Privacy Policy

Last updated: February 2026

This Privacy Policy explains how Gurnser Limited ("we", "us", "our"), the company behind the Gymzer app, collects, uses, stores, and shares your personal information when you use our mobile application and related services (collectively, the "Service"). By using Gymzer, you agree to the practices described in this policy.

    Summary: Gymzer is a fitness social and matchmaking app. We collect account information, location data, fitness data, and user-generated content to power matching, social features, and gym discovery. We share limited data with Firebase (Google), RevenueCat, Cloudflare, and Google Maps to operate the Service. You can delete your account and all associated data at any time.
  

1. Who We Are

Gurnser Limited is a New Zealand registered company that operates the Gymzer mobile application. Gymzer connects gym-goers with compatible workout partners, allows users to share fitness content (posts, lifts, personal records), discover nearby gyms, and communicate via in-app chat.

For questions about this Privacy Policy, please contact us using the details in Section 14.

2. Information We Collect

We collect information you provide directly, information generated by your use of the Service, and information from third-party services you connect.

2.1 Account & Profile Information

When you create an account, we collect:

Name – your display name (required)
Email address – collected via Firebase Authentication or Google OAuth (required)
Username – a unique public handle (required)
Age – stored as a numeric value (required, users must be 18 or older)
Gender – male, female, or other (required; used for matchmaking compatibility)
Location – a text description of your general location, e.g. city (required)
Profile photo – uploaded image of you (required)
Bio – a short personal description, up to 300 characters (optional)
Fitness interests – free-text field, up to 200 characters (optional)
Fitness level – beginner, intermediate, or advanced (required)
Privacy setting – whether your account is public or private (required)

2.2 Fitness Data

When you log lifts or posts, we collect:

Lift type (e.g. Squat, Bench Press, Deadlift, Overhead Press, Row, Other)
Weight lifted (in lbs) and plate configuration
Post and lift captions (up to 500 or 1,000 characters respectively)
Images and videos you upload for posts and lift records
Personal records (PR) for each lift type, derived from your uploaded lifts

2.3 Location Data

We collect your precise GPS location (latitude and longitude) when you:

Use the matchmaking feature to search for workout partners within a set radius; and/or
Use the gym search feature to find nearby gyms.

Location data is collected only in the foreground when you actively trigger these features. We do not track your location in the background. Your precise coordinates are temporarily stored in our matchmaking queue (see Section 4) while a search is active and are deleted when the match is found or when you leave the queue.

2.4 User-Generated Content

Posts – text, images, and videos you share on the feed
Lift records – fitness content with associated media
Comments – text comments on posts and lift records
Chat messages – messages you send in group or direct chat rooms

2.5 Social Graph Data

Your followers and following relationships
Follow requests (for private accounts)
Blocked user lists

2.6 Matchmaking & Search Preferences

When you search for workout partners, we temporarily store:

Your selected gyms (Google Place IDs and names)
Your search mode (gym-based or radius-based) and radius setting
Your matching preferences: preferred partner gender and fitness level
Premium users only: age range preference and partner gender filter per slot
Your current GPS coordinates during the search

2.7 Device & Usage Information

Device identifiers as required by Firebase Authentication
Usage patterns collected by Firebase Analytics (enabled by default in the Firebase SDK)
Error logs and crash reports

2.8 Subscription & Purchase Data

When you subscribe to Gymzer Premium, we store:

Subscription status (active, expired, cancelled, paused, billing issue)
Subscription expiry date
Product identifier and subscription period type (trial, intro, normal)
App store identifier (App Store or Google Play)
Transaction IDs from the app store (not full payment card details, which are handled by Apple/Google)
Approximate purchase price and currency as reported by RevenueCat

3. How We Collect Information

Directly from you – when you register, complete your profile, post content, search for partners, or contact us
Automatically – via the Firebase SDK when you use the app (usage data, session information)
From third parties – your name, email, and profile photo from Google if you sign in with Google OAuth; subscription status events from RevenueCat's webhook
From your device – GPS coordinates when you grant foreground location permission; camera/photo library access when you upload images or videos

