Privacy Policy

Last updated: May 2, 2026

1. Introduction

Classi ("we," "our," or "us") operates as an independent scheduling assistant service. This Privacy Policy describes how we collect, use, and disclose information about you when you use our website and services (the "Service"). By creating an account or using the Service, you agree to the collection and use of your information as described here. This Policy applies to all users, including California residents.

2. Information We Collect

We collect only what is necessary to provide the Service: Account Information: Name, email address, and payment information. Payment card data is processed directly by Stripe and never stored on our servers. Authentication Tokens: To act as your scheduling agent, we store encrypted Equinox authentication tokens. We do not store your Equinox password in plaintext. Tokens are encrypted at rest using AES-256-GCM. They are permanently deleted when you close your account. Location Data: If you use the gym-finder feature, we may use your approximate location to suggest nearby clubs. This is not stored beyond your session. Usage Data: Class selections, reservation history, and feature usage, associated with your account. Device and Log Data: Browser type, IP address, and referring URLs for security and abuse prevention. Support Communications: Records of contact form submissions or emails you send us.

3. How We Use Your Information

We use the information we collect to: • Provide, operate, and maintain the Service • Authenticate with Equinox on your behalf as your authorized agent • Process payments and manage your subscription • Send booking confirmations and billing notices • Detect and prevent unauthorized access and abuse • Enforce our Terms of Service • Comply with applicable law

4. Third-Party Service Providers

We do not sell your personal information. We share it only with the following service providers: Stripe (stripe.com): Payment processing. See stripe.com/privacy. Supabase (supabase.com): Database and authentication infrastructure. See supabase.com/privacy. Resend (resend.com): Transactional email delivery. See resend.com/privacy. Equinox Systems: Your encrypted tokens are decrypted transiently in memory solely to execute your booking instructions. Equinox's handling of this data is governed by their own privacy policy. Legal Requirements: We may disclose your information if required by law, court order, or to protect our legal rights. Business Transfers: In a merger or acquisition, your information may transfer. We will provide notice before it becomes subject to a different policy.

5. Data Retention and Security

Retention: We retain your data while your account is active and as required by law. You may request deletion at [email protected]. We process deletion requests within 30 days. Billing records may be retained up to 7 years as required by tax law. Security: We use TLS 1.2+ in transit and AES-256-GCM at rest for sensitive credentials. No method of electronic storage is 100% secure. You are responsible for maintaining the security of your own account credentials.

6. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or receive a copy of your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days and may need to verify your identity.

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights: Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties we share it with. Right to Delete: Request deletion of your personal information, subject to legal retention obligations. Right to Correct: Request correction of inaccurate personal information. Right to Opt Out of Sale: We do not sell your personal information. Right to Non-Discrimination: We will not discriminate against you for exercising your rights. Categories of personal information collected (CCPA categories): • Identifiers: name, email, IP address • Commercial information: subscription tier, billing and booking history • Internet activity: page views, feature usage, log data • Geolocation: approximate location during gym-finder use (session only) • Sensitive personal information: encrypted authentication tokens (used only to provide the Service) To submit a request: email [email protected]. We will respond within 45 days.

8. Cookies

We use strictly necessary cookies for session authentication and access control. These are httpOnly, Secure, and SameSite=Strict. We do not use advertising cookies or third-party tracking pixels. You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in. Do Not Track: We do not respond to DNT signals. We do not engage in cross-site tracking regardless of DNT.

9. Children's Privacy

The Service is not directed to individuals under 18. We do not knowingly collect information from minors. If you believe we have collected information from a minor, contact us immediately at [email protected].

10. Changes to This Policy

We may update this Policy. For material changes, we will notify you by email at least 14 days before the changes take effect. Continued use of the Service after changes constitutes acceptance.

11. Contact

Email: [email protected] We aim to respond to all privacy inquiries within 5 business days.