Legal

Privacy Policy

How we collect, use, and protect your information across the ThinkGym platform.

Effective date: 31 May 2026

This Privacy Policy describes how ThinkOMega IT Solutions Pvt Ltd ("ThinkOMega", "we", "us") collects, uses, and protects information when you use the ThinkGym mobile applications for Android and iOS, the ThinkGym web application at gym.thethinkomega.com, and the related backend services (together, the "Service"). The Service is provided to members and staff of gyms that have chosen to run on the ThinkGym platform.

If you do not agree with this policy, please do not use the Service.

1. Information we collect

We collect only what we need to run your gym membership. Specifically:

Account and identity

  • Phone number — used to log you in. We send a one-time password (OTP) over SMS through Firebase Authentication (provided by Google).
  • Name — shown on your profile and printed on invoices.
  • Gender — collected when your gym registers you.
  • Date of birth and anniversary (optional) — used by your gym for birthday greetings and age-related offers.
  • Address (optional) — collected by your gym for record-keeping.

Membership and attendance

  • Membership plan, start and end dates, payment history, outstanding balance — collected so you can see your membership status in the app.
  • Check-in timestamps — every time you check in at the gym using the biometric reader, the date and time are recorded so you and the gym have an attendance log.

Profile picture (optional)

  • If you upload a profile photo, it is stored on Amazon Web Services S3 and shown on your profile inside the Service. You can remove it at any time from the app.

Fingerprint enrollment (optional, gym-side)

  • If your gym uses an eSSL biometric reader, your gym's staff may enroll your fingerprint on the reader so you can check in without typing a code.

The raw fingerprint template stays on the physical reader device at the gym. What we store on our servers is only the link between your member record and the device's internal user ID, plus which finger slot was used. We do not receive, transmit, or store the fingerprint image or template.

Technical information

  • When the app talks to our servers, our infrastructure logs the standard request metadata (IP address, timestamp, request path, HTTP status, user agent). These logs are retained for short-term operational debugging and security monitoring.
  • The app uses your device's local storage (UserDefaults / SharedPreferences) to remember which gym you belong to and your login session, so you do not have to sign in on every cold start.

We do not collect:

  • Precise location.
  • Contacts list.
  • Microphone or camera content (the camera permission is only used when you actively tap to take a profile photo, and the image is uploaded only when you confirm).
  • Any health or fitness measurements beyond your check-in history.
  • Advertising identifiers. We do not use tracking SDKs and we do not show ads.

2. How we use information

  • To run your gym membership — show you your plan, balance, payments, attendance.
  • To authenticate you — verify your phone number via OTP at sign-in.
  • To communicate — let your gym contact you about your membership (renewal reminders, invoices). We may send transactional notifications (renewal due, payment received). We do not send marketing email or push.
  • To prevent abuse — detect and stop fraudulent sign-ins or impersonation attempts.
  • To comply with law — respond to lawful requests from competent authorities in India.

We do not use your information for cross-app or cross-site tracking, profiling for advertising, or sale to third parties.

3. Who we share information with

Your data is shared with three categories of recipient, and no others:

  • Your gym. The gym that registered you on the Service is the controller of your membership records. Their authorised staff can see your profile, attendance, and payment history through the admin side of the Service. If you have questions about how your gym uses your data, contact them directly.
  • Service providers acting on our behalf:
    • Google (Firebase Authentication, Firebase Cloud Messaging) — processes your phone number to send OTP SMS and, where enabled, to deliver push notifications.
    • Amazon Web Services (S3, RDS, EC2) — hosts our database and stores your profile photo. Servers are located in the AWS Asia Pacific (Mumbai) region.
    These providers are bound to use your data only to provide their service to us.
  • Legal authorities, when required by a valid legal process in India.

We do not sell, rent, or trade your personal information to anyone.

4. International transfers

Data is processed and stored in India (AWS Mumbai). Firebase Authentication may process your phone number through Google infrastructure that operates globally; Google is the data controller for that processing under its own privacy terms.

5. How long we keep your data

  • Account and membership records — kept while your account is active at your gym and for a reasonable period after, as required for accounting, tax, and dispute resolution under Indian law (typically up to 8 years for financial records).
  • Profile photos — deleted when you remove them or when your account is deleted.
  • Check-in logs — kept for the duration of your membership at the gym so you and the gym have a complete attendance history.
  • Operational logs — retained for short-term debugging (typically 30 days) and then rotated out.

6. Your rights

You can:

  • See your data — your profile, memberships, payments, and attendance are visible in the app at any time.
  • Correct your data — ask your gym to update incorrect information.
  • Delete your data — request deletion by emailing [email protected] from the phone number registered on your account. We will delete your personal information within 30 days, except where law requires us to retain financial records.
  • Withdraw consent — stop using the Service at any time; uninstalling the app does not by itself delete server-side records, so use the deletion request above if you want them removed.
  • Complain — if you believe we have mishandled your data, write to us first. You may also approach the relevant Indian authority.

7. Security

  • All network traffic between the app and our servers uses HTTPS.
  • Passwords (where used) are stored hashed with bcrypt.
  • Server access is restricted to authorised ThinkOMega personnel.
  • We follow industry-standard practices to protect data, but no system is perfectly secure. If you suspect unauthorised access to your account, contact us immediately.

8. Children

The Service is not directed to children under 13. If your gym registers a minor, the gym is responsible for obtaining a parent or guardian's consent. If you believe we hold data about a child without that consent, contact us and we will delete it.

9. Changes to this policy

We may update this policy from time to time. The "Effective date" at the top will change when we do. Material changes will be announced in the app. Your continued use of the Service after a change means you accept the updated policy.

10. Contact us

For privacy questions, deletion requests, or anything else relating to this policy:

  • Email: [email protected]
  • Company: ThinkOMega IT Solutions Pvt Ltd
  • Service: ThinkGym (gym.thethinkomega.com)

We aim to respond within 5 working days.