Privacy Policy

Last updated: 2026-05-09

1. Who we are

ClassStack is a multi-tenant fitness studio management platform operated by GlenCookTech (the platform operator). Each fitness studio that uses ClassStack to run its bookings, classes, waivers, and payments is a separate "APP entity" under the Privacy Act 1988 (Cth) and is responsible for its members' personal information independently.

2. The personal information we collect

  • Identity & contact: name, email, phone, date of birth (where required for waivers or minor consent), emergency contact, profile photo.
  • Booking & attendance: classes booked, cancellations, check-in records.
  • Sensitive information — health: answers to the APSS V2 (2019) pre-exercise screening, any medical-clearance documents you upload. We collect this only with your explicit consent and only to make decisions about whether you are safe to participate.
  • Waivers: typed name, guardian details (for minors), the markdown of the waiver text at the moment you signed, and the date.
  • Payments: a Stripe customer reference, what passes/subscriptions you hold and have used. We never see your card number.
  • Technical: sign-in cookies and browser type at the moment you sign a waiver or pre-exercise screening (audit trail).

3. Why we collect it (purposes)

  • To deliver the booking, check-in, and member-app service.
  • To send transactional notifications about your bookings, waitlist promotions, schedule changes, and waiver expiry.
  • To meet the studio's duty of care — the pre-exercise screening and waiver protect both you and the studio.
  • To process payments and produce tax invoices the studio is required to keep under Australian tax law.
  • With your separate opt-in, to send class news and offers from the studio (you can unsubscribe at any time).

4. Overseas recipients (APP 8)

To provide the service we share personal information with the following processors. We take reasonable steps to ensure each handles your information in line with the Australian Privacy Principles.

  • Supabase — database and authentication (region as configured by the platform operator).
  • Vercel (USA) — application hosting.
  • Cloudflare (global) — DNS and edge routing.
  • Stripe (USA / Ireland) — payments and payouts to the studio. Stripe is a separate data controller for its own purposes; see Stripe's privacy policy.
  • Pingram — transactional and marketing email/SMS delivery.
  • Google / Apple — only if you choose to sign in with their identity providers.

5. Sensitive information — health

The pre-exercise screening collects health information, which the Privacy Act treats as sensitive. We will only collect it if you tick the explicit consent box on the screening form. You can withdraw consent at any time by contacting us — doing so will mean the studio cannot let you book classes until a fresh screening is completed, because the studio is required to assess fitness to participate.

6. How long we keep your information

When you delete your account we immediately remove your identifying details — name, email, phone, photo, emergency contact, and date of birth — and cancel any upcoming bookings. Records the studio is legally or contractually required to keep are retained for a fixed window:

  • Booking and payment records: 7 years (Australian tax law).
  • Signed waivers: 7 years from signing (insurance and limitation periods for personal injury claims).
  • Pre-exercise screenings and clearance documents: 7 years from signing (duty-of-care evidence).
  • Marketing consent records (so we can prove opt-in): for the life of the account plus 12 months.

Your studio can shorten any of these windows; the current studio settings are shown to staff in the Privacy section of the studio settings page. Automated destruction at the end of these windows is scheduled for the next platform release — until then, contact the studio to request earlier removal where the law allows.

7. Your rights (APP 12 & APP 13)

  • Access: the "Download my data" button on your account page returns a zip of every record we hold about you at this studio — profile, consent, bookings, screenings, passes, subscriptions, and signed waiver PDFs. For anything not covered by the export, contact the studio at the email in section 10.
  • Correction: you can edit your name, contact, and preferences directly on the account page. For changes you can't make yourself, contact us.
  • Deletion: you can delete your account from the account page. This immediately removes your identifying details from the studio's member list, cancels upcoming bookings, and signs you out. If this was your only ClassStack studio your login is also deleted. Records the studio is required by law to keep (bookings, waivers, screenings) are retained for the windows listed above and then destroyed.
  • Marketing opt-out: every marketing email has an unsubscribe link, and you can change your preferences on the account page at any time. Transactional notifications about your bookings can also be turned off in the account page's preferences, though we recommend keeping booking confirmations on so you don't miss class changes.

8. Security (APP 11.1)

We host on Supabase and Vercel with TLS in transit, encryption at rest, and per-tenant row-level security so studios cannot read each other's data. Staff access is gated by role-based permissions.

9. Data breach response

We follow the Notifiable Data Breaches scheme (Privacy Act Part IIIC). Where an eligible data breach occurs we will notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable, and within 30 days of becoming aware.

10. How to contact us / make a complaint

For questions, access requests, or complaints relating to your personal information at this studio, email [email protected].

For platform-level issues (issues with ClassStack itself rather than the studio you're a member of), email [email protected].

If we don't resolve your complaint, you can contact the Office of the Australian Information Commissioner at www.oaic.gov.au.