Privacy Policy

Effective Date / Last Updated: 2026-02-20

Company: Crystal Labs LLC ("Sessio," "we," "us," or "our")

Website/App: Sessio (including our website, mobile app, and related services, the "Service")

This Privacy Policy explains how we collect, use, share, retain, and protect personal information when you use Sessio. It also describes your choices and privacy rights.

Sessio is designed for independent instructional professionals (e.g., Coach, Instructor, Trainer, Teacher, Tutor) and their invited clients. Sessio is not a public marketplace and does not sell personal information or share personal information for cross-context behavioral advertising.

If you do not agree with this Privacy Policy, please do not use the Service.

1. Introduction

Sessio provides tools to schedule sessions, manage clients, track bookings, optionally facilitate payments through third-party payment processors, and synchronize calendars. We aim to be transparent about what we collect and why, and to give you meaningful control over your information.

This Privacy Policy applies to personal information we process as a "controller" (or similar role) under applicable privacy laws (e.g., GDPR/UK GDPR, CCPA/CPRA, LGPD). Where we process information on behalf of a business customer as a "processor," the relevant agreement and instructions may also apply.

2. Information We Collect

We collect information you provide directly, information collected automatically when you use the Service, and (in limited cases) information from third parties.

2.1 Personal Information

Depending on how you use Sessio (professional or client), we may collect:

A. Account & Authentication Data

  • Email address
  • Password (handled via Supabase Auth; we do not store plaintext passwords)
  • Authentication provider IDs (e.g., Sign in with Apple / Google, if you use them)
  • Account role flags (e.g., professional vs client)

B. Profile Data

  • Display name
  • Avatar/photo URL (and the photo itself if you upload it)
  • Bio (optional)
  • Social links (optional)
  • Profession type/title (Coach/Instructor/Trainer/Teacher/Tutor)
  • Language and timezone

C. Connection Data

  • Invitations you send or receive (invite email, status, timestamps)
  • Professional–client and client–client relationship records (who is connected to whom)
  • Referral relationships/codes (if enabled)

D. Session / Booking Data

  • Professional and client IDs
  • Session date/time and duration
  • Location (e.g., address or "online" flag)
  • Attendees (for group sessions)
  • Notes you enter (e.g., session notes; please avoid sensitive data)
  • Cancellation status, no-show flags
  • Refund status (if applicable)

E. Payment-Related Data (Limited)

  • Payment mode/status (e.g., Stripe vs off-platform)
  • Amounts and currency
  • Stripe identifiers/metadata (e.g., Stripe customer IDs, last four digits of the card number, payment method tokens, connected account IDs, subscription/billing tier status, invoice/payment intent metadata)
  • We do not receive or store full card numbers or CVV (handled by Stripe)

F. Uploaded Content

  • Profile photos
  • Images you upload as off-platform payment receipts (if you choose to use that feature)

G. Notification Data

  • Push notification token(s)
  • Notification preferences
  • Notification delivery logs (e.g., title/body/data/status, timestamps)

H. Calendar Sync Data

  • Calendar sync enabled/disabled flag
  • Selected calendar identifier stored on our servers (when applicable)
  • Calendar event mapping stored locally on your device to support sync/remove actions

I. Permissions Data

  • Camera access (for QR code scanning, if used)
  • Photo library access (for avatar and receipt uploads)

Important: Sessio is not intended for sensitive personal information (e.g., medical, mental health, precise geolocation history). Please do not add sensitive data to session notes or uploads.

2.2 Automatically Collected Information

When you use the Service, we may automatically collect:

  • Device and app information: device type, operating system, app version, language, time zone, identifiers needed to deliver push notifications
  • Usage and events: in-app event logs (e.g., invite creation, booking actions), feature usage, timestamps
  • Diagnostics and error data: crash reports and performance/diagnostic telemetry (e.g., via Sentry error monitoring)
  • IP address and general location: derived from IP for security, fraud prevention, and regional settings (we do not do continuous background location tracking)
  • Log data: limited server logs for security, reliability, and troubleshooting

2.3 Information from Third Parties

We may receive limited information from:

  • Authentication providers (e.g., Apple/Google): identifiers and basic profile fields you authorize
  • Payment processors (e.g., Stripe): payment status and metadata required to operate billing and connected accounts (where enabled)
  • Push notification platforms (e.g., Apple Push Notification service (APNs), Firebase Cloud Messaging (FCM)): delivery/registration data
  • Google Places API: address autocomplete queries and results (for location input convenience)

3. How We Use Your Information

We use personal information to:

1. Provide and operate the Service

  • Create accounts and authenticate users
  • Enable scheduling, bookings, and session management
  • Manage professional–client connections and invites
  • Support calendar synchronization and notifications

2. Process subscriptions and payments (as applicable)

  • Determine subscription tier status and billing state
  • Facilitate Stripe-based payments (if enabled by the professional)
  • Track off-platform payment status (if you choose to record it)

3. Improve and maintain the Service

  • Diagnose errors and fix bugs
  • Analyze feature usage to improve UX and performance
  • Monitor reliability and security

4. Communicate with you

  • Send service and administrative communications (e.g., account notices, changes, security alerts)
  • Send notifications you request or that are necessary to deliver core features (e.g., booking confirmations, cancellations)

5. Security, fraud prevention, and compliance

  • Protect accounts and prevent misuse
  • Enforce our Terms of Service
  • Comply with legal obligations and respond to lawful requests

AI / Automated Decision-Making

Sessio does not use automated decision-making or profiling that produces legal or similarly significant effects (as described in GDPR/UK GDPR) for core account decisions. We do not sell your personal information for AI model training. If we introduce AI-powered features in the future (e.g., scheduling suggestions), we will provide additional disclosures and, where required, choices or consent.

4. How We Share Your Information

We share personal information only as described below and do not sell personal information or share it for targeted advertising.

4.1 Sharing Within Sessio (Between Users You Connect)

Because Sessio is built around private relationships:

  • If you are a professional, your invited clients can see information necessary to schedule and manage sessions with you (e.g., availability, session details, basic profile).
  • If you are a client, the professional you work with can see information necessary to provide sessions and manage scheduling (e.g., your display name, booking history, relevant session details).

4.2 Service Providers (Processors)

We use vendors to help run the Service. These vendors may process personal information on our behalf under contractual obligations (including confidentiality and security). Key processors include:

  • Supabase (authentication, database, storage, serverless functions)
  • Stripe (payment processing and onboarding, if enabled)
  • Expo / APNs / FCM (push notification delivery)
  • Sentry (error monitoring/diagnostics)
  • Google Places API (address autocomplete)

4.3 Legal, Safety, and Business Transfers

We may disclose information:

  • To comply with law, regulation, legal process, or government requests
  • To protect the rights, safety, and security of Sessio, our users, or others
  • In connection with a merger, acquisition, financing, reorganization, or sale of assets (information will remain subject to this policy or a policy with materially similar protections)

4.4 No Sale / No Targeted Advertising Sharing

  • We do not "sell" personal information as defined by the CCPA/CPRA.
  • We do not "share" personal information for cross-context behavioral advertising (targeted advertising) as defined by the CCPA/CPRA.
  • We do not permit third-party ad networks to track you across apps for targeted advertising purposes.

5. International Data Transfers

Sessio may process and store information in the United States and other countries where we or our service providers operate. If you are located in the EEA/UK/Switzerland, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses and other safeguards) when required.

6. Data Retention

We retain personal information only as long as reasonably necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

6.1 Retention by Category (High-Level)

  • Account & profile data: retained while your account is active; deleted or anonymized upon account deletion, subject to the exceptions below.
  • Bookings/session records: retained for operational continuity, dispute resolution, and legal compliance. When you delete your account, we may anonymize your identity in historical booking records while retaining the records themselves.
  • Payment-related records: retained as required for accounting, audits, tax, and legal compliance. Where payments are processed by Stripe, Stripe retains certain records as an independent controller for its own compliance.
  • Invites/connection data: retained while necessary to operate relationships; may be deleted or anonymized after account deletion.
  • Logs/diagnostics: retained for a limited period to maintain security and reliability (typically days to months, depending on the log type), then deleted or aggregated.

6.2 Account Deletion Constraints (Important)

To prevent disruptions for others and maintain scheduling integrity:

  • Account deletion may be blocked if you have upcoming sessions. You may need to cancel or complete upcoming sessions before deletion can proceed.
  • After deletion, we remove or anonymize your personal profile where possible, but we may keep certain records (e.g., bookings and payment metadata) with a placeholder identity for legal and operational reasons.

If you need deletion support, contact us (see Section 11).

7. Your Privacy Rights and Choices

Sessio supports account deletion and data export, and we honor applicable rights under laws such as GDPR/UK GDPR, CCPA/CPRA, LGPD, PIPEDA, and certain U.S. state privacy laws (e.g., Virginia, Colorado, Connecticut, Utah) to the extent they apply.

7.1 Access, Correction, Deletion

You may have the right to:

  • Access your personal information (request a copy)
  • Correct inaccurate information
  • Delete your account and certain personal information (subject to retention rules and upcoming-session constraints)
  • Export your data (where available)

How to exercise:

  • Use in-app settings where available (e.g., export, delete), or
  • Email us at support@sessio.ai with your request.

We may need to verify your identity before fulfilling requests.

7.2 Opt-Out / Do Not Sell/Share

Sessio does not sell personal information or share it for targeted advertising. Therefore, "Do Not Sell or Share" opt-outs are not required for our current model. If our practices change, we will update this policy and provide required opt-outs.

7.3 Marketing Communications

Sessio may send service messages necessary to operate the app (e.g., confirmations, security notices). If we send optional marketing emails, you can opt out via the unsubscribe link or by contacting us. You may still receive non-marketing, administrative communications.

7.4 Cookies & Tracking Technologies

Our website may use cookies or similar technologies for:

  • Essential site functionality
  • Security
  • Analytics (to understand usage and improve performance)

We do not use cookies for third-party targeted advertising.

If we publish a separate Cookie Policy, it will be linked here: https://sessio.ai/cookies.

You can control cookies through your browser settings and, where available, our cookie preference tools.

7.5 EU/UK Specific Rights (GDPR / UK GDPR)

If you are in the EEA/UK, you may also have rights to:

  • Object to processing based on legitimate interests
  • Restrict processing
  • Data portability
  • Lodge a complaint with your supervisory authority

We process data under bases that may include: performance of a contract, legitimate interests, and consent where required (e.g., certain optional features).

7.6 U.S. State Privacy Rights (CCPA/CPRA and Others)

If you are a resident of certain U.S. states, you may have rights to:

  • Know/access categories and specific pieces of personal information we collected
  • Delete personal information (with exceptions)
  • Correct certain personal information
  • Opt out of sale/sharing (not applicable as described above)
  • Limit use of certain sensitive personal information (Sessio does not intentionally collect sensitive personal information for such purposes)

We do not discriminate against you for exercising your rights.

8. Children's Privacy

Sessio is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided personal information, please contact us and we will take appropriate steps to delete it.

9. Security of Your Information

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information. Measures may include encryption in transit, access controls, and monitoring. However, no system is 100% secure; you use the Service at your own risk.

You are responsible for maintaining the confidentiality of your login credentials and for any actions taken through your account.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Service or by other means as required. The "Last Updated" date at the top indicates when this policy was last revised.

11. Contact Us / Data Protection Officer

Privacy Contact: support@sessio.ai
Support Contact: support@sessio.ai
Company: Crystal Labs LLC
Mailing Address: Crystal Labs LLC, United States

DPO / EU Representative (if applicable):
Sessio has not currently appointed a separate DPO or EU/UK representative. If this becomes required by law, we will update this section.

12. Additional Legal Notices / Disclaimers

  • Sessio provides software tools and does not provide professional services, medical services, legal services, or financial advice.
  • This Privacy Policy describes our general practices and is intended to be transparent and user-friendly. It may not address every scenario, and it does not create contractual rights beyond those in our Terms of Service.
  • Where required, we will provide additional disclosures for specific features (e.g., calendar integrations, payment features) within the app.

This Privacy Policy was last updated on 2026-02-20.