Privacy Policy

Your privacy, protected.

Last updated: April 16, 2026

1. Who We Are

StillHous (“StillHous,” “we,” “us,” or “our”) operates the StillHous platform — an all-in-one management system for gyms, studios, and fitness facilities. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our website (stillhous.com) and our software platform.

For questions about this policy, contact us at: privacy@stillhous.com

2. Data We Collect

We collect personal data in the following ways:

Data you provide directly:

  • Name, email address, and phone number when you register or contact us
  • Billing information processed securely through Stripe or Square (we do not store full card numbers)
  • Profile information including fitness goals, membership type, and facility preferences
  • Communications you send to us via support, email, or in-app messaging

Data collected automatically:

  • Usage data: pages visited, features used, timestamps, and session duration
  • Device and browser information: IP address, browser type, operating system
  • Check-in and attendance data when you access a facility using our platform
  • Cookies and similar tracking technologies (see Section 6)

Data from third parties:

  • Payment and transaction data from Stripe and Square
  • Door access event logs from Kisi and HID Mobile Access integrations
  • Analytics data from Google Analytics 4 (subject to your consent preferences)

3. How We Use Your Data

We use personal data to:

  • Provide, operate, and improve the StillHous platform
  • Process payments and manage subscriptions
  • Send transactional communications (booking confirmations, billing alerts, access notifications)
  • Send marketing communications where you have given consent or we have a legitimate interest
  • Comply with legal obligations and resolve disputes
  • Analyze platform usage to improve product performance and user experience
  • Detect and prevent fraud, abuse, and security incidents

4. Legal Basis for Processing (GDPR / EU)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data under the following legal bases:

  • Contract performance — to provide the services you have subscribed to
  • Legitimate interests — to improve our platform, detect fraud, and for direct marketing to existing customers (where not overridden by your rights)
  • Legal obligation — to comply with applicable laws and regulations
  • Consent — for analytics cookies, marketing emails, and any processing not covered above. You may withdraw consent at any time.

5. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data. To exercise any right, contact us at privacy@stillhous.com.

EU/EEA, UK & Switzerland (GDPR / UK GDPR):

  • Right of access — obtain a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure ("right to be forgotten") — request deletion of your data
  • Right to restriction of processing — limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests or for direct marketing
  • Rights related to automated decision-making and profiling

UAE (Personal Data Protection Law — PDPL):

  • Right to access and obtain a copy of your personal data
  • Right to request correction of inaccurate or incomplete data
  • Right to request destruction or deletion of data no longer needed
  • Right to withdraw consent at any time without affecting prior lawful processing

Brazil (Lei Geral de Proteção de Dados — LGPD):

  • Right to confirmation of processing and access to your data
  • Right to correct incomplete, inaccurate, or outdated data
  • Right to anonymization, blocking, or deletion of unnecessary data
  • Right to data portability to another service provider
  • Right to information about third parties with whom data is shared
  • Right to withdraw consent at any time
  • Right to lodge a complaint with Brazil's national data protection authority (ANPD)

We will respond to all requests within 30 days. We may need to verify your identity before fulfilling a request.

6. Cookies & Consent

We use cookies and similar technologies to operate the platform, analyze usage, and support marketing. We use Google Analytics 4 (GA4) with Consent Mode v2. This means:

  • For visitors in the EU/EEA, UK, Switzerland, UAE, and South America — no analytics or advertising cookies are set until you explicitly accept via the cookie banner.
  • For all other visitors — anonymous analytics are enabled by default. Advertising cookies remain off until you accept.
  • You can change your preferences at any time via the "Cookie Settings" link in the footer.

The following cookie categories are used:

  • Strictly necessary — required for the platform to function (session authentication, security). These cannot be disabled.
  • Analytics — help us understand how the platform is used (Google Analytics 4). Requires consent in regulated regions.
  • Marketing/Advertising — used for retargeting and ad performance measurement. Always requires explicit consent.

7. Data Sharing & Third Parties

We do not sell your personal data. We share data only with:

  • Payment processors (Stripe, Square) — to process transactions securely
  • Access control providers (Kisi, HID) — to manage physical door access
  • Email infrastructure providers — to send transactional and marketing emails
  • Analytics providers (Google) — subject to your consent preferences
  • Hosting and infrastructure providers (Vercel, Supabase) — to operate our platform
  • Law enforcement or government authorities — when required by law or to protect our rights

All third-party providers are contractually bound to handle your data in accordance with applicable privacy law.

8. International Data Transfers

StillHous operates globally. Your data may be processed in the United States, the European Union, or other countries. Where we transfer personal data from the EEA or UK to countries outside those regions, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law. Generally:

  • Active account data — retained for the duration of your account
  • Transaction and billing records — retained for 7 years for tax and legal compliance
  • Analytics data — retained for 14 months in Google Analytics 4
  • Deleted account data — removed within 90 days of an account deletion request

10. Data Security

We implement technical and organizational security measures appropriate to the risk, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. However, no system is 100% secure — in the event of a data breach that creates high risk to your rights and freedoms, we will notify affected users as required by applicable law.

11. Children's Privacy

StillHous is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please contact us at privacy@stillhous.com and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where required by law, notify you by email or in-platform notice. Your continued use of StillHous after changes take effect constitutes acceptance of the updated policy.

13. Contact & Complaints

For any privacy-related questions or to exercise your rights, contact our privacy team:

  • Email: privacy@stillhous.com
  • Support: support@stillhous.com

If you are located in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.