Student Privacy Notice

GRADR is a gym management platform designed for Brazilian Jiu-Jitsu (BJJ) academies. Gym owners use GRADR to manage their class schedules, track student attendance, record belt promotions, organize curriculum, and communicate with students and families.

Your gym (the academy your child attends) is the one who decides what information to enter into GRADR. GRADR stores and protects that information on behalf of your gym.

In legal terms: your gym is the data controller (they decide what data to collect and why), and GRADR is the data processor (we store and manage the data securely on their behalf).

Your gym may enter the following information about your child into GRADR:

• Name and date of birth — to identify your child and place them in age-appropriate classes
• Belt rank and stripes — to track your child's training progress
• Attendance records — dates and classes your child attended, recorded via kiosk check-in or manually by the gym
• Class and promotion history — when your child was promoted and in which grading sessions
• Parent or guardian contact information — your name, email, and phone number so the gym can communicate with you
• Emergency contact information — for safety purposes during classes
• Profile photograph — if your gym chooses to upload one (this is optional)
• Notes — any notes the gym owner records about your child's training, such as injury accommodations or learning preferences

Your child's information is used only for gym management purposes:

• Class management — checking your child into classes, tracking which classes they attend, and managing class rosters
• Progress tracking — recording belt promotions, stripe awards, and cumulative class counts
• Communication — your gym may use GRADR to send you emails or text messages about schedule changes, events, or gym announcements
• Student portal — if the gym enables portal access, your child (or you on their behalf) can view their own attendance, schedule, grades, and lesson materials online
• Billing — if the gym processes membership payments through GRADR, payment status is tracked (actual credit card numbers are handled by Stripe, not stored by GRADR)

Access to your child's data is strictly limited:

• Your gym owner — has full access to manage your child's record
• Gym instructors — can see information relevant to the classes they teach (attendance, belt rank)
• You (parent/guardian) — if the gym enables portal access, you can view your child's attendance, grades, and schedule
• GRADR staff — only when necessary for technical support, and under strict confidentiality obligations

Your child's data is isolated by gym — other gyms on the GRADR platform cannot see it. This is enforced at the database level through row-level security policies.

We protect your child's information through multiple layers of security:

• Encryption — all data is encrypted when transmitted between your browser and our servers (HTTPS/TLS)
• Access controls — only authorized users at your gym can see your child's data, enforced by the database itself
• Secure authentication — all accounts require passwords, and sessions expire automatically
• No public exposure — student data is never displayed on public pages. The student portal requires login credentials.

The following services may process some of your child's information as part of normal platform operation:

• Supabase — our database provider, where all gym data is securely stored
• Stripe — if the gym processes membership payments, Stripe handles payment card information (GRADR never stores card numbers)
• Resend — if the gym sends you emails through GRADR, this service delivers those emails
• Twilio — if the gym sends you text messages through GRADR, this service delivers those messages

These services process data only as needed to provide their specific function. None of them use your child's data for their own marketing purposes.

You have the right to:

Your child's data is kept for as long as the gym owner maintains an active account on GRADR and chooses to retain the record. Gym owners can archive or delete student records at any time.

If the gym owner closes their GRADR account, all associated student data (including your child's) is deleted within one hundred twenty (120) days (thirty days for export plus ninety days for backup cleanup).

You do not need to wait for the gym to close — you can request deletion of your child's data at any time (see Section 8 above).

The Children's Online Privacy Protection Act (COPPA) provides additional protections for children under thirteen (13) years of age. Here is how GRADR complies:

• Parental consent required — your gym is required to obtain your consent before entering your child's information into GRADR. GRADR does not collect information directly from children.
• Minimum necessary data — we only store data that is necessary for gym management (class tracking, progress, safety contacts). We do not collect more than what is needed.
• No behavioral tracking — we do not track children's online behavior, build profiles, or serve targeted content.
• No third-party marketing — children's data is never shared with advertisers, data brokers, or other third parties for marketing.
• Parental access and control — you can review, correct, or delete your child's data at any time (see Section 8).

Some gyms enable a "student portal" where students (or parents on behalf of younger students) can log in to view their own information. If your gym offers this:

• The portal is read-only — students cannot modify their own records
• Students can view: their attendance history, belt rank and promotions, class schedule, published lesson materials, and any resources shared by the gym
• Access requires a username and password — the gym owner initiates access, and you set a password via a secure email link
• The gym owner can revoke portal access at any time
• Lesson content is gated by payment status — students without an active membership may not see full lesson details

For younger children, we recommend that a parent or guardian manage the portal login credentials and supervise access.

If you book a trial class for your child through the gym's public booking page on GRADR:

• We collect your name, email, phone number, and your child's name and date of birth
• You will be asked to sign a digital liability waiver before the trial class. For minors, the waiver requires a parent or guardian's name and signature.
• This information is shared with the gym owner to facilitate the trial class
• If your child does not enroll after the trial, the gym owner can delete the lead record. Lead data is retained for no more than one (1) year after last activity.

We may update this Student Privacy Notice from time to time. Material changes will be posted on this page with an updated "Last Updated" date. If changes significantly affect how children's data is handled, we will notify gym owners so they can inform parents.

If you have any questions about your child's data on GRADR, you have two options: