StudioCrew

Privacy Notice

Fitness Industry Sales LTD, trading as StudioCrew
Company registration number: 11101867
Registered office: 71–75 Shelton Street, London, Greater London, WC2H 9JQ
ICO registration number: ZB574641

Effective date: 10 June 2026
Last updated: 10 June 2026
Supersedes the StudioCrew Privacy Policy dated 3 May 2026.

One notice, three services. This notice covers everything operated by Fitness Industry Sales LTD under the StudioCrew and FitPhoneAI names: StudioCrew (the AI agents app, including WhatsApp messaging), Cockpit (the integrations and admin console), and the StudioCrew MCP Connector (which lets AI assistants such as Claude and ChatGPT answer questions about your studio's data). Where something applies to only one of the three, the section says so.


1. Who this notice applies to

  • Business customers — owners, managers, and staff of fitness studios and similar businesses who hold a StudioCrew, Cockpit, or MCP Connector account.
  • Members and leads of those businesses — people whose data a business customer processes through our services (for example, a gym member who messages a studio on WhatsApp, or whose booking history is held in a connected platform such as Mindbody).
  • Prospective customers — businesses we contact about our services (see Section 15).
  • Visitors to any StudioCrew, Cockpit, or Fitness Industry Sales LTD website.

2. Controller or processor — which one we are

For the purposes of UK data protection law, Fitness Industry Sales LTD acts in one of two capacities depending on the data involved:

  • Data controller — for information about our own business customers, app users, website visitors, account contacts, and prospective customers. We decide the purposes and means of this processing.
  • Data processor — for member and lead data we process on behalf of a business customer: WhatsApp message content, conversation history, AI-drafted replies, and data read from platforms the business connects (booking systems, CRMs, payment providers, calendars, and similar). The business is the controller; we act on its instructions under a Data Processing Agreement.

If you are a member or lead of a studio that uses our services, that studio is the controller of your data. Its privacy notice applies alongside this one, and rights requests about your relationship with the studio are best addressed to the studio first (we will assist them — see Section 12).

3. Information we collect

From business customers (we are controller)

  • Account data — name, business name, email address, phone number, and a password (stored only as a salted bcrypt hash; we never see or store the plain password).
  • Business profile data — studio details, branding, timezone, goals, policies, and similar configuration you provide so the AI can represent your business accurately.
  • Billing data — plan, subscription status, and payment records. Card details are handled by our payment providers and never touch our servers.
  • Integration credentials — OAuth tokens and API keys for platforms you connect (see Section 7). These are encrypted at rest with AES-256-GCM and every access is written to an audit log.
  • Support and communications — emails and messages you send us.

On behalf of business customers (we are processor)

  • Messaging data — WhatsApp and connected-channel message content, sender phone numbers and profile names, timestamps, delivery metadata, and conversation history.
  • Connected-platform data — member, class, booking, sales, invoice, campaign, calendar, and similar records read from the platforms a business connects, to the extent needed to answer the business's questions and run its configured tasks. Some of this is cached (for example booking and sales analytics) to avoid repeated calls to the source platform.
  • AI-assisted data — drafts, summaries, reports, tags, and analyses our AI produces from the above.

Technical data (all visitors and users)

Standard server logs (IP address, user agent, request paths, timestamps) and security/audit logs. We do not run third-party advertising or analytics trackers on the apps, and we do not use tracking cookies — see Section 16.

4. How we use information

  • To provide the services — operating the AI agents, answering questions about your studio data, drafting and (where you have configured it) sending messages, generating scheduled reports, and showing your data in the apps.
  • To operate your integrations — calling the platforms you have connected, on your instruction, using the credentials you authorised.
  • To run your account — authentication, billing, service emails (welcome, password reset, activation), and support.
  • To secure the services — fraud and abuse prevention, rate limiting, audit logging of credential access and connector tool calls.
  • To improve the services — aggregate, de-identified usage statistics (for example token counts and tool-call volumes). We do not use your message content or studio data to train AI models, and our AI providers are contractually restricted from doing so (Section 5).

5. Use of AI services

Our AI features are powered by Anthropic PBC's Claude models via Anthropic's commercial API.

  • Message content, conversation context, and relevant studio data are sent to Anthropic per request to generate a response, then returned to us.
  • Under Anthropic's commercial API terms, API inputs and outputs are not used to train Anthropic's models.
  • No solely automated decisions with legal or similarly significant effects are made about any individual (UK GDPR Article 22). AI-drafted member messages pass through the business's configured approval workflow; where a business chooses auto-approval, that is the business's configuration decision as controller, the messages are conversational rather than decisions about the individual, and safety flags route sensitive drafts to a human.
  • AI output can be inaccurate. Businesses must review AI-generated content before relying on it (see our Terms of Service).

