Privacy Policy

Plain answers about what data Lumifit touches, why, and what control you have over it.

1. Who we are

Lumifit (“Lumifit”, “we”, “us”) operates lumifit.in and provides a business-to-business software platform that helps gyms manage operations, workouts and member engagement. You can reach us at contact@lumifit.in.

Lumifit plays two distinct roles, and your rights depend on which applies to you:

  • For gym owners and staff: we act as the data fiduciary for your account information.
  • For gym members: your gym is the data fiduciary. Lumifit processes your information on your gym's behalf and under its instructions, as a data processor.

2. Data we collect

2.1 From gym owners and staff

  • Account details: name, business name, email address, phone number, city.
  • Billing details: plan, payment records and GST information for invoicing.
  • Integration credentials you choose to connect (for example Twilio or WhatsApp Business API keys), stored encrypted and used solely to send messages on your gym's behalf.

2.2 About gym members (processed on the gym's behalf)

  • Identity and contact: name and phone number, as provided by the gym.
  • Membership data: plan type, start and expiry dates.
  • Activity data: attendance logs, completed exercises, workout history, points, streaks and milestones.
  • Device tokens for web push notifications, if a member opts in.

2.3 From website visitors

  • Information you submit through our contact form, which is sent to us by email.
  • We do not use advertising trackers or sell visitor data. Standard server logs (IP address, user agent) may be retained briefly for security.

3. Google Sheets access (“Trust Mode”)

If a gym connects a Google Sheet, Lumifit requests access through Google's OAuth consent flow. We access only the specific spreadsheet the gym connects, and only to read and write member-related rows needed to operate the platform. We do not access other files in the gym's Google account, and we do not use Google user data for advertising. Access can be revoked at any time from the gym dashboard or from the gym's Google account security settings, which immediately stops all syncing.

4. Messaging and consent

  • Workout reminders, attendance nudges and renewal alerts are sent over Web Push, Telegram, WhatsApp or SMS on behalf of the gym, typically through the gym's own channel credentials.
  • Gyms are responsible for obtaining their members' consent to receive these communications, and Lumifit provides the tools to honour opt-outs.
  • Members can stop messages at any time by replying STOP (where supported), disabling push notifications, or asking their gym to mark them as opted out — which takes effect across all channels.

5. How we use data

  • To operate the platform: member portals, magic links, workout tracking, dashboards.
  • To run automation the gym configures: retention nudges, reminders, expiry alerts.
  • To provide support, billing and GST-compliant invoicing.
  • To maintain security, prevent abuse and debug issues.

We do not sell personal data. We do not use member data for advertising. Gym data is never shared with other gyms — every tenant is isolated at the architecture level.

6. Who we share data with

We use a small set of service providers (sub-processors) strictly to deliver the product:

  • Twilio — SMS and WhatsApp message delivery.
  • Telegram — bot-based notifications.
  • SendGrid — transactional email.
  • Google — Sheets synchronisation, where enabled by the gym.
  • Cloud hosting providers — to run our infrastructure and store data securely.

Each provider receives only the minimum data needed for its function. We may also disclose information where required by law or to protect the rights and safety of our users.

7. Security

  • Strict multi-tenant isolation: every gym's data is siloed by design.
  • Encryption in transit (HTTPS/TLS) across the platform and member portals.
  • Member portals use secure, personal magic links instead of shared passwords.
  • Integration credentials are stored encrypted and never exposed to other tenants.

8. Data retention and deletion

  • Gym data is retained for as long as the gym maintains an active account.
  • On account closure, gym and member data is deleted from active systems within 30 days, except records we must keep for legal, tax or accounting purposes.
  • Gyms can export their data at any time and can request deletion of individual member records.
  • In Trust Mode, the source of truth remains the gym's own Google Sheet — disconnecting it removes our access immediately.

9. Your rights (DPDP Act, 2023)

We honour the rights of data principals under India's Digital Personal Data Protection Act, 2023, including the right to access, correct and erase personal data, and the right to grievance redressal. Gym members should direct requests to their gym first (as the data fiduciary); we support gyms in fulfilling them. You may also contact us directly at contact@lumifit.in — we acknowledge grievances within 7 days and aim to resolve them within 30.

10. Children

Lumifit is intended for use by adults. Where a gym enrols members under 18, the gym is responsible for obtaining verifiable parental or guardian consent as required by applicable law.

11. Changes to this policy

If we make material changes, we will notify gym owners by email and update the date at the top of this page. Continued use of the platform after changes take effect constitutes acceptance.

12. Contact

Questions, requests or complaints: contact@lumifit.in. See also our Terms of Service and Refund & Cancellation Policy.