Privacy Policy

GRADR is a Brazilian Jiu-Jitsu gym management platform operated by Subconscious Jiu-Jitsu Association, located in Los Angeles, California, United States ("Company," "we," "us," or "our").

For the purposes of data protection law, the relationship between GRADR and its users is as follows:

• Gym Owners are data controllers for the personal data of their Students and Instructors. Gym Owners determine why and how personal data is processed through the Platform.
• GRADR acts as a data processor on behalf of Gym Owners, processing Student and Instructor data according to the Gym Owner's instructions via the Platform's features.
• GRADR is also a data controller for the personal data of Gym Owners themselves (account information, billing, and usage data).

2.1 Gym Owner Information

When a Gym Owner registers and uses the Platform, we collect:

• Name, email address, and phone number
• Gym name, city, and country
• Approximate student count
• Subscription plan and billing information (processed by Stripe)
• Stripe account identifiers (for Connect integration)
• Gym logo and branding assets
• Gym settings and configuration preferences
• PayPal credentials (encrypted, for optional payroll integration)

2.2 Instructor Information

When a Gym Owner adds an Instructor, the following data is stored:

• Name, email address, and phone number
• Belt rank and qualification level
• Hourly pay rates (coach and assist rates)
• PayPal email address (for optional payroll payouts)
• Schedule availability and shift history
• Account status (active, inactive, pending)

2.3 Student Information

Student data is entered by Gym Owners or collected through the public booking form:

• Full name, date of birth, and whether the student is a minor
• Contact email, phone number, and emergency contact information
• For minors: parent or guardian name, email, and phone number
• Belt rank, stripes, and belt track (adult or kids)
• Cumulative class count, start date, and attendance history
• Promotion and grading history
• Profile photograph
• Payment information (method, tier, status — card details handled by Stripe)
• Intro program enrollment status
• Transfer student information (previous gym, previous belt rank)
• Notes entered by Gym Owner
• Liability waiver signature (for trial bookings)

2.4 Lead Information

When a prospective student books a trial class through the public booking page:

• Name, email address, phone number, and date of birth
• For children: parent or guardian's name, email, and phone
• Prior experience level and referral source
• Liability waiver signature and, for minors, guardian name

2.5 Automatically Collected Information

We automatically collect certain technical information when you use the Platform:

• IP address and approximate geographic location
• Browser type, operating system, and device information
• Pages visited, features used, and timestamps of activity
• Authentication session data (cookies necessary for login)

We use personal information for the following purposes:

3.1 Service Delivery (Legal Basis: Contract Performance)

• Providing and maintaining the Platform's features
• Processing subscription payments and billing
• Facilitating student payment processing through Stripe Connect
• Processing instructor payroll through PayPal (when enabled)
• Delivering transactional emails (booking confirmations, shift notifications, password resets)
• Delivering SMS messages sent by Gym Owners through the campaign feature

3.2 Platform Operation (Legal Basis: Legitimate Interests)

• Maintaining Platform security and preventing fraud
• Analyzing usage patterns to improve the Platform
• Providing customer support
• Enforcing our Terms of Service

3.3 Legal Compliance (Legal Basis: Legal Obligation)

• Retaining payment and payroll records for tax and accounting purposes
• Responding to legal requests, subpoenas, or court orders
• Reporting as required by applicable law

3.4 Communications (Legal Basis: Consent or Legitimate Interests)

• Sending Gym Owner campaign emails and SMS (on behalf of the Gym Owner)
• Notifying users of material changes to the Platform or these policies

3.5 SMS Text Messaging Program

When students opt in to SMS notifications during account setup, gym owners may send text messages via GRADR using Twilio as the delivery provider. The SMS program operates as follows:

• Message types: Membership payment alerts, billing reminders, and class schedule notifications
• Message frequency: Message frequency varies based on gym activity and billing events
• Opt-in: SMS consent is entirely optional. You can use the GRADR student portal without opting in to SMS
• Opt-out: Reply STOP to any message to unsubscribe at any time. You will receive a confirmation and no further messages will be sent
• Help: Reply HELP to any message for assistance, or contact your gym directly
• Rates: Message and data rates may apply depending on your carrier plan
• No sharing: Your phone number and SMS consent are never sold, shared, or transferred to third parties for their own marketing purposes

We do not sell your personal data. We share personal information only in the following circumstances:

4.1 Third-Party Service Providers (Subprocessors)

We use the following third-party services to operate the Platform. Each processes data only as necessary to provide their specific service:

We maintain agreements with each subprocessor to ensure they handle data in accordance with applicable data protection laws.

4.2 Within the Gym

Student information is accessible to the Gym Owner and their authorized Instructors as needed for gym operations (scheduling, attendance, grading). Instructors can only see student data for classes they are assigned to or as permitted by the Gym Owner.

