Welcome
At Open, we take your privacy seriously. This Privacy Policy explains how Middlepoint Solutions SL ("Open," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use our platform.
Company: Middlepoint Solutions SL
Address: Carrer d'Aragó, 366, Oficina 24, d2, 08009 Barcelona, Spain
Tax ID: ESB67887794
Email: nik@openmanagerapp.com
1. Who This Policy Applies To
Open serves different types of users, and we handle their data differently:
- Studio Owners/Managers ("Business Users"): Yoga studios, fitness centers, and wellness businesses that use Open to manage their operations.
- Students/Members ("End Users"): Individuals who book and attend classes through studios using Open.
- Teachers/Instructors ("Teachers"): Professionals who teach classes at studios using Open.
- Urban Sports Club Members ("USC Members"): Members of Urban Sports Club who book classes at studios through the USC integration.
2. Information We Collect
2.1 Information from Business Users (Studio Owners)
Account Information:
- Full name
- Email address
- Phone number
- Business name and address
- Tax ID / VAT number (optional, for invoicing)
- Password (encrypted and hashed)
Business Information:
- Studio logo and photos (stored on Firebase)
- Business description
- Operating hours
- Location coordinates
- Room and class information
- Teacher profiles
- Pricing and ticket information
Payment Information:
- Stripe account connection details (we don't store your bank account numbers)
- Transaction history
- Subscription payment details
Usage Information:
- IP address
- Device type and operating system
- Browser information
- How you use the platform (via internal analytics)
- Error logs and crash reports (via Sentry)
2.2 Information About End Users (Students)
Required Information:
- Name
- Email address
Optional Information (may be required by individual studios):
- Phone number
- Date of birth
- Home address
- National ID / Tax ID (for invoicing)
- Profile photo (stored on Firebase)
- Teacher notes (optional notes for instructors about preferences or considerations)
Booking and Activity Data:
- Class bookings and attendance history
- Cancellations
- Ticket purchases and payment history (processed through Stripe)
- Device tokens for push notifications
- Feedback and ratings
Technical Information:
- IP address
- Device information
- App version
- Location data (with your permission, to find nearby studios)
2.3 Information About Teachers
- Name
- Email address and phone number (optional)
- Profile photo and biography (optional, if marked as public)
- Payment information (provided by studios)
- Teaching schedule and class attendance
2.4 Urban Sports Club Integration Data
When USC members book classes through our platform, we receive:
- USC member name
- USC member ID
- Booking information (class, date, time, location)
- Check-in data
Important: Urban Sports Club remains the data controller for USC member data. We process this data on their behalf according to our API License Agreement with Urban Sports Club.
2.5 Information We Don't Collect
- We do not store credit card numbers or full payment details (Stripe handles all payment processing)
- We do not collect passport information
- We do not collect emergency contact information
- We do not send SMS messages
- We do not collect session data or tracking cookies beyond what's necessary for the platform to function
3. How We Use Your Information
3.1 To Provide the Service
- Create and manage your account
- Process bookings and payments
- Send booking confirmations and reminders (via Postmark)
- Enable communication between studios and students
- Display class schedules and availability
- Manage waitlists
- Process refunds and cancellations
- Provide customer support
3.2 To Improve the Service
- Analyze usage patterns (using only anonymized data with the Claude API)
- Fix bugs and technical issues (via Sentry error tracking)
- Develop new features
- Understand which features are most valuable
- Optimize platform performance
3.3 To Communicate With You
- Transactional emails (booking confirmations, reminders) - you cannot opt out of these
- Service updates and important notices
- Marketing communications about new features or promotions - you can opt out of these anytime
- Respond to your questions and support requests
3.4 For Legal and Security Purposes
- Comply with legal obligations (tax laws, financial regulations)
- Prevent fraud and abuse
- Enforce our Terms of Service
- Protect our rights and property
- Respond to legal requests from authorities
4. How We Share Your Information
4.1 With Studios (for End Users)
Important: When you book classes at a studio using Open, that studio becomes the data controller for your booking information. Each studio only sees your interactions with their business.
