Data Processing Policy

Effective Date: July 15, 2025 | Last Updated: July 15, 2025

This Data Processing Policy (“DPP”) describes how Jack Solutions LLC (“Processor”) handles personal data on behalf of Customers (“Controllers”) who use the GymBot Service.

1. Roles & Responsibilities

Controller (Customer): The gym or fitness business that determines the purposes and means of processing member data. The Customer is responsible for obtaining appropriate consent or legal basis for data processing.
Processor (Jack Solutions LLC): Processes gym member data solely on the Controller’s behalf, per the Controller’s instructions, and in accordance with this DPP.

2. Categories of Data Processed

Category	Examples	Purpose
Identity Data	Name, email, phone, member ID	Member identification, communications
Membership Data	Agreement status, billing info, package details	Billing management, retention workflows
Communication Data	SMS/email content, call recordings, timestamps	AI response generation, follow-up automation
Appointment Data	Training sessions, calendar events	Scheduling, attendance tracking
Usage Metrics	Feature usage counts, API calls, license key	Billing, rate limiting, support

3. Sub-Processors

We engage the following sub-processors to deliver the Service. By using GymBot, the Controller authorizes these sub-processors:

Provider	Purpose	Data Shared
Google (Gemini AI)	AI response generation	Conversation context, member first name
Groq	AI inference	Conversation context
Vapi	AI voice calls	Phone numbers, call scripts, recordings
Deepgram	Speech-to-text	Voice audio streams
Twilio	SMS delivery	Phone numbers, message content
Stripe	Subscription billing	Customer email, subscription status
Square	Member payment processing	Invoice amounts, member identifiers
Railway	Server hosting	License keys, usage metrics, webhook data
Gmail / SendGrid	Email delivery	Email addresses, message content
Meta (Facebook/Instagram)	Social media posting	Post content, page analytics

We will notify the Controller before adding new sub-processors that handle personal data. The Controller may object within 14 days.

4. Security Measures

All data in transit encrypted via TLS 1.2+.
API authentication via HMAC-SHA256 signed requests.
Stripe payment data secured under PCI-DSS compliance (handled by Stripe).
Database access restricted to authenticated application processes.
License keys and secrets stored as environment variables, never in source code or logs.
Webhook payloads verified via cryptographic signature before processing.
Local data stored in encrypted SQLite database on Customer-controlled hardware.

5. Data Breach Notification

In the event of a personal data breach, we will:

Notify the Controller within 72 hours of becoming aware.
Provide details of the nature, scope, and likely consequences.
Describe measures taken or proposed to mitigate the breach.
Cooperate with the Controller’s obligation to notify supervisory authorities and affected individuals.

6. Data Subject Requests

If we receive a request from a data subject (gym member) regarding their personal data, we will promptly forward it to the Controller. We will assist the Controller in fulfilling data subject requests including access, rectification, erasure, and portability.

7. Data Deletion & Return

Upon termination of the Service:

Customer Data on our proxy server is retained for 30 days, then permanently deleted.
Local data on Customer hardware remains under Customer control.
Customers may request a data export before termination by contacting support.
Billing and webhook logs are retained for 7 years per legal requirements.

8. International Transfers

Some sub-processors may process data outside your jurisdiction. Where applicable, we rely on Standard Contractual Clauses or other approved transfer mechanisms to ensure adequate protection.

9. Audit Rights

The Controller may request, no more than once per year with 30 days’ notice, information reasonably necessary to demonstrate compliance with this DPP. We will cooperate with reasonable audit requests.

10. Contact

Jack Solutions LLC
Email: j.mayo@jacksolutionsllc.com
Website: www.jacksolutionsllc.com