Privacy Policy
Last updated: February 2026
This Privacy Policy describes how SupaHit (“we,” “us,” or “our”) collects, uses, shares, and protects your personal information when you use the SupaHit mobile app, VDojo web platform, and our website at supahit.com (collectively, the “Service”). We also maintain a separate Consumer Health Data Privacy Policy that covers health-related data as required by applicable state laws.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, and password (stored as a cryptographic hash — we never store plaintext passwords). Dojo owners also provide their school name, address, phone number, and contact details during the VDojo setup process.
1.2 Profile Information
You may optionally provide a profile photo (avatar), martial arts disciplines, belt/rank history, and training preferences.
1.3 Training and Activity Data
We collect data you voluntarily log, including:
- Training sessions (date, duration, type, notes, training partners)
- Belt/rank progression and promotion history
- Goals and goal progress
- Class attendance and booking records
- Gamification data (XP, streaks, achievements)
1.4 Health-Related Data
If you use our injury tracking feature, we collect injury data including affected body area, severity, description, and recovery status. This data is classified as consumer health data under certain state laws. Please see our Consumer Health Data Privacy Policy for detailed information about how we collect, use, and protect this data.
1.5 Social and Communication Data
We collect content you create through social features, including:
- Posts, comments, photos, and videos shared in the social feed
- Messages sent through direct messages and channel conversations
- Follow relationships
- Post likes and interactions
1.6 Payment Information
Payment details (credit card numbers, bank accounts) are processed directly by Stripe, Inc. and are never stored on our servers. We retain only Stripe customer identifiers, transaction references, and subscription status necessary to manage your account.
1.7 Device and Usage Data
We automatically collect:
- Device type, operating system, and app version
- General usage patterns (pages visited, features used, session duration)
- Push notification tokens (mobile only, with device-level consent)
- IP address (used for security and rate limiting; not used for precise geolocation)
We do not collect precise GPS location data.
1.8 Website Analytics
Our marketing website uses Google Analytics 4 (GA4) to collect anonymized usage data, including pages visited, referral sources, and general geographic region (country/city level derived from IP address). Google Analytics uses cookies — see Section 8 for details.
2. How We Use Your Data
- Provide and operate the Service — display your training history, sync attendance with your dojo, process bookings, deliver notifications, manage subscriptions, and enable social features.
- Communications — send transactional emails (account confirmations, password resets, billing receipts, security alerts) and, for dojo members, relay messages sent by dojo operators through our email and SMS tools.
- Analytics and improvement — understand usage patterns to improve features, fix bugs, and optimize performance. We use aggregated, anonymized data for these purposes.
- Safety and security — detect fraud, enforce our Terms of Service, prevent abuse, and protect users and the platform.
- Legal compliance — comply with applicable laws, legal processes, and government requests.
We do not use your personal data for targeted advertising. We do not sell your personal information to third parties.
3. Multi-Party Data Sharing Within the Service
The Service involves data sharing between different parties. Here is exactly who can see what:
3.1 Dojo Owners and Staff → Student Data
When you connect to a dojo (via invite code), the dojo’s authorized staff (owner, managers, and instructors based on their assigned role) can see:
- Your name, email, profile information, and avatar
- Your class attendance and booking records
- Your belt/rank progression and promotion history
- Messages you send in dojo channels
3.2 Opt-In Injury Sharing
If you enable the “Share with Dojo” toggle when logging an injury, only the severity level (low/medium/high) is shared with your dojo’s owner and managers for staffing purposes. Your injury description, specific body area, and notes are never shared. This feature is off by default and you can revoke sharing at any time. See our Consumer Health Data Privacy Policy for details.
3.3 Opt-In Training Log Sharing
If you enable “Share Training Log” in your privacy settings, your dojo’s owner and managers can see a summary of your recent training sessions (dates, durations, types). Your personal notes and training partner names are never shared. This feature is off by default.
3.4 Parent → Child Data
Parents and legal guardians who link to their child’s student record (via a dojo-issued invite code) can view their child’s attendance, class bookings, injuries, belt progression, and schedule. Parents can also book and cancel classes on their child’s behalf and log injuries for their child.
3.5 Social Feed Visibility
Posts you create in the social feed are visible to your followers and to fellow members of your connected dojo. Milestone posts (e.g., belt promotions) may be generated automatically if you have social sharing enabled.
3.6 Messaging
Messages in dojo channels are visible to all channel members. Direct messages are visible only to the participants of the conversation.