4.3 Legal Requirements

We may disclose personal information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will provide notice before your data becomes subject to a different privacy policy.

We implement industry-standard technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS/HTTPS) and sensitive data at rest (AES-256-GCM for PayPal credentials)
• Row-level security (RLS) policies ensuring users can only access data belonging to their gym
• Authentication via secure session tokens with automatic expiration
• Role-based access controls separating Gym Owner, Instructor, Student, and Admin permissions
• Rate limiting on authentication endpoints and public forms
• Regular security reviews of application code

No method of transmission over the Internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a data breach, we will notify affected users and relevant authorities as required by applicable law, aiming to do so within seventy-two (72) hours of discovery.

We retain personal data for as long as necessary to fulfill the purposes described in this policy:

• Active accounts: Data is retained for the duration of your account
• After account termination: Gym data is available for export for thirty (30) days, then deleted from active systems within ninety (90) days
• Payment and payroll records: Retained for seven (7) years as required for tax and accounting compliance
• Inactive student records: Retained per the Gym Owner's discretion while the gym account is active
• Lead data: Retained for one (1) year after last activity, unless the Gym Owner deletes it sooner
• Backup copies: May persist for up to ninety (90) days after deletion from active systems

GRADR is used by BJJ academies that may include children in their programs. We take children's privacy seriously and comply with the Children's Online Privacy Protection Act (COPPA) and similar regulations.

7.1 Data Collection for Minors

We do not knowingly collect personal information directly from children under thirteen (13). All children's data is entered into the Platform by the Gym Owner, who is responsible for obtaining verifiable parental consent before doing so. For the purposes of COPPA, GRADR acts as a service provider to the Gym Owner.

7.2 Limited Data Collection

For children, we collect only what is necessary for gym management:

• Name and date of birth (for age-appropriate class placement)
• Belt rank, stripes, and attendance (for training progress)
• Parent or guardian contact information (for communications)
• Profile photo (optional, uploaded by Gym Owner)
• Emergency contact information (for safety)

7.3 No Behavioral Tracking

We do not engage in behavioral tracking, targeted advertising, or profiling of children. Children's data is used exclusively for gym management purposes.

7.4 Parental Rights

Parents or guardians may at any time request to review, correct, or delete their child's personal information by contacting their Gym Owner or by emailing privacy@bjjgradr.com. We will respond to verified requests within thirty (30) days.

For more detailed information about how we handle children's data, please see our Student Privacy Notice.

Depending on your location, you may have the following rights regarding your personal data:

8.1 Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose
• Delete your personal information, subject to certain exceptions
• Opt out of the sale or sharing of personal information (we do not sell your data)
• Non-discrimination for exercising your privacy rights
• Correct inaccurate personal information
• Limit use of sensitive personal information to what is necessary

To exercise these rights, email privacy@bjjgradr.com. We will verify your identity before processing your request and respond within forty-five (45) days.

8.2 Rights Under GDPR (European Economic Area and UK)

If you are in the EEA or UK, you have the right to:

• Access your personal data and receive a copy
• Rectification of inaccurate or incomplete data
• Erasure ("right to be forgotten") in certain circumstances
• Restrict processing of your data
• Data portability — receive your data in a machine-readable format
• Object to processing based on legitimate interests
• Withdraw consent at any time where processing is based on consent
• Lodge a complaint with your local data protection authority

For Students and Instructors: your Gym Owner is the data controller. Please direct requests to your Gym Owner first. If your Gym Owner is unable to assist, contact us directly.

8.3 Data Portability

Gym Owners can export student data in CSV format at any time through the Platform. For other data portability requests, contact us at privacy@bjjgradr.com.

GRADR is hosted in the United States. If you access the Platform from outside the United States, your personal data will be transferred to and processed in the United States.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms as applicable. By using the Platform, you consent to the transfer of your information to the United States as described in this policy.

10.1 Essential Cookies

We use essential cookies that are strictly necessary for the Platform to function. These include authentication session cookies that keep you logged in. These cookies cannot be disabled without losing access to the Platform.

10.2 Third-Party Cookies

Embedded YouTube videos on lesson and welcome pages may set their own cookies subject to YouTube's (Google's) privacy policy. Stripe may set cookies during payment processing for fraud detection purposes.

10.3 No Advertising Cookies

We do not use advertising or marketing tracking cookies. We do not engage in cross-site tracking or retargeting.

The Platform does not currently respond to "Do Not Track" (DNT) browser signals. However, as described above, we do not engage in cross-site tracking or advertising-based tracking.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify registered users of material changes via email or in-app notification at least thirty (30) days before changes take effect. The "Last Updated" date at the top of this page indicates when this policy was last revised.

Your continued use of the Platform after the effective date of a revised policy constitutes your acceptance of the changes.

For questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us: