Privacy Policy
Last updated: 2026-05-28
Midwest BJJ, LLC (“we”, “us”) operates the Midwest BJJ member platform at app.midwestbjj.org and the Midwest BJJ mobile apps (Android today; iOS forthcoming). This policy explains what information we collect, how we use it, and the choices you have.
Information we collect
- Account information. Name, email address, phone number, and date of birth that you provide when you join the gym or create an account.
- Membership and attendance. Your membership tier, belt rank, stripes, promotion history, and class check-ins.
- Profile content. Optional fields like emergency contacts, medical conditions, allergies, profile photo, and apparel sizes.
- Payment information. If you pay through the platform, billing is processed by Stripe or Square (whichever your gym has connected). We store invoice records and the last four digits of the card on file; the full card number never touches our servers.
- SMS consent records. If you opt into our SMS program we record the date and time, the consent language version you saw, the source of the opt-in (signup, RSVP, admin attestation, portal toggle, or START keyword), your IP address, and the device user agent. This audit trail is required for mobile-carrier compliance and is never sold or shared with marketing third parties.
- Device identifiers. When you sign in on one of our mobile apps we record a push-notification token for the device so we can deliver class reminders and account alerts.
- Diagnostic data. Sentry receives error reports (stack traces, request IDs) when something crashes. Sentry is configured to scrub email addresses and other identifiers from payloads.
How we use it
- To run your gym membership: attendance tracking, belt promotion, billing, communication.
- To send transactional notifications you opted into (class reminders, event invitations, promotion alerts).
- To answer questions you send the front desk.
- To meet our legal and tax obligations.
We do not sell your information. We do not show advertising in the app.
Camera and gallery access
The app accesses your camera and photo library only when you tap “Take photo” or “Upload” to change your profile picture. The operating system shows a permission prompt the first time you tap one of those buttons; you can decline and continue to use the rest of the app. We do not capture, store, transmit, or process biometric data, facial geometry, or any image from your device without that explicit action. If you deny camera access, the app falls back to the standard photo picker so the feature stays usable. You may revoke camera or media permissions at any time from your device’s system settings.
Sharing
- Stripe — payment processing (when your gym uses the Stripe connector).
- Square — payment processing (when your gym uses the Square connector).
- Amazon SES (AWS) — transactional email delivery.
- Twilio — SMS delivery for opt-in alerts. See “Mobile messaging (SMS)” below.
- Google Firebase Cloud Messaging — mobile push notifications.
- Sentry — error monitoring.
- Amazon Web Services — infrastructure hosting (US-East-2 region).
Each processor sees only the data needed for its job (e.g. Amazon SES sees the email + subject + body of the message we send you, never your training history).
Mobile messaging (SMS)
Our SMS program is governed by our Mobile Messaging Terms. SMS is carrier-delivered via Twilio; Twilio sees only the destination phone number, the message body, and delivery metadata required to route the message. We do not sell phone numbers, opt-in records, or consent state to any third party for marketing.
Opt-in is always explicit. You enroll by ticking the consent checkbox at member signup, on an event RSVP form, in your portal notification settings, by verbal attestation at the front desk, or by texting START to our brand number. Opt-out is one tap: reply STOP to any message, toggle the SMS setting off in your portal, or email legal@midwestbjj.org.
SMS is not the same as push notifications. Push notifications (Android and iOS) ride a separate channel. They are enrolled when you accept your device’s notification permission prompt; SMS enrollment requires the separate explicit opt-in described above. Disabling one does not affect the other.
We do not read your SMS inbox. The Midwest BJJ mobile apps do not request the Android READ_SMS or RECEIVE_SMS permissions and never access SMS messages on your device.
Mixed audience and children
The Midwest BJJ app serves both adults and children (we run kids classes). Before showing personalised content we ask for a date of birth. Users under 13 receive a restricted experience: no direct messages, no public profile, and no events flagged adult-only. We do not knowingly collect any additional information from children under 13 beyond what is needed to manage their membership at the gym. Parents can review or remove their child’s information at any time by contacting the front desk or emailing legal@midwestbjj.org.
Your choices and rights
- Access & correction. You can review and edit your profile data from /portal/account.
- Communication preferences. Email, push, and SMS opt-outs are managed at /portal/settings/notifications. See our SMS terms for the full SMS opt-out story.
- Account deletion. You can request deletion at any time from /portal/account/delete. We mark the account for deletion immediately and remove all data permanently after a 30-day recovery window. See /legal/account-deletion for details.
- Data export. Email legal@midwestbjj.org and we’ll send a copy of your records within 30 days.
Retention
We keep your account data for as long as you remain a member, plus the time required by our tax and accounting obligations (typically seven years for billing records). Deleted accounts are purged after the 30-day recovery window; aggregated, non-identifying analytics may remain. SMS consent records are retained for as long as we may need to demonstrate compliance with mobile-carrier rules.
Security
Data is encrypted in transit (TLS 1.2+) and at rest (AWS-managed keys). Access to the admin platform is gated by role-based permissions and audited via session logs. We rotate credentials periodically and run security reviews on schema changes.
Contact
For privacy questions email legal@midwestbjj.org. Mailing address:
Midwest BJJ, LLC
915 7th Street
Harlan, IA 51537
United States