Studios can see:
- Your name, email, and any information you provide during booking
- Your booking history at their studio only
- Your attendance and cancellations at their studio only
- Your feedback and ratings for their classes only
- Teacher notes you've provided
Studios cannot see:
- Your activity at other studios using Open
- That you even use other studios
- Your cross-studio profile or history
This isolation is by design to protect your privacy.
4.2 With Payment Processors
We use Stripe to process all payments. When you make a purchase:
- Stripe collects and stores your payment information
- We only receive a token to process future transactions
- We never see or store your full credit card numbers
- Stripe's privacy policy applies: https://stripe.com/privacy
Payment fees:
- Stripe charges approximately 1.5% + €0.25 per transaction
- Open charges an additional fee:
  - Single payments: 1.0% + €0.30 for transactions under €50
  - Recurring payments: 2.9% + €0.30 for transactions under €50
4.3 With Service Providers
We share data with these trusted service providers who help us operate:
Service Provider | Purpose | Data Shared |
---|---|---|
Firebase (Google Cloud) | Image and file storage | Profile photos, studio images |
Digital Ocean | Server hosting (EU region, Netherlands) | All platform data |
Sentry | Error tracking and monitoring | Error logs, device info |
Postmark | Transactional email delivery | Email addresses, booking details |
Claude AI (Anthropic) | Analytics assistance | Anonymized, aggregated data only |
Yandex Metrika | Web analytics and user behavior analysis | Anonymized usage data, page views |
Verifactu (Spanish Tax Authorities) | Invoice submission for Spanish businesses | Invoice data (Spain only) |
All service providers are contractually required to protect your data and use it only for the services they provide to us.
4.4 With Urban Sports Club
For USC members booking through our integration:
- We share booking and check-in data with Urban Sports Club
- This is governed by our API License Agreement with USC
- USC's privacy policy also applies: https://urbansportsclub.com/privacy
4.5 For Legal Reasons
We may disclose your information if required by law or if we believe it's necessary to:
- Comply with legal processes (court orders, subpoenas)
- Enforce our Terms of Service
- Protect our rights, property, or safety
- Protect the rights, property, or safety of our users or the public
- Prevent fraud or security issues
4.6 Business Transfers
If Open is acquired by or merges with another company, your information may be transferred to the new owner. We'll notify you before this happens.
4.7 With Your Consent
We may share your information with third parties when you explicitly consent to it.
5. Data Controller Roles
This is important for understanding who's responsible for your data:
5.1 When Open is the Data Controller
- For Business Users: We control how we use your studio account information.
- For End Users (cross-studio profiles): We control your central user account that lets you visit multiple studios.
5.2 When Studios are the Data Controllers
For End Users (bookings and class data): Studios control how they use your booking information. We process this data on their behalf as a "data processor."
This means:
- Studios decide what information to collect from you
- Studios decide how long to keep your information
- You should direct privacy requests to the studio
- We support studios in fulfilling your privacy rights
5.3 When Urban Sports Club is the Data Controller
For USC members, Urban Sports Club controls your membership data. We process booking data on their behalf.
6. International Data Transfers
Our primary infrastructure is in the European Union:
- Servers: Digital Ocean, EU region (Netherlands)
- Database: Hosted in EU
Some service providers process data outside the EU:
- Firebase/Google Cloud: May process data in US
- Stripe: May process data in US
- Sentry: May process data in US
When we transfer data outside the EU, we ensure appropriate safeguards:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where the destination country is deemed adequate by the EU
- Service providers' compliance with GDPR
7. How Long We Keep Your Information
7.1 Active Accounts
We keep your information as long as your account is active or as needed to provide services.
7.2 After Account Deletion
When you delete your account:
- Most data deleted: Within 30 days
- Transaction records: Kept for 7 years (required by financial regulations)
- Communication records: Kept for 3 years (for customer service purposes)
- Marketing data: Deleted immediately if you've withdrawn consent
7.3 Studio Data After Student Deletion
If you delete your account, studios you've visited will still have a record of your bookings and attendance. This is their business record and required for their financial and legal obligations.
