Privacy Policy

Last updated March 23, 2026

Introduction

Spoto ("we," "us," "our") operates a gym management platform at joinspoto.com. This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta's Personal Information Protection Act (PIPA), and applicable provincial privacy legislation.

We are committed to transparency. This policy is written in plain language so you can understand exactly what happens with your information.

Who This Policy Applies To

This policy applies to:

  • Gym owners and staff who use Spoto to manage their business ("Gym Operators")
  • Gym members whose information is stored and processed through Spoto ("Members")
  • Visitors to joinspoto.com
  • Leads and prospects whose contact information is entered by a Gym Operator

Roles and Responsibilities

Spoto acts as a service provider (processor) on behalf of Gym Operators. Each Gym Operator is the data controller responsible for the personal information of their members. Spoto processes that information on their behalf, according to this policy and our Terms of Service.

When you interact with Spoto directly (for example, signing up as a Gym Operator or visiting our website), Spoto is the data controller.

Personal Information We Collect

Information Gym Operators provide to us

  • Full name, email address, phone number
  • Business name, business address, province
  • Payment information for Spoto subscription fees (processed by Stripe; we do not store card numbers)
  • Staff names, roles, and contact information

Information about Members (collected by Gym Operators through Spoto)

  • Identity information: Full name, date of birth, email address, phone number, mailing address, emergency contact details
  • Photos: Member profile photos used for identification at check-in
  • Health information: Physical Activity Readiness Questionnaire (PAR-Q) responses, noted medical conditions, injury flags. This is classified as sensitive personal information under PIPEDA and PIPA and requires express consent.
  • Payment and billing information: Payment method details (processed and stored by Stripe; Spoto stores only a reference token, last four digits, and expiry date), transaction history, invoices
  • Membership information: Plan type, status, start and end dates, freeze history, cancellation records
  • Attendance and usage data: Check-in timestamps, class bookings, attendance, no-show records
  • Workout and training data: Exercise logs, personal records, assigned training programs
  • Communications: Consent preferences (email, SMS, push), message history
  • Digital signatures: Signed waivers and contracts with audit trails

Information collected automatically

  • Device and browser information: IP address, browser type, device type, operating system
  • Usage data: Pages visited, features used, session duration
  • Cookies: See the Cookies section below

How We Use Personal Information

  1. Providing the service: Operating the gym management platform, processing check-ins, managing memberships, scheduling classes
  2. Payment processing: Processing membership payments and subscription billing through Stripe
  3. Communications: Sending transactional messages (booking confirmations, payment receipts), and marketing messages only with appropriate CASL consent
  4. Safety and health compliance: Storing PAR-Q responses so gym staff can ensure member safety
  5. Analytics and reporting: Generating aggregate reports for Gym Operators
  6. Service improvement: Analyzing aggregate usage patterns to improve the platform
  7. Security: Detecting fraud and preventing unauthorized access
  8. Legal compliance: Meeting obligations under PIPEDA, PIPA, CASL, and tax regulations

Third-Party Service Providers

We share personal information only with service providers necessary to operate the platform:

  • Stripe: payment processing and billing. Data shared: name, email, payment details, amounts.
  • Cloudflare: hosting, database, file storage, CDN. Data shared: all platform data (North American data centers).
  • Amazon SES: email delivery. Data shared: email addresses, email content.
  • Telnyx: SMS (OTP and critical alerts only). Data shared: phone numbers, SMS content.
  • Firebase: push notifications. Data shared: device tokens, notification content.

We do not sell, rent, or trade personal information to third parties for marketing purposes. Ever.

Data Retention

Retention period by data type:

  • Active member profiles: membership + 3 years
  • Payment and transaction records: 7 years (CRA requirement)
  • Health questionnaires (PAR-Q): membership + 3 years
  • Signed waivers and contracts: membership + 6 years
  • Check-in and attendance logs: 3 years
  • Marketing consent records: 3 years after last interaction
  • Automatically collected data: 12 months

When a Gym Operator terminates their account, we provide a full data export (CSV) and delete all data within 90 days, unless we are legally required to retain it.

Your Rights

  1. Right to access: Request a copy of your personal information. We respond within 30 days.
  2. Right to correction: Request correction of inaccurate information.
  3. Right to withdraw consent: Withdraw consent at any time, subject to legal restrictions.
  4. Right to deletion: Request deletion of your personal information.
  5. Right to know about breaches: We notify you if a breach creates a real risk of significant harm.

For Members: Contact your gym first. If your gym does not respond, contact privacy@joinspoto.com.

For Gym Operators: Contact privacy@joinspoto.com directly.

Consent

  • Express consent is required for: health information, marketing communications, member photos
  • Implied consent for: processing necessary for the service (billing, transactional communications)
  • You may withdraw consent at any time by contacting privacy@joinspoto.com

CASL Compliance

  • Express consent required before marketing messages (opt-in, not pre-checked)
  • Every marketing message includes sender identity, address, and unsubscribe mechanism
  • Unsubscribe requests processed within 10 business days
  • Consent tracked per channel (email consent does not cover SMS)

Cookies

Cookie types, their purpose, how long they last, and whether you can opt out:

  • Strictly necessary (authentication, security): session / 30 days; opt out not available
  • Functional (preferences such as theme and language): 1 year; opt out available
  • Analytics (aggregate usage patterns): 12 months; opt out available

We do not use advertising cookies, cross-site tracking, or behavioral profiling.

Data Security

  • Encryption in transit (TLS 1.2+) and at rest
  • Database isolation: each gym has its own separate database
  • Role-based access control
  • Payment security through Stripe (PCI DSS compliant)
  • We never store payment card data on our servers

Children's Privacy

Spoto does not collect information from children under 13. Members under 18 must have a parent or guardian manage their account.

Changes to This Policy

Material changes are posted at joinspoto.com/privacy with 30 days' notice to Gym Operators by email.

Contact

Privacy Officer
Spoto Technologies Ltd.
Calgary, Alberta, Canada
Email: privacy@joinspoto.com

If you are not satisfied with our response, you may file a complaint with:

  • Office of the Privacy Commissioner of Canada: 1-800-282-1376, priv.gc.ca
  • Office of the Information and Privacy Commissioner of Alberta: 780-422-6860, oipc.ab.ca