PRIVACY POLICY - Version 1.3 | Effective Date: 12

December 2025

GymGoer Pty Ltd (ABN 38 680 858 440)

1. Purpose and Scope

1.1 GymGoer Pty Ltd (“GymGoer”, “we”, “us” or “our”) is committed to protecting the privacy and personal information of individuals in accordance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs) set out in Schedule 1 of that Act.

1.2 This Privacy Policy outlines how we collect, use, disclose, store and manage personal information, including information collected through our mobile application, website, and related services (“Services”).

1.3 This Policy applies to all individuals from whom we collect personal information, including but not limited to users of the GymGoer platform (“Members”), representatives of subscribing gyms (“Gym Partners”), contractors, and other users or stakeholders.

1.4 Definitions

For the purposes of this Privacy Policy: “Minor Member” means a GymGoer user aged 16 or 17 years. “Guardian” means a parent or legal guardian with legal authority to provide consent on behalf of a Minor

Member.2. Minimum Age and Minor Members

2.1 The GymGoer platform and Services are available to individuals aged 18 years and over, and to individuals aged 16 or 17 years subject to verified parental or legal guardian consent.

2.2 Where a user is aged 16 or 17 years, GymGoer collects personal information, including identification documents, only with Guardian Consent provided through the Application and in accordance with this Privacy Policy.

2.3 GymGoer does not knowingly collect personal information from individuals under the age of 16.

3. Collection of Personal Information3.1 GymGoer may collect and hold personal

information including, but not limited to:

(a) Name, address, email address and phone number;

(b) Account login credentials;

(c) Payment and billing details (via third-party processors);

(d) Usage data including IP address, device ID, mobile operating system, browser type and access times;

(e) Location data, where permission is granted;

(f) Information voluntarily provided via feedback,

surveys or customer support;

(g) Attribution and analytics data collected through third-party providers (including AppsFlyer), such as device identifiers, referral source, advertising engagement, install timestamp, in-app activity events, crash reports, purchase event details (transaction value, currency, product ID, order ID, quantity), and performance diagnostics.

3.2 Personal information may be collected directly from the individual or via third parties, including Gym Partners and service providers.

3.3 GymGoer maintains records of user consent, including the time, method, and scope of consent provided in relation to the collection, use, and disclosure of personal information.3.4 Where a Member is a Minor Member, GymGoer may collect additional personal and sensitive information, including copies of government-issued identification documents of the Minor Member and their Guardian, for the purposes of age verification, identity verification, consent validation, fraud prevention, and legal compliance.

4. Use of Personal Information

4.1 GymGoer collects and uses personal information for purposes including, but not limited to:

(a) Providing and managing access to the GymGoer platform;

(b) Facilitating gym pass transactions and associated services;

(c) Communicating with users regarding updates, promotions or service offerings;

(d) Conducting analytics and improving functionality of our platform;

(e) Complying with legal obligations or responding to lawful requests;

(f) Measuring app performance, installs, referral activity, attribution, and purchase events through AppsFlyer and similar providers;

(g) Fraud prevention, account security, and verification of user activity;

(h) Delivering personalised recommendations, advertising, promotions, and aggregated business insights for Gym Partners.

4.2 Where permitted, GymGoer may use automated decision-making tools for limited purposes, such as fraud prevention, user segmentation, and gym or content recommendations. These tools do not make decisions that have legal or similarly significant effects without human oversight.

4.3 GymGoer complies with the requirements of the Spam Act 2003 (Cth). All commercial electronic messages sent by GymGoer contain accurate sender identification, provide a functional unsubscribe facility, and are only sent with the recipient’s express orinferred consent.

4.4 GymGoer provides users with the ability to manage the visibility of their profile and activity information within the platform.

4.5 GymGoer may use your personal information, including activity and interaction data, to deliver targeted advertising or tailored content through our Services or third-party platforms.

4.6 Identification documents collected for Minor Members and Guardians are used solely for verification, consent, security, fraud prevention, and legal compliance purposes, and are not used for marketing, profiling, or advertising.

5. Consequences of Non-Disclosure

5.1 If you choose not to provide certain personal information, GymGoer may be unable to:

(a) Register you for an account;

(b) Provide access to certain features or services;

(c) Respond to support requests or process transactions.

5.2 Where required identification or Guardian Consent is not provided or cannot be verified, GymGoer may refuse registration, suspend access, or terminate a Minor Member account.

6. Disclosure of Personal Information

6.1 We may disclose personal information to third parties where reasonably necessary for the purposes set out in this Policy, including to:

(a) Gym Partners;

(b) Employees, contractors, professional advisers and service providers;

(c) Third-party software and payment platforms (e.g., Apple Pay, Stripe);

(d) Analytics and attribution platforms (including AppsFlyer), which may collect and process device, usage, and purchase event data on our behalf for the purposes of tracking installs, user engagement, transactions, and referral outcomes;

(e) Cloud hosting, IT support, and security service providers;

(f) Regulatory bodies, courts or law enforcement agencies as required by law;

(g) Successors or assignees in the event of a business transfer.