8. Your Privacy Rights (GDPR & Beyond)
You have strong privacy rights. Here's what you can do:
8.1 Access Your Data
- What it means: Get a copy of all personal data we hold about you
- How to do it: Email nik@openmanagerapp.com
- Response time: Within 30 days
- Cost: Free
8.2 Correct Your Data
- What it means: Fix inaccurate or incomplete information
- How to do it: Update in your account settings or email us
- Response time: Immediately in app, or within 30 days for complex requests
8.3 Delete Your Data ("Right to be Forgotten")
- What it means: Have your data deleted when it's no longer necessary
- How to do it: Settings → Delete Account, or email us
- Response time: Immediate for most data
- Exceptions: We may keep data required by law (e.g., transaction records for 7 years)
8.4 Restrict Processing
- What it means: Limit how we use your data
- How to do it: Email nik@openmanagerapp.com with your request
- When available: If accuracy is disputed, processing is unlawful but you don't want deletion, or we no longer need the data but you need it for legal claims
8.5 Data Portability
- What it means: Get your data in a common format (like CSV) to transfer to another service
- How to do it: Email nik@openmanagerapp.com
- What you'll receive: Your personal data in machine-readable format
- Response time: Within 30 days
8.6 Object to Processing
- What it means: Object to us processing your data for certain purposes
- How to do it: Email nik@openmanagerapp.com
- When available: For processing based on legitimate interests or for marketing
8.7 Withdraw Consent
- What it means: If processing is based on consent, you can withdraw it anytime
- How to do it: In account settings or email us
- Effect: We'll stop processing, but it doesn't affect processing done before withdrawal
8.8 File a Complaint
- What it means: If you're unhappy with how we handle your data, you can complain to a data protection authority
- Spanish Authority: Agencia Española de Protección de Datos (AEPD) - https://www.aepd.es
- Your local authority: You can also complain to the authority in your country
9. Data Security
We take security seriously and implement appropriate technical and organizational measures:
Technical Measures:
- Encryption in transit (HTTPS/TLS for all connections)
- Encryption at rest (database encryption)
- Password hashing (bcrypt)
- Access controls and authentication
- Regular security assessments
- Automated backup systems
- Secure cloud infrastructure (Digital Ocean EU, Firebase)
Organizational Measures:
- Limited access to personal data (only authorized personnel)
- Confidentiality commitments
- Incident response procedures
- Regular security training
However: No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You're responsible for keeping your password confidential.
10. Data Breach Notification
If we discover a data breach that's likely to pose a risk to your rights and freedoms:
- We'll notify the relevant data protection authority within 72 hours of becoming aware
- We'll notify affected users without undue delay
- We'll provide information about the breach, its likely consequences, and the measures we're taking
11. Cookies and Tracking
11.1 What Cookies We Use
- Essential Cookies: Required for the platform to function (login sessions, security)
- Analytics Cookies: Help us understand how the platform is used (via internal Ahoy analytics)
- Preference Cookies: Remember your settings and preferences
11.2 Cookie Consent
When you first visit our website or app, you'll see a cookie banner. You can:
- Accept all cookies
- Reject non-essential cookies
- Customize your preferences
You can change your cookie preferences anytime in your account settings.
11.3 Third-Party Cookies
Some service providers (like Firebase, Stripe) may set their own cookies. We don't control these cookies. Please review their privacy policies.
11.4 Do Not Track
We respond to Do Not Track (DNT) signals. If your browser has DNT enabled, we won't track your activity beyond essential functionality.
12. Children's Privacy
Open is not intended for children under 16 years old. We don't knowingly collect personal information from children under 16.
- If you're under 16: Please don't create an account or provide any personal information.
- If you're a parent: If you believe your child has provided information to us, please contact us at nik@openmanagerapp.com and we'll delete it immediately.
- Classes for children: If a studio offers classes for children, parents must create accounts on behalf of their children and are responsible for the information provided.
13. Automated Decision-Making
We do not use automated decision-making or profiling that would have legal effects or similarly significant effects on you.
Any decisions that significantly affect you (like account termination) are made by humans, not algorithms.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do:
- We'll post the new policy on this page
- We'll update the "Last Updated" date at the top
- For material changes, we'll notify you by email or through a prominent notice in the app
- Continued use of Open after changes means you accept the updated policy
We encourage you to review this policy periodically.
15. Contact Us
For privacy questions or to exercise your rights:
Address: Middlepoint Solutions SL, Carrer d'Aragó, 366, Oficina 24, d2, 08009 Barcelona, Spain
We'll respond to your request within 30 days (or let you know if we need more time).
For data protection complaints:
- Spanish Data Protection Authority (AEPD) - https://www.aepd.es
- Or your local data protection authority
16. Jurisdiction-Specific Information
16.1 European Union / European Economic Area
This Privacy Policy complies with the General Data Protection Regulation (GDPR). All the rights described in Section 8 apply to you.
Legal Basis for Processing (GDPR Article 6):
Purpose | Legal Basis | Your Rights |
---|---|---|
Provide the Service (bookings, payments, communications) | Performance of contract with you | You can request deletion after contract ends |
Improve the Service (analytics, bug fixes, new features) | Legitimate interest | You can object to processing |
Marketing communications | Your consent | You can withdraw consent anytime |
Legal compliance (tax records, responding to authorities) | Legal obligation | Limited - required by law |
Security and fraud prevention | Legitimate interest | You can object unless necessary for security |
16.2 Norway
This Privacy Policy complies with the Norwegian Personal Data Act and GDPR (via EEA Agreement). You can contact the Norwegian Data Protection Authority (Datatilsynet) at https://www.datatilsynet.no
16.3 Spain
This Privacy Policy complies with Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD).
16.4 California (United States)
California Consumer Privacy Act (CCPA) Rights:
If you're a California resident, you have additional rights:
Right to Know: You can request that we disclose what personal information we collect, use, disclose, and sell (note: we don't sell your information).
Categories of Personal Information We Collect:
- Identifiers (name, email, phone, IP address)
- Commercial information (booking history, payment transactions)
- Internet activity (device info, usage patterns)
- Location data (with your permission)
- Professional information (for teachers)
Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
Right to Opt-Out of Sale: We do not sell your personal information to third parties for their marketing purposes.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
How to Exercise Your Rights:
- Email: nik@openmanagerapp.com
- Subject line: "California Privacy Rights Request"
- We'll verify your identity and respond within 45 days
16.5 Other Jurisdictions
If you're in a country with specific data protection laws, those laws may give you additional rights. Please contact us to learn more.
17. Important Clarifications
We Do Not Sell Your Data
IMPORTANT: Open does not and will not sell your personal data to third parties for their own marketing purposes.
When we share data with service providers (like Firebase, Sentry, Postmark), this is only so they can provide services to us. They are contractually prohibited from using your data for their own purposes.
Mobile Communications
Phone numbers collected through our services will not be shared with third parties or affiliates for marketing or promotional purposes. Any phone number information will only be used to provide the services you request.
To opt out of push notifications: Go to your device settings and disable notifications for the Open app.
Aggregated Anonymous Data
Notwithstanding anything to the contrary, we may collect and use aggregated, anonymized data about platform usage that does not identify you personally. We use this "Aggregated Anonymous Data" to:
- Analyze industry trends
- Understand yoga/fitness booking patterns
- Develop new features
- Publish industry benchmarks and best practices
- Improve the platform
This aggregated data cannot be traced back to you and may be used indefinitely, even after you close your account.
Thank you for trusting Open with your data.
We're committed to protecting your privacy while helping you find and book the perfect yoga class.
Document Version: 2.0
Effective Date: October 12, 2025
Last Updated: October 12, 2025