Privacy Policy

Effective date: 2026-04-13
Last updated: 2026-04-13

1. Who we are

Ritual (the "Service") is operated by 1585266 B.C. LTD. ("Ritual", "we", "us", "our"), a company incorporated in British Columbia, Canada.

You can contact us about privacy matters at:

  • Email: privacy@getritual.io

2. Scope of this policy

Ritual provides a multi-tenant booking and business-management platform. Two groups of people interact with us:

  • Studio Operators — fitness studios, salons, yoga studios, and other small businesses that sign up to use the Ritual dashboard to run their business.
  • Studio Customers — end users who book classes, buy credit packs, sign up for memberships, or make retail purchases at a studio that uses Ritual.

This policy describes how we handle personal information for both groups.

Who is the "controller" of your data:

  • When a Studio Operator signs up for Ritual directly, Ritual is the controller of that operator's personal information.
  • When a Studio Customer books a class or purchases a product at a studio that uses Ritual, the studio is the controller of that customer's personal information and Ritual is a processor acting on the studio's behalf. Questions about how your data is used by a specific studio should be directed to that studio first.

3. Information we collect

3.1 Information you give us directly

Studio Operators provide:

  • Name, email, phone number
  • Business name and address
  • Payment information for Ritual subscription fees (processed by Stripe; we never see your card number)
  • Stripe Connect account details (so we can route payments to you)

Studio Customers provide (to a studio, via Ritual):

  • Name, email, phone number, pronouns, date of birth
  • Profile photo (optional)
  • Billing address and emergency contact (when the studio requires it)
  • Payment card information (processed by Stripe; we never see your full card number, only the last 4 digits and card brand)
  • Health and fitness preferences (when entered into profile or staff notes)
  • Signed waivers and agreements

3.2 Information we collect automatically

  • Log data — IP address, browser type, device information, pages visited, timestamps
  • Cookies and similar technology — see Section 9
  • Usage data — actions you take on the Service, which helps us debug issues and improve the product

3.3 Information we receive from third parties

  • Stripe — payment status, fraud signals, Stripe Connect onboarding status
  • Studio Operators — staff-created notes, tags, credit balances, and other operational data recorded against your profile by the studio

4. How we use your information

We use personal information to:

  1. Provide the Service — create accounts, process bookings, transmit payments, send transactional notifications
  2. Communicate with you — magic-link sign-ins, booking confirmations, receipts, appointment reminders, account notices
  3. Operate and secure the Service — authentication, fraud prevention, rate limiting, abuse detection, error tracking
  4. Comply with legal obligations — tax reporting, accounting, responding to lawful requests
  5. Improve the Service — aggregate usage analysis, bug fixes, feature development

We do not sell your personal information. We do not use your personal information for advertising, profiling, or targeting.

4.1 Legal basis (for users in jurisdictions that require one)

We process your personal information because:

  • It is necessary to perform the contract between you and us (or between you and the studio)
  • You have consented to specific processing (e.g. marketing emails — which we currently do not send)
  • It is required by law (tax records, payment records)
  • We have a legitimate interest in operating and securing the Service

5. Subprocessors and service providers

We use the following third-party subprocessors to operate the Service. Each of them receives only the data necessary to perform its function, is bound by confidentiality obligations, and processes data on our instructions.

| Subprocessor | Purpose | Data transferred | Location |
|---|---|---|---|
| Supabase | Database hosting (PostgreSQL) | All application data | United States |
| Vercel | Application hosting and delivery | Request metadata, logs | United States and global edge network |
| Stripe, Inc. | Payment processing, subscription billing, Stripe Connect | Name, email, billing address, card details, transaction history | United States |
| Resend | Transactional email delivery | Name, email address, email content | United States |
| Twilio | SMS / phone notifications | Name, phone number, message content | United States |

This list may change as the Service evolves. We will update this policy before adding new subprocessors that materially affect how your data is handled.

6. International data transfers

Ritual is operated from Canada. Our subprocessors are located primarily in the United States. When personal information is transferred outside of Canada or your country of residence, we rely on the following safeguards:

  • Contractual protections with our subprocessors requiring them to maintain comparable standards of protection
  • Subprocessors' own compliance frameworks (e.g. Stripe, Supabase, and Vercel maintain SOC 2 compliance)

By using the Service, you acknowledge that your personal information may be processed in the United States and other countries where our subprocessors operate.

