Privacy Policy
Building Rome LLC, doing business as 5 Mile Gym ("we," "us," "our"), respects your privacy. This Privacy Policy explains what information we collect, why we collect it, how we use it, and your rights. It applies to our mobile app, website, and related services (collectively, the "Service").
1. Information We Collect
| Category | Examples | Source |
|---|---|---|
| Account | Email, full name, account creation date | You, at signup |
| Billing | Stripe customer ID, subscription status, plan, billing history | Stripe, on subscription |
| Pass usage | QR token, expiration time, scan timestamp, gym scanned at, scan IP | The verification system, on each scan |
| Visits | User ID, gym ID, timestamp, hotel referral flag | The mobile app and verification system |
| Device | App version, OS version, device model, language, time zone | Your device, on app launch |
| Analytics | Page views, button clicks, funnel events | Marketing site and app, via PostHog |
| Support | Messages and attachments you send us | You, on contact |
We do not collect government-issued IDs, biometric data, or payment card numbers (Stripe handles cards directly).
2. How We Use Your Information
- Operate the Service: authenticate you, issue QR passes, verify visits, process payments, send transactional messages (receipts, password resets, subscription notices).
- Improve the Service: understand which features and gyms are used, debug issues, plan capacity, identify abuse.
- Communicate with you: respond to support requests, send service updates, occasional product announcements (you may opt out of non-transactional emails).
- Comply with law: meet tax, audit, and regulatory obligations; respond to lawful requests from authorities.
- Detect fraud: identify scan abuse, account sharing, payment fraud, or other policy violations.
3. Legal Basis (for users in the EEA/UK)
We process personal data on the basis of: (a) performance of a contract (operating your subscription); (b) our legitimate interests (security, product improvement, fraud prevention); (c) legal obligation (tax, regulatory); and (d) consent where required (marketing communications). You may withdraw consent at any time.
4. Sharing
We share personal data only as described below:
- Service providers. Stripe (payments), Supabase (database and authentication), Vercel (web hosting), PostHog (product analytics), and email delivery providers. Each is bound by a data-processing agreement and processes data only on our instructions.
- Gym partners. When you scan in, the gym sees your name and the validity of your pass on the verification page. We do not share your email, billing details, or visit history with gym partners. We may share aggregate, non-identifying visit counts with gym partners for reporting.
- Hotel partners (if you activate a hotel referral). We may share that a referred guest used the Service, without identifying you by name.
- Legal and safety. We may disclose information to comply with valid legal process, protect our rights or property, or protect the safety of users or the public.
- Business transfers. If we are acquired or merged, your information may be transferred to the successor entity, subject to this Privacy Policy.
We do not sell personal data and do not allow third parties to use it for their own marketing.
5. Cookies and Analytics
The marketing site uses only the cookies needed for basic functionality, plus PostHog for product analytics. PostHog is configured to anonymize IP addresses and to respect the Do-Not-Track header where applicable. You can opt out of analytics in your browser or, once available, via your account settings.
6. Data Retention
- Account data: kept for as long as your account is active, then deleted within 90 days of account closure, except where retention is required by law.
- Billing records: kept for 7 years to meet tax and audit obligations.
- QR tokens: kept for 30 days, then purged.
- Visit logs: kept for 24 months in identifiable form, then aggregated.
- Analytics events: kept for 24 months.
7. Your Rights
You have the right to: access the personal data we hold about you; correct inaccurate data; delete your account and data (subject to legal retention obligations); export your data in a portable format; restrict or object to certain processing; and lodge a complaint with your local data protection authority. Email info@buildingrome.dev to exercise these rights. We will respond within 30 days.
8. California Residents
If you are a California resident, you have additional rights under the CCPA and CPRA, including the right to know what personal information we have collected, the right to delete it, and the right not to be discriminated against for exercising these rights. We do not sell personal information.
9. Children's Privacy
The Service is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact info@buildingrome.dev and we will delete it.
10. Security
We use industry-standard safeguards including TLS for data in transit, encryption at rest, database row-level security policies that scope each account's access to its own records, single-use rotating QR tokens, and access controls limiting personal-data access to authorized personnel. No system is perfectly secure; if a material breach affects you, we will notify you as required by law.
11. International Transfers
We are based in the United States, and our service providers may process data in the United States and other countries. If you are in the EEA or UK, transfers are made under appropriate safeguards (Standard Contractual Clauses or equivalent).
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or in-app notice at least 14 days before the changes take effect.
13. Contact
Privacy questions: info@buildingrome.dev
Building Rome LLC dba 5 Mile Gym, Pentagon City, NCR