Privacy Policy
Last updated: May 26, 2026 · Notice at collection for California residents · Multi-state US privacy compliance.
This Privacy Policy explains how StudioBook (operated by Marcel Jurna, a German sole proprietor) collects, uses, shares, and protects your personal information when you use StudioBook to operate a studio or book classes.
This policy applies to users in the United States. If you are in the EU/EEA, see our GDPR Privacy Policy instead.
Quick reference
| Information | |
|---|---|
| Who we are | StudioBook · Marcel Jurna (German sole proprietor) · `hello@studiobook.app` |
| What we collect | Account info, payment metadata (no card numbers), bookings, communications |
| Do we sell your data? | No. We do not sell or share personal information for cross-context advertising. |
| Your rights | Request access, deletion, correction, opt-out via email |
| Response time | 45 days (extendable by 45 days with notice if needed) |
1. Who we are
StudioBook is a software-as-a-service platform for boutique fitness, yoga, dance, and similar studios. We are operated by:
Marcel Jurna (sole proprietor)
Am Glockenberg 52
51515 Kürten, Germany
Email: `hello@studiobook.app`
For studios operating in the US, StudioBook serves as your software provider. For US members booking classes, StudioBook is the platform that powers your booking experience.
2. Notice at collection (California)
When you create a StudioBook account or use the StudioBook-powered booking page of a US studio, we collect the categories of personal information listed in Section 3 below for the business and commercial purposes described in Section 4. We retain this information for as long as your account is active, or as required by law (see Section 8). We do not sell this information, and we do not share it for cross-context behavioral advertising.
You have the rights described in Section 9 to access, delete, correct, or opt out of certain processing.
3. What we collect
Categories of personal information
| Category (CCPA terminology) | Specific items |
|---|---|
| Identifiers | Name, email address, account ID, IP address, browser session ID |
| Customer records (Cal. Civ. Code §1798.80(e)) | Billing address for studios (legal name, street, city, state, ZIP), EIN for US studios (optional, on receipts) |
| Commercial information | Bookings, class attendance, payment history (amounts + dates only — Stripe holds card data, we never see it), membership status |
| Internet/electronic network activity | Pages visited within StudioBook, features used, session timestamps, device type, browser language (used for our internal analytics via Plausible — cookieless) |
| Geolocation (approximate) | Country/state inferred from IP for tax and language purposes — not precise location |
| Inferences | Studio category preferences, booking frequency patterns (used only to improve our product, never sold or shared) |
| Communications | Emails you send to us via support, marketing emails you opt into |
Categories we do NOT collect
We do not collect:
- Social Security Numbers, government IDs, or passport numbers (Stripe collects these from studios for KYC; we never see them)
- Health information (other than what a studio includes in its own intake forms, which the studio controls — we are merely the processor for studio-collected member data)
- Precise geolocation (GPS coordinates)
- Biometric information
- Genetic information
- Racial or ethnic origin, religion, sexual orientation, union membership (sensitive categories under California's CPRA)
- Information about children under 13 (we do not knowingly collect — see Section 12)
Sources of personal information
We collect personal information from:
- You directly — at signup, in your account settings, and during use of the Service
- Studios — for member-related data (a studio may add a member's email when issuing a gift card, for example)
- Stripe — payment metadata only (amount, date, last 4 of card, billing address as needed for tax)
- Your browser — IP address, browser type, basic session data
- Plausible Analytics — aggregated, cookieless usage metrics (never personally identifying)
4. How we use your information (business and commercial purposes)
We use your personal information to:
1. Provide the Service — create your account, process bookings, manage payments via Stripe, send transactional emails (booking confirmations, payment receipts, class reminders)
2. Account security — authenticate your logins, detect suspicious activity, prevent fraud
3. Customer support — respond to your questions
4. Improve the product — aggregated usage patterns inform feature development (we never single out individual users)
5. Send marketing — only with your opt-in consent, and only from the studio you booked with or directly from StudioBook for product announcements. You can unsubscribe at any time.
