Privacy Policy

Last updated: 1 April 2026 · Governs all Nexus users worldwide

In plain English

  • ✓ We collect only what we need to run the platform
  • ✓ We never sell your data or use it for advertising
  • ✓ We use Australian-based infrastructure where possible
  • ✓ You can request a copy or deletion of your data at any time
  • ✓ We use essential-only cookies — no tracking pixels

1. About Us and This Policy

Nexus ("Nexus", "we", "us", "our") is a gym and fitness club management platform operated by Alestra Pty Ltd, based in Victoria, Australia. Alestra Pty Ltd (ABN: [ABN to be published], ACN: [ACN upon incorporation]) is the data controller for your personal information. Our registered address is: [Physical address to be published upon incorporation], Victoria, Australia. For privacy enquiries, contact us at privacy@alestra.app.

We take privacy seriously and are committed to handling personal information responsibly. This Privacy Policy explains what information we collect, why we collect it, how we use and share it, and the choices you have. It applies to:

  • Club owners, managers, coaches, and reception staff ("Club Users") who use the Nexus web portal
  • Gym members who use the Nexus member mobile app ("Members")
  • Visitors to our marketing website

By using Nexus, you consent to the practices described in this policy. If you do not agree, please do not use our services.

2. Information We Collect

We collect information in three ways:

**Information you provide directly:**

  • For Club Users: name, email address, password, club name, address, phone number, ABN (optional), and billing details processed by Stripe
  • For Members: first and last name, email, date of birth, profile photo, emergency contact details, and health notes (optional, voluntarily provided)
  • Contract signatures (drawn or typed) and signed document data
  • Communications you send to us via contact forms or email

**Information generated by using the platform:**

  • Class bookings and attendance records
  • QR code check-in events with timestamp and location
  • Payment history and subscription status
  • Push notification preferences and delivery logs
  • Session credits and personal training records
  • Achievement badges and attendance streaks

**Technical information collected automatically:**

  • IP address and approximate location
  • Browser type, version, and operating system
  • Device type and identifiers (for mobile app)
  • Pages visited, features used, and time spent on platform
  • Error logs and crash reports (via Sentry)
  • Cookies and local storage data (authentication tokens)

3. How We Use Your Information

We use personal information for the following purposes:

**To provide and operate the Service:**

  • Authenticate you and maintain your session
  • Process class bookings, waitlists, and check-ins
  • Generate and store digital contracts and e-signatures
  • Send booking confirmations, class reminders, and transactional notifications
  • Process payments and issue receipts via Stripe
  • Provide club owners with member management tools

**To improve the Service:**

  • Analyse usage patterns to improve features and fix bugs
  • Monitor performance, security, and reliability
  • Develop new features based on common usage patterns (aggregated, not individual)

**To communicate with you:**

  • Send transactional emails (booking confirmations, receipts, password resets)
  • Send class and renewal reminder notifications (where opted in)
  • Respond to support requests and contact form submissions
  • Send club announcements created by club staff (where opted in)
  • Send product updates and marketing communications from Alestra (where opted in separately)

**To comply with legal obligations:**

  • Retain financial records as required by Australian tax law
  • Respond to lawful requests from regulatory authorities
  • Enforce our Terms of Service

4. Legal Basis for Processing (GDPR)

For individuals in the European Economic Area or United Kingdom, we process personal data on the following legal bases:

  • **Contract performance:** Processing necessary to provide the services you have engaged us for (e.g., processing your booking, sending your receipt)
  • **Legitimate interests:** Improving the platform, preventing fraud, and maintaining security, where our interests do not override your rights
  • **Legal obligation:** Where we are required to process data to comply with applicable law
  • **Consent:** For optional processing such as marketing communications, analytics cookies, or health notes — you may withdraw consent at any time

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

5. Sharing Your Information

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

**Service providers (sub-processors):**

  • **Stripe** — payment processing and subscription management (Stripe's privacy policy applies to payment data)
  • **Supabase** — database hosting, authentication, and file storage (Australia and US regions)
  • **Resend** — transactional email delivery
  • **Vercel** — web application hosting
  • **Cloudflare** — CDN, DDoS protection, and Turnstile CAPTCHA
  • **Expo** — mobile app build and push notification infrastructure
  • **Sentry** — error monitoring and crash reporting

All sub-processors are bound by data processing agreements ensuring they handle your data in accordance with applicable privacy law.

**Other disclosures:**

  • We may disclose information to law enforcement, regulators, or courts where required by law or in response to a valid legal order
  • In the event of a merger, acquisition, or asset sale, your information may be transferred to the successor entity, with notice provided to you beforehand
  • We may share aggregated, de-identified usage statistics that cannot be used to identify any individual

We never share personally identifiable information with advertisers or third-party marketing platforms.

6. Data Retention

We retain your personal information for as long as your account is active and for a period of 7 years following account closure, to comply with Australian financial record-keeping obligations. Specific retention periods:

  • Active account data: Retained for the life of the account
  • Signed contracts: Retained for the minimum period required by applicable law (typically 7 years)
  • Access logs and audit trails: 2 years
  • Email delivery logs: 90 days
  • Deleted member data: Purged within 30 days of deletion request
  • Backups: Retained for 90 days from creation, then permanently deleted

Upon account termination or your written request, we will delete your data within 30 days of confirmation, subject to legal retention obligations.

