Privacy Policy
Last Updated: January 2025
1. Introduction
Welcome to our gym management platform. We are committed to protecting your personal information and your right to privacy. This privacy policy explains what information we collect, how we use it, and what rights you have in relation to it.
This policy applies to all users of our platform, including gym owners, managers, instructors, members, and dependents. We comply with applicable federal and state privacy laws, including the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and other applicable state and federal regulations.
2. Information We Collect
Categories of Personal Information
We collect the following categories of personal information:
- Identifiers: Name, email address, phone number, postal address, unique personal identifier, online identifier, IP address, account name
- Personal Information (as defined by Cal. Civ. Code § 1798.80): Name, signature (digital waiver signatures), address, telephone number, date of birth, emergency contact information
- Protected Classifications: Age, date of birth, gender (optional)
- Commercial Information: Records of products or services purchased, membership plans, billing history, payment methods, merchandise purchases
- Biometric Information: Profile photos (if uploaded)
- Internet or Network Activity: Browsing history on our platform, login activity, session information, device information, browser type
- Geolocation Data: Gym location associated with your membership
- Professional Information: Role (owner, instructor, manager, member)
- Education Information: Belt rank and training progression (for martial arts gyms)
- Inferences: Profile reflecting preferences, behavior, and training habits
Sources of Information
- Directly from you when you create an account or update your profile
- From your gym administrator when they create or manage your account
- From guardians when they add dependents
- Automatically through your use of the platform (cookies, logs)
- From third-party authentication providers (Clerk)
- From payment processors (Stripe)
3. How We Use Your Information
We use your personal information for the following business and commercial purposes:
- Provide Services: Account creation, authentication, gym management, class scheduling, check-in tracking, membership management
- Process Transactions: Billing, payment processing, subscription management, invoice generation, merchandise sales
- Communications: Service notifications, membership updates, class reminders, billing notices, administrative messages
- Safety and Compliance: Waiver management, age verification, guardian consent for minors
- Platform Improvement: Analytics, feature development, bug fixes, performance optimization
- Security: Fraud prevention, account security, authentication
- Legal Compliance: Responding to legal requests, enforcing terms of service, protecting rights and safety
4. Information Sharing and Disclosure
We Share Information With:
- Your Gym: Your gym administrators, owners, and instructors can access your membership information, attendance records, and profile data
- Service Providers:
  - Clerk - Authentication and user management
  - Stripe - Payment processing and billing
  - AWS S3 / Cloudflare R2 - Secure file and image storage
- Legal Obligations: Law enforcement, government agencies, or other third parties when required by law or to protect rights and safety
- Business Transfers: In connection with a merger, acquisition, or sale of assets
We Do NOT:
- Sell your personal information to third parties
- Share your information for cross-context behavioral advertising
- Use tracking or analytics cookies
- Share your information with data brokers
5. Cookies and Tracking Technologies
Essential Cookies Only
We use essential authentication cookies that are strictly necessary for our platform to function. These cookies:
- Keep you signed in to your account
- Remember your gym selection and session preferences
- Maintain security and prevent unauthorized access
- Enable core platform functionality
Important: Cookies must be enabled in your browser to use this service. We do not use analytics, advertising, or tracking cookies. We do not track your activity across other websites.
Do Not Track
Because we do not track users across websites or use advertising cookies, Do Not Track signals do not affect our data collection practices. We only use essential cookies regardless of your Do Not Track settings.
6. Data Retention
We retain your personal information for as long as necessary to provide our services and fulfill the purposes described in this policy. Specific retention periods:
- Active Accounts: While your account is active and for a reasonable period after account closure
- Financial Records: 7 years to comply with tax and accounting requirements
- Waivers: According to state liability law requirements (typically 7 years)
- Communications: As long as necessary for customer service purposes
- Legal Holds: As required by law, litigation, or regulatory investigation
You may request deletion of your personal information at any time, subject to legal retention requirements.
7. Your Privacy Rights
General Rights (All Users)
- Right to Access: Request a copy of the personal information we hold about you
- Right to Correction: Correct inaccurate or incomplete personal information
- Right to Deletion: Request deletion of your personal information
- Right to Data Portability: Receive your data in a portable format
- Right to Opt-Out: Opt out of non-essential communications
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights:
- Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties with whom shared
- Right to Delete: Request deletion of personal information, subject to exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information, so no opt-out is necessary
- Right to Limit Sensitive Personal Information: We do not use sensitive personal information for purposes requiring an opt-out
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
- Authorized Agents: You may designate an authorized agent to make requests on your behalf
Virginia, Colorado, Connecticut, and Utah Residents
If you are a resident of Virginia, Colorado, Connecticut, or Utah, you have similar rights to those described above, including:
- Right to confirm whether we process your personal data
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to delete your personal data
- Right to obtain a copy of your personal data
- Right to opt out of processing for targeted advertising (we do not engage in this)
- Right to opt out of sales of personal data (we do not sell your data)
- Right to appeal our decision regarding your privacy request
How to Exercise Your Rights
To exercise any of these rights:
- Contact your gym administrator through the platform
- Email us at [Contact Email - to be added by lawyer]
- Submit a request through your account settings (for certain requests)
We will respond to verifiable requests within 45 days (or as required by applicable state law). We may need to verify your identity before processing your request.