7. How long we keep your information

  • Account information: retained for as long as you have an active account
  • Financial records (payments, invoices, Stripe transactions): retained for 7 years after the transaction, as required by Canadian and US tax law
  • Booking and attendance history: retained until you request deletion or the studio closes its account
  • Waivers and signed agreements: retained for as long as the studio requires them for liability purposes
  • Log data: retained for 90 days for debugging and security, then purged
  • Backups: retained for 7 days on a rolling basis

When you request account deletion, we will delete or anonymize your personal information within 30 days, except where retention is required by law (primarily financial records, which are retained but anonymized so they no longer identify you).

8. Your rights

Depending on where you live, you may have some or all of the following rights regarding your personal information:

  • Access — receive a copy of the information we hold about you
  • Correction — ask us to correct inaccurate information
  • Deletion — ask us to delete your information (subject to the retention exceptions above)
  • Portability — receive your information in a structured, machine-readable format
  • Withdraw consent — where processing is based on consent, withdraw it at any time
  • Object to processing — ask us to stop processing your information for certain purposes
  • Lodge a complaint — with a data protection authority in your jurisdiction

8.1 How to exercise your rights

Automated self-service (Studio Customers):

If you have a customer account at a studio using Ritual, you can export or delete your data from that studio directly via the embedded widget:

  • Export: GET /api/embed/<studio-slug>/customer/me/export while signed into your customer account. Returns a JSON file containing all the information the studio holds about you.
  • Delete: POST /api/embed/<studio-slug>/customer/me/delete while signed into your customer account. Removes your personal information from the studio and, if this is your only studio on Ritual, anonymizes your base account.

You must cancel any active memberships before requesting deletion. Financial records (payments, bookings you were charged for) are retained in anonymized form for tax and audit purposes.

Manual requests:

For all other data access, correction, or deletion requests, email us at privacy@getritual.io with:

  • Your full name
  • The email address associated with your account
  • The specific request (access / correction / deletion / portability / objection / withdraw consent)
  • The studio name (if you are a Studio Customer)

We will respond within 30 days. We may ask you to verify your identity before acting on a request.

8.2 Rights specific to British Columbia and Canada

Under BC's Personal Information Protection Act (PIPA) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access and correct the personal information we hold about you, to know how it is being used, and to complain to the Office of the Information and Privacy Commissioner for British Columbia (for BC residents) or the Office of the Privacy Commissioner of Canada.

8.3 Rights specific to California residents (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and share
  • Request deletion of personal information
  • Opt out of the "sale" or "sharing" of personal information (we do not sell or share your personal information for cross-context behavioral advertising)
  • Non-discrimination for exercising your rights

To exercise these rights, email privacy@getritual.io.

8.4 Users outside the US and Canada

Ritual is currently intended for use by Studio Operators and Studio Customers located in the United States and Canada. We do not direct the Service to residents of the European Economic Area, United Kingdom, or other jurisdictions. If you believe we have inadvertently collected your personal information while you are in one of these regions, contact privacy@getritual.io and we will delete it.

9. Cookies

We use a small number of cookies and similar technologies to operate the Service:

  • Strictly necessary cookies — authentication sessions (customer_session, dashboard_session), CSRF protection
  • Functional cookies — preferences (e.g. home studio selection)

We do not use cookies for advertising, cross-site tracking, or analytics that identify individuals.

When you first load the booking widget, a short informational notice is shown disclosing that strictly-necessary cookies are being used to keep you signed in. You can dismiss the notice at any time, and dismissal is remembered locally in your browser so it does not reappear on subsequent visits. If we ever add analytics or advertising cookies in the future, we will replace this notice with a full consent banner offering opt-in choices at that time.

10. Children's privacy

Ritual is not directed to children under the age of 13 (or under 16 in jurisdictions where the minimum age is higher). We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact privacy@getritual.io and we will delete it.

Studio Operators who serve minors are responsible for obtaining parental consent in accordance with applicable law.

11. Security

We take reasonable technical and organizational measures to protect your personal information, including:

  • Encryption in transit (HTTPS / TLS) and at rest (database-level encryption provided by Supabase)
  • Row-level security in our database, so each studio can only access its own data
  • Strict access controls and audit logging on administrative tools
  • Error monitoring that scrubs personal information before it reaches our monitoring provider
  • Regular backups with tested restoration
  • Vulnerability scanning and dependency auditing in our CI pipeline

No system is perfectly secure. If we become aware of a breach that affects your personal information, we will notify you in accordance with applicable law.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top
  • Notify active account holders by email
  • Post a prominent notice on the Service

Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact us

Questions, comments, or complaints about this policy:

Privacy Officer
1585266 B.C. LTD.
Email: privacy@getritual.io