance with this Privacy Policy.

Important information. Gympass US acts as the controller of such personal data where required under applicable law, except that GPBR acts as the data controller if you reside in Brazil. The personal data Gympass directly collects and processes from you may include the following categories of personal data: contact information, such as your name, job title, company name, address, phone number, email address, username and password, and any other information you voluntarily chose to share. We process your personal data to send you information, product recommendations and other non-transactional communications (for example, marketing newsletters) about us, our affiliates and partners. When processing your personal data we rely on your prior consent.

How we share your personal data. Your personal data may be disclosed to relevant third parties involved in the communications (for example, to a vendor who provides support services if you register for a webinar or to another entity if they are a co-sponsor of an event), to other Gympass affiliates, and as disclosed in the Gympass Privacy Policy.

International transfers and Retention. We may transfer, store and process your personal data outside of your country of residence for the purposes of organizing communications in accordance with applicable law, and as explained in this Policy. As explained in this Policy, Gympass will delete your data once the applicable retention period has expired in accordance with applicable law.

Your Preferences and Your Legal Rights. You may manage your receipt of communications from Gympass by following the directions provided in the communication (for example, by clicking on the “unsubscribe” link located at the bottom of Gympass marketing email). Please note that you may still receive important business communications regarding your current relationship with Gympass even if you opt out of marketing communications. You have a right to request access,update, delete or correct your personal data, where these rights are provided by applicable law and subject to certain exceptions. To exercise your rights, please contact us.

Changes to the Privacy Policy
We are constantly improving our Services, so we may need to update this Privacy Policy from time to time. If you decide to use and/or access the Services after any changes to the Privacy Policy have been posted, you have expressly consented to such changes and the revised Privacy Policy will apply.


Contact us
If you have any questions, contact Gympass' support team via our Help Center.

If you have questions relating to this Policy or Gympass' privacy practices, you may send an email to Gympass' Data Protection Officer at dpo@gympass.com.

Without prejudice to any other rights you may have to file a complaint with your local data protection regulator, you may also contact the Dutch Data Protection Authority,  Gympass' Lead Supervisory Authority, if you are located in the European Union. The Dutch DPA can be reached at the following address:
Autoriteit Persoonsgegevens
PO Box 93374
2509 AJ DEN HAAG
+31 (0) 70 - 888 85 00

Effective Date:Dec 19, 2023