Privacy Policy
Looking for a Simpler Version?
We've prepared a plain-language summary of our privacy practices designed for parents, guardians, and young users.
Introduction and Scope
Gym Art ("we," "us," or "our") is committed to protecting the privacy and personal information of all individuals who use our platforms, including Gym Art Meets, Judge's Companion, and our website at gymart.org (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information.
This policy is designed to comply with the strictest applicable standard across all jurisdictions in which we operate, including:
- Quebec's Act respecting the protection of personal information in the private sector (Loi 25 / Bill 64)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- Alberta's Personal Information Protection Act (PIPA AB)
- British Columbia's Personal Information Protection Act (PIPA BC)
- The United States Children's Online Privacy Protection Act (COPPA), including the FTC's 2025 Final Rule Amendments effective April 22, 2026
- The European Union General Data Protection Regulation (GDPR)
Where these laws impose different standards, we apply the most protective requirement.
Privacy Officer
Gym Art has designated a Privacy Officer responsible for overseeing compliance with all applicable privacy legislation and for responding to privacy-related inquiries and complaints.
Name: Benjamin Astorga, Chief Executive Officer
Email: privacy@gymart.org
Address: 1412 rue Aylwin, Montréal, QC H1W 3B7, Canada
Under Loi 25, the highest-ranking officer of the organization is the Privacy Officer by default. The CEO has assumed this role.
Information We Collect
3.1 User Types and Account Information
Gym Art distinguishes between two categories of individuals whose information appears in our systems:
General Users (Spectators and Account Holders)
- Sign-in method (email address or phone number)
- Display name (username)
No other personal information is collected at account creation.
Gymnasts (Competition Participants) – data uploaded by organizers
- First and last name
- Club or organization affiliation
- Competitive level and age category
- Date of birth (for age category verification)
- Role within the competition context
A gymnast record in Gym Art Meets represents a competition entry and associated results—it does not constitute a user account. Dates of birth are used internally for age category verification and are only visible to authorized administrators within the gymnast's own club. Judges see only gymnast first and last names, levels, and club affiliations.
3.1.1 Organizer-Uploaded Data
Competition organizers may request and store additional data fields (e.g., emergency contact information, dietary requirements). Organizers who collect additional data acknowledge they have proper legal authority and consent. Gym Art acts as a processor; the organizer remains the controller.
3.2 Information Relating to Minors
Gym Art implements a tiered age-based consent framework:
- Under 13: Verifiable parental/guardian consent required for all collection, use, and disclosure
- 13–15: Parental/guardian consent required
- 16+: Individual may consent independently
Parents/guardians may exercise all rights on behalf of their minor children.
Under the COPPA 2025 Final Rule Amendments, Gym Art maintains a written data retention policy specifying the business need for keeping children's data and a clear timeframe for deletion. We do not disclose children's personal information to third parties for targeted advertising purposes.
3.3 Sensitive Personal Information
The following categories receive heightened protections:
- Medical information (injury notes, medical clearances)
- Video and photographic recordings of identifiable individuals, particularly minors
- Health-related data submitted by clubs or parents
- Biometric identifiers (as defined under the COPPA 2025 amendments: fingerprints, facial data, voice data, gait patterns, retina patterns)
Medical notes are accessible only to authorized organizer accounts and the submitting club. No other organizer or club can view another club's medical submissions. Medical information is automatically deleted 6 months after the event, or at a custom date set by the organizer.
3.4 Video and Media Recordings
Gym Art implements the following safeguards for video and media recordings:
- Organizers must obtain explicit written consent before recording
- Parents/guardians may opt out and request removal at any time (effective immediately)
- Granular video access control: per gymnast, per competition, per level, per meet
- Videos are accessible only within the Gym Art mobile application by signed-in and authenticated users, and only when all of the following conditions are met: the organizer has enabled video publishing, the meet has been made public, the level has video display enabled, and the gymnast's individual video publishing setting is enabled
- Requests to remove or restrict video access may be submitted to privacy@gymart.org
- Not used for biometric analysis, facial recognition, or automated profiling
3.5 Competition Scores
Competition scores are semi-public factual data records associated with gymnast names, clubs, and levels. These are treated as personal information under applicable privacy law.
3.6 Floor Music Files
Clubs using Gym Art Meets may upload floor music files for use during competition events. Floor music files are associated with individual gymnasts and constitute personal information when linked to an identifiable individual. Music files are retained for a default period of 3 years from the date of the competition. Clubs are required to set a retention date at meet setup, which may be customized. Gym Art enforces automatic deletion at the applicable date.
3.7 Tracking Technologies
Gym Art does not use cookies, web beacons, analytics trackers, advertising pixels, or any other tracking technologies.