6. Legal compliance — respond to subpoenas, court orders, IRS or state-tax inquiries, CCPA requests, etc.
We do not use your information to:
- Sell or share with third parties for advertising
- Track you across other websites or apps
- Build profiles for use by third-party data brokers
- Send you push notifications without your permission
5. Cookies and tracking
StudioBook uses a small number of strictly necessary cookies for authentication (so you stay logged in) and CSRF protection. We do not use marketing cookies, advertising pixels, or third-party tracking scripts.
Our analytics tool is Plausible Analytics, which is cookieless and GDPR/CCPA-compliant by design — it stores no personal data, only aggregate metrics.
If your browser sends a "Do Not Track" signal, we do not currently process it differently because we don't track you in the first place. California's "Global Privacy Control" (GPC) signal is also unnecessary for the same reason — we don't sell or share your data.
6. Who we share data with
We share your personal information only with the following categories of recipients, and only for the specific purposes listed:
Sub-processors (service providers)
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing for studio subscriptions and member transactions; Stripe Connect onboarding for studio Connect accounts; Stripe Tax for sales-tax calculation | US (Delaware-incorporated; data centers worldwide) |
| Supabase (Skybase Inc.) + AWS | Database, authentication, file storage. Our staging and production databases are hosted in AWS Frankfurt (`eu-central-1`) | Germany (data residency in EU) |
| Resend | Transactional and marketing email delivery | US (San Francisco) |
| Vercel, Inc. | Frontend hosting (`app.studiobook.app` + `studiobook.app` marketing site) | US (San Francisco, global edge network) |
| Plausible Analytics (HostedAnalytics OÜ) | Aggregate, cookieless web analytics | EU (Tallinn, Estonia) |
Each sub-processor is contractually bound to use the data only to provide the specific service we engage them for. Stripe, in particular, is a separate data controller for the payment data it processes — see Stripe's privacy policy.
Legal compliance
We may disclose your data to law enforcement, regulators, or other authorities if:
- Required by a valid subpoena, court order, or other legal process
- Required to comply with applicable law (tax authorities, CCPA requests, etc.)
- Necessary to investigate fraud, security incidents, or violations of these Terms
We will notify you of any compelled disclosure unless legally prohibited from doing so (e.g., a gag order).
Business transfers
If StudioBook is sold, merged, or restructured, your data may be transferred as part of that transaction. We will notify you and provide you the opportunity to delete your account before any such transfer takes effect.
What we don't share
- We do not sell your data to anyone for any purpose.
- We do not share your data with advertising networks, data brokers, or marketing analytics providers other than Plausible (cookieless aggregate metrics only).
- We do not share studio-member data across studios — each studio sees only its own members.
7. International data transfers
StudioBook is operated from Germany; some sub-processors (Stripe, Resend, Vercel) are US-based; our database is in AWS Frankfurt. Data may transit between these regions to provide the Service.
For US users: this is disclosed for transparency. US law does not impose specific restrictions on outbound data transfers from the US to other jurisdictions. We rely on the contractual data-protection terms of each sub-processor.
8. How long we keep your data
| Data type | Retention period |
|---|---|
| Active account data (profile, bookings, communications) | Duration of your active account |
| Payment transaction records (amount, date, parties, last 4 of card) | 7 years from end of calendar year of the transaction (IRS recordkeeping rule under 26 U.S.C. §6001) |
| Marketing email opt-out / suppression list | Indefinitely (to honor your opt-out forever) |
| Email logs (delivery confirmations, bounces) | 2 years |
| Analytics (Plausible aggregated metrics) | Indefinitely — but anonymized; never traces back to individuals |
| Account-deletion records (for CCPA proof of compliance) | 7 years |
When you delete your StudioBook account, we remove your personal data within 30 days, except records we are legally required to retain (payment transactions, tax records, account-deletion logs).
9. Your privacy rights
If you are a California resident, you have the rights granted by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, Nebraska, New Jersey, Tennessee, Minnesota, Maryland, Rhode Island, Indiana, Iowa, or Kentucky, you have substantially similar rights under your state's privacy law.