7. Security

We implement industry-standard security measures to protect your information:

  • **Encryption in transit:** All data transmitted between your browser/app and our servers uses TLS 1.2 or higher
  • **Encryption at rest:** Database data is encrypted at rest using AES-256 (provided by Supabase on AWS)
  • **Row-level security:** Database access is enforced at the row level so club staff can only access their own club's data
  • **Authentication:** Secure session tokens with configurable expiry; support for Google OAuth
  • **Access controls:** Role-based permissions (owner, manager, reception, coach) limiting what each staff member can see
  • **Audit logs:** Sensitive actions (member data changes, contract signing, staff role changes) are logged with user, timestamp, and IP

We conduct periodic security reviews and promptly investigate any reported vulnerabilities. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by law (72 hours under GDPR, as soon as practicable under the Australian Privacy Act).

No security system is perfectly impenetrable. If you discover a security vulnerability in our platform, please report it responsibly to security@alestra.app.

8. Your Rights

Depending on your location, you have the following rights regarding your personal information:

  • **Access:** Request a copy of the personal information we hold about you
  • **Correction:** Request that inaccurate or incomplete information be corrected
  • **Deletion:** Request deletion of your personal information ("right to be forgotten"), subject to our legal retention obligations
  • **Portability:** Request your data in a machine-readable format (JSON or CSV)
  • **Restriction:** Request that we limit processing of your data in certain circumstances
  • **Objection:** Object to processing based on legitimate interests
  • **Withdraw consent:** Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@alestra.app. We will respond within 30 days. We may ask you to verify your identity before processing your request.

If you are located in the EEA/UK and believe we have not handled your request properly, you have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK).

9. Cookies and Tracking

We use only essential cookies and storage mechanisms necessary for the platform to function:

  • **Authentication cookies:** Used to maintain your login session. These are first-party, session-based, and essential for the platform to work. You cannot opt out without logging out.
  • **Local storage:** Used to store non-sensitive preferences (e.g., sidebar state, onboarding progress). Cleared when you clear browser data.
  • **Cloudflare Turnstile:** Used on sign-in and sign-up forms to detect automated abuse. Turnstile is privacy-preserving and does not track users across sites.

We do **not** use:

  • Third-party advertising cookies
  • Cross-site tracking pixels
  • Google Analytics or similar analytics platforms
  • Social media tracking pixels

Disabling cookies in your browser settings will prevent you from logging in to the platform.

10. Children and Minor Accounts

The Nexus club management portal is for adults aged 18 and over. The Nexus member mobile app may be used by minors through a parent or guardian-linked account. When a minor is added to the platform:

  • The parent or guardian must accept the terms on behalf of the minor
  • The parent or guardian is the primary account holder with full control
  • We do not use minors' data for marketing or profiling purposes
  • Health notes and emergency contacts for minors are stored with heightened security
  • Parents may request deletion of their child's data at any time by contacting privacy@alestra.app

We do not knowingly collect personal information from children under 13 years old directly. If you believe we have inadvertently collected such data, please contact us immediately.

11. International Data Transfers

Our primary infrastructure is hosted in Australia (Supabase ap-southeast-2 region). Some sub-processors may process data in other countries (e.g., Stripe in the US, Resend in the US/EU). Where personal data is transferred outside of Australia to countries without equivalent privacy protections, we ensure appropriate safeguards are in place through:

  • Standard contractual clauses (for EU/UK data)
  • Data processing agreements with each sub-processor
  • Reliance on sub-processors that maintain their own compliance programs (e.g., Stripe's PCI DSS certification)

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email and an in-app notification at least 14 days before the updated policy takes effect. The "Last updated" date at the top of this page will always reflect the most recent version. Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree with the changes, you must stop using the Service and request deletion of your data.

13. California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • **Right to know:** Request details about the categories and specific pieces of personal information we have collected, the purposes for which it is used, and with whom it is shared
  • **Right to delete:** Request deletion of personal information we hold about you, subject to certain exceptions
  • **Right to correct:** Request correction of inaccurate personal information
  • **Right to opt-out:** We do not sell or share personal information with third parties for cross-context behavioural advertising
  • **Right to non-discrimination:** We will not discriminate against you for exercising your CCPA rights

To exercise these rights, contact us at privacy@alestra.app. We will respond within 45 days. You may designate an authorised agent to submit requests on your behalf, provided they submit written proof of authorisation.

14. Contact and Complaints

For questions, requests, or complaints about this Privacy Policy or our data handling practices:

**Privacy Officer:** privacy@alestra.app

**General enquiries:** hello@alestra.app

**Postal address:** Alestra Pty Ltd, Privacy Officer, Victoria, Australia

If you are based in Australia and believe we have mishandled your personal information, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. If you are in the EU/UK, you may contact your local data protection supervisory authority.