Privacy Policy

Last updated: May 2026 — Effective immediately

                TumbleBuddy is committed to protecting your privacy and the privacy of your children.
                This policy explains what we collect, why we collect it, and your rights under
                Canadian law (PIPEDA and Quebec's Law 25).
            

1. Who We Are

TumbleBuddy is a gymnastics club management platform operated in Canada. We act as a data processor on behalf of gymnastics clubs (our customers) and as a data controller for the accounts and personal information you provide directly to us. Questions about this policy can be directed to: [email protected].

2. What We Collect

We collect only the information necessary to provide our service:

Parent / Guardian accounts: First name, last name, date of birth, email address, phone number, and password (stored as a one-way bcrypt hash — we never see your actual password).
Athlete profiles: First name, last name, date of birth, optional allergy information, and optional medical notes provided by the parent or guardian.
Attendance records: Which classes an athlete attended and when.
Coach and Director accounts: Name, date of birth, email, and role within the club.
Session data: Encrypted session identifiers stored server-side, not in your browser beyond a signed cookie.

We do not collect payment card information, Social Insurance Numbers, or government-issued IDs.

3. Why We Collect It (Purposes)

To manage class schedules, attendance, and progress for athletes at your club.
To allow coaches and directors at your club to communicate with your family.
To send account security emails (password reset, login alerts, consent verification).
To comply with children's privacy requirements (parental consent verification for athletes under 13).

We do not use your data for advertising, sell it to third parties, or share it outside your club except as required by law.

4. Children Under 13 (COPPA & PIPEDA)

When a parent adds an athlete under the age of 13, we require verifiable parental consent before storing the child's data. The process works as follows:

Athlete information is held in a temporary staging table — it is not stored in our live database until consent is verified.
A consent verification email is sent to the parent's registered email address.
The athlete profile is only created after the parent clicks the secure consent link (valid for 7 days).
Consent timestamps are recorded and retained for our records.

This process complies with the U.S. Children's Online Privacy Protection Act (COPPA), Canada's PIPEDA, and Quebec's Law 25 requirements for persons under 14.

5. How We Protect Your Data

Passwords: Stored using bcrypt with 12 rounds — irreversible and never visible to us.
Transmission: All data is transmitted over HTTPS with HSTS enforced.
Database: Hosted on DigitalOcean's managed MySQL with encrypted storage and SSL-required connections.
Sessions: Signed and stored server-side; session ID regenerated on each login to prevent fixation attacks.
Access control: Club data is strictly isolated — coaches can only see athletes from their own club.
Account lockout: Accounts are temporarily locked after 5 failed login attempts.

6. Who Sees Your Data

Coaches and directors at your club can see athlete names, attendance, and any health notes you have provided.
TumbleBuddy staff may access data to provide technical support, subject to confidentiality obligations.
No one else. We do not share, sell, or rent your personal information to third parties.
Legal requirement: We may disclose data if required by a valid court order or law.

7. Your Rights (PIPEDA & Quebec's Law 25)

Under Canadian federal and provincial privacy law, you have the right to:

Access: Request a copy of the personal information we hold about you. Use the Download My Data button in your account profile.
Correction: Update your information at any time from your profile page.
Erasure / Right to be Forgotten: Delete individual athlete profiles (from the Athletes section of your profile) or delete your entire account (from Account Settings). Deletion is permanent and irreversible.
Portability: Export your data in a structured JSON format via the Download My Data feature.
Withdraw consent: Parents may withdraw consent for an under-13 athlete by deleting their profile.

To exercise any right not addressed by the in-app tools, email us at [email protected]. We will respond within 30 days.

8. Data Retention

Active accounts are retained as long as you maintain your account.
Deleted athlete profiles and account data are permanently removed immediately upon deletion.
Pending consent records (for under-13 athletes awaiting verification) expire automatically after 7 days if not verified.
Security audit logs are retained for 90 days.

9. Cookies & Tracking

We use one session cookie (signed, HTTP-only, same-site strict) to maintain your login session. We do not use third-party tracking cookies, advertising cookies, or analytics services that send your data to third parties.

10. Data Breach Notification

In the event of a data breach that poses a real risk of significant harm, we will notify affected users and the Office of the Privacy Commissioner of Canada (OPC) as required under PIPEDA Section 10.1. If you are a Quebec resident, we will also notify the Commission d'accès à l'information (CAI) within 30 days as required by Quebec's Law 25.

11. Changes to This Policy

We may update this policy to reflect changes in the law or our practices. Significant changes will be communicated by email or via an in-app notice. The effective date at the top of this page reflects when this version became active.

12. Contact Us

Privacy Officer — TumbleBuddy
Email: [email protected]
For complaints under PIPEDA, you may also contact the Office of the Privacy Commissioner of Canada. Quebec residents may contact the Commission d'accès à l'information (CAI).