4. Third-Party Service Providers
We share data only with service providers necessary to operate the platform. These providers process data on our behalf under contractual obligations:
- Supabase, Inc. — database hosting, authentication, real-time subscriptions, and file storage (images, videos, documents). Data stored in the United States.
- Stripe, Inc. — payment processing for subscriptions and purchases. Stripe processes payment card data directly and is PCI-DSS Level 1 certified. See Stripe’s Privacy Policy.
- Resend, Inc. — transactional and dojo-to-member email delivery. Receives recipient email addresses and message content.
- Twilio, Inc. — SMS message delivery for dojo communications. Receives recipient phone numbers and message content.
- Expo (820 Labs, Inc.) — push notification delivery on mobile devices. Receives device push tokens and notification content.
- Vercel, Inc. — hosting for the VDojo web app and marketing website. Processes IP addresses and request metadata.
- Google LLC — Google Analytics 4 on the marketing website only. Collects anonymized browsing data via cookies.
We do not sell, rent, or trade your personal data to any third party for marketing, advertising, or any other purpose. We do not share data with data brokers.
5. Data Retention
- Active accounts: We retain your data for as long as your account is active and as needed to provide the Service.
- Account deletion: If you delete your account, we remove your personal data within 30 days. Backups containing your data are purged within 90 days.
- Children’s data: Data about children under 13 is deleted within 14 days of a parent’s deletion request.
- Legal exceptions: We may retain certain data longer when required by law, including: billing and transaction records (as required by tax law, typically 7 years), data subject to a legal hold or active dispute, and data necessary to enforce our Terms or protect our legal rights.
- Anonymized data: We may retain anonymized, aggregated data (from which no individual can be identified) indefinitely for analytics and improvement purposes.
- VDojo B2B data: Upon termination of a VDojo subscription, dojo operational data is retained for 30 days to allow export, then deleted. See our Data Processing Agreement for details.
6. Your Privacy Rights
Depending on your jurisdiction, you may have the rights described below. To exercise any of these rights, contact us at privacy@supahit.com. We will respond within 45 days (or as required by applicable law).
6.1 Rights Available to All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Data portability: Request your data in a structured, machine-readable format (JSON or CSV).
- Withdraw consent: Where processing is based on consent, withdraw your consent at any time.
6.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know: You may request the categories and specific pieces of personal information we have collected, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of your personal information, subject to legal exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
- Right to limit use of sensitive personal information: Injury data is classified as sensitive personal information. You may request that we limit its use to providing the Service. Contact privacy@supahit.com.
- Non-discrimination: We will not discriminate against you for exercising any of these rights.
- Authorized agents: You may designate an authorized agent to submit requests on your behalf with proper verification.
Categories of personal information collected (per CCPA categories): Identifiers (name, email, IP address); commercial information (subscription status, transaction history); internet/electronic activity (usage data, device info); sensory data (photos, videos uploaded by you); sensitive personal information (injury/health data, account credentials); inferences (training analytics derived from your activity data).
6.3 Texas Residents (TDPSA)
If you are a Texas resident, you have rights under the Texas Data Privacy and Security Act, effective July 1, 2024:
- Right to know: Whether we are processing your personal data and what data we hold.
- Right to access and portability: Obtain a copy of your personal data in a portable format.
- Right to correct: Request correction of inaccurate personal data.
- Right to delete: Request deletion of your personal data.
- Right to opt out: Opt out of targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. We do not engage in targeted advertising, data sales, or automated profiling for decisions with legal effects.
- Sensitive data consent: We obtain your consent before processing sensitive data (including health/injury data) as required by the TDPSA.
To exercise your rights or appeal a decision regarding your request, contact privacy@supahit.com.
6.4 European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, the following applies:
- Data controller: SupaHit is the data controller for personal data collected through the Service. For student data processed through VDojo, the dojo operator is the data controller and SupaHit is the data processor.
- Lawful basis: We process personal data under the following bases: (a) contract performance — to provide the Service you signed up for; (b) legitimate interests — for security, fraud prevention, and Service improvement, balanced against your rights; (c) consent — for optional features like injury sharing, training log sharing, and marketing communications; (d) legal obligation — to comply with applicable laws.
- Additional rights: You have the right to: restrict processing, object to processing based on legitimate interests, lodge a complaint with your local supervisory authority, and not be subject to solely automated decision-making with legal effects.
