Privacy Policy

Overview

ClubMogo (“we”, “us”) provides software that helps fitness facilities run their day-to-day operations. This policy explains what personal data we collect about three groups of people who use ClubMogo — members of the facilities we serve, their staff, and the operators who run them — and what we do with it.

We operate under India’s Digital Personal Data Protection Act (DPDPA), 2023. Where members are based in jurisdictions with additional protections — the EU’s GDPR, or applicable US state privacy laws — we apply those alongside the DPDPA.

Data we collect

The personal data we collect depends on whether you’re a member, a staff user, or a facility administrator.

From all users: name, email address, mobile number, authentication tokens, the IP address and device the request came from, and basic analytics about how you use the product.

From members: attendance and check-in history, class bookings, payment records processed through Razorpay (we do not store full card numbers), membership and pack history, self-submitted fitness profiles (body assessments, goals, attendance streaks), and communications you’ve had with the facility through ClubMogo’s WhatsApp, SMS, or in-app messaging.

From staff and operators: employment-context information needed to run the facility — role, assignment to facilities, payroll-related entries (commission, sessions delivered), and an audit trail of actions taken inside the product.

We do not knowingly collect biometric data, sensitive health records beyond what a member voluntarily submits, or special categories under the GDPR or DPDPA. If we ever add such features, we will update this policy and ask for fresh consent.

How we use data

We process personal data for the following limited purposes, each tied to a lawful basis under the DPDPA and, where applicable, the GDPR:

Service delivery — running the facility, processing check-ins, taking payments, sending receipts. Necessary for performance of the contract between the member and the facility.
Communications — operational reminders, renewal nudges, and one-to-one messages from the facility through WhatsApp, SMS, or email. Member-initiated communications are handled on the same lawful basis; marketing-style broadcasts require explicit consent.
Billing and tax compliance — generating GST-compliant invoices, reconciling subscriptions, and meeting Indian tax-record retention requirements.
Product quality and security — diagnosing errors, investigating abuse, preventing fraud. Limited to engineers on a need-to-know basis.
Aggregate analytics — anonymous or de-identified usage statistics that help us improve the product. We do not sell personal data, and we do not enrich our analytics with third-party advertising data.

Your rights (DPDPA / GDPR)

Under the DPDPA, you have the right to access your personal data, correct it, request its erasure, and withdraw consent for any processing you previously agreed to. Members can exercise most of these rights without contacting us — the in-app Data & Privacy Controls page (accessed through the member app or web) lets you download an export of your data or request deletion of your account.

For grievance redressal, our Data Protection Officer can be reached at privacy@clubmogo.com. We aim to respond within 14 working days.

If you are an EU resident exercising GDPR rights (access, portability, restriction, objection, lodging a complaint with a supervisory authority), please mention this in your request so we can route it correctly.

Cookies & tracking

ClubMogo uses a small number of cookies and similar technologies, grouped as follows:

Strictly necessary — Supabase authentication session cookies. Without these you cannot log in.
Preferences — the theme (light/dark) and interface choices you make.
Analytics — PostHog page-view and feature-use events, used in aggregate to understand product performance.

We do not use third-party advertising cookies. We do not allow cross-site behavioural tracking inside the product.

Children’s privacy

Member accounts may not be created independently by a child under 18. When a facility enrols a minor, the parent or legal guardian must be on the account as the verified contact, give consent in writing or in-app, and remain the recipient of all communications.

This aligns with Section 9 of the DPDPA. If you believe a child has signed up directly without parental involvement, please email us at privacy@clubmogo.com and we will remove the account.

Data retention

We retain personal data only as long as we need it for the purposes set out above:

Member account data — for the duration of the facility’s relationship with ClubMogo plus 12 months after the facility stops using the product, then deleted or anonymised.
Payment records and invoices — eight years from the date of issue, as required by Indian tax law.
Communications history — 24 months rolling window inside the product.
Application and access logs — 90 days, used for debugging, security investigations, and abuse prevention.

When a member requests erasure, we delete or de-identify their personal data within 30 days, except where we are legally required to retain it.

Changes to this policy

We may update this policy from time to time. If a change materially expands how we process personal data — adding a new purpose, a new sub-processor handling a new data type, or a new disclosure path — we will notify facility administrators by email and surface a banner inside the product for at least 30 days before the change takes effect.

Minor edits (clarifying language, fixing typos, adding contact details) are made without separate notice; we always update the “Last updated” date at the top of this page.

Contact us

For privacy questions, exercising your rights, or filing a grievance, email privacy@clubmogo.com. For everything else, you can also reach us at hello@clubmogo.com.