- Contract Reference: ICF-2026-48291
- Analysis Date: April 5, 2026
- Document Type: Consumer Membership Contract — Gym/Fitness Facility
- Analyst Scope: Comprehensive review covering consumer fairness, legal enforceability, regulatory compliance, and risk identification

| Metadata Field | Value |
|---|---|
| Legal authority cutoff date | April 5, 2026 |
| Revision | 2.0 |
| Prior version date | April 5, 2026 (v1.0) |
| Revision summary | Corrected financial calculations; added risk methodology; expanded data security, governing law, severability, force majeure, and PCI DSS analyses; added legal citations; restructured comparative and unconscionability sections |
The Ironclad Fitness Center Membership Agreement is a heavily one-sided consumer adhesion contract that systematically favors the business while minimizing member rights, remedies, and flexibility. The agreement contains numerous provisions that may be unenforceable under state consumer protection statutes, federal regulations, and common-law unconscionability doctrines. The contract employs aggressive fee structures, restrictive cancellation procedures, broad liability waivers, mandatory arbitration, and expansive data collection practices that collectively present significant consumer risk exposure. Several provisions appear designed to create friction barriers to cancellation rather than serve legitimate business interests. Notably, the contract is entirely silent on data breach notification obligations, data security controls, and member remedies in the event of permanent facility closure or business insolvency — omissions that are significant given the sensitivity of the biometric, health, and payment data collected.
This report employs a four-tier severity scale applied consistently throughout. Each provision is assigned a single rating based on the criteria below. Section 15 (Key Findings and Risk Summary) maps one-to-one with the ratings assigned in the body of this report.
| Rating | Criteria |
|---|---|
| Critical | Provision likely violates applicable federal or state law; high probability of unenforceability in a majority of jurisdictions; significant consumer harm exposure; active or likely regulatory enforcement risk. Provisions at this level may independently render portions of the contract void. |
| High | Provision raises serious legal or fairness concerns; enforceable in some jurisdictions but vulnerable to challenge in others; material consumer detriment; contributes substantially to an unconscionability finding. |
| Moderate | Provision is aggressive relative to industry norms but within the range of enforceability in most jurisdictions; consumer should be aware of the risk; may contribute to a cumulative unconscionability finding when combined with other provisions. |
| Low | Provision is standard or mildly unfavorable; unlikely to be successfully challenged on its own; minimal incremental consumer risk. |
Where a provision’s severity varies by jurisdiction (e.g., biometric data practices that are Critical in Illinois but Low in states without biometric privacy laws), the rating reflects the highest applicable tier, with jurisdictional variation noted in the analysis.
The contract is organized into eight substantive sections plus an acknowledgment block. While the section headings are descriptive, the document is dense, uses capitalized emphasis extensively, and buries critical obligations within sub-clauses.
The contract states the AEF is “charged on each anniversary of the Effective Date” (Contract Section 2.2). Over a 36-month Initial Term commencing April 5, 2026, anniversaries fall on April 5, 2027, April 5, 2028, and April 5, 2029.
Assumptions and calculation:

- Monthly fees: $89.99 × 36 months = $3,239.64
- The third anniversary (April 5, 2029) coincides with or falls at the boundary of the 36-month term. The contract does not specify whether the AEF is charged at the start or end of the anniversary date, creating ambiguity as to whether two or three AEF charges apply within the Initial Term.

| Scenario | AEF Charges | AEF Total | Grand Total | Effective Monthly Cost |
|---|---|---|---|---|
| Three AEF charges (anniversaries at months 12, 24, and 36) | 3 × $149.00 | $447.00 | $3,686.64 | $102.41 |
| Two AEF charges (anniversaries at months 12 and 24 only) | 2 × $149.00 | $298.00 | $3,537.64 | $98.27 |
Under the principle of contra proferentem (see Section 6.3 below), ambiguity in the contract is construed against the drafter. However, the more conservative assumption for consumer risk analysis is three AEF charges, yielding a minimum commitment of $3,686.64 over 36 months — an effective cost of $102.41 per month. This figure appears nowhere in the contract and excludes any declined payment fees, interest, price increases, or other ancillary charges. These calculations assume no unilateral price increases under Contract Section 2.4, which could raise the total substantially with no contractual cap.
The agreement does not comply with plain-language requirements mandated in several U.S. states for consumer contracts. Terms such as “covenants not to sue,” “indemnify and hold harmless,” and “successive twelve (12) month periods” are legal terms of art that many consumers would not understand without legal counsel. See, e.g., N.Y. Gen. Oblig. Law §5-702 (plain-language requirement for consumer contracts); Pa. Cons. Stat. tit. 73, §2205 (Plain Language Consumer Contract Act); Conn. Gen. Stat. §42-152 (plain-language requirement).
A 36-month initial commitment is unusually long for a gym membership contract. Industry norms range from month-to-month to 12-month agreements. This extended term significantly limits consumer flexibility and increases financial exposure. Several states cap health club contract terms: California limits initial terms to a maximum of 36 months (Cal. Civ. Code §1812.85), and New York likewise limits initial terms to 36 months (N.Y. Gen. Bus. Law §623). The Ironclad contract sits at the statutory maximum in these states, leaving no margin for error.
Risk Rating: High
The auto-renewal provision is among the most restrictive elements of the contract:
| Element | Contract Requirement | Industry Norm | Assessment |
|---|---|---|---|
| Renewal term length | 12 months | Month-to-month | Excessively long |
| Cancellation notice period | 90 days before expiration | 30 days | Unreasonably long |
| Cancellation method | Certified mail only | Any written form, online, in-person | Unduly restrictive |
| Cancellation recipient | Delaware P.O. Box only | Local facility or online portal | Creates geographic barrier |
Legal exposure: Many U.S. states have enacted automatic renewal laws that impose disclosure, consent, and cancellation-mechanism requirements:
This contract’s requirement that cancellation occur only via certified mail to a P.O. Box in Delaware likely violates multiple state automatic renewal statutes and the FTC’s Click-to-Cancel rule.
Risk Rating: Critical
The blanket rejection of email, telephone, fax, and in-person cancellation is procedurally unconscionable in many jurisdictions:
Risk Rating: Critical
The base monthly fee is within the upper range of commercial gym pricing but not inherently unreasonable when viewed in isolation. However, the contract permits unilateral price increases (Contract Section 2.4) with minimal notice and no cap, which could result in significant cost escalation over the 36-month term. See Section 5.4 below.
This fee is described as covering “facility improvements, equipment maintenance, and administrative costs” — operational expenses that would ordinarily be funded by the monthly membership fee. The Annual Enhancement Fee functions as a hidden price increase, adding an effective $12.42 per month to the real membership cost (assuming three AEF charges over 36 months). Labeling it as a separate non-refundable fee obscures the true cost of membership, which is effectively $102.41/month.
Several state consumer protection agencies have targeted “enhancement” or “maintenance” fees in gym contracts as deceptive pricing practices. See, e.g., Commonwealth of Pennsylvania v. LA Fitness International, LLC, No. 2:12-cv-06543 (E.D. Pa. 2012) (challenging deceptive fee disclosures); New York Attorney General enforcement actions against gym chains for hidden annual fees (2019–2023).
Risk Rating: High
The cascading penalty structure for declined payments raises serious concerns. The contract states that Ironclad may “[c]harge a $35.00 declined payment fee per occurrence” and “attempt to process the payment up to five (5) additional times within the billing period.” This language is ambiguous as to whether “per occurrence” refers to the initial decline only or to each re-processing attempt. The two interpretations produce dramatically different financial exposure:
Interpretation A — Fee per billing cycle (one fee per declined month):