4. How We Use Your Information

Purpose	Data Used	Legal Basis
Creating and managing your account	Name, email, username, age, gender, profile photo, fitness level, location	Contractual necessity
Displaying your profile to other users	Username, name, bio, photo, fitness level, privacy setting, posts, lifts, PRs	Contractual necessity / Legitimate interest
Matchmaking – finding workout partners	Gender, age, location (GPS), preferences, gym selections, fitness level	Contractual necessity
Gym discovery	GPS location (sent to Google Maps API)	Contractual necessity
In-app messaging	User ID, name, profile photo, chat messages	Contractual necessity
Personalised matching filters (Premium)	Age range preference, partner gender preference	Contractual necessity / Consent (opt-in subscription)
Subscription management	User ID, transaction IDs, subscription status	Contractual necessity
Safety – blocking and reporting	Block lists, user IDs	Legitimate interest
Rate limiting and abuse prevention	User ID, daily action counts	Legitimate interest
Audit and compliance	User ID, action type, timestamp (audit log)	Legal obligation / Legitimate interest
Improving the Service	Aggregated, anonymised usage data	Legitimate interest
Communicating with you	Email address	Contractual necessity / Legitimate interest

We do not use your personal data for advertising, sell it to third parties, or use it for purposes incompatible with those described above.

5. How We Share Your Information

We do not sell your personal data. We share your information only in the following circumstances:

5.1 With Other Users

Certain information is visible to other users of the app as part of the core features:

Public accounts: your username, name, profile photo, bio, fitness level, interests, posts, lifts, personal records, and follower/following counts are visible to all users.
Private accounts: your username and profile photo are publicly visible; other content is visible only to approved followers.
Matchmaking: when you are matched, your name and profile photo are shared with the other matched users in the group chat.
Chat messages: visible to all participants in the chat room, including your name and profile photo.

5.2 With Service Providers (Sub-Processors)

Provider	Purpose	Data Shared	Location
Google Firebase (Firebase Authentication, Firestore, Cloud Functions, Firebase Storage)	Authentication, database, serverless backend, file storage	All profile and content data, authentication credentials, GPS coordinates during searches	USA (and regions per Google Cloud's infrastructure)
Google Maps Platform (Places API)	Gym discovery and location search	Latitude & longitude coordinates, search radius, gym name queries	USA
RevenueCat	In-app purchase management and subscription lifecycle	Firebase UID (as subscriber ID), purchase receipts, subscription events	USA
Cloudflare R2	Media storage for images and videos	Uploaded photos and videos (posts, lifts, profile pictures)	Global CDN (data stored in Cloudflare's infrastructure)
Apple App Store / Google Play	In-app purchase processing	Purchase transactions (handled natively by device OS; we receive transaction IDs only)	Varies by store

5.3 Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Gymzer, our users, or the public.

5.4 Business Transfers

If Gymzer is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.

6. Data Storage & Retention

6.1 Where Data Is Stored

Data Type	Storage Location
User profiles, posts, lifts, comments, messages, matchmaking data, subscription records	Google Firestore (primary database)
Profile photos (older uploads), post and lift images (older uploads)	Google Firebase Storage
Profile photos (new uploads), post images, lift images, post videos, lift videos	Cloudflare R2
Authentication credentials	Firebase Authentication
Subscription & purchase records	RevenueCat servers (external)

6.2 Retention Periods

Account data: retained for as long as your account is active. Deleted within a reasonable period upon account deletion.
Posts, lifts, and comments: retained until you delete them individually or delete your account.
Chat messages: retained until you leave the chat room (leaving deletes your messages) or until you delete your account.
Matchmaking queue entries: deleted automatically when a match is found or when you leave the queue.
Daily search counts (rate-limiting data): stored per day; older records are retained for operational purposes and deleted upon account deletion.
Audit logs: retained for a reasonable period for security and compliance purposes.
Purchase records: retained as required for financial record-keeping obligations, and separately managed by RevenueCat.

