Privacy Policy

1. Who we are

Combat Vault is a trading name of Combat Vault Limited, a company registered in England and Wales under company number 17075177. Our registered office is at 4 Riverside Avenue, Chorlton, Manchester, M21 7PU, United Kingdom. References to "we", "our", and "us" in this policy mean Combat Vault Limited.

This policy applies to the platform we operate at combatvault.io, including any subdomains we host on behalf of gyms.

2. Controller and processor

Combat Vault is a business-to-business platform sold to gyms. Different parts of this policy apply depending on how you use the Service.

If you are a gym, gym owner, coach, or other member of gym staff who has signed up for Combat Vault directly, we are the data controller for the personal data you give us when you sign up and use the platform.

If you are a gym member or lead whose information has been added to Combat Vault by your gym, your gym is the data controller for that information. Combat Vault is the data processor, which means we hold and process the data on the gym's behalf and only on its instructions. If you want to know how your gym uses or shares your data, contact your gym directly.

3. The data we collect

The data on the platform falls into a few buckets.

• Account information for gym staff: name, email address, hashed password, and role within the gym. If you sign in with Google we receive your name, email, and profile photo from Google.
• Gym member records: the information your gym chooses to store, which typically includes name, contact details, membership tier, attendance history, payment status, and signed contracts.
• Payment information: we never see or store full card details. Card payments are processed by Stripe and Direct Debit collections are processed by GoCardless. Only the metadata returned by those providers (such as the last four digits of a card, payment status, and a payment identifier) is stored on Combat Vault.
• Connected social accounts: if a gym connects its Instagram, Facebook, or Google Business Profile, we receive the access tokens and any data the platforms provide under the scopes the gym has approved.
• Usage and diagnostic data: server logs, error reports, and basic analytics events that help us run and debug the platform.
• Anything you send us: emails, support messages, and other correspondence you send to us directly.

4. Why we use it

We use the data to operate the platform and meet our obligations to gyms that have signed up. In practice that means:

• Running gym dashboards, class booking, and check-in.
• Taking and reconciling payments, generating invoices, and handling refunds.
• Sending transactional emails such as booking confirmations, payment receipts, password resets, and class reminders.
• Publishing posts and answering messages on the gym's connected social accounts when the gym instructs us to.
• Investigating bugs, monitoring uptime, and improving the product.
• Meeting our legal and tax obligations.

5. Lawful basis (UK GDPR Article 6)

• Contract: processing necessary to provide the platform to a paying gym customer.
• Legitimate interests: running the business, debugging, and security. We balance these against your rights and interests.
• Consent: when you opt in to optional things like marketing emails or social account connections.
• Legal obligation: tax records, accounting, and responding to lawful requests from authorities.

6. The third parties we share data with

We share data with the following providers, each of which processes data only on our instructions and under a written agreement:

• Vercel hosts the application and serves the website.
• Neon hosts the PostgreSQL database where gym data is stored.
• Stripe processes card payments and subscriptions.
• GoCardless processes Direct Debit collections.
• Resend delivers transactional emails.
• Sentry receives error and performance reports from the application.
• OpenAI processes prompts when AI features (such as content suggestions and lead scoring) are used. Prompts may include limited member or post content. OpenAI does not use API data to train its models.
• Meta (Facebook and Instagram) and Google are accessed when a gym connects those accounts. Your data is governed by their own policies once it leaves Combat Vault.

Each provider has its own privacy policy. We don't sell data to anyone.

7. Where the data lives

Combat Vault is a UK business. Most of our processors operate in the UK, the EEA, or the United States. Where data leaves the UK we rely on the UK Addendum to the EU Standard Contractual Clauses, or on the UK adequacy framework, to keep the same level of protection.

8. How long we keep it

We keep your data for as long as the gym's account is active. If a gym closes its account we delete the gym's data, including its members' records, after a reasonable wind-down period unless we're required to keep it for accounting or legal reasons (typically up to 6 years for financial records under UK tax law).

Gym staff can delete individual member records from inside the platform at any time. If you want your data removed sooner, email us using the contact details below.

9. Cookies

We use a small number of cookies. Some are strictly necessary for the platform to work, like the session cookie that keeps you signed in. We don't use third-party advertising cookies. The cookie banner on the website asks you to accept or reject non-essential cookies before any are set.

10. Your rights

Under UK GDPR you have the right to:

• Ask for a copy of the data we hold about you.
• Ask us to correct anything that's wrong.
• Ask us to delete it, where there's no overriding reason to keep it.
• Ask us to restrict or object to how we're using it.
• Ask for a portable copy in a machine-readable format.
• Withdraw consent for anything you previously consented to.

If your data is on Combat Vault because of a gym you're a member of, the gym handles these requests in the first instance. If we're the controller of your data, email us and we'll respond within one calendar month.

You also have the right to complain to the Information Commissioner's Office at ico.org.uk.

11. Security

All traffic is served over HTTPS. Passwords are stored as salted bcrypt hashes. Sensitive third-party access tokens are encrypted at rest. Database backups and access logs are maintained by our hosting providers. No system is perfectly secure, but if we find evidence of a breach affecting your personal data we will notify the ICO and, where required, you within 72 hours.

12. Children

The Combat Vault platform is intended for gym staff aged 16 and over. Gym members under 16 may have their information stored on the platform by their gym. In that case the gym is the data controller and is responsible for any consent required from a parent or guardian.

13. Changes to this policy

We'll update this policy when the platform changes or when the law requires it. The "Last updated" date at the top of this page reflects the most recent change. If a change is material we'll email account holders.

14. Contact us

For data protection questions, requests, or complaints:

• Email: admin@combatvault.io
• Company: Combat Vault Limited
• Company number: 17075177
• Registered office: 4 Riverside Avenue, Chorlton, Manchester, M21 7PU, United Kingdom