Yes that’s absolutely what will happen. They likely have language in the contract you signed allowing them to do just that.
You are paying for access to the gym. They don’t have to provide you access via a card or a list or an app - they probably specify that they can refuse access for a variety of reasons, including “safety and privacy” or some shit they can shoehorn an app into. You don’t have a legal right to access a place via the mechanism you choose.
It is apparently used for emergency location https://discuss.grapheneos.org/d/746-imsservice-system-app-accesses-location-consistently
Most things you share will be static. These are things like news articles and webcomics where the output of the page is always the same no matter what you do. Things like Google searches or YouTube links that are different depending on some way you interact with the site are dynamic. If you search for “apples” in Google you’ll get different results than if you search for “oranges.” If you share the apple search with someone, your apple text will be coded as a parameter after the ?. If you strip that off they’d go to google.com and not see any apples. Trackers and other surveillance tools are also captured in the query params, so for dynamic content it can be tricky to know which params to remove and which to keep. For static content you can just remove them all because the content doesn’t change based on the params you pass it.
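The static/dynamic distinction in the comment above, as an added JavaScript example that is not part of the original comment: static links lose every query parameter, dynamic links keep only the parameters that select the content. The per-host allowlist, the tracker list (not exhaustive) and the sample URLs are constructed for illustration.

```javascript
// Added example. Tracker names below are common ones, not a complete list.
const TRACKING_PARAMS = new Set(["fbclid", "gclid", "msclkid", "igshid"]);
const TRACKING_PREFIXES = ["utm_"];

// Assumed allowlist: params that decide what the page shows, per host.
// A Map avoids accidental hits on Object.prototype keys such as "constructor".
const CONTENT_PARAMS = new Map([
  ["www.google.com", new Set(["q"])],
  ["www.youtube.com", new Set(["v", "t", "list"])],
]);

function isTracker(name) {
  const k = name.toLowerCase();
  return TRACKING_PARAMS.has(k) || TRACKING_PREFIXES.some((p) => k.startsWith(p));
}

// isStatic: the caller knows the page is the same for everyone (article, comic).
function cleanShareUrl(raw, { isStatic = false } = {}) {
  const url = new URL(raw); // throws on malformed input
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new TypeError("only http(s) links are handled");
  }
  if (isStatic) {
    url.search = ""; // static content: drop everything after the "?"
    return url.toString();
  }
  const allow = CONTENT_PARAMS.get(url.hostname);
  // Copy the keys first: deleting while iterating searchParams skips entries.
  for (const key of [...url.searchParams.keys()]) {
    // Known host: keep only allowlisted params. Unknown host: drop known trackers.
    const drop = allow ? !allow.has(key) : isTracker(key);
    if (drop) url.searchParams.delete(key);
  }
  return url.toString();
}

// Constructed sample links.
console.log(cleanShareUrl("https://www.google.com/search?q=apples&gclid=abc&session_tag=xyz"));
console.log(cleanShareUrl("https://news.example/story/42?utm_source=feed&ref=home#top", { isStatic: true }));
console.log(cleanShareUrl("https://shop.example/list?page=2&utm_medium=email&fbclid=zzz"));
```

On a host that is not in the allowlist the function can only remove trackers it knows by name, which is the "tricky" case the comment describes.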
If they are checking data brokers or aggregators it’s not really a background check. Carefully read any consent you give for a potential employer to perform a background check. Look for the records they are accessing and make a determination based on that language.
It is possible that some vendor in the space incorporates data brokers into their service, and that’s hard to tell. But they still should ask for your consent, I believe.