- Member’s exposure for a single month’s missed payment: $35.00 declined payment fee + $89.99 monthly fee = $124.99, plus interest.

Interpretation B — Fee per re-attempt (fee on each processing attempt):

- Member’s exposure: up to 6 processing attempts (initial + 5 re-attempts) × $35.00 = $210.00 in fees, plus the $89.99 monthly fee = $299.99, plus interest.

Under the doctrine of contra proferentem, ambiguous terms in an adhesion contract are construed against the drafter (here, Ironclad). See Mastrobuono v. Shearson Lehman Hutton, Inc., 514 U.S. 52, 62 (1995). The consumer-favorable interpretation (Interpretation A) should apply. Nevertheless, the ambiguity itself is a readability and fairness concern, as a consumer cannot determine their potential liability from the contract text.
Additional concerns with the penalty structure:
Risk Rating: High
The contract grants Ironclad unlimited authority to increase fees with 30 days’ notice, with notice methods as minimal as a posting on the company website. This effectively makes the membership an open-ended financial commitment with no price ceiling, while the member remains locked into a 36-month minimum term.
The asymmetry is stark — the member cannot cancel without penalty, but the business can increase the price at will. Courts have found such provisions unconscionable because they deprive the consumer of the benefit of the bargain. See Ingle v. Circuit City Stores, Inc., 328 F.3d 1165, 1172–73 (9th Cir. 2003) (one-sided modification provisions may render contract illusory); Dumais v. American Golf Corp., 299 F.3d 396, 402 (5th Cir. 2002).
Risk Rating: Critical
The blanket non-refund policy, including for temporary closures up to 14 days, is concerning. If a facility is closed for 13 days in a month, the member is paying $89.99 for approximately 17 days of potential access. Many state health club statutes require prorated refunds or extensions for closures beyond a specified period. See, e.g., Cal. Civ. Code §1812.89 (refund or extension for club closure); N.Y. Gen. Bus. Law §627 (prorated refund for inability to use facilities); Mass. Gen. Laws ch. 93, §80 (similar).
Risk Rating: Moderate
The ETF is calculated as the greater of 75% of the remaining balance or $500.00. The following table illustrates member exposure at various cancellation points, assuming the base monthly rate of $89.99 with no price increases:
| Cancellation Point | Remaining Months | Remaining Balance | 75% of Balance | Applied ETF |
|---|---|---|---|---|
| After month 1 | 35 | $3,149.65 | $2,362.24 | $2,362.24 |
| After month 12 | 24 | $2,159.76 | $1,619.82 | $1,619.82 |
| After month 24 | 12 | $1,079.88 | $809.91 | $809.91 |
| After month 30 | 6 | $539.94 | $404.96 | $500.00 (minimum) |
This ETF is likely unenforceable in many jurisdictions:
Risk Rating: Critical
This provision is framed as a benefit but is remarkably punitive:
A member who suffers a serious long-term injury or illness (e.g., cancer treatment, major surgery with 6-month recovery) receives no meaningful relief. Many states require gyms to allow cancellation, not merely a short freeze, for documented medical conditions. See, e.g., Cal. Civ. Code §1812.89 (cancellation for disability); N.Y. Gen. Bus. Law §625(2) (cancellation upon disability); 815 ILCS 645/11(b) (cancellation upon disability certified by physician).
Risk Rating: High
While a relocation exception exists, it is burdened with conditions designed to discourage its use:
State health club statutes typically cap relocation processing fees and require a lower radius threshold. See, e.g., Cal. Civ. Code §1812.89 (cancellation if member moves more than 25 miles); N.Y. Gen. Bus. Law §625(3) (relocation exception with reasonable conditions).
Risk Rating: High
Charging a $75.00 “processing fee” upon a member’s death is ethically objectionable and likely unenforceable. Additionally, continuing to charge fees for 30 days after receiving the death certificate means the estate is billed for a period when the member cannot possibly use the facility. Several state attorneys general have taken enforcement action against gyms for similar practices. See, e.g., New York Attorney General’s office enforcement actions against Town Sports International Holdings for improper post-death billing (2020); Cal. Civ. Code §1812.89 (membership terminates upon death; no further charges permitted).
Risk Rating: High
The waiver releases the gym from liability for its own negligence, including negligent equipment maintenance and negligent instruction. While many jurisdictions permit prospective negligence waivers for recreational activities, several states deem such waivers void as against public policy. See, e.g., Va. Code §8.01-230 (prospective negligence waivers generally unenforceable); Hanks v. Powder Ridge Restaurant Corp., 276 Conn. 314, 885 A.2d 734 (2005) (recreational activity waiver void as against public policy); La. Civ. Code art. 2004 (clause limiting liability for intentional or gross fault is null); Mont. Code Ann. §28-2-702 (prospective negligence waivers void).
Positive aspect: The contract correctly excludes gross negligence and willful misconduct from the waiver, which is consistent with the majority rule and increases the provision’s enforceability in jurisdictions that permit negligence waivers.
Risk Rating: Moderate
The indemnification clause requires the member to cover the gym’s legal fees arising from the member’s use of the facility. This is a standard commercial risk-shifting provision, but its application in a consumer adhesion contract raises fairness concerns. A member injured by defective equipment could theoretically be asked to indemnify the gym against a third-party claim arising from the same incident.
Risk Rating: Moderate
The arbitration clause raises several concerns:
National Arbitration Forum (NAF): The NAF largely ceased administering consumer arbitrations following a 2009 consent decree with the Minnesota Attorney General. See State of Minnesota v. National Arbitration Forum, Inc., No. 27-CV-09-18550 (Minn. Dist. Ct. July 17, 2009) (consent judgment). Specifying the NAF as the sole arbitration administrator renders the clause potentially inoperable.
Under the Federal Arbitration Act (“FAA”), 9 U.S.C. §5, when the parties’ designated arbitration forum is unavailable, a court may appoint a substitute arbitrator rather than void the arbitration agreement entirely. Courts have applied §5 to designate the American Arbitration Association (“AAA”) or JAMS as substitutes when the contractually named forum is unavailable. See Green v. SuperShuttle International, Inc., 653 F.3d 766 (8th Cir. 2011); Khan v. Dell Inc., 669 F.3d 350 (3d Cir. 2012).
Practical outcome: A court would likely replace the NAF with the AAA or JAMS under FAA §5, preserving the mandatory arbitration requirement. This substitution, however, may alter the applicable procedural rules, fee schedules, and consumer protections — the AAA’s Consumer Arbitration Rules, for example, include fee caps, venue flexibility, and small-claims procedures that the contract’s original NAF designation may not have contemplated. The substitution is not automatic; it requires judicial intervention, which introduces delay and cost.
Fixed venue in Wilmington, Delaware: Requiring a member in California, Texas, or any distant state to arbitrate in Delaware creates a geographic barrier that may render the clause unconscionable. Courts in multiple jurisdictions have struck down arbitration clauses with distant mandatory venues in consumer contracts. See Nagrampa v. MailCoups, Inc., 469 F.3d 1257, 1287 (9th Cir. 2006) (distant venue contributes to unconscionability); Swain v. Auto Services, Inc., 128 S.W.3d 103 (Mo. Ct. App. 2003) (similar).
Risk Rating: High
While the U.S. Supreme Court has upheld class action waivers in arbitration agreements under the FAA, AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011); Epic Systems Corp. v. Lewis, 584 U.S. 497 (2018), some state courts continue to resist enforcement where the waiver effectively insulates the business from accountability for small-dollar systematic overcharges. See, e.g., Discover Bank v. Superior Court, 36 Cal. 4th 148 (2005) (though largely preempted by Concepcion, the policy concern remains relevant in states testing the boundaries of FAA preemption).
Risk Rating: Moderate
Reducing the limitations period to one year may conflict with state statutes that prescribe longer periods for contract claims (typically 3–6 years). Courts in several states have declined to enforce contractual limitations periods that are unreasonably short relative to the nature of the claim. See, e.g., Cal. Civ. Proc. Code §337 (4-year statute for written contracts); N.Y. C.P.L.R. §213 (6-year statute); Morales v. Sun Constructors, Inc., 541 F.3d 218 (3d Cir. 2008) (contractual limitations period must be reasonable).
Risk Rating: Moderate
The prevailing-party attorneys’ fees clause disproportionately deters consumer claims. A member with a $500 dispute faces the risk of paying the gym’s legal fees if unsuccessful, creating a powerful deterrent against legitimate claims. Some states limit or prohibit fee-shifting against consumers in adhesion contracts. See, e.g., Cal. Civ. Code §1717 (reciprocal attorneys’ fees; but still creates deterrent effect on consumers).
Risk Rating: Moderate
The contract selects Delaware law as the governing law and designates Wilmington, Delaware as the exclusive jurisdiction for non-arbitrable claims. This choice-of-law provision warrants careful analysis:
Delaware indicators: Ironclad Fitness Center is a subsidiary of IronGrip Holdings LLC, registered in Delaware. The corporate address is a P.O. Box in Wilmington. Delaware was likely selected for its business-friendly legal framework and limited consumer protection regulatory apparatus relative to states like California, New York, or Illinois.
Enforceability of choice-of-law in consumer contracts: While parties generally may select governing law under Restatement (Second) of Conflict of Laws §187 (1971) and UCC §1-301, consumer contracts face heightened scrutiny:
Practical effect: The Delaware choice-of-law clause is unlikely to displace mandatory consumer protection statutes in the member’s home state, particularly health club-specific statutes, automatic renewal laws, and biometric privacy laws. A court in the member’s home state would likely apply its own consumer protection laws notwithstanding the contractual choice of Delaware law.
Risk Rating: Moderate (for the contract’s enforceability strategy; this provision does not create direct consumer harm but misrepresents the applicable legal landscape)
The contract claims consent to collect:

- Standard personal and payment information
- Facility usage data
- Biometric data (fingerprints, facial recognition)
- Health information

