Reformer Pilates Booking

Legal

Privacy Policy

Effective 1 June 2026

This Privacy Policy describes how Reformer Pilates Booking (“RPB”) handles personal data of Studios (the operators of pilates studios using our Platform) and Clients (end users booking classes through Studios). For Client data processed on behalf of Studios, the Studio's own privacy notice and our Data Processing Agreement apply in addition to this Policy.

1. What we collect

From Studios: business legal name, tax IDs, IBAN, billing email, contact details, the studio's configuration on the Platform (class types, schedule, pricing).

From Clients: name, email, phone, optional address, marketing-consent flags, booking history, payment records via Stripe, optional health/safety notes provided to the Studio.

Automatically: log data (IP, user-agent, access timestamps) for security and rate-limiting purposes. Retained for 30 days unless an incident requires longer retention.

2. How we use it

  • Provide the booking, payment and admin functionality of the Platform.
  • Send transactional emails (booking confirmation, reminders, cancellations).
  • Process payments via Stripe and remit payouts to Studios.
  • Detect and prevent abuse and fraud.
  • Comply with legal obligations (tax records, regulatory requests).

We do not sell or share personal data with third parties for their own marketing purposes.

3. Legal bases (GDPR)

We rely on the following legal bases under GDPR Article 6:

  • Contract: processing necessary to provide the Platform to Studios and Clients.
  • Legal obligation: tax and accounting records.
  • Legitimate interest: abuse prevention, service improvement.
  • Consent: marketing emails / WhatsApp / SMS where the Client has explicitly opted in.

4. Cookies and tracking

The Platform uses strictly-necessary cookies for authentication (Supabase session) and CSRF protection. No third-party analytics or advertising cookies are set.

5. Sub-processors

6. Your rights

You may exercise the GDPR rights of access, rectification, erasure, portability, restriction of processing and objection. Clients should direct requests to their Studio in the first instance; we will assist the Studio in fulfilling them. Studios may contact us directly.

7. Retention

Active account data: for as long as the Studio uses the Platform plus 90 days. Payment records: 6 years (Spanish tax law). Backups: up to 12 months. Audit logs: 12 months.

8. International transfers

Data is processed within the European Economic Area where possible. Sub-processors with operations outside the EEA (Stripe US-based incident response, for example) operate under Standard Contractual Clauses.

9. Contact and complaints

Contact details and the supervisory authority for complaints (the Spanish Agencia Española de Protección de Datos, AEPD) will be listed here in the production version. Email us at [privacy contact email] for questions about this policy.