Privacy Notice

Last updated: 11 June 2026

1. Who we are

Membry ("we", "us") provides member management software for gyms, martial arts academies, and clubs. This notice explains what data we collect, how we use it, and the rights you and your members have.

2. What we collect

From gym owners and staff

  • Account info: name, email, password (hashed)
  • Gym details: name, address, contact info, logo, timezone
  • Usage data: pages visited, actions taken (for product improvement)

From members (uploaded by gym staff)

  • Name, email, phone, date of birth, emergency contact, membership status
  • Class bookings, attendance records, payment history

3. How we use it

  • Provide the service (logins, bookings, attendance, billing)
  • Send transactional emails (invites, password resets, receipts)
  • Power optional AI features for your gym (drafting messages, summarising your gym's own statistics, and a member's in-app monthly training recap). These send only limited data — such as a member's first name, activity figures (e.g. attendance), belt rank and most-attended class — to our AI provider, Anthropic (United States). We never send health notes, date of birth, contact details, photos or payment data. Staff-facing drafts are reviewed and edited by your gym before use; some member-facing text (such as the in-app monthly recap) is generated and shown to the member automatically. This data is not used to train AI models.
  • Improve the product based on aggregated usage

We do not sell your data or your members' data, and we do not use either for advertising.

4. Where it lives

Your data is stored in the European Union — on Supabase (Amazon Web Services, Ireland / eu-west-1). Our application is served via Vercel. We comply with GDPR, and each gym's data is isolated using row-level security.

5. Sharing & sub-processors

We share data only with the service providers (sub-processors) we need to run Membry:

  • Supabase (EU — Ireland / eu-west-1) — database, authentication, and file storage
  • Vercel — application hosting and delivery
  • Stripe — payment processing (card details go directly to Stripe and never touch our servers)
  • Resend — transactional and gym-sent email
  • Anthropic (United States) — optional AI features (limited data, as described in section 3; not used for model training)
  • Expo — mobile push-notification delivery (device push tokens)
  • Cloudflare Turnstile — bot protection on sign-up forms

Beyond these, we disclose data only to authorities where legally required, and we notify you when permitted. We'll update this list before adding a new sub-processor.

6. Your rights

Under GDPR you can request access to, correction of, or deletion of your personal data. Members should request these via their gym in the first instance, and we'll support that request. For platform-level concerns, email hello@membry.org.

7. Children & members under 18

Many gyms train members under 18 (kids' and juniors' classes). Where a gym adds data about a minor, the gym is the data controller and is responsible for obtaining the appropriate consent from a parent or guardian. We process that data only on the gym's instructions, to provide the Service.

We do not knowingly collect personal data directly from children. Members under 18 interact with Membry through their gym and, where relevant, a parent or guardian account.

8. Data retention

We keep your data for as long as your account is active. If you cancel, we retain it for 30 days so you can reactivate or export, then delete it — unless we're required to keep it longer (for example, invoices for tax purposes).

9. Cookies

We use only essential cookies (session, auth, CSRF). No tracking or advertising cookies. Any analytics we use is privacy-friendly and cookieless.

10. Changes

We'll post any updates to this page and notify gym owners by email of material changes.

Questions? Email hello@membry.org.