- International transfers: Your data is transferred to and stored in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and our sub-processors’ participation in the EU-US Data Privacy Framework where applicable, to provide adequate safeguards for these transfers.
- Data Protection Officer: Given our current size and processing activities, we have not appointed a formal DPO. For all privacy-related inquiries, contact privacy@supahit.com.
6.5 Other US State Privacy Laws
Residents of Colorado, Connecticut, Virginia, Oregon, Montana, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and port their data. We honor all valid requests regardless of jurisdiction. Contact privacy@supahit.com.
7. Children’s Privacy (COPPA Compliance)
SupaHit complies with the Children’s Online Privacy Protection Act (COPPA) and its 2025 amendments.
Children Under 13
- Children under 13 cannot create their own SupaHit accounts.
- Data about children under 13 is collected only through the Parent Portal, where a verified parent or legal guardian manages the child’s information on their behalf.
- Parental verification is performed through a dojo-issued invite code system: the dojo operator issues an invite token to the parent, and the parent claims it via their authenticated adult account. This process verifies the parent-child relationship through the dojo as a trusted intermediary.
What We Collect About Children
Through the Parent Portal, we collect only the data necessary for the dojo management relationship:
- Child’s name (as provided by the dojo and/or parent)
- Class attendance and booking records
- Belt/rank progression
- Injury data (only when logged by the parent)
We do not collect email addresses, phone numbers, social media identifiers, photos, or any device identifiers from children under 13. Children under 13 do not have access to social features, messaging, or the public feed.
Third Parties Receiving Children’s Data
Children’s data is stored in our database hosted by Supabase, Inc. and is accessible to the child’s connected dojo staff for operational purposes (class management, attendance, belt promotions). No other third party receives children’s personal data.
Parental Rights
Parents and legal guardians may at any time:
- Review all personal data collected about their child by accessing the Parent Portal.
- Request correction of inaccurate data about their child.
- Request deletion of their child’s data by contacting privacy@supahit.com. We will delete children’s data within 14 days of a verified request.
- Refuse further collection of their child’s data, which may require disconnecting from the dojo.
8. Cookies and Tracking Technologies
Our marketing website (supahit.com) uses the following cookies and tracking technologies:
- Google Analytics 4 cookies (_ga, _ga_*) — used to distinguish unique visitors and track anonymized usage patterns. These are first-party cookies with a 2-year expiration. You can opt out via Google’s browser opt-out.
The SupaHit mobile app and VDojo web app do not use cookies for tracking. They use Supabase authentication tokens stored in local/secure storage for session management only.
We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies on any of our properties.
9. Security
We implement industry-standard technical and organizational measures to protect your data, including:
- Encrypted connections (TLS/HTTPS) for all data in transit
- Row-level security (RLS) policies ensuring users can only access authorized data
- Role-based access control (RBAC) for VDojo staff permissions
- Rate limiting on authentication endpoints and API functions
- Cryptographic hashing of passwords (never stored in plaintext)
- Input validation and sanitization across all user inputs
- File type validation (magic-byte verification) for all uploads
- Timing-safe comparisons for security-sensitive operations
- Regular security audits of our codebase and infrastructure
No system is perfectly secure. We encourage you to use a strong, unique password and to enable any available security features on your device.
10. Data Breach Notification
In the event of a data breach that compromises your personal data, we will:
- Notify affected users via email within 72 hours of confirming the breach.
- Notify applicable regulatory authorities as required by law.
- Provide a description of the breach, the types of data affected, and the steps we are taking to address it.
- Offer guidance on steps you can take to protect yourself.
11. Do Not Track / Global Privacy Control
Our Service does not currently respond to Do Not Track (DNT) browser signals because there is no industry-standard protocol for DNT. We do honor Global Privacy Control (GPC) signals as a valid opt-out of data sharing where required by applicable law (e.g., CCPA). Since we do not sell or share personal data for advertising, GPC signals do not change our default processing behavior.
12. International Data Transfers
SupaHit is based in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Our sub-processors’ certifications under the EU-US Data Privacy Framework (where applicable)
- Contractual data protection obligations with all sub-processors
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last updated” date at the top of this page.
- Notify you via email and/or in-app notification.
- Where required by law, obtain your consent before applying material changes to the processing of your data.
Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:
- Privacy inquiries: privacy@supahit.com
- General support: support@supahit.com
- Legal matters: legal@supahit.com