This combination of data types creates a high-value target for data breaches and imposes heightened legal obligations on the data controller.
Several states have enacted biometric information privacy laws with specific requirements:
| State | Law | Key Requirements | Contract Compliance |
|---|---|---|---|
| Illinois | BIPA, 740 ILCS 14 | Written informed consent, purpose disclosure, retention schedule, destruction policy, private right of action with statutory damages ($1,000–$5,000 per violation) | Likely non-compliant — no purpose limitation, no destruction timeline tied to necessity, no separate written release |
| Texas | CUBI, Tex. Bus. & Com. Code §503.001 | Informed consent, no sale of biometric data, destruction within reasonable time | Partially addressed — consent obtained but data sharing provisions may permit sale |
| Washington | RCW 19.375 | Consent required, no sale/trade without consent | Unclear — broad third-party sharing provision may conflict |
| California | CCPA/CPRA, Cal. Civ. Code §§1798.100–1798.199.100 | Biometric data is “sensitive personal information”; right to limit use, right to delete, disclosure of categories and purposes | Not addressed — no CCPA-required disclosures |
| Colorado | CPA, Colo. Rev. Stat. §6-1-1301 et seq. | Biometric data classified as sensitive; consent required for processing | Not addressed |
| Virginia | VCDPA, Va. Code §59.1-575 et seq. | Consent for processing biometric data; purpose limitation | Not addressed |
| Connecticut | CTDPA, Conn. Gen. Stat. §42-515 et seq. | Consent for sensitive data processing including biometric data | Not addressed |
| Oregon | OCPA, ORS §646A.570 et seq. | Consent for biometric data processing; purpose limitation | Not addressed |
The 3-year post-termination retention period (Contract Section 7.4) may violate Illinois BIPA’s requirement to destroy biometric data when the initial purpose has been fulfilled (i.e., upon membership termination and last facility access). BIPA §15(a) requires a retention schedule and destruction guideline; the contract provides only a flat retention period with no necessity-based destruction trigger. Given BIPA’s private right of action and statutory damages of $1,000 per negligent violation and $5,000 per intentional/reckless violation (Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186), the litigation exposure is substantial for a gym with a large Illinois membership base.
Risk Rating: Critical (in states with biometric privacy laws, particularly Illinois; Moderate in states without such laws)
The contract authorizes sharing personal information — including biometric, health, and payment data — with “affiliated companies, marketing partners, data analytics providers, and other third parties” for “marketing and business purposes.” This broadly worded consent raises multiple concerns:
Consumer protection concerns:

- CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.) requires disclosure of specific categories of data shared and the purposes for each recipient category. The contract’s catch-all language does not satisfy this requirement.
- State consumer protection laws prohibiting deceptive data practices may be implicated by the vague “business purposes” justification.
- FTC enforcement expectations under Section 5 of the FTC Act, 15 U.S.C. §45, require material data sharing disclosures. See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).

Supply-chain security concerns:

- The contract is entirely silent on whether downstream data recipients are subject to data processing agreements (“DPAs”) or equivalent contractual controls.
- There is no requirement that third-party recipients maintain security standards commensurate with the sensitivity of the data received.
- Biometric data and health information shared with “marketing partners” is particularly concerning, as these recipients may not be subject to HIPAA, BIPA, or equivalent regulatory frameworks.
- The absence of sub-processor restrictions means data may be further shared or sold without the member’s knowledge or consent.
- Under CCPA/CPRA, the transfer of personal information to third parties for “marketing purposes” may constitute a “sale” or “sharing” of personal information, triggering additional consumer rights (opt-out of sale, right to know, right to delete). Cal. Civ. Code §§1798.120, 1798.135.

Risk Rating: High
Consent to autodialed calls and prerecorded messages implicates the Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. §227. While contractual consent may satisfy the TCPA’s prior express written consent requirement (47 C.F.R. §64.1200(f)(9)), the bundling of this consent with the membership agreement — rather than obtaining separate, clear consent — has been challenged in TCPA litigation. See Van Patten v. Vertical Fitness Group, LLC, 847 F.3d 1037 (9th Cir. 2017) (examining whether gym membership agreement constitutes valid TCPA consent).
Risk Rating: Moderate
The contract is entirely silent on Ironclad’s obligations in the event of a data breach. Given the sensitivity of the data collected — biometric identifiers, health information, payment card data, and personally identifiable information — this omission is significant.
Legal obligations regardless of contractual silence:

- State breach notification laws: All 50 states, the District of Columbia, and U.S. territories have enacted data breach notification laws requiring entities to notify affected individuals when their personal information is compromised. See, e.g., Cal. Civ. Code §§1798.29, 1798.82; N.Y. Gen. Bus. Law §899-aa; 815 ILCS 530 (Illinois Personal Information Protection Act). Several states impose accelerated notification timelines (e.g., Colorado requires notification within 30 days; Florida within 30 days of determination).
- Biometric data breaches: A breach involving biometric data is particularly severe because, unlike passwords or credit card numbers, biometric identifiers cannot be changed. Once compromised, a fingerprint or facial geometry is permanently exposed. Illinois BIPA does not include a specific breach notification provision, but the underlying data exposure creates irremediable harm to affected individuals and substantial litigation risk under BIPA’s private right of action.
- Health information: While Ironclad is not a HIPAA-covered entity, health information collected during enrollment may be subject to state health data privacy laws (e.g., Washington’s My Health My Data Act, RCW 19.373).

Contractual gaps:

- No commitment to notify members within any specified timeframe following a breach
- No description of incident response procedures
- No commitment to provide credit monitoring, identity theft protection, or other remediation services
- No limitation on Ironclad’s ability to delay notification (absent statutory requirements)
- No description of how a biometric data breach would be handled given the irrevocable nature of the data

Consumer risk: A member whose biometric and health data are compromised has no contractual basis to demand timely notification, remediation, or compensation from Ironclad. While statutory obligations exist, the contractual silence leaves members dependent on regulatory enforcement rather than contractual rights.
Risk Rating: High
The contract is silent on the security measures Ironclad employs to protect collected data. There is no reference to encryption standards, access controls, security audit practices, employee training, or any other technical or organizational safeguard.
Significance for biometric and health data:

- Biometric data is irrevocable — unlike passwords or payment card numbers, a compromised fingerprint or facial geometry cannot be reset. This characteristic demands heightened technical safeguards, including encryption at rest and in transit, access control limitations, and regular security assessments.
- Illinois BIPA §15(e) requires that biometric data be stored, transmitted, and protected “using the reasonable standard of care within [the entity’s] industry” and “in a manner that is the same as or more protective than the manner in which the [entity] stores, transmits, and protects other confidential and sensitive information.” The contract provides no assurance that this standard is met.
- Health information, even outside the HIPAA context, is classified as sensitive under CCPA/CPRA, VCDPA, CPA, and other state privacy frameworks, requiring reasonable security measures.

