Marrow Back to trust center

For gym owners

How your data is handled

You are thinking about handing us your gym and your members. The first question is fair. Where does my data go, and is it safe, especially now that there is AI involved? Here is the plain answer, in order, with nothing dressed up.

The short version, before any detail.

Your members' card numbers never touch us. Your gym is sealed off from every other gym. Your data is locked while it moves and while it sits. And the AI never sees your full member list, only the one member it is helping, and we are tightening what it sees even further.

We are not going to wave our hands and say "trust us." Below is exactly how each of those works.

Owner Edwin Grant, founder Posture enhanced privacy, CCPA and GDPR grade Full detail on the security page

Your members' card numbers never touch us

When a member pays, the card goes straight to Stripe. Stripe is the company that runs payments for millions of businesses. We never see the card number, we never store it, and we never pass it along. We only ever hold a Stripe reference, never the card itself. So even if someone got into our systems, there is no card number there to take.

Your gym is walled off from every other gym

Your members, your programs, and your numbers live in their own locked room. Another gym on Marrow cannot see into yours, and you cannot see into theirs. One coach can never see another coach's people.

This is not a setting we remembered to switch on. It is built into the deepest layer of the system, the database itself, so the wall holds no matter which screen, app, or button anyone uses. We check those walls against an attack plan on a regular basis.

Your data is locked while it moves and while it sits

Everything is encrypted on the way in and on the way out, and encrypted again while it sits in storage. In plain terms, if anyone grabbed it in transit or at rest, they would see scrambled nonsense, not your members and not your money. There is no open, unlocked path for your data anywhere in the system.

Most of the smart decisions never leave our system

A lot of what looks like AI is actually simple decision logic that runs right inside Marrow. Sorting a lead, flagging who might need attention, routing a task. None of that is sent to any outside AI. It is decided in our own system and nothing about your members goes anywhere to make those calls.

What the AI assistant sees

There is one place a member's words reach an AI. The in-app member assistant. It only ever sees the one member it is helping, never your full member list and never your business numbers. Today that means the member's name, their goals, and the coaching notes it needs to answer well, sent over an encrypted connection to one vetted provider.

We are tightening this further. We have built a filter that strips out names, contact details, and member IDs before anything is sent, and trims an injury note down to a short coaching summary, because your coach holds the real notes, not the AI. It is tested and on its way into the live system now. We keep this page matched to what is actually running, and we can show you where it stands.

One AI brain, on business terms

For the Marrow platform, member text only ever reaches one AI provider, Anthropic, the maker of Claude. We use it through its business API. Under Anthropic's stated business terms, customer data is not used to train its general AI and is kept only for a limited window, not held forever. We are confirming those exact terms for our own account in writing, and we will share that confirmation when you ask. One vetted provider, named plainly, over an encrypted connection. Nothing is sold, and your information is not handed around.

Note. This single-provider point describes the Marrow platform. Our separate AI phone and messaging product (the AI receptionist) uses a few named specialist vendors for the phone line, the hearing, and the voice. If you take that product, you get its own plain list of who touches the call and why.

We name the companies that touch your data

We do not keep a secret list of vendors. The outside companies that touch your data are named on a public page with what they do and what they see. We are updating that list right now to name our AI provider alongside the rest, and the update publishes the moment our attorney signs off on the wording. If we ever add or change a vendor, you hear about it. You can read the list any time.

For the AI employees, your accounts stay yours

If you add one of our AI employees, like the AI receptionist, we run the AI brain, but your phone number, your calendar, your inbox, and your member list stay in your own accounts. The AI reads only what it needs to do its job and act for you. It does not copy your member list into a separate place we own.

This is different from the core platform on purpose. On the platform, your member data lives inside Marrow, sealed off by the wall described above. With the AI employees, the data stays in your systems. Two honest, different answers for two different things.

The honest part, because you deserve it

We are a young, focused company and we say what is true. We are not SOC 2 certified, and we will never pretend we are. We do not handle medical records, and we do not claim to. We treat your members' fitness and wellness information as sensitive personal data and protect it at a privacy grade that lines up with the strong consumer privacy laws, the kind in California and Europe.

What we do have is real. Card numbers that never touch us, the locked wall between gyms, encryption coming and going, an AI that never sees your full member list, one named AI provider used through its business API, and a written plan for the bad day. If a big enterprise ever hands you a security questionnaire about us, we answer it straight.

The short version. Your money runs through Stripe, your data is locked and walled off, the AI never sees your whole member list, and we tell you the truth about where we are. That is the standard we hold.

Marrow Fitness LLC. Miami, FL. Security posture · Subprocessors · Privacy