8. Data Security
We implement commercially reasonable security measures to protect your personal information, including:
- Encryption: HTTPS/SSL encryption for all data transmission, encrypted storage for sensitive data
- Authentication: Secure authentication through Clerk with industry-standard protocols
- Payment Security: PCI-DSS compliant payment processing through Stripe - we do not store credit card information
- Access Controls: Role-based access control, limited employee access to personal information
- Monitoring: Regular security audits, vulnerability assessments, and updates
- Data Backup: Regular backups with secure storage
Data Breach Notification
In the event of a data breach that compromises your personal information, we will notify you and relevant authorities as required by applicable law. Notification will be provided without unreasonable delay and will include information about the breach, affected data, and steps you can take to protect yourself.
9. Children's Privacy
COPPA Compliance
Our service allows minors under 13 to be added as dependents by their parents or legal guardians. We comply with the Children's Online Privacy Protection Act (COPPA):
- Parental Consent: We require verifiable parental/guardian consent before collecting personal information from children under 13
- Limited Collection: We collect only information necessary for gym membership and services (name, date of birth, emergency contact)
- No Marketing: We do not market to children or use their information for advertising
- Parental Rights: Parents/guardians may review, delete, or refuse further collection of their child's information at any time
- Guardian Access: Parents/guardians have full access to their dependent's account and information
- No Public Profiles: Dependent accounts are not publicly visible
Minors Under 18
For minors between 13 and 18, we may allow account creation with parental consent or direct signup with guardian oversight depending on state law. Parents/guardians can always access and manage their minor child's account.
10. Third-Party Services
We use the following trusted third-party services that have access to your personal information:
Service Providers
- Clerk (clerk.com): Authentication and user management. Clerk processes authentication credentials and user identity information. Review their privacy policy at clerk.com/privacy
- Stripe (stripe.com): Payment processing, billing, and subscription management. Stripe processes payment information according to PCI-DSS standards. Review their privacy policy at stripe.com/privacy
- AWS S3 / Cloudflare R2: Secure cloud storage for files, images, and documents. Review privacy policies at aws.amazon.com/privacy and cloudflare.com/privacypolicy
These service providers are contractually obligated to protect your information and may only use it to provide services to us. They have their own privacy policies governing their data practices. We carefully select service providers who meet high privacy and security standards and comply with applicable privacy laws.
Third-Party Links
Our platform may contain links to third-party websites (such as payment portals). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.
11. Multi-Tenant Architecture
Our platform serves multiple gyms (tenants) with data isolation between organizations:
- Data Isolation: Your gym's data is logically separated from other gyms
- Gym Access: Only users associated with your gym can access your membership and attendance data
- Gym Switching: If you have memberships at multiple gyms, you can switch between gym contexts
- Gym Owner Control: Gym owners control access permissions for their gym's data
12. International Users
Our services are provided from the United States. If you are accessing our platform from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where our servers are located and our central database is operated.
The United States may not have the same data protection laws as your jurisdiction. By using our services, you consent to the transfer of your information to the United States and processing in accordance with this privacy policy and applicable US law.
13. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you through the platform or via email
- For material changes affecting your rights, we may require renewed consent
- California residents will receive notice as required by CCPA
We encourage you to review this policy periodically. Continued use of our services after changes constitutes acceptance of the updated policy.
14. Contact Information
If you have questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:
Privacy Inquiries:
Ossware, LLC
[Address - to be added]
Email: [Privacy Contact Email - to be added]
Phone: [Phone Number - to be added]
For Gym-Specific Issues:
For questions about how your specific gym handles your data, please contact your gym administrator through the platform or directly at your gym.
State-Specific Rights Requests:
To exercise your privacy rights under California, Virginia, Colorado, Connecticut, or Utah law, please use the contact information above or submit a request through your account settings.
Appeals (VA, CO, CT, UT Residents):
If we decline your privacy rights request and you are a resident of Virginia, Colorado, Connecticut, or Utah, you have the right to appeal our decision. To appeal, please contact us using the information above within 30 days of our decision.
15. State-Specific Disclosures
California
Notice of Collection: We collect the categories of personal information listed in Section 2 for the purposes described in Section 3. We do not sell or share your personal information.
Shine the Light Law: California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
California Minors: Users under 18 may request removal of content they posted. Contact us using the information in Section 14.
Nevada
Nevada residents: We do not sell your personal information as defined by Nevada law. If you have questions, contact us using the information in Section 14.
Other States
We will comply with all applicable state privacy laws as they take effect. If your state has enacted privacy legislation, you may have rights similar to those described in Section 7.
By using this platform, you acknowledge that you have read and understood this privacy policy and agree to its terms.
This privacy policy should be reviewed by legal counsel before deployment. Bracketed sections [like this] require completion with company-specific information.