← Back to GOAT OS

Privacy Policy

Effective date: July 13, 2026 · Last updated: July 13, 2026

⚠️ Draft Template — Not Legal Advice. This document is a draft template and has not been reviewed by a licensed attorney. Before using GOAT OS commercially, have these documents reviewed by a qualified lawyer in your jurisdiction.

1. Introduction

[COMPANY LEGAL NAME] ("GOAT OS," "we," "us," or "our") operates the GOAT OS gym and studio management platform, including the staff dashboard and the parent-facing web portal (collectively, the "Service").

This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding that information. It applies to:

  • Gym Owners and Staff — businesses and individuals who create a GOAT OS account to manage their gym or studio
  • Families and Parents — parents and guardians who access the parent portal through a gym that uses GOAT OS

By using the Service, you agree to the collection and use of information as described in this policy.

2. Information We Collect

From Gym Owners and Staff

When you create or manage a GOAT OS account, we collect:

  • Name, email address, and phone number
  • Gym or studio name, business address, and primary sport/discipline
  • Payment information — processed by Stripe; GOAT OS does not store full card numbers
  • Account credentials (password is stored in hashed form; we never store it in plaintext)
  • Communications and support requests submitted to GOAT OS

From Families and Parents (via the Parent Portal)

When a gym using GOAT OS invites families to its parent portal, the gym may input or invite families to provide:

  • Parent or guardian name, email address, and phone number
  • Student (child) name, date of birth, and class enrollment information
  • Emergency contacts and health notes (if entered by the gym)
  • Communications with the gym through the portal messaging system

Families access the portal through the gym's invitation. The gym, not GOAT OS, is responsible for the data they collect from their members.

Automatically Collected Information

When you use the Service, we automatically collect:

  • IP address and approximate location derived from it
  • Browser type, operating system, and device information
  • Pages visited, features used, and time spent in the platform
  • Session identifiers and authentication tokens
  • Error logs and performance data used to diagnose and fix issues

3. How We Use Information

We use the information we collect to:

  • Provide, operate, and maintain the GOAT OS platform
  • Process billing and manage your subscription
  • Send transactional communications — account confirmations, password resets, billing receipts, and service notifications
  • Respond to customer support requests
  • Detect, investigate, and prevent fraudulent or illegal activity
  • Improve the platform through aggregate analysis of usage patterns
  • Comply with legal obligations

We do not use your data or your members' data for advertising purposes, and we do not build advertising profiles.

4. Information Shared with Third Parties

GOAT OS uses a small number of trusted third-party service providers to operate the platform. These providers process data only on our behalf and are bound by their own privacy commitments.

  • Stripe — payment processing. Your payment card information is transmitted directly to Stripe and is subject to Stripe's Privacy Policy. GOAT OS does not store full card numbers.
  • Twilio— SMS delivery. Messages sent through GOAT OS's SMS features are delivered via Twilio and are subject to Twilio's Privacy Policy.
  • Supabase — database hosting and authentication infrastructure. Platform data is stored on Supabase servers and is subject to Supabase's Privacy Policy.
  • Resend — transactional email delivery. Emails sent through GOAT OS are delivered via Resend and are subject to Resend's Privacy Policy.

We do not sell, rent, or trade your personal information or your members' personal information to any third party for their own marketing or commercial purposes.

We may disclose information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of GOAT OS, our users, or the public.

5. Children's Privacy (COPPA)

GOAT OS is a business-to-business platform sold to and operated by gyms and studios. GOAT OS does not directly market to or knowingly collect personal information from children under 13.

When a gym uses GOAT OS to manage student records that include children, the gym (not GOAT OS) is the "operator"for purposes of the Children's Online Privacy Protection Act (COPPA). Gyms are solely responsible for:

  • Obtaining verifiable parental consent before collecting personal information from or about children under 13
  • Providing parents with the required disclosures about data collection practices
  • Complying with COPPA and any applicable state children's privacy laws

If you are a parent and believe that your child's personal information has been collected without proper consent, please contact the gym directly or reach out to us at privacy@[COMPANY DOMAIN] and we will assist with directing your inquiry.

6. Data Retention

  • Active accounts: Data is retained for as long as your account remains active and for a reasonable period afterward to handle support requests, disputes, or legal obligations.
  • After account termination: Gym owner account data and associated records are scheduled for deletion 90 days after the account termination date. You may export your data at any time within this window.
  • Family/member data: Families and parents who wish to have their data deleted should contact their gym directly. Gyms may request deletion of member data by contacting privacy@[COMPANY DOMAIN].
  • Backups: Data may persist in encrypted backups for up to 90 days after deletion from the live database.

7. Security

We take the security of your data seriously and implement industry-standard safeguards, including:

  • Encryption of data in transit using TLS (HTTPS)
  • Encryption of data at rest in our database infrastructure
  • Row-level security controls limiting data access to authorized tenants only
  • Authentication token management with short expiry windows
  • Access controls limiting employee access to production data

Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information and are not responsible for unauthorized access that results from circumstances beyond our reasonable control.

In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law.

8. Your Rights (CCPA / GDPR)

Depending on your location, you may have rights regarding your personal information:

  • Right to access — request a copy of the personal information we hold about you
  • Right to correction — request that we correct inaccurate or incomplete personal information
  • Right to deletion — request that we delete your personal information, subject to legal retention obligations
  • Right to data portability — request your data in a machine-readable format
  • Right to opt out of sale — we do not sell personal information, but California residents under the CCPA may formally assert this right

California residents (CCPA): You have the right to know what personal information we collect, to request deletion, and to opt out of the sale of your personal information (we do not sell it). You will not be discriminated against for exercising these rights.

EU/EEA and UK residents (GDPR): Where GDPR applies, you have the additional right to object to processing, to restrict processing, and to lodge a complaint with your local supervisory authority.

To exercise any of these rights, contact us at privacy@[COMPANY DOMAIN]. We will respond within the timeframe required by applicable law (typically 30–45 days).

9. Cookies

GOAT OS uses a minimal set of cookies necessary to operate the platform:

  • Session cookies — used for authentication. These cookies allow you to stay signed in and are deleted when you close your browser or sign out.
  • Security cookies — used to detect and prevent cross-site request forgery (CSRF) attacks and other security threats.

We do not use third-party advertising cookies, tracking pixels, or behavioral retargeting technologies. We do not share cookie data with advertising networks.

10. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — those that meaningfully affect how we collect, use, or share your information — we will provide at least 30 days advance notice via email to the address on file for your account. The updated policy will also be posted at this URL with a revised "Last updated" date.

Your continued use of GOAT OS after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

11. Contact

For privacy-related questions, data access requests, or to report a concern about how your data is handled, please contact:

[COMPANY LEGAL NAME]
Email: privacy@[COMPANY DOMAIN]
[COMPANY ADDRESS]