Your rights
1. Right to know. You can request that we disclose what personal information we collect about you, the sources, the categories of third parties we share it with, and the purposes for which we use it.
2. Right to delete. You can request that we delete your personal information, subject to legal-retention exceptions (Section 8).
3. Right to correct. You can request that we correct inaccurate personal information about you.
4. Right to opt out of sale or sharing. We don't sell or share your information for cross-context behavioral advertising. This right is preserved for the unlikely event that we ever change practice — at which point we would post a "Do Not Sell or Share My Personal Information" link in our footer.
5. Right to limit use of sensitive personal information. We do not collect sensitive personal information (see Section 3), so there is nothing to limit. If we ever start collecting it, this right will be added to our submission process.
6. Right to non-discrimination. Exercising your privacy rights will not result in different service or pricing.
7. Right to data portability. You can request your data in a portable, machine-readable format (we provide CSV or JSON exports).
How to exercise your rights
Email us at `hello@studiobook.app` with the subject line "Privacy Request" and:
- Your account email (so we can authenticate you)
- The specific right you wish to exercise
We will:
- Acknowledge your request within 10 business days
- Authenticate you (typically by verifying your control of the account email)
- Respond to your request within 45 days of receipt
- Extend the response window by 45 days if necessary, with notice to you (CCPA §1798.130(a)(2))
Authorized agent
You may use an authorized agent to submit privacy requests on your behalf. The agent must provide:
- Signed permission from you authorizing them to act
- Their contact information
- Sufficient information for us to identify you in our systems
10. Security
We take reasonable measures to protect your information against unauthorized access, alteration, disclosure, or destruction. Specifically:
- Data in transit: TLS 1.2+ encryption on all connections to StudioBook
- Data at rest: encrypted in our database (AWS RDS encryption at rest)
- Access controls: role-based access; only Marcel Jurna and contracted developers have production database access
- Payment data: never stored by us — Stripe handles all payment-card data and is PCI-DSS Level 1 certified
- Logging and monitoring: all production database access is logged
No system is 100% secure. If a security incident occurs that affects your personal information, we will notify you within the timeframe required by applicable state law (typically 30 to 90 days, depending on state). If the incident affects 500+ residents of a single state, we will also notify the state attorney general where required.
11. Marketing emails
You only receive marketing emails (newsletters, product announcements, studio promotions) if you opt in. Studios may include a marketing-consent checkbox on their signup form; you must affirmatively check it.
You can unsubscribe at any time using the link in any marketing email. We honor opt-outs within 10 business days as required by CAN-SPAM, but practically the suppression takes effect within minutes.
You will continue to receive transactional emails (booking confirmations, payment receipts, password resets, class reminders) regardless of marketing preferences — these are necessary for the Service.
12. Children's privacy
StudioBook is not directed to children under 13. We do not knowingly collect personal information from anyone under 13.
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at `hello@studiobook.app` and we will promptly delete the information.
StudioBook requires users to be at least 16 years old to create an account. We may, at our discretion, allow a studio to add a minor member (e.g., a 14-year-old taking a yoga class) with parental consent, but we never directly collect data from the minor without going through the studio and parental authorization.
13. Updates to this policy
We may update this Privacy Policy from time to time. Material changes (new categories of data, new sub-processors, changes to your rights) will be communicated by email to your account email address with at least 30 days' notice.
Non-material changes (typo fixes, clarifying examples) take effect when posted.
14. Contact
For privacy questions, requests, or complaints:
- Email: `hello@studiobook.app`
- Mail: Marcel Jurna, Am Glockenberg 52, 51515 Kürten, Germany
If you believe your privacy rights have been violated and you are not satisfied with our response, you may file a complaint with:
- California Attorney General for CCPA violations: oag.ca.gov/contact/consumer-complaint
- Your state's Attorney General for state-privacy-law violations
- The Federal Trade Commission at ftc.gov/complaint