6. WhatsApp and Meta

Where a business uses WhatsApp messaging (via the WhatsApp Business Platform, whether through Meta directly or through GoHighLevel):

  • Message delivery is handled by Meta Platforms, Inc. under its own terms and privacy policy.
  • We receive and store message content and metadata to provide conversation history and AI-assisted replies on the business's behalf.
  • Inbound webhook traffic from Meta is cryptographically verified before processing.
  • Members can opt out of messages at any time — see Section 13.

7. Integrations you connect (Cockpit)

Businesses can connect third-party platforms — for example Mindbody, TeamUp, Momence, GoHighLevel, Stripe, GoCardless, Xero, HubSpot, Pipedrive, Mailchimp, Klaviyo, Kit (ConvertKit), Calendly, Cal.com, Acuity, Notion, Slack, Zoom, Fathom, Loom, Gamma, Google Workspace, and Microsoft 365.

  • We access a connected platform only on the business's instruction — to answer a question, run a configured task, or display data in the apps.
  • Credentials are stored encrypted (AES-256-GCM); every decryption is recorded in an internal audit log. Plain credentials are never written to disk or shown back in the apps.
  • Each platform remains governed by its own terms and privacy policy. Businesses can disconnect a platform at any time in Cockpit, which deletes our stored credentials for it; they may also revoke our access from the platform's side.
  • Google user data. Our use of information received from Google APIs (Google Workspace: Gmail read access, Google Calendar, Google Drive) adheres to the Google API Services User Data Policy, including the Limited Use requirements: Google user data is used only to provide the features the business has requested, is not used for advertising, is not sold, and is not used to train generalised AI models. Human access is limited to the cases the policy permits (for example, with the business's consent for support, or for security purposes).

8. The MCP Connector and AI assistants

The StudioCrew MCP Connector lets a business connect its account to AI assistants — Claude.ai, Claude Desktop, and ChatGPT — so the assistant can answer questions using the business's live studio data.

  • Access is authorised by the business through an OAuth consent step (or a personal API key). Issued tokens are stored only as cryptographic hashes, are scoped to that one business, expire, and can be revoked.
  • The assistant only sees tools for platforms that business has actually connected, and every tool call is checked against the business's account and recorded in an audit log.
  • The assistant itself is a separate service. Anything typed into Claude.ai, Claude Desktop, or ChatGPT — and anything those products do with their own conversation history — is governed by Anthropic's or OpenAI's own terms and privacy policies as independent controllers. We receive only the tool requests the assistant makes, and we return the requested data to the assistant session the business authorised.

9. Lawful bases

Where we act as controller, we rely on:

PurposeLawful basis
Providing the services to account holdersPerformance of a contract (Art 6(1)(b))
Billing, tax, and accounting recordsLegal obligation (Art 6(1)(c))
Security, audit logging, abuse preventionLegitimate interests (Art 6(1)(f)) — keeping the services secure
Service improvement using aggregate statisticsLegitimate interests (Art 6(1)(f))
B2B marketing to prospective customersLegitimate interests (Art 6(1)(f)) — see Section 15; you can object at any time
Optional communications where we ask firstConsent (Art 6(1)(a))

Where we act as processor, the business customer is responsible for its own lawful basis (typically contract or legitimate interests for member communications) and we process under its instructions.

10. Sharing and subprocessors

We do not sell personal data. We share it only with:

SubprocessorPurposeLocation
Amazon Web Services (AWS)Database and storage — EU (London) regionUnited Kingdom / EEA
Salesforce, Inc. (Heroku)Application hosting and backend infrastructureUnited States
Vercel, Inc.Web application hosting (Cockpit and web apps)United States / Global
Anthropic PBCAI processing (Section 5)United States
Meta Platforms, Inc.WhatsApp Business message deliveryUnited States / Global
GoHighLevel, Inc.CRM-routed messaging and service emails (welcome, password reset)United States

Each subprocessor is engaged under a Data Processing Agreement or equivalent contractual safeguard. We will update this list when we engage new subprocessors and give business customers notice in line with our DPA.

Platforms a business itself connects (Section 7) are not our subprocessors — they are independent services chosen by the business.

We may also share data with professional advisers, and with law enforcement or regulators where legally required.