How We Use Your Information
We use personal information for the following purposes only:
- Providing and operating our Services
- Verifying user identity, age category, and competitive eligibility
- Communicating with users about accounts, competitions, and updates
- Ensuring security and integrity of our platforms
- Complying with legal obligations
We do not use personal information for marketing, advertising, profiling, or any undisclosed purpose without separate, explicit consent. In compliance with the COPPA 2025 Final Rule, we do not disclose children's personal information to third parties for targeted advertising.
Automated Decision-Making
Gym Art does not use artificial intelligence, machine learning, or automated systems for decisions producing legal effects or similarly significant effects. All scoring, judging, and administrative decisions are made by authorized human users.
Disclosure of Personal Information
Gym Art does not sell, rent, or trade personal information. Limited disclosure occurs only in the following circumstances:
- To service providers bound by contract with equivalent privacy obligations
- When required by law or legal process
- To protect the rights, safety, or property of Gym Art, users, or the public
- With explicit user consent
Contractual safeguards are required for all service provider disclosures.
Data Security
7.1 Encryption
- Transport Layer Security (TLS) for data in transit
- AES-256 encryption for data at rest
- Infrastructure hosted on Google Cloud Platform northamerica-northeast1 (Montréal, Canada), certified to SOC 1/2/3, ISO 27001, ISO 27017/27018
7.2 Access Controls
- Multi-layered authentication mechanisms
- Role-based, club-scoped access restrictions
- General users: access to own account and public competition results only
- Judges: access to gymnast names, levels, and clubs only
- Organizers: broader access within own club only
- Club data isolation enforced at application level: clubs registered for the same event cannot view other clubs' registrations, gymnast details, or submitted data during the registration process or at any other time
- All access requires authenticated login
7.3 Privacy by Default
- Competitions are private by default
- Registration closed by default
- Video recording and display disabled by default
In compliance with the COPPA 2025 Final Rule enhanced security requirements, we implement reasonable procedures and practices to protect the confidentiality, security, and integrity of children's personal information.
Data Retention
Gym Art maintains a written data retention policy as required by the COPPA 2025 Final Rule. The following table specifies retention periods by data category:
| Data Category | Retention Period | Responsible Party |
|---|---|---|
| Video Recordings | Default 1 year from competition date. Organizers may set custom date (mandatory selection at meet setup). | Organizer determines; Gym Art enforces deletion. |
| Competition Scores | Default 3 years from competition date. Organizers may set custom date (specified at meet setup). | Organizer determines; Gym Art enforces deletion. |
| Floor Music Files | Default 3 years from competition date. Clubs are required to set a retention date at meet setup, which may be customized. | Club determines; Gym Art enforces deletion. |
| Medical Documentation | Default 6 months after event, or custom organizer date. | Gym Art enforces automatic deletion. |
| User Account Data | Until user deletes account (available at any time). | User-controlled. |
| Payment Records | As required by tax and financial regulations. | Gym Art, per legal requirements. |
Your Rights
Gym Art honors the following privacy rights regardless of jurisdiction, applying the most protective standard:
9.1 Right of Access
You have the right to receive a copy of all personal information we hold about you within 30 days, provided in CSV format. Contact privacy@gymart.org.
9.2 Right to Data Portability
You have the right to receive your personal information in a structured, machine-readable format (CSV) within 30 days to facilitate transfer to another service provider.
9.3 Right to Rectification
You have the right to correct inaccurate or incomplete personal information we hold about you.
9.4 Right to Deletion
You have the right to request deletion of your personal information. Account deletion is available in-app at any time.
9.5 Right to De-indexation
You have the right to request that we cease distribution or de-index hyperlinks to your personal information.
9.6 Right to Withdraw Consent
You have the right to withdraw consent previously provided. Contact privacy@gymart.org. Video removal requests are processed immediately.
9.7 Right to File a Complaint
You have the right to file a complaint with the applicable regulatory authority. See Section 12: Complaint Process for contact information.
