OmniPulse

Privacy Policy

Effective date: March 13, 2026
Last updated: March 13, 2026

OmniPulse is a cloud-based gym management platform operated by Ousama Nahle (sole proprietor). This Privacy Policy explains what personal data we collect, how we use it, and what rights you have. It applies to the OmniPulse website (omnipulseweb.onahle.com) and the OmniPulse application (omnipulse.onahle.com).

We take privacy seriously. We are a small, early-stage company, and we handle data responsibly — not because a legal team told us to, but because it is the right thing to do.

1. Data Controller

The data controller for information processed through OmniPulse is:

• Name: Ousama Nahle (operating as OmniPulse)
• Email: [email protected]

2. Information We Collect

2.1 Account Information (Customers)

When you sign up for OmniPulse, we collect:

• Full name
• Email address
• Password (stored securely via AWS Cognito — we never see or store your plaintext password)
• Gym/club name

2.2 Gym Member Data (Entered by Customers)

As a gym management tool, OmniPulse stores data that our customers (gym owners and their staff) enter about their gym members. This may include:

• Member names, contact information, dates of birth
• Membership plans, payment history, attendance records
• Activity bookings and schedules
• Staff records and payroll information

Our customers are the data controllers for their gym members' data. We process this data solely on their behalf to provide the service. If you are a gym member and have questions about how your gym uses your data, please contact your gym directly.

2.3 Usage and Analytics Data

We collect anonymized usage data through Google Analytics (GA4) on the marketing website to understand how visitors find and use our site. This includes:

• Pages visited, time on page, referral source
• Browser type, device type, screen resolution
• Approximate geographic location (country/city level, derived from IP)

Google Analytics is only loaded if you consent via our cookie banner.

2.4 Cookies and Local Storage

We use essential cookies for authentication and session management. For details, see our Cookie Policy.

3. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

• Contract performance (Article 6(1)(b)): Processing account data and gym member data is necessary to provide the OmniPulse service as agreed with our customers.
• Legitimate interest (Article 6(1)(f)): We use analytics data to understand website usage and improve the product. We have assessed that this interest does not override your privacy rights, particularly as the data is anonymized.
• Consent (Article 6(1)(a)): Google Analytics cookies are only loaded after you consent via our cookie banner. You can withdraw consent at any time.

4. How We Use Your Data

We use the data we collect to:

• Operate and maintain the OmniPulse service
• Authenticate users and manage accounts
• Provide customer support
• Send important service notifications (downtime, security, billing)
• Improve the product based on usage patterns
• Communicate about product updates (you can opt out at any time)

5. Data Sharing and Sub-Processors

We do not sell, rent, or trade your personal data to anyone. Period.

We share data only with the following sub-processors, strictly to operate the service:

• Amazon Web Services (AWS) — Cloud hosting, database, authentication (Cognito), storage. Data is stored in the EU-West-1 (Ireland) region.
• Google Analytics (GA4) — Website analytics only (marketing site). Subject to your cookie consent. See Google's Privacy Policy.

We do not use any other third-party services that have access to customer data.

6. Data Storage and Location

All customer data is stored on AWS infrastructure in the EU-West-1 (Ireland) region. Data does not leave the European Union for processing or storage.

7. Data Retention

• Active accounts: Data is retained for as long as your account is active and the service is in use.
• After account deletion: We retain your data for 30 days after deletion in case you change your mind. After 30 days, data is permanently deleted from our production systems.
• Backups: Encrypted backups may retain data for up to 90 days after deletion, after which they are automatically purged.
• Analytics data: Anonymized analytics data may be retained indefinitely as it cannot be linked back to individuals.

8. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations.
• Right to data portability: Request your data in a structured, machine-readable format (CSV export is available in the app).
• Right to restrict processing: Request that we limit how we use your data.
• Right to object: Object to processing based on legitimate interest, including direct marketing.
• Right to withdraw consent: Where processing is based on consent (e.g., analytics cookies), you may withdraw it at any time.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority if you believe your data is being processed unlawfully.

Gym Members

If you are a member of a gym that uses OmniPulse, your gym is the data controller for your personal data. Please contact your gym directly to exercise your rights. If your gym is unable or unwilling to assist, you may contact us and we will help facilitate your request.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Encryption at rest: All databases and backups are encrypted at rest using AWS-managed encryption keys.
• Access controls: Access to production systems is restricted to authorized personnel only, using multi-factor authentication.
• Regular backups: Automated encrypted backups ensure data can be recovered in case of failure.

No system is 100% secure. We are transparent about this. If we ever discover a data breach that affects your personal data, we will notify you and the relevant supervisory authority as required by GDPR (within 72 hours of becoming aware).

10. Children's Privacy

OmniPulse is a business tool designed for gym owners and their staff. The service is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it.

11. Data Processing Agreement

Business customers who require a Data Processing Agreement (DPA) for GDPR compliance can request one by emailing [email protected]. We will provide a standard DPA that covers our obligations as a data processor.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

13. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

• Email: [email protected]