6.2 All third parties receiving personal information are required to adhere to confidentiality obligations and may only use such information for the limited purposes for which it was disclosed.

7. Overseas Disclosure

7.1 Personal information may be disclosed to third parties located outside of Australia, including but not limited to the United States, Israel (AppsFlyer HQ), Singapore, and the European Union.

7.2 Where information is disclosed internationally, we implement safeguards in accordance with APP 8, such as:

(a) Binding contractual clauses;

(b) Use of providers with adequate data protection standards (e.g., GDPR-compliant platforms such as AppsFlyer);

(c) Ongoing assessments of overseas data handling practices.

8. Data Retention and Deletion

8.1 Personal information will be retained only for as long as is reasonably necessary to fulfil the purposes outlined in this Policy, or as required by applicable laws.

8.2 When personal information is no longer required, we will take reasonable steps to destroy or de-identify it securely.

8.3 Identification documents collected for Minor Members and Guardians are retained only for as long as reasonably necessary to verify eligibility, manage legal obligations, resolve disputes, or comply with regulatory requirements, after which they are securely deleted or de-identified.

9. Security of Personal Information

9.1 GymGoer implements appropriate physical, electronic and administrative safeguards to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.

9.2 Despite these safeguards, no data transmission can be guaranteed as fully secure. You acknowledge and accept this risk when transmitting information to us.

9.3 In the event of a data breach likely to result in serious harm, we will notify affected individuals and report to the Office of the Australian Information Commissioner (OAIC) within required timeframes.

9.4 GymGoer implements internal controls and procedures to ensure that personal information used for marketing purposes is handled in accordance with applicable privacy and electronic communications laws.

9.5 Access to identification documents provided by Minor Members and Guardians is restricted to authorised personnel only and protected by enhanced security controls appropriate to the sensitivity of the information.

10. Access and Correction

10.1 You may request access to, or correction of, personal information held about you by contacting our Privacy Officer at help@joingymgoer.com.

10.2 We will respond to access or correction requests within 30 days, subject to applicable exceptions under the Privacy Act. A reasonable administrative fee may apply.

10.3 You may request the deletion of your personal information held by GymGoer by contacting our Privacy Officer. Subject to legal and operational requirements, we will take reasonable steps to permanently delete, de-identify, or anonymise your information within 30 days of confirming your identity and request. Certain information may be retained where required by law, regulatory obligations, or for dispute resolution purposes.

11. Complaints Procedure

11.1 If you have a complaint regarding our handling of personal information, please contact:

Privacy Officer
GymGoer Pty Ltd
Suite 10, 1/84 Mount Eliza Way,
Mount Eliza VIC 3930
Email: help@joingymgoer.com

11.2 We take all complaints seriously and will respond in writing within a reasonable period.

12. Opt-Out Options12.1 You may opt out of:

(a) Marketing communications by using the unsubscribe link or contacting us directly;

(b) Location tracking via your device settings;

(c) AppsFlyer tracking by adjusting device settings (“Limit Ad Tracking” on iOS / “Opt Out of Ads Personalisation” on Android), or by contacting us to request suppression of tracking identifiers. This may limit our ability to attribute installs or purchases to campaigns;

(d) Targeted advertising delivered via third-party platforms;

(e) Data collection by uninstalling the GymGoer mobile application.

13. Cookies and Tracking Technologies

13.1 We may use cookies, pixels, SDKs, or similar technologies to enhance user experience, monitor usage, and deliver analytics.

13.2 Automatically collected information may include device identifiers, IP addresses, usage times, referral sources, in-app activity events, and browsing behaviours.

13.3 In particular, GymGoer integrates AppsFlyer SDK technology, which automatically collects device identifiers, referral URLs, advertising interactions, app open/install events, purchase event details (e.g., revenue, currency, product ID, order ID, quantity), and engagement data. This information is used to attribute installs and purchases, track referrals, detect fraud, and improve app performance.

13.4 Users may disable or limit certain tracking technologies through device or browser settings, but some features may be impaired.

14. Location Information

14.1 With your consent, we may use location services (e.g., GPS) to determine your current location for service-related features. You may revoke consent via your device settings at any time.

15. Third-Party Links and Integrations

15.1 The GymGoer platform may contain links to third-party websites or apps. We are not responsible for the privacy practices of these entities.

15.2 GymGoer does not store or process payment card information. All payments are processed securely by third-party providers such as Apple Pay and Stripe.

15.3 Where GymGoer integrates with third-party platforms such as AppsFlyer, Stripe, or Apple Pay, your data may be shared in accordance with their privacy policies, which you are encouraged to review.

16. Amendments to this Privacy Policy

16.1 GymGoer reserves the right to amend this Privacy Policy at any time. Amendments will be published on our website and will take immediate effect upon posting.