7. Device Permissions

Gymzer requests the following device permissions:

Permission	Why We Need It
Location (Foreground)	To power radius-based matchmaking searches and to find nearby gyms. We do not access your location in the background.
Camera	To allow you to take photos or videos for your profile, posts, and lift records.
Photo Library / Media Library	To allow you to select existing photos and videos for upload.
File System (Android)	To read video files from your device for upload.

You can revoke any of these permissions at any time through your device settings. Revoking location access will prevent matchmaking radius search and gym discovery features from working.

8. Children's Privacy

Gymzer is intended for users aged 18 and over. We do not knowingly collect personal information from individuals under the age of 18. If you become aware that a child under 18 has provided us with personal data, please contact us immediately. If we become aware that a child under 18 has registered, we will promptly delete their account and all associated data.

9. Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

Firebase Authentication for secure sign-in (including OAuth with Google)
All data in transit protected by TLS/HTTPS encryption
Firestore Security Rules to restrict database access to authenticated users and their own data
Server-side validation and sanitisation of all user-submitted content (including XSS prevention)
Rate limiting on sensitive operations to prevent abuse
Pre-signed, short-lived URLs for media upload to Cloudflare R2
Audit logging of sensitive account actions
Environment variables for secret keys (RevenueCat webhook tokens, API keys)

However, no method of transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security. Please notify us immediately if you believe your account has been compromised.

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

Right	Description	How to Exercise
Access	Request a copy of the personal data we hold about you	Contact us at the email in Section 14
Correction	Request correction of inaccurate or incomplete data	Edit your profile in-app, or contact us
Erasure (Right to be Forgotten)	Request deletion of your personal data	Delete your account in-app (Settings → Delete Account) or contact us. This deletes your profile, posts, lifts, comments, chat messages, match history, personal records, and all media files.
Data Portability	Request your data in a structured, machine-readable format	Contact us at the email in Section 14
Restriction of Processing	Request that we limit how we process your data in certain circumstances	Contact us at the email in Section 14
Object to Processing	Object to processing based on legitimate interests	Contact us at the email in Section 14
Withdraw Consent	Where processing is based on consent, you may withdraw it at any time	Contact us or delete your account

Account Deletion — What Gets Deleted

When you delete your account, the following data is permanently deleted:

Your user profile (name, email, age, gender, location, bio, interests, fitness level)
All your posts and their associated images and videos
All your lift records and their associated images and videos
All comments you have made on posts and lifts
All your chat messages
Your matchmaking queue entries and matched group memberships
Your personal records
Your daily search and rate-limit tracking records
Your username reservation
Your entry in all followers/following lists
Your entry in all blocked users lists
Your profile photos and all uploaded media from Cloudflare R2 and Firebase Storage
Your Firebase Authentication account

Note: Subscription and purchase records held by RevenueCat and Apple/Google are managed by those platforms respectively and may be retained by them independently of our deletion.

We will respond to all legitimate requests within 30 days (or as required by applicable law).

11. Third-Party Services & Links

Our app integrates with third-party services whose privacy practices are governed by their own policies:

Google Privacy Policy (Firebase, Google Maps, Google OAuth, Google Play)
RevenueCat Privacy Policy
Cloudflare Privacy Policy
Apple Privacy Policy (App Store, In-App Purchases)

We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

12. International Data Transfers

Your personal data may be transferred to and processed in countries other than your country of residence, including the United States, where our primary service providers (Google Firebase, RevenueCat) are based. These countries may have different data protection laws than your home country.

When we transfer your data internationally, we rely on appropriate safeguards including standard contractual clauses, adequacy decisions, or other legally recognised transfer mechanisms.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date at the top of this page. For material changes, we may also provide in-app notification. We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Gurnser Limited (trading as Gymzer)

11 Mary Street, Mt Eden, Auckland, New Zealand

Email: [email protected]