Regulatory expectations:

- The FTC has consistently held under Section 5 of the FTC Act that entities collecting sensitive consumer data must implement reasonable security measures. FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015); FTC v. D-Link Systems, Inc., No. 3:17-cv-00039 (N.D. Cal. 2017).
- Several state data security laws impose affirmative obligations to implement reasonable safeguards. See, e.g., Cal. Civ. Code §1798.81.5; Mass. Gen. Laws ch. 93H, §2; 201 CMR 17.00 (Massachusetts data security regulations, among the most prescriptive).

Consumer risk: Without contractual commitments to specific security controls, members have no baseline against which to evaluate the adequacy of Ironclad’s data protection practices and no contractual remedy for failures of security short of an actual breach with demonstrable harm.
Risk Rating: High
Contract Section 2.3 requires the member to maintain a valid payment method on file and authorizes Ironclad to store and repeatedly charge that method, including up to five re-processing attempts per billing cycle. This raises concerns under the Payment Card Industry Data Security Standard (“PCI DSS”), currently version 4.0 (effective March 2024, with full enforcement of all requirements by March 31, 2025).
Persistent card storage: Storing payment card data on file requires compliance with PCI DSS requirements for data protection, including:

- Requirement 3: Protect stored account data — card numbers must be rendered unreadable (encryption, truncation, tokenization, or hashing) wherever stored
- Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
- Requirement 7: Restrict access to cardholder data to authorized personnel on a need-to-know basis
- Requirement 9: Restrict physical access to cardholder data
- Requirement 12: Maintain an information security policy

Re-attempt mechanism: The authorization to attempt payment processing up to six times (initial + five re-attempts) per billing period interacts with card network rules. Visa and Mastercard have implemented reattempt frameworks limiting the number and frequency of retries on declined transactions:

- Visa’s Transaction Acceptance Procedures limit re-attempts on certain decline codes (e.g., code 05 — Do Not Honor)
- Mastercard’s Automatic Billing Updater and reattempt rules limit retries and impose monitoring program fees for merchants with excessive decline rates

The contract’s blanket authorization of five re-attempts, without distinguishing among decline reason codes, may conflict with card network rules and could result in Ironclad being enrolled in monitoring programs or facing penalties from acquirers.
Consumer risk: The contract does not disclose whether Ironclad is PCI DSS compliant, what level of compliance it maintains, or how payment data is secured. A breach of stored payment card data exposes members to financial fraud.
Risk Rating: High
Contract Section 7.4 addresses only biometric data retention (3 years post-termination). The contract is silent on retention periods for all other categories of sensitive data:
| Data Type | Stated Retention Period | Data Minimization Concern |
|---|---|---|
| Biometric data | 3 years post-termination | Excessive — purpose (facility access) ceases at termination; BIPA requires destruction when purpose is fulfilled |
| Health information | Not stated | Indefinite retention of health data without purpose limitation violates data minimization principles |
| Payment card data | Not stated | PCI DSS Requirement 3.1 requires retention policies limiting storage to business necessity; post-termination storage of full card data has no legitimate purpose |
| Facility usage data | Not stated | Behavioral data retained post-termination without limitation or purpose |
| Personal information (name, address, email, phone) | Not stated | Reasonable retention for legal/tax purposes, but indefinite retention is disproportionate |
Data minimization principles: CCPA/CPRA (Cal. Civ. Code §1798.100(c)) requires that personal information collected be “reasonably necessary and proportionate” to the stated purposes. GDPR Article 5(1)(e) (applicable to EU-resident members) requires data be “kept in a form which permits identification of data subjects for no longer than is necessary.” While GDPR may have limited direct applicability, its principles inform best practices and are reflected in emerging U.S. state privacy laws (Colorado, Virginia, Connecticut, Oregon).
The contract’s silence on retention of non-biometric data effectively permits indefinite retention, which conflicts with applicable data minimization requirements and unnecessarily extends the duration of member exposure to breach risk.
Risk Rating: High
Ironclad reserves the right to modify any contract terms at any time with only 30 days’ notice posted at the facility or online. This provision, combined with the auto-renewal clause and cancellation restrictions, means:
This creates a fundamentally illusory contract: the gym’s promises are not binding because they can be unilaterally modified, while the member’s obligations are fixed and enforceable. Courts have found such provisions unconscionable. See Ingle v. Circuit City Stores, Inc., 328 F.3d 1165, 1172–73 (9th Cir. 2003); Harris v. Green Tree Financial Corp., 183 F.3d 173, 181 (3d Cir. 1999).
Intersection with data privacy provisions: The unilateral modification clause applies to the entire agreement, including the data collection, sharing, and retention provisions in Contract Section 7. This means Ironclad could unilaterally expand the scope of data collection, broaden third-party sharing, extend retention periods, or introduce new data uses — with the member’s only option being cancellation (subject to the 90-day notice, certified mail, and ETF barriers). This effectively nullifies the member’s data privacy “consent” because the terms to which they consented can be changed without re-consent. This is inconsistent with the affirmative consent requirements of BIPA (740 ILCS 14/15(b)), CCPA/CPRA opt-in requirements for sensitive data, and the consent frameworks in Colorado, Virginia, and Connecticut privacy laws.
Risk Rating: Critical
The severability clause states: “If any provision of this Agreement is found invalid or unenforceable, the remaining provisions shall remain in full force and effect.”
Analysis and practical implications:
Standard severability clauses are generally enforceable, but their operation is not automatic and courts retain discretion in their application:
Blue-pencil limitations: Courts in many jurisdictions apply the “blue-pencil” doctrine, which permits severance of discrete provisions but not judicial rewriting of terms. If a provision is so intertwined with other terms that severing it alters the fundamental nature of the bargain, courts may decline to sever. See, e.g., Booker v. Robert Half International, Inc., 413 F.3d 77 (D.C. Cir. 2005).
Pervasive unconscionability exception: When multiple provisions are found unconscionable, courts may find that the contract is “permeated” with unconscionability such that severance of individual clauses would not cure the defect. In such cases, the court may void the contract entirely rather than piece it together from the remaining enforceable provisions. See Armendariz v. Foundation Health Psychcare Services, Inc., 24 Cal. 4th 83, 124 (2000) (“an arbitration agreement permeated by unconscionability should simply be voided”); Razor v. Hyatt International Corp., 351 Ill. App. 3d 146 (2004).
Implication for this contract: Given the number of provisions identified in this report as likely unenforceable (see Section 15), a court could reasonably conclude that the Ironclad contract is permeated with unconscionable terms. If the ETF clause (Contract Section 3.1), the cancellation restriction (Contract Section 1.2–1.3), the unilateral modification clause (Contract Section 8.4), the biometric data provisions (Contract Section 7.1, 7.4), and the arbitration venue clause (Contract Section 6.1) were all severed, the remaining contract would represent a substantially different bargain from what Ironclad intended. A court might exercise its equitable discretion to void the agreement in its entirety rather than enforce a patchwork of surviving terms.
Strategic implication: The severability clause may give Ironclad a false sense of legal security. Including clearly unenforceable provisions (e.g., the death processing fee, certified-mail-only cancellation) alongside the severability clause creates a “litigation lottery” dynamic — Ironclad benefits from the deterrent effect of aggressive terms against consumers who do not challenge them, while relying on severability to salvage the contract against consumers who do. Courts have recognized and criticized this strategy. See Samaniego v. Empire Today, LLC, 205 Cal. App. 4th 1138, 1149 (2012).
Risk Rating: Moderate (the severability clause itself is standard; the risk lies in its potential to be overridden by a pervasive unconscionability finding)
The “irrevocable, perpetual, worldwide, royalty-free” license to use a member’s likeness is extraordinarily broad:
Risk Rating: High
The gym may freely assign the contract; the member may not. This is standard in commercial contracts but means a member could find their agreement assigned to a completely different gym operator with different facilities, equipment, and service quality, with no ability to cancel.
Risk Rating: Moderate
The contract is entirely silent on the following scenarios:
Permanent facility closure: The contract does not address member rights or remedies if Ironclad permanently closes the member’s home facility (or all facilities). Contract Section 2.5 provides that Ironclad has “no obligation to provide refunds for … temporary closures of less than fourteen (14) consecutive days,” but does not address permanent closure. Under Contract Section 4.1, membership is limited to the home facility unless the member pays for multi-club access. If the home facility closes, the member arguably receives no consideration for continued payments, yet the contract provides no cancellation right, refund mechanism, or obligation to provide access at an alternative location.
State health club statutes frequently address this gap:
- California (Cal. Civ. Code §1812.84): Health clubs must maintain a bond or establish an escrow account to protect members against closure. Members are entitled to refunds of prepaid amounts upon permanent closure.
- New York (N.Y. Gen. Bus. Law §622): Health clubs must post a surety bond. Upon permanent closure, members may file claims against the bond.
- Illinois (815 ILCS 645/5): Requires a surety bond and prohibits collection of fees during any period of closure.
- Ohio (Ohio Rev. Code §1345.41): Requires a bond and provides refund rights upon closure.
- Massachusetts (Mass. Gen. Laws ch. 93, §79): Bonding requirement.
The contract’s silence on permanent closure obligations does not eliminate these statutory requirements, but the absence of any contractual commitment increases the risk that members in states without health club bonding statutes would have no practical remedy.
Bankruptcy: If Ironclad or IronGrip Holdings LLC files for bankruptcy, prepaid membership fees would likely be treated as unsecured claims under 11 U.S.C. §507 (Bankruptcy Code priority scheme). Pre-petition membership payments are general unsecured claims with low recovery priority. Members locked into 36-month contracts who have prepaid (or are subject to automatic billing) during a bankruptcy case may continue to be charged while receiving degraded or no services, with their contractual cancellation rights potentially stayed by the automatic stay under 11 U.S.C. §362.
Force majeure: The contract contains no force majeure clause and no excuse for non-performance due to events beyond either party’s control (pandemics, natural disasters, government orders, utility failures). The COVID-19 pandemic demonstrated the significance of this omission in the fitness industry, where prolonged government-mandated closures left members obligated under gym contracts with no express contractual remedy. Courts reached varying conclusions on whether common-law doctrines of impossibility, impracticability, or frustration of purpose excused members’ payment obligations absent a contractual force majeure clause. A well-drafted contract should allocate this risk explicitly.
Risk Rating: High
Important disclaimers: The following table is illustrative and does not represent an exhaustive survey of all U.S. state health club statutes. States were selected based on the prevalence and specificity of their health club regulatory frameworks and the likelihood that Ironclad operates facilities within those states. The analysis reflects statute text as of the legal authority cutoff date (April 5, 2026) and does not account for pending legislation, recent amendments not yet effective, or state-level regulatory guidance or enforcement actions not captured in statutory text. Members in states not listed below may nonetheless have protections under general consumer protection statutes, common-law doctrines, or other regulatory frameworks. This table should not be relied upon as a substitute for jurisdiction-specific legal advice.
| Provision | States with Likely Conflicts | Nature of Conflict | Relevant Statutes |
|---|---|---|---|
| 36-month initial term | CA, NY, OH, IL, MA, NJ, WI | Many states cap health club contract terms at 12–36 months or require month-to-month options | Cal. Civ. Code §1812.85; N.Y. Gen. Bus. Law §623; Ohio Rev. Code §1345.42; 815 ILCS 645/3 |
| Certified-mail-only cancellation | CA, NY, IL, CO, CT, OR | States require acceptance of electronic, written, or in-person cancellation | Cal. Civ. Code §1812.85(b); N.Y. Gen. Bus. Law §625; 815 ILCS 645/11 |
| 90-day cancellation notice period | NY, IL, MA, NJ | Typical statutory maximums are 30–60 days | N.Y. Gen. Bus. Law §625; 815 ILCS 645/11 |
| 75% early termination fee | CA, NY, OH, IL, MN, WI | Many states cap ETFs or require prorated refunds | Cal. Civ. Code §1812.89; N.Y. Gen. Bus. Law §625; Ohio Rev. Code §1345.42 |
| $75 death processing fee | CA, NY, IL, OH, MA | Several states prohibit fees upon member death | Cal. Civ. Code §1812.89; N.Y. Gen. Bus. Law §625 |
| Non-refundable fee policy during closures | CA, NY, MA, CT | Prorated refunds or extensions required | Cal. Civ. Code §1812.89; N.Y. Gen. Bus. Law §627; Mass. Gen. Laws ch. 93, §80 |
| No cooling-off period disclosed | CA, NY, IL, OH, MI, NJ | Many states mandate a 3–5 day right to cancel with full refund (see Section 11.1 below) | Cal. Civ. Code §1812.85; N.Y. Gen. Bus. Law §624; 815 ILCS 645/3; Ohio Rev. Code §1345.42 |
| No bonding/registration disclosure | CA, NY, IL, OH, MA | Many states require health clubs to post surety bonds and register with the state | Cal. Civ. Code §1812.84; N.Y. Gen. Bus. Law §622; 815 ILCS 645/5 |
The contract does not include a right-of-rescission or cooling-off period disclosure. This is a distinct legal requirement arising from two separate sources that should not be conflated:
State health club rescission statutes: Many states mandate a statutory right to cancel a health club contract within a specified period (typically 3–5 business days) after signing, with a full refund of all payments. This right exists regardless of where the contract was signed and is specific to the health club industry. See, e.g., Cal. Civ. Code §1812.85 (5 business days); N.Y. Gen. Bus. Law §624 (3 business days); 815 ILCS 645/3 (3 business days); Ohio Rev. Code §1345.42 (3 business days). These statutes typically require that the contract prominently disclose this right and that the disclosure appear in a specific form (often bold or conspicuous type near the signature line). Failure to include the required disclosure may extend the rescission period indefinitely until proper notice is given.
FTC Cooling-Off Rule (16 C.F.R. §429): This federal rule provides a 3-day right of cancellation for sales made at locations other than the seller’s permanent place of business (e.g., door-to-door sales, health fairs, off-site promotions). If any Ironclad memberships are sold at temporary locations, events, or outside a permanent retail location, the FTC Cooling-Off Rule independently requires a cancellation notice. The FTC rule is narrower in scope than state health club statutes (it does not apply to contracts signed at the gym itself) but broader in its industry application.
The absence of any rescission disclosure in this contract likely violates state health club statutes in the majority of states where Ironclad operates, and may also violate the FTC Cooling-Off Rule for off-premises enrollments.
Risk Rating: Critical
The following comparison segments the market by gym tier to provide appropriate context. Ironclad’s pricing and contract terms position it at or above the premium tier, while its contractual rigidity substantially exceeds all tiers.
| Feature | Ironclad Contract | Budget Tier | Mid-Tier | Premium Tier |
|---|---|---|---|---|
| Initial term | 36 months | Month-to-month | 1–12 months | 12 months |
| Auto-renewal term | 12 months | Month-to-month | Month-to-month | Month-to-month |
| Cancellation notice | 90 days, certified mail | 30 days, any form | 30 days, written | 30–45 days, written |
| Monthly fee | $102.41 effective | $10–$25 | $30–$60 | $80–$200+ |
| Early termination fee | 75% of remaining or $500 min. | None (no term) | $50–$150 flat | $150–$250 or buyout of 1–2 months |
| Medical exception | Freeze only, $25/mo, max 3 months, extends term | Cancellation permitted | Cancellation with documentation | Cancellation or extended freeze at no cost |
| Arbitration venue | Wilmington, DE (fixed) | Rare in this tier | Local venue or member’s state | Local venue |
| Biometric data collection | Required, retained 3 years post-termination | Typically none | Typically optional | Optional, disclosed separately |
| Annual enhancement fee | $149.00 | None | Uncommon ($0–$50) | $0–$100 |
- Budget tier examples: Planet Fitness (month-to-month, $10–$25/month), Crunch Fitness (basic tier).
- Mid-tier examples: LA Fitness (12-month contracts typical, $30–$50/month), 24 Hour Fitness, Gold’s Gym.
- Premium tier examples: Equinox ($200+/month, 12-month terms), Life Time Fitness ($100–$200/month), Orangetheory Fitness.
Data sources: Tier classifications and fee ranges are based on publicly available membership pricing as of early 2026, consumer reporting (Consumer Reports, Wirecutter), and industry surveys (IHRSA/Health & Fitness Association Global Report 2025). Specific pricing varies by location and promotional offers.
Ironclad’s terms are substantially more restrictive and punitive than prevailing industry practices across every measured dimension. The contract demands premium-tier (or above) pricing through the effective monthly cost of $102.41, while imposing contractual restrictions that are more aggressive than any tier — including a term length (36 months) and auto-renewal commitment (12-month renewal, 90-day notice, certified mail only) that no major competitor requires.
Under the common-law doctrine of unconscionability, a court may refuse to enforce a contract or specific provisions if they are both procedurally and substantively unconscionable. See Williams v. Walker-Thomas Furniture Co., 350 F.2d 445 (D.C. Cir. 1965); Armendariz v. Foundation Health Psychcare Services, Inc., 24 Cal. 4th 83 (2000); UCC §2-302.
As analyzed in Section 10.2, the severability clause (Contract Section 8.2) may not rescue this contract. When multiple provisions are independently unconscionable, courts may decline to sever individual clauses and instead void the contract as permeated with unconscionability. See Armendariz, 24 Cal. 4th at 124; Razor v. Hyatt International Corp., 351 Ill. App. 3d 146 (2004). This report identifies five provisions at the Critical risk level and eight at the High risk level (see Section 15). The breadth and severity of the problematic provisions strengthen the argument for a pervasive unconscionability finding.
A court presented with the totality of these provisions would likely find multiple clauses unconscionable and unenforceable. The contract’s pervasive one-sidedness — particularly the combination of the ETF, certified-mail-only cancellation, unilateral modification, silence on data security and breach notification, and biometric data provisions — creates a substantial risk that the contract would be voided in its entirety rather than selectively enforced under the severability clause.
Contract Section 2.3(d) provides that Ironclad may refer delinquent accounts to a third-party collection agency, with the member agreeing to pay “all collection costs, including agency fees of up to 40% of the outstanding balance.”
FDCPA analysis: The Fair Debt Collection Practices Act, 15 U.S.C. §§1692–1692p, applies to third-party debt collectors (not to Ironclad directly as the original creditor, unless it uses a different name for collection purposes — 15 U.S.C. §1692a(6)). However:
Permissible collection amounts: Under 15 U.S.C. §1692f(1), a debt collector may not collect any amount “unless such amount is expressly authorized by the agreement creating the debt or permitted by law.” While the contract does authorize 40% agency fees, courts scrutinize whether such provisions in adhesion contracts are enforceable. A 40% surcharge on a debt that may already include $35 declined payment fees and 18% APR interest could be found unconscionable as applied. See Seeger v. AFNI, Inc., 548 F.3d 1107 (7th Cir. 2008).
State collection cost limitations: Several states limit the amount of collection costs that may be contractually imposed. See, e.g., Colo. Rev. Stat. §5-5-111 (limits reasonable attorney fees on consumer debts); Wis. Stat. §427.104(1)(g) (prohibits unconscionable collection practices).
Practical exposure: For a member who misses three months of payments ($269.97), potential exposure under the contract’s penalty structure includes:
Risk Rating: High
| # | Finding | Report Section |
|---|---|---|
| 1 | Auto-renewal cancellation procedure (certified mail only, 90-day notice) likely violates FTC Click-to-Cancel rule and multiple state automatic renewal statutes | §4.2, §4.3 |
| 2 | Early termination fee (75% of remaining balance) likely unenforceable as a penalty clause and in violation of state health club ETF caps | §6.1 |
| 3 | Unilateral modification clause combined with member lock-in creates an illusory contract; extends to data privacy terms, negating consent | §10.1 |
| 4 | Biometric data practices likely non-compliant with BIPA and equivalent state laws | §9.2 |
| 5 | Missing cooling-off period disclosure violates numerous state health club statutes and potentially the FTC Cooling-Off Rule for off-premises enrollment | §11.1 |
| 6 | Unilateral price increase authority with no cap while member is locked into a 36-month term | §5.4 |
| 7 | Overall unconscionability assessment — contract permeated with unconscionable terms, severability clause may not cure | §13 |

