Privacy Policy

When you book a program, contact us, or join our interest list, we collect:

• Parent/guardian details: name, email, phone number, billing information (via Stripe).
• Participant details: child's first and last name, age, grade, allergies, and medical notes relevant to safe participation.
• Emergency contacts: name and phone number for an alternative adult, and the names of anyone authorized to pick up a participant.
• Inquiry content: messages you send us through the contact or interest-list forms.
• Technical data: IP address, browser type, device identifiers, pages visited, and timestamps. We use this only for security, fraud prevention, and basic site analytics.

We do not collect or store payment card numbers. Payments are processed by Stripe, Inc., which handles card data directly under PCI-DSS.

• To confirm and operate the program you booked — including roster, scheduling, health and safety checks, and communication with the parent/guardian.
• To process payments, refunds, and credits via Stripe.
• To send transactional emails (confirmations, schedule changes, safety notices) via Resend.
• To respond to inquiries you submit through the contact form.
• To improve site reliability, prevent abuse, and meet legal obligations.

We do not sell personal information, and we do not use any participant data for targeted advertising.

Our programs are designed for children, so all account-level actions — registration, payment, communication — are taken by a parent or legal guardian over the age of 18. We knowingly collect information about children under 13 only with verifiable parental consent, which is obtained when the parent or guardian completes the booking flow and accepts this policy.

The information we collect about a participant under 13 is limited to:

• Name, age, and grade (to assign appropriate group level).
• Allergies and medical notes (so staff can keep the child safe).
• Emergency-contact and authorized-pickup names (safety only).

We do not collect persistent identifiers, geolocation, or behavioral data from children, and we do not enable third-party advertising or analytics that profile children.

A parent or guardian can at any time review the information we hold about their child, request that we delete it, or withdraw consent for further collection by contacting us at {{CONTACT_EMAIL}}. We will respond within 30 days. Withdrawing consent may end enrollment in active programs.

We retain participant information only as long as needed to operate the program and meet legal/insurance obligations — see Retention below.

• Stripe, Inc. — payment processing. Stripe receives the cardholder name, billing details, and amount. See stripe.com/privacy.
• Supabase, Inc. — secure database hosting (US data residency).
• Resend — transactional email delivery.
• Google (Calendar API) — staff calendar sync only; participant medical/allergy details are not synced to Google.
• Vercel, Inc. — hosting and CDN.

Each provider is bound by a written agreement that limits use of your information to providing services to us.

We retain booking and roster records for 7 years after the end of the program for tax, insurance, and incident-response reasons. Health/medical notes about a participant are deleted 12 months after the end of the program unless a longer period is required by law. Interest-list and unsuccessful inquiry records are deleted after 24 months of inactivity.

Depending on where you live, you may have the right to: access the data we hold about you or your child, correct it, delete it, restrict or object to certain uses, and withdraw consent. To exercise any of these, email {{CONTACT_EMAIL}}. We do not discriminate against you for exercising these rights.

California residents have additional rights under the CCPA/CPRA, and EU/UK visitors have additional rights under the GDPR/UK-GDPR where applicable.

We use TLS in transit, encryption at rest for our database, industry-standard access controls, and rotating credentials. Card data never touches our servers. No system is perfectly secure; if we learn of a breach affecting your information, we will notify you as required by law.

We may update this policy from time to time. The "Effective" date at the top reflects the most recent change. For material changes that affect children's data, we will email parents/guardians and request renewed consent where required.

{{LEGAL_ENTITY_NAME}} (operating as "The Spot")
{{BUSINESS_ADDRESS}}
Email: {{CONTACT_EMAIL}}
Phone: {{PHONE}}

See also our Terms of Service, Cookie Policy, and Refund Policy.