Privacy Policy

This Privacy Policy explains how Rellavo, Inc. (“Rellavo,” “we,” or “us”) handles personal information when you use a Rellavo-built mobile app or web application on behalf of your gymor any other Rellavo customer (each a “Tenant”).

Rellavo provides the software platform. The Tenant — your gym, community center, or studio — is the organization you joined and is the entity that controls how your member record is used in the course of running their business. Rellavo processes personal data on the Tenant’s behalf as a service provider, and also on its own behalf for the limited operational purposes described below.

Account & identity

Email address, password (stored as a one-way hash via Supabase), full name, phone number, optional profile photo, and any nickname you provide. If your Tenant assigns you a member ID or barcode, we store that too.

Profile & demographics

Date of birth, gender, mailing address, emergency contact, relationship to other family members on a shared membership, and any optional fields you fill in (interests, volunteer/donor status, etc.). You decide what is optional vs. required at signup; required fields are marked clearly in the app.

Activity & usage

Class registrations and check-ins, court reservations, program registrations, personal-training appointments, workout history, signed waivers, facility entry events, and any internal notes added by Tenant staff. This is the operational record your Tenant keeps about your participation.

Payments

When you add a payment method, the card number and CVC are sent directly from your device to Stripe, our payment processor. Rellavo never sees or stores raw card numbers. We store the Stripe customer ID, the last four digits + brand of cards on file, and the history of charges and refunds. Your Tenant’s bank account is the merchant of record for membership and program billing.

Device & technical

Push-notification token (if you grant the OS prompt), Apple/Google calendar permission state, app version, OS version, and device model — used to deliver notifications and diagnose issues. We do not collect cross-app advertising identifiers (IDFA / GAID), and we do not use third-party advertising SDKs.

Children

Our apps are intended for users 13 and older. Some Tenants offer family memberships that include information about children under 13 — that information is provided and managed by a parent or legal guardian who is the primary on the membership, and is treated as the parent’s data for legal purposes.

• Provide the service: signing you in, showing your reservations, processing payments, syncing your calendar.
• Communicate with you: account confirmations, receipts, reminders, and Tenant-initiated messages you have not opted out of.
• Operate the Tenant’s business: attendance reporting, billing, retention analysis, and any other CRM-style use the Tenant makes of their own member data.
• Maintain security and prevent fraud: detecting suspicious sign-ins, throttling abusive use, retaining minimum logs for incident response.
• Comply with legal obligations: tax records, financial audits, and lawful requests from regulators or courts.

We do not sell or rent your personal information, and we do not share it with third parties for their own marketing purposes.

The minimum set of vendors and parties needed to deliver the service:

• Your Tenant — they are the controller of your member record and access it to operate their business.
• Supabase — database hosting, authentication, file storage. SOC 2 Type II audited.
• Stripe — payment processing. PCI-DSS Level 1 audited.
• Twilio — SMS delivery, when your Tenant sends you texts.
• Resend — transactional email delivery.
• Apple & Google — push notifications, optional calendar sync, and app distribution.
• Vercel — web app hosting and edge networking.
• Government and law-enforcement requests — only when legally required, and we will notify you unless prohibited by law.

You can permanently delete your account from inside the app at any time. Settings → Delete account. When you delete:

• Your login credentials are removed and you can no longer access the app.
• Your name, email, phone, address, emergency contact, and other personally identifying fields are removed from active records.
• Saved payment methods are detached and Stripe-issued payment-method tokens are revoked.
• Future class, court, program, and appointment reservations are cancelled.

The Tenant retains anonymized financial and operational records — invoices, payments, attendance, waiver-signed timestamps — to satisfy their accounting, tax (typically 7 years), regulatory, fraud prevention, dispute resolution, and audit obligations. These records no longer carry your name or contact details, but they do reflect that an account existed and consumed the listed services.

If you want a fuller erasure, including from anonymized records (subject to applicable retention-of-records laws), email us at privacy@rellavo.com. We may need to verify your identity before acting on the request.

Depending on where you live, you may have the right to:

• Access the personal data we hold about you (right to know).
• Correct inaccurate data.
• Delete your data (right to erasure / right to delete).
• Receive a portable copy of your data (right to data portability).
• Object to or restrict certain uses of your data.
• Withdraw any consent you previously gave.
• Lodge a complaint with your local data-protection authority.

California residents have rights under the California Consumer Privacy Act (CCPA / CPRA), and EU/UK residents have rights under the GDPR. Email privacy@rellavo.com to exercise any of the above. We do not discriminate against members who exercise their rights.

Personal data is encrypted in transit (TLS 1.2+) and at rest. Database access is protected by row-level security so a member of one Tenant cannot read another Tenant’s records, and admin access to Rellavo’s systems is restricted, logged, and reviewed. We notify you and the relevant authorities of any breach affecting your data within the timelines required by applicable law.

Rellavo is based in New York, New York, and our infrastructure is located in the United States. If you access the app from outside the U.S., your data is transferred to the U.S. for processing and storage. We rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) where required.

We may update this Privacy Policy as the product evolves or laws change. Material changes are announced inside the app and by email at least 30 days before they take effect. The latest version is always at rellavo.com/legal/privacy, and the effective date at the top of this page tells you which version you’re reading.

For privacy questions or any of the rights listed above, email privacy@rellavo.com. For day-to-day membership questions, please contact your gym directly — they hold your member record.