Last updated: 04 May 2026
This page lists the third parties that we engage to provide the GymOS service, and that may process personal data on behalf of our customers (gym operators) under UK GDPR. We refer to these third parties as Sub-processors.
This list forms part of our Terms and Conditions. Under those Terms, we give you at least 14 days’ notice on this page before we add or replace a Sub-processor. If you wish to object to a change, please email [email protected] within that 14-day window.
A note on what is and isn’t on this list. We list the third parties that may receive or process personal data of your members, your staff, or other individuals whose data is held in your GymOS account. We don’t list internal tools that we use only for our own operations and that do not process your customers’ data — for example, our own accounting, internal communication, or development tooling.
Sub-processors
| Sub-processor | Function | Processing location |
|---|---|---|
| Microsoft (Azure) | Cloud hosting infrastructure: compute, databases, storage, networking. The primary platform on which GymOS runs. | United Kingdom (primary), with secondary regions across the European Union and the United States |
| Google (reCAPTCHA, Maps, OAuth, and other services) | Bot protection on member-facing forms, location/mapping features, and authentication via Google Sign-In where you have enabled it | European Union and United States |
| Cloudflare | Content delivery network, DDoS protection, web application firewall, and (where used) IP-to-location lookup | Global edge network, with primary operations in the United States and the European Union |
| Twilio | SMS message delivery for messages sent through GymOS | United Kingdom, European Union, and United States |
| Authy (Twilio) | Two-factor authentication for staff and operator accounts | United States |
| SendGrid (Twilio) | Delivery of transactional and notification emails sent through GymOS | United States |
| APILayer | IP-to-location lookup as a fallback where Cloudflare is unavailable | European Union and United States |
| Stripe | Payment processing for member transactions | United Kingdom, European Union, and United States |
| GoCardless | Direct Debit collection (where you have enabled this option) | United Kingdom and European Union |
| Xero (customer-initiated integration) | Accounting integration: where you, the gym operator, choose to connect your Xero account, GymOS sends member transaction data to your Xero account on your instruction. This integration is enabled and managed by you. | United Kingdom, Australia, and other Xero data regions |
| Meta (WhatsApp Business API, Lead Ads, and Marketing APIs) | Member messaging via WhatsApp where enabled, and lead and marketing integrations where you have configured them | European Union and United States |
| Zendesk | Customer support helpdesk: tickets, conversations, and attachments raised by your team | European Union and United States |
| Vimeo | Hosting and delivery of workout and course video content uploaded to your GymOS account | United States |
| Zoom | Hosting of online classes for your members, where you have enabled this feature. Member identity information is provided to Zoom to facilitate session access. | United States, with regional infrastructure |
| OpenAI | AI-powered features within GymOS (text generation, drafting, summarisation) | United States |
| FAL.ai | AI-powered image and media generation features within GymOS | United States |
| GetImg | AI-powered image generation features within GymOS | European Union and United States |
| PDFMyURL | PDF generation for help articles and reference content | European Union |
For the current list of AI-specific Sub-processors, including the categories of processing they perform and our position on training data, see also gymos.com/ai-providers.
International transfers
Several of the Sub-processors above operate from, or use infrastructure in, locations outside the United Kingdom. Where personal data is transferred outside the UK, the transfer is made under the safeguards permitted by the UK GDPR — typically the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfer to a country with a UK adequacy decision.
Sub-processors’ sub-processors
Each of our direct Sub-processors may engage their own service providers (for example, infrastructure, banking, telecommunications, or sub-tier service providers). We require each of our Sub-processors to be bound by data protection terms equivalent in substance to those between you and us. We do not publish the full sub-processor chain of each of our Sub-processors; the equivalent-terms requirement is the protection.
Customer-initiated integrations
Some of the Sub-processors above are activated only when you, the gym operator, choose to enable a particular integration — for example, Xero accounting, WhatsApp messaging, or Zoom for online classes. Where this is the case, the integration is marked above. By enabling such an integration, you authorise the relevant data flow.
You can disable a customer-initiated integration at any time. Once disabled, no further data is sent to that Sub-processor, although data already shared remains under the terms of that Sub-processor (which form an independent contract between you and them, not us).
Changes to this list
We update this page when we add, replace, or remove a Sub-processor. The page itself is the notification — we do not send individual change notices to each customer, in line with our Terms and Conditions.
If you wish to be notified by email when this page changes, write to [email protected] and we will add you to the change-notification list.
Questions, objections, and audit requests
For any question about this list, any objection to a Sub-processor we have notified, or any audit-related request relating to a Sub-processor, please email [email protected].