11. International transfers

Primary data storage is on AWS infrastructure in the UK/EEA. Where a subprocessor processes data in the United States (Heroku, Vercel, Anthropic, Meta, GoHighLevel), we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or on a UK adequacy decision (including the UK–US Data Bridge where the recipient is certified), and we assess recipient-country laws as UK GDPR Article 46 requires.

12. Retention

We keep personal data only as long as needed. Current schedules:

DataRetention
WhatsApp/connected-channel message content and conversation historyUp to 24 months rolling maximum; our automated daily schedule currently deletes message content after 12 months
Cached booking/sales analytics read from connected platforms24 months rolling
AI task and report execution logs6 months
Resolved message-approval records6 months
Cached member records no longer seen at the source platform6 months after last sync/visit
Cockpit AI chat historyUntil you clear it in-app or your account closes
Password-reset and invitation tokens7–30 days
Account and billing recordsLife of the account + statutory periods (typically 6 years under UK tax law)
Security, credential-access, and connector audit logs12 months, then deleted or anonymised
Opt-out / suppression recordsIndefinitely, so suppressed contacts are never messaged again

On account closure, conversation data and stored integration credentials associated with the account are deleted within 30 days. Suppression records and security audit logs survive closure under our legitimate-interest carve-out.

13. Deletion, erasure, and member opt-out

  • Member erasure (businesses): a business can delete a specific member's conversation history and contact data from the admin panel; removal from our systems completes within 30 days. This supports the business's UK GDPR Article 17 obligations.
  • Requests to us directly: email support@fitphone.ai with enough detail to identify the account, phone number, or conversation. Where we are controller we respond within one month; where we are processor we refer the request to the relevant business or act on its instructions.
  • Member opt-out: members can reply STOP, UNSUBSCRIBE, or any clear equivalent to a business's messages. The preference is recorded and non-essential messages cease. Some messages may still be sent to complete a requested service or meet a legal obligation.

14. Security

Measures in place include: AES-256-GCM encryption of all stored third-party credentials with key-rotation support; TLS for data in transit (including to our database); bcrypt password hashing; API keys and session/OAuth tokens stored only as cryptographic hashes; per-business (tenant) isolation enforced on every query; signature verification on inbound webhooks; rate limiting on authentication surfaces; audit logging of every credential access and connector tool call; and least-privilege tool filtering so AI assistants only ever see the platforms a business has connected.

No system is perfectly secure; we encourage strong, unique passwords and prompt reporting of any suspected issue to support@fitphone.ai.

15. Prospective customers (B2B outreach)

We contact fitness businesses about our services. For this we collect business contact data from public sources — business listings (for example Google Places), business websites, and public social profiles — typically business name, address, public phone/email, and publicly stated facts about the business. We rely on legitimate interests (B2B direct marketing) consistent with PECR's corporate-subscriber rules. Every email includes a way to opt out; opt-outs and bounces are suppressed permanently (Section 12). To object or be deleted from prospect records, email support@fitphone.ai.

16. Cookies and local storage

Our apps use the browser's localStorage to keep you signed in (session tokens) and to remember small UI preferences. These are functional only, never used for advertising or cross-site tracking, and are removed on sign out (tokens are also invalidated server-side). We do not set third-party tracking cookies.

17. Your rights

Under UK GDPR you have the right of access, rectification, erasure, restriction, portability, and objection (including to legitimate-interest processing and to direct marketing), and the right to withdraw consent where consent is the basis. Contact support@fitphone.ai; we respond within one month. We may need to verify your identity, and where we are processor we will route the request to the controller business.

You can complain to the Information Commissioner's Office ico.org.uk · 0303 123 1113 · Wycliffe House, Water Lane, Wilmslow, SK9 5AF. We would appreciate the chance to address concerns first.

18. Business customer responsibilities

Businesses using our services must: have a lawful basis to message their members and leads; maintain their own privacy disclosures naming their use of AI-assisted messaging; honour opt-outs; respond to their members' rights requests; and enter into our Data Processing Agreement before processing member data through the services.

19. Children

The services are for businesses and are not directed at children. We do not knowingly process children's data as controller. Where a business's member base includes under-18s (common in fitness), the business is the controller responsible for the lawfulness of that processing.

20. Changes to this notice

We may update this notice from time to time. The current version is always available at this URL; material changes are notified to business customers by email or in-app with reasonable notice.

21. Contact

Fitness Industry Sales LTD, trading as StudioCrew
71–75 Shelton Street, London, WC2H 9JQ, United Kingdom
Company registration number: 11101867 · ICO registration: ZB574641
support@fitphone.ai