| # | Finding | Report Section |
|---|---|---|
| 8 | Death processing fee ($75) ethically and legally problematic | §6.4 |
| 9 | Photo/video release overbroad and irrevocable | §10.3 |
| 10 | Arbitration venue fixed in Delaware creates geographic barrier; NAF designation outdated and inoperable (FAA §5 substitution likely) | §8.1 |
| 11 | Medical hardship provision punitive rather than accommodating | §6.2 |
| 12 | Declined payment penalty cascade disproportionate to actual costs; ambiguous per-attempt vs. per-cycle application | §5.3 |
| 13 | Relocation exception includes 60-day facility use disqualifier | §6.3 |
| 14 | Annual Enhancement Fee obscures true membership cost | §5.2 |
| 15 | Contract silent on data breach notification obligations and incident response | §9.5 |
| 16 | Contract silent on data security controls for biometric, health, and payment data | §9.6 |
| 17 | PCI DSS compliance concerns with persistent card storage and re-attempt mechanism | §9.7 |
| 18 | Third-party data sharing lacks supply-chain security controls (DPAs, downstream requirements) | §9.3 |
| 19 | Post-termination data retention unlimited for non-biometric data types | §9.8 |
| 20 | No remedy for permanent closure, bankruptcy, or force majeure events | §10.5 |
| 21 | Collection surcharge of up to 40% potentially unconscionable and subject to FDCPA and state law limitations | §14 |

