Privacy Policy
Last updated: June 2026
Who this policy applies to: Gym operators and fitness studio owners who use Retain Analytics, and gym members whose data is processed through our service. If you are a gym member with questions about how your data is handled, please contact your gym in the first instance.
1. Who we are
Retain Analytics is a membership retention analytics service operated in New Zealand. We provide gym and fitness studio operators with a weekly dashboard showing which members are at risk of cancelling their membership, and tools to act on that information.
For the purposes of the New Zealand Privacy Act 2020, Retain Analytics is the agency responsible for personal information processed through this service.
2. Information we collect
From gym operators (via CSV upload)
Gym operators upload a member export from their gym management software. This typically contains:
- Member IDs and names
- Membership type and status
- Join date and last visit date
- Visit history, and booking and cancellation records
- Account balance and payment status
- Membership start and expiry dates
- Freeze or pause status
We do not require, and ask gyms not to include: phone numbers, home addresses, dates of birth, health information, bank account details, or payment card details.
From demo requests (via contact form)
- Name and email address of the gym owner or staff member
- Gym name, location, type, and management software
- Any message content submitted voluntarily
From website visitors
- Standard server logs via Vercel Analytics (page views, browser type, country-level location). No advertising cookies or cross-site tracking.
3. How we use information
Member data uploaded by gym operators
Member data is used to:
- Calculate a weekly risk score for each member against their own historical baseline
- Populate the gym's Retain Analytics dashboard
- Track week-on-week movement (worsening, improving, recovered)
- Calculate estimated revenue at risk and ROI from outreach
- Generate plain-language AI insights on a member's risk pattern when requested by gym staff (see section 4 - AI processing)
We do not sell, share, aggregate across gyms, or use member data for any purpose other than providing the service to the gym that uploaded it.
Contact form submissions
Used only to respond to demo requests and schedule calls. Not added to any marketing lists.
4. Data storage and security
Dashboard data (risk scores, run history, outreach logs) is stored in Supabase, a managed PostgreSQL database service operated by Supabase Inc. (United States). Data is encrypted at rest and in transit. Access is restricted to the gym's authorised staff via email-based authentication.
Pipeline processing (running the analysis when a CSV is uploaded) occurs on Railway (Railway Corp., United States). Raw CSV files are not stored permanently; processed data (risk scores and movement history) is written to the Supabase database.
The dashboard website is hosted on Vercel (Vercel Inc., United States). Access to the underlying database is limited to Retain Analytics and is not shared with third parties.
AI processing - Groq
The member detail page includes an optional AI insight feature that generates a plain-language summary of a member's risk pattern. When a gym operator requests an AI insight, the following data is sent to Groq Inc. (United States) for processing: the member's name and behavioural data (visit frequency, days absent, movement trend, and risk factors). This data is transmitted securely and is not retained by Groq beyond the duration of the inference request, in accordance with Groq's terms of service.
AI insights are only generated when the gym operator actively requests them by clicking the insight button. They are not generated automatically.
5. International data transfers
Retain Analytics is based in New Zealand. Our service providers - Supabase, Railway, Vercel, and Groq (for AI insights) - operate infrastructure in the United States. By using Retain Analytics, gym operators acknowledge that member data will be transferred to and processed in the United States.
Gym operators are responsible for ensuring they have an appropriate basis under the Privacy Act 2020 (and any other applicable legislation) for sharing member information with Retain Analytics and for this international transfer.
6. Automated processing and human oversight
Retain Analytics uses an automated algorithm to calculate weekly risk scores for gym members. Scores are based on attendance patterns, booking behaviour, payment history, and tenure - compared against each member's personal historical baseline.
No automated decisions are made about gym members. Risk scores are presented to gym staff as a prioritised list to help focus their outreach efforts. All decisions about whether to contact a member, what to say, and how to respond are made by a human gym staff member. Members are not automatically notified, penalised, or removed based on their score.
7. Gym operator responsibilities
Gym operators who use Retain Analytics are the data controllers for their members' personal information. Retain Analytics acts as a data processor on their behalf. Gym operators are responsible for:
- Having a lawful basis for sharing member data with Retain Analytics (typically their existing gym membership agreement and privacy policy)
- Ensuring their privacy policy covers the use of third-party analytics services, including Groq (if they use the AI insight feature)
- Conducting human review before any outreach to members
- Ensuring member outreach is framed naturally - members should not be told they were flagged by an automated scoring system
8. Data retention
- Active subscription: Dashboard data is retained for the duration of the gym's subscription.
- After cancellation: All gym-specific data (member risk scores, run history, outreach logs) is permanently deleted within 30 days of the subscription ending.
- Contact form submissions: Retained for up to 12 months, then deleted.
Data deletion requests can be made at any time - see section 10 below.
9. Your rights under the Privacy Act 2020
Under the New Zealand Privacy Act 2020, individuals have the right to:
- Access - request a copy of personal information we hold about you
- Correction - request that inaccurate information be corrected
- Deletion - request that your information be deleted (subject to any legal retention obligations)
- Complaint - make a complaint if you believe your privacy rights have been breached
If you are a gym member, your personal information is held primarily by your gym. Please contact your gym first. If you need to contact us directly, use the details in section 10.
10. Contact and data deletion requests
For privacy enquiries, access requests, correction requests, or data deletion requests:
We will respond to requests within 20 working days in accordance with the Privacy Act 2020.
You may also contact the Office of the Privacy Commissioner (privacy.org.nz) if you believe your privacy rights have been breached and we have not resolved your complaint.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects when changes were last made. Continued use of Retain Analytics after changes are posted constitutes acceptance of the updated policy.