Cross-Border Data Transfers
Gym Art's infrastructure is hosted on Google Cloud Platform in the northamerica-northeast1 region (Montréal, Canada). However, data transfers outside Quebec, Canada, or the European Economic Area may occur under the following conditions:
- We conduct a Privacy Impact Assessment before establishing new transfer arrangements
- We ensure equivalent privacy protection or execute contractual safeguards
- We execute written agreements with all sub-processors that include equivalent privacy terms
Confidentiality Incident (Data Breach) Response
In the event of a confirmed confidentiality incident or data breach, Gym Art follows this protocol:
- Contain: Immediately contain the incident to prevent further unauthorized access
- Assess: Assess the nature, scope, and potential impact of the breach
- Notify Authorities: Notify applicable authorities:
  - Commission d'accès à l'information (CAI) – Quebec
  - Office of the Privacy Commissioner of Canada (OPC)
  - EU supervisory authority (within 72 hours)
  - Federal Trade Commission (FTC) if COPPA data is affected
- Notify Individuals: Notify affected individuals without unreasonable delay
- Maintain Register: Maintain a register of all confidentiality incidents
Complaint Process
If you believe your privacy rights have been violated, you may file a complaint with Gym Art using the following process:
- Submit your complaint in writing to privacy@gymart.org
- Gym Art will acknowledge receipt within 5 business days
- Our Privacy Officer will investigate your complaint
- We will provide a written response within 30 days
- If not satisfied, you may escalate to the appropriate regulatory authority
Regulatory Authorities
Employee and Staff Privacy Training
All Gym Art employees and staff with access to personal information receive mandatory privacy training covering:
- Applicable privacy legislation and regulations
- Gym Art's internal privacy policies and procedures
- Identification and reporting of data breaches
- Individual privacy rights and exercising those rights
- Handling and protection of sensitive information relating to minors
Annual refresher training is conducted and maintained for all relevant personnel.
Changes to This Policy
Gym Art may update this Privacy Policy from time to time. Users will be notified of material changes through the platform, and the "Last Updated" date will be revised accordingly. For material changes affecting minors' data, we will seek renewed consent before implementing the change.
Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact:
Company: Gym Art
Privacy Officer: Benjamin Astorga, Chief Executive Officer
Email: privacy@gymart.org
Address: 1412 rue Aylwin, Montréal, QC H1W 3B7, Canada
Response Time: 30 days
Appendix A: Multi-Jurisdiction Compliance Reference Table
| Jurisdiction | Primary Legislation | Key Requirement | Policy Section |
|---|---|---|---|
| Quebec | Loi 25 (Bill 64) | Privacy Officer designation, written consent for minors, sensitive data handling | 2, 3.2, 3.3, 3.4 |
| Canada | PIPEDA | Accountability, limited collection, consent, individual access rights | 1, 3, 4, 9 |
| Alberta | PIPA AB | Data security, breach notification, individual rights | 7, 11, 9 |
| British Columbia | PIPA BC | Data security, breach notification, individual rights | 7, 11, 9 |
| United States | COPPA (2025 Final Rule) | Parental consent under 13, data retention policy, no third-party marketing, security | 3.2, 8, 4, 7 |
| European Union | GDPR | Lawful basis, consent for minors (16+ or parental), data minimization, individual rights, DPA | 1, 3.2, 3, 9, 10 |
Principles Applied Across All Jurisdictions
- Most Protective Standard: Where laws differ, we apply the most protective requirement
- Transparency: Clear, honest communication about data practices
- Individual Rights: Robust mechanisms for access, correction, deletion, and complaint
- Data Minimization: Collection limited to stated purposes
- Security: Reasonable safeguards for confidentiality and integrity
- Accountability: Documentation and oversight of privacy practices
- Special Protections for Minors: Age-appropriate consent frameworks and heightened safeguards
Appendix B: Regulatory Authority Contact Information
Privacy Complaint Authorities by Jurisdiction
Quebec, Canada
Authority: Commission d'accès à l'information (CAI)
Website: https://www.cai.gouv.qc.ca
Jurisdiction: Complaints regarding Loi 25 compliance and provincial privacy matters
Canada (All Provinces/Territories)
Authority: Office of the Privacy Commissioner of Canada (OPC)
Website: https://www.priv.gc.ca
Jurisdiction: Complaints regarding PIPEDA compliance and federal privacy matters
Alberta, Canada
Authority: Office of the Information and Privacy Commissioner of Alberta
Website: https://www.oipc.ab.ca
Jurisdiction: Complaints regarding PIPA AB compliance
British Columbia, Canada
Authority: Office of the Information and Privacy Commissioner of British Columbia
Website: https://www.oipc.bc.ca
Jurisdiction: Complaints regarding PIPA BC compliance
United States of America
Authority: Federal Trade Commission (FTC)
Website: https://www.ftc.gov
Jurisdiction: Complaints regarding COPPA compliance and children's online privacy
European Union
Authority: Your Local Data Protection Authority (EU Member State)
Website: https://edpb.europa.eu/
Jurisdiction: Complaints regarding GDPR compliance
Each EU Member State maintains its own supervisory authority. You have the right to lodge a complaint with the authority in your country of residence, workplace, or where the alleged infringement occurred.
Information for Privacy Complaints
When filing a complaint with any regulatory authority, please include:
- Your name and contact information
- Description of the alleged privacy violation
- Relevant dates and circumstances
- Copies of relevant communications or documentation
- Details of any attempts to resolve the matter directly with Gym Art
You may also contact Gym Art's Privacy Officer directly at privacy@gymart.org before or in parallel with filing a regulatory complaint.