Effective date: April 15, 2026
This Privacy Policy explains how Amanda Stevens, operating as Red Maple Movement (“we”, “us”, “our”), collects, uses, shares, and protects your personal information when you visit redmaplemovement.ca or attend classes at our Campbellville studio. We follow Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
If you have questions about this policy or want to exercise any of your rights described below, contact us at amanda@redmaplemovement.ca.
1. Who We Are
Amanda Stevens, operating as Red Maple Movement
43 Main Street South, Suite 2B (inside Glow by Nelly)
Campbellville, ON, Canada, L0P 1B0
amanda@redmaplemovement.ca
Amanda is our designated privacy contact and is accountable for how your personal information is handled.
2. Information We Collect
When you create an account or book a class
- Identity: first name, last name
- Contact: email address, phone number
- Authentication: a password (stored only as a one-way bcrypt hash — we never see or store your actual password), or a Google/Facebook sign-in identifier if you use social login
- Bookings: the classes you reserve, cancel, or attend; any class credits you purchase
- Payment confirmation: we accept payment via Interac e-Transfer. We record that a booking was paid, but we do not collect, store, or process credit card or bank account numbers. The e-Transfer itself happens entirely in your banking app.
When you sign a waiver
- Date of birth (optional)
- Emergency contact name and phone
- Relevant health conditions, injuries, or pregnancy status you choose to disclose
- Your digital signature (captured as an image of what you drew in the signature box)
- Your Pilates experience level
Health information is sensitive personal information. We only use it to keep you safe in class and to respond in an emergency.
Automatically collected when you use the site
- Session cookie: a single first-party cookie that keeps you signed in. It expires 30 days after your last visit.
- Server logs: IP address, browser/device user agent, and request timestamps — retained for troubleshooting and security monitoring. We keep these logs for no longer than 30 days.
- Aggregated analytics via Vercel Web Analytics (first-party, cookieless page-view counts) and — only if you consent — Microsoft Clarity session heatmaps.
3. How We Use Your Information
| Purpose | What we use |
| --- | --- |
| Run your account and let you book classes | Identity, contact, authentication, bookings |
| Send booking confirmations, cancellation receipts, and class reminders | Email address, name, booking details |
| Keep you safe during class and respond in an emergency | Waiver: health info, emergency contact |
| Record that payment was received for a booking | Booking record, payment status (not card data) |
| Detect abuse, debug problems, protect the site | Server logs, rate-limit records |
| Understand which pages are popular so we can improve the site | Anonymous page-view counts; optional session heatmaps (with consent) |
| Comply with our legal obligations | Booking and waiver records as required |
We do not sell your personal information. We do not use it for advertising profiles or to track you across other sites.
4. Your Consent
By creating an account or signing a waiver, you consent to the collection and use described here. You can withdraw consent at any time by deleting your account (see Section 8 below) or emailing us — though some data must be retained to meet legal obligations, as explained in Section 6.
5. Service Providers and Third Parties
We share the minimum amount of information needed with these service providers, who are contractually bound to protect it:
- Vercel Inc. (USA) — hosts the website and its database. Your account, booking, and waiver records are stored in a Vercel Postgres database encrypted in transit.
- Resend Inc. (USA) — sends our transactional emails (booking confirmations, cancellation receipts, password-reset links, class reminders). Your name and email address are passed to Resend for each message.
- Google LLC (USA) — if you use “Sign in with Google”, Google shares your name and email with us, and we create or link an account. Google also serves the studio-location map on the Schedule page and the location autocomplete in the admin dashboard.
- Meta Platforms, Inc. (USA) — same as above, if you use “Sign in with Facebook”.
- Microsoft Corporation (USA, via the Clarity product) — only if the studio has enabled analytics and only if you accept the cookie/analytics banner. Clarity records anonymised session replays and heatmaps used to improve the site. Sensitive fields (waiver health info, signature, emergency contact) are masked in these recordings.
Because these providers operate servers outside Canada, your information may be accessed from, or stored in, the United States. While it is there, it is subject to the laws of that country, which may differ from Canadian privacy law.
6. How Long We Keep Your Information
| Data | Retention |
| --- | --- |
| Waivers (including health info and signature) | 2 years from the date signed, then deleted. This aligns with Ontario’s Limitations Act window for liability claims. |
| Account profile (name, email, phone, password hash) | Until you request deletion, or after 3 years of continuous inactivity — whichever comes first. |
| Booking and cancellation records | Until you request deletion, or as long as needed to reconcile payments and respond to disputes. |
| Email server logs at Resend | 30 days (Resend default) |
| Vercel server logs | 30 days |
| Analytics data (Vercel Insights, Clarity) | As per the provider’s retention schedule — typically 30–90 days |
7. How We Protect Your Information
- All traffic between your browser and our site is encrypted over HTTPS.
- Passwords are stored as bcrypt hashes, not plaintext. We can never recover your password — only reset it.
- Access to the admin dashboard is restricted to accounts that have been explicitly granted admin permissions.
- Brute-force and credential-stuffing attempts are rate-limited at the server.
- Modern security headers (Content Security Policy, HSTS, X-Frame-Options) defend against common web attacks.
- Service-provider access is limited to what each vendor needs to deliver their service.
8. Your Rights
Under PIPEDA you have the right to:
- Access the personal information we hold about you. Email us with “PRIVACY — Access Request” in the subject line and we will send you a complete export — typically as a JSON or PDF file, whichever you prefer — within 30 days.
- Correct any information that is inaccurate. Most fields can be edited directly in your account; email us for anything you can’t change yourself.
- Delete your account and the personal information attached to it. You can initiate deletion by signing in and choosing to delete your account, or by emailing us. Some records (paid-booking ledgers, signed waivers within their retention window) must be kept briefly to meet tax and liability-claim obligations; those will be deleted as soon as those obligations expire.
- Withdraw consent to optional uses (for example, Clarity session analytics) at any time via the cookie banner or by emailing us.
- Complain if you believe we have mishandled your information. Please contact us first so we can investigate. If you are not satisfied with our response you may contact the Office of the Privacy Commissioner of Canada.
Want to request something right now? Email amanda@redmaplemovement.ca with the word “PRIVACY” in the subject line and a brief description of what you need. We aim to respond within 30 days.
9. Cookies
We use as few cookies as possible:
- Strictly necessary: a single session cookie that keeps you signed in. Without this, the site cannot function.
- Analytics (optional): if the studio has Microsoft Clarity enabled and you consent via the banner, a Clarity cookie is placed to associate pageviews across your visit. You can decline.
- Vercel Insights: first-party pageview counting, cookieless.
10. Children
Our classes are open to adults. We do not knowingly collect information from anyone under 16 online. If you are a parent or guardian and believe your child has provided us with information, please contact us and we will delete it.
11. Changes to This Policy
We may update this policy occasionally. When we do, we will update the effective date at the top of the page. Material changes will be announced by email to active account holders.
12. Contact
For questions, access requests, corrections, deletion requests, or complaints:
Amanda Stevens, Privacy Contact
Red Maple Movement
43 Main Street South, Suite 2B
Campbellville, ON, L0P 1B0, Canada
amanda@redmaplemovement.ca