Privacy Policy

Last Updated: June 2, 2026 · Version: 1.0

This document was drafted for review by legal counsel. It has not been reviewed by an attorney.

DojoMojo ("we," "us," or "our") operates the website dojomojo.pro and related services (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, and share information when you use our Service.

By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Information You Provide

Depending on how you use the Service, we may collect the following categories of personal information:

  • Studio Owner Information: Name, email address, phone number, business name, business address, and Stripe account credentials when you register as a studio operator.
  • Student Information: Name, email address, phone number, date of birth, emergency contact details, medical notes or conditions relevant to participation, and guardian information for minors.
  • Payment Information: Credit card numbers, billing addresses, and related financial data. Payment data is processed directly by Stripe and is not stored on our servers.
  • Waiver Data: Signed liability waivers, including guardian signatures for students under 18.
  • Communications: Information you provide when you contact us for support or other inquiries.

1.2 Information Collected Automatically

When you use the Service, we may automatically collect certain technical information, including:

  • Browser type and version
  • Operating system
  • IP address
  • Pages visited and features used
  • Date and time of access
  • Referring URL

1.3 Information from Third Parties

We may receive information from third-party services you connect to your account, including Stripe (payment and account information) and domain providers (DNS configuration data for white-label domains).

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Process transactions and send related notifications
  • Manage student enrollments, waivers, and attendance
  • Send administrative communications, such as account verification, billing updates, and security alerts
  • Respond to your support requests and inquiries
  • Monitor usage patterns to improve the Service
  • Detect, investigate, and prevent fraudulent or unauthorized activity
  • Comply with applicable legal obligations

3. Information Sharing

We do not sell your personal information. We share information only in the following circumstances:

3.1 Service Providers

We use the following subprocessors to operate the Service. Each subprocessor is bound by data processing agreements and industry security standards:

  • Supabase Inc. — Database hosting, authentication, and file storage. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Row-level security policies enforce tenant isolation.
  • Stripe, Inc. — Payment processing, subscription billing, and payout management. Stripe is PCI DSS Level 1 certified. Payment card data is handled entirely by Stripe and never touches our servers.
  • Amazon Web Services (AWS) — Simple Email Service (SES). Transactional and notification email delivery. AWS SES operates within AWS's SOC 2 and ISO 27001 certified infrastructure.
  • Vercel, Inc. — Application hosting and content delivery. Vercel provides TLS encryption and operates a SOC 2 Type II compliant platform.

3.2 Studio Access to Student Data

Student information (including name, contact details, medical notes, and waiver data) is accessible to the studio that the student is enrolled with. Studios are independently responsible for their own privacy practices with respect to student data they collect and manage through the Service.

3.3 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

3.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of substantially all of our assets, your personal information may be transferred as part of that transaction.

4. Data Storage and Security

4.1 Storage

Your data is stored on Supabase infrastructure hosted in the United States. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher.

4.2 Tenant Isolation

DojoMojo uses row-level security (RLS) policies to ensure that each studio's data is isolated and accessible only to authorized users within that studio. Students can only access their own data.

4.3 Security Measures

We implement reasonable administrative, technical, and physical safeguards to protect your information, including:

  • Encrypted data storage and transmission
  • Row-level database access controls
  • Authentication with secure session management
  • Regular security reviews of our infrastructure

While we strive to protect your data, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. After account termination:

  • Studio data (student records, waivers, attendance) is retained for 90 days, after which it is permanently deleted unless you request earlier deletion.
  • Billing records are retained for the period required by applicable tax and financial regulations (typically 7 years).
  • Authentication logs are retained for 1 year for security auditing purposes.

6. Your Rights

6.1 Rights for All Users

You have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to certain exceptions (such as legal retention requirements).
  • Portability: Request your data in a structured, machine-readable format.

6.2 GDPR Rights (EEA/UK Users)

If you are located in the European Economic Area or the United Kingdom, you also have the right to:

  • Restrict processing: Request that we limit how we use your data in certain circumstances.
  • Object to processing: Object to our processing of your personal data for certain purposes.
  • Withdraw consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Lodge a complaint: Make a complaint to a supervisory authority in your jurisdiction.

To exercise any of these rights, please contact us at the address listed in Section 10.

7. Cookies and Tracking

The Service currently uses only essential cookies required for authentication and basic functionality (such as session tokens and CSRF protection). We do not use analytics cookies, advertising cookies, or third-party tracking technologies at this time.

If we introduce additional cookies or tracking technologies in the future, we will update this policy and provide appropriate notice and consent mechanisms.

8. Children's Privacy

The Service is used by martial arts studios that may enroll students under the age of 13. In compliance with the Children's Online Privacy Protection Act (COPPA):

  • Registration for students under 13 must be completed by a parent or legal guardian.
  • We collect only the information reasonably necessary to provide the Service (name, emergency contacts, medical notes, and waiver signatures).
  • Guardian information (name, email, and signature) is collected and stored alongside minor student records.
  • Parents or guardians may review, modify, or request deletion of their child's information at any time by contacting us.

Studios using the Service are responsible for obtaining appropriate guardian consent before enrolling minor students.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

  • We will update the "Last Updated" date at the top of this page.
  • For material changes, we will provide notice via email or a prominent notice on the Service at least 30 days before the change takes effect.
  • Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

10. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Email: [EMAIL]
  • Phone: [PHONE]
  • Mailing Address: [ADDRESS]