Privacy Policy

Last updated: April 2026

1. Introduction

RunStudio Inc. (hereinafter “RunStudio”, “we” or “our”) places great importance on the protection of your personal information. This privacy policy describes how we collect, use and protect your data in connection with your use of our Platform, in compliance with applicable data protection laws, including:

  • The Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
  • Law 25 (An Act to modernize legislative provisions as regards the protection of personal information, Québec)
  • The General Data Protection Regulation (GDPR) (European Union), for users residing in the EU

This policy addresses two categories of users:

  • Professional Users (Studios) who use our management dashboard
  • End Clients who make bookings through Studios' public portals

2. Data Controller

The data controller is RunStudio Inc., with registered office at [TO BE COMPLETED — Canadian address], registration number [TO BE COMPLETED].

For any questions regarding your personal data: privacy@runstudio.io

Privacy Officer: [TO BE COMPLETED] — privacy@runstudio.io

3. Data Collected

3.1 Professional Users (Studios)

  • Identity: first name, last name, studio name
  • Contact details: email address, phone number
  • Studio information: address, city, country, description, logo, photos
  • Payment data: managed by Stripe (we do not store banking data)
  • Connection data: IP address, login dates and times
  • Usage data: actions performed on the Platform, preferences

3.2 End Clients

  • Identity: first name, last name
  • Contact details: email address, phone number
  • Booking information: room, package, date, time, amount
  • Payment data: processed exclusively by Stripe

3.3 Automatically Collected Data

  • Navigation data: IP address, browser type, operating system
  • Technical cookies necessary for the Platform to function
  • Anonymized usage data for statistical purposes

We collect only the personal information necessary for the stated purposes and do not use it for undisclosed purposes without obtaining your prior consent.

4. Purposes and Legal Bases

Purpose | Legal basis (PIPEDA/Law 25) | Legal basis (GDPR)
Account management and authentication | Performance of contract | Performance of contract
Processing bookings and payments | Performance of contract | Performance of contract
Sending transactional emails (confirmation, reminders) | Performance of contract | Performance of contract
Service improvement and statistical analysis | Legitimate interest | Legitimate interest
Fraud prevention and security | Legitimate interest | Legitimate interest
Compliance with legal obligations (accounting, tax) | Legal obligation | Legal obligation
Sending marketing communications (newsletters) | Express consent | Consent
Use of non-essential cookies | Express consent | Consent

5. Data Retention

  • Account data: duration of the contractual relationship + 3 years after account termination
  • Booking data: 7 years from booking date (Canadian accounting obligations)
  • Payment data: retained by Stripe per their policies (typically 7 years)
  • Connection logs: 12 months
  • Navigation data and cookies: maximum 13 months

6. Recipients and Data Location

  • Stripe: secure payment processing. Data processed in the US and EU. Safeguards: Standard Contractual Clauses (SCCs).
  • Supabase: database hosting. Data stored on AWS servers in us-east-1 (Virginia, United States). Safeguards: SCCs.
  • Vercel: application hosting. Servers primarily in the US and EU. Safeguards: SCCs.
  • Resend: transactional email delivery. Data processed in the US. Safeguards: SCCs.

Cross-border transfers (Canada): pursuant to PIPEDA, we inform users that their personal information may be transferred outside of Canada to the sub-processors listed above. These sub-processors are bound by contractual data protection obligations equivalent to our own. By using the Platform, you consent to these transfers.

We do not sell or rent your personal data to third parties.

7. Your Rights

Under PIPEDA, Law 25 (Québec) and the GDPR (depending on your location), you have the following rights:

  • Right of access: obtain confirmation that your data is processed and receive a copy
  • Right of rectification: correct inaccurate or incomplete data
  • Right to erasure / de-indexation: request deletion of your data (subject to legal retention obligations)
  • Right to portability (Law 25 & GDPR): receive your data in a structured, commonly used technological format
  • Right to withdraw consent: at any time for consent-based processing, without retroactive effect
  • Right to object (GDPR): object to processing based on legitimate interest

To exercise your rights, contact our Privacy Officer: privacy@runstudio.io. We will respond within 30 days (45 days for complex requests under PIPEDA, with notice).

Québec residents: if you believe your rights have not been respected, you may file a complaint with the Commission d'accès à l'information du Québec (CAI).

Canadian residents (outside Québec): you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC).

EU residents: you may file a complaint with your national data protection authority (e.g., CNIL in France).

8. Security

  • Encryption in transit (HTTPS / TLS 1.2+)
  • Encryption at rest (AES-256 via Supabase)
  • Strict access controls (principle of least privilege)
  • Secure authentication (Supabase Auth)
  • Hashed passwords (bcrypt)
  • Regular security reviews

In the event of a privacy incident likely to cause real harm to an individual, we commit to notifying the relevant authorities and affected individuals within the legally required timeframes (72 hours under GDPR; as soon as feasible under PIPEDA/Law 25).

9. Law 25 — Specific Measures (Québec)

  • Privacy Officer: our Privacy Officer is designated and their contact information is publicly available through this policy (see section 2)
  • Privacy impact assessments (PIA): we conduct PIAs for any new project involving personal information
  • Right to portability: upon request, you may receive your data in a structured and commonly used technological format
  • Express consent: for non-essential processing (marketing, non-necessary cookies), we collect your consent separately and explicitly
  • Privacy by default: only the information necessary for the purpose is collected; the highest privacy settings apply by default

10. Cookies

For more information on the cookies used by the Platform, please consult our Cookie Policy.

11. Changes

We may modify this policy at any time. The current version is the one available on this page, with the last update date shown at the top. For material changes, we will notify you by email at least 30 days before the changes take effect.

12. Contact