What is PIPEDA?
PIPEDA is the Personal Information Protection and Electronic Documents Act, Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information. In Alberta, the Personal Information Protection Act (PIPA) is the provincial equivalent. Spoto complies with both.
The 10 Fair Information Principles
PIPEDA is built on 10 principles. Here is how Spoto upholds each one:
- Accountability: Spoto has a designated Privacy Officer at privacy@joinspoto.com. We are accountable for all information in our custody, including data processed by our service providers.
- Identifying Purposes: We identify the purposes for collecting information at or before collection. Every data point has a stated purpose tied to gym management.
- Consent: We obtain meaningful consent: express consent for sensitive information (health data, photos) and implied consent for processing that is necessary to deliver the service. You can withdraw consent at any time.
- Limiting Collection: We collect only what is necessary. We collect PAR-Q responses for member safety but do not collect social insurance numbers.
- Limiting Use, Disclosure, and Retention: Information is used only for its stated purpose. We do not sell member data, and we retain it only as long as necessary.
- Accuracy: Members and Gym Operators can update their information at any time through the platform.
- Safeguards: Data is encrypted in transit and at rest, each gym has its own isolated database, access is controlled by role, and payments are handled by Stripe (PCI DSS Level 1).
- Openness: Our practices are documented in our Privacy Policy and on this page. Questions? Ask us.
- Individual Access: You can request what information we hold about you. We respond within 30 days.
- Challenging Compliance: Contact our Privacy Officer. We investigate all complaints within 30 days. You can escalate to the Privacy Commissioner.
For Gym Owners: Ensuring Your Compliance
- Consent: Use the consent checkboxes Spoto provides during enrollment. Obtain separate consent for email and SMS marketing. For health information, ensure express consent is clearly separate from general terms.
- Collection: Collect only what you need. Do not store sensitive medical details in notes fields unless necessary and consented to.
- Access Requests: Respond within 30 days when members ask to see their data. Spoto provides export tools.
- Deletion: Honor deletion requests unless legally required to retain (e.g., tax records).
- Staff Training: Brief staff on privacy obligations. Role-based access control helps, but training is also important.
Data Breach Procedures
What qualifies: Any unauthorized access, disclosure, or loss of personal information.
Our response:
1. Contain the breach immediately
2. Assess risk within 72 hours
3. Notify the Privacy Commissioner if required (as soon as feasible)
4. Notify affected individuals directly
5. Notify the Gym Operator
6. Maintain breach records for 24 months
For Gym Operators: If you discover a breach, contact privacy@joinspoto.com immediately. Document what happened. Do not minimize — Canadian law requires transparency.
How to File a Complaint
Step 1: Contact Spoto at privacy@joinspoto.com. We respond within 30 days.
Step 2: If unsatisfied, file with the applicable commissioner:
- Office of the Privacy Commissioner of Canada (federal OPC): 30 Victoria Street, Gatineau, Quebec K1A 1H3; 1-800-282-1376 | priv.gc.ca
- Office of the Information and Privacy Commissioner of Alberta: Suite 6500, 10025-102A Avenue, Edmonton, Alberta T5J 2Z2; 780-422-6860 | oipc.ab.ca
The Alberta commissioner has order-making power (binding orders), unlike the federal OPC which can only recommend.
Key Commitments
- We collect only what is necessary for gym management
- We never sell personal information
- Each gym's data is isolated in its own database
- Payment card data is handled by Stripe, not by us
- Export all your data at any time, for free, in CSV
- We respond to privacy requests within 30 days
- We notify you of breaches that may affect you
- We maintain breach records for 24 months