| # | Finding | Report Section |
|---|---|---|
| 22 | Fee-shifting clause deters legitimate consumer claims | §8.4 |
| 23 | Shortened statute of limitations (1 year) may conflict with state law | §8.3 |
| 24 | Broad data-sharing authorization lacks CCPA-compliant specificity | §9.3 |
| 25 | One-way assignment clause | §10.4 |
| 26 | TCPA consent bundled with membership agreement | §9.4 |
| 27 | Class action waiver (enforceable under Concepcion / Epic Systems but remains policy concern) | §8.2 |
| 28 | Non-refundable fee policy during temporary closures | §5.5 |
| 29 | Negligence liability waiver (enforceable in many states, void in some) | §7.1 |
| 30 | Indemnification clause in consumer adhesion context | §7.2 |
| 31 | Delaware choice-of-law unlikely to displace mandatory home-state consumer protections | §8.5 |
| 32 | Severability clause may be overridden by pervasive unconscionability finding | §10.2 |
The Ironclad Fitness Center Membership Agreement represents an extreme example of a consumer-hostile adhesion contract. It systematically maximizes the member’s financial obligations and legal exposure while minimizing the business’s accountability and the member’s ability to exit the relationship. Multiple provisions are likely unenforceable under existing federal and state law, and the contract as a whole presents significant unconscionability risk. The contract’s silence on data breach notification, data security controls, permanent closure remedies, and force majeure allocation — combined with its aggressive collection of biometric, health, and payment data — creates consumer risk exposure that extends well beyond the financial terms. A consumer considering this agreement should be advised to seek legal counsel before signing, and a consumer who has signed should be aware that many of these provisions may not withstand legal challenge in their home jurisdiction.