Plain-language summary: We collect only what we need to run the gym's attendance system — your name, email, and class check-ins. We do not sell your data, serve you ads, or share your information with anyone except the email delivery service we use to send you verification codes. You can request deletion of your account at any time.
Alliance Jiu Jitsu – Ames ("we", "us", or "our") operates this web-based attendance management system, accessible at amesbjjattendance.cloud. This platform is used solely to manage gym membership records, class attendance, and belt progression for students and coaches at our facility located in Ames, Iowa, USA.
For the purposes of applicable privacy laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA), Alliance Jiu Jitsu – Ames is the data controller — the entity that determines why and how your personal information is processed.
Privacy contact:
Email: privacy@amesbjjattendance.cloud
Location: Ames, Iowa, United States of America
We aim to respond to all privacy requests within 30 days.
This Privacy Policy applies alongside our Terms of Service, which govern your use of the platform.
We collect only the minimum information necessary to operate the attendance system.
| Category | Specific Data | How Collected |
|---|---|---|
| Identity | First and last name | Provided by you at registration, or by a coach when creating your account |
| Contact | Email address; phone number (optional) | Provided by you |
| Account credentials | Password (stored as a one-way bcrypt hash — we cannot read or recover it) | Created by you |
| Attendance records | Date, time, and class type of each check-in | Recorded automatically when you check in |
| Training progress | Belt rank, stripe count, class count since last promotion, class streaks | Updated by coaches based on your training |
| Session data | Authentication cookie (see Section 6) | Generated automatically when you sign in |
| Server logs | IP address, browser type, and request timestamps retained briefly in server logs | Collected automatically by the web server |
We do not collect: payment or financial information, precise location data, government-issued ID numbers, biometric data, health or medical information, social media profiles, or any special category data under GDPR Article 9. We do not use tracking pixels, advertising networks, or third-party analytics services.
We use your personal data only for the purposes listed below. Where GDPR applies to you, the specific lawful basis under Article 6 is indicated. If you are in the United States, our use is governed by applicable US law and our Terms of Service.
| Purpose | Lawful Basis (GDPR Art. 6) |
|---|---|
| Creating and managing your account | Contract performance — Art. 6(1)(b) |
| Authenticating your identity when you sign in | Contract performance — Art. 6(1)(b) |
| Recording and displaying your class attendance history | Contract performance — Art. 6(1)(b) |
| Tracking belt rank and promotion eligibility | Contract performance — Art. 6(1)(b) |
| Sending one-time verification codes (OTP) and password reset emails | Contract performance — Art. 6(1)(b) |
| Allowing coaches to manage and view student records | Legitimate interests — Art. 6(1)(f) (operating the gym) |
| Detecting and preventing security threats and abuse | Legitimate interests — Art. 6(1)(f) (securing the platform) |
| Complying with legal obligations (e.g., responding to lawful requests) | Legal obligation — Art. 6(1)(c) |
We do not use your data for marketing, advertising, behavioural profiling, automated decision-making, or any purpose beyond operating this attendance system.
We do not sell, rent, license, or trade your personal data to any third party. We do not share your information with advertisers, data brokers, or analytics companies.
The only third-party service that processes your data on our behalf is:
| Service Provider | Role | Purpose | Data Shared |
|---|---|---|---|
| Resend (resend.com) | Data Processor | Transactional email delivery (verification codes, password resets) | Your email address and name — only to deliver the requested email |
Resend is contractually bound to process your data only on our documented instructions and is not permitted to use it for their own purposes. Their privacy policy is available at resend.com/legal/privacy-policy.
We may disclose your personal information if required to do so by applicable law, regulation, or a valid legal process (such as a court order, subpoena, or governmental request). Where permitted by law, we will attempt to notify you before making such a disclosure.
If Alliance Jiu Jitsu – Ames is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via the email address on your account before your data becomes subject to a different privacy policy.
We keep your personal data only as long as necessary for the purposes described in this policy.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data (name, email, password hash) | Until account deletion, plus up to 30 days for permanent purge | Required to provide the service |
| Attendance records | Retained indefinitely in anonymised form after account deletion | Aggregate class statistics and gym records |
| Belt and promotion records | Until account deletion | Training progress tracking |
| Authentication cookies | 8 hours, or until sign-out | Session management only |
| One-time password (OTP) tokens | 10 minutes from generation, then deleted | Short-lived for security |
| Password reset tokens | 1 hour from generation, then deleted | Short-lived for security |
| Server log data (IP addresses, request logs) | Up to 90 days in standard server log rotation | Security monitoring and error diagnosis |
To request deletion of your account and personal data, email us at privacy@amesbjjattendance.cloud. We will complete the deletion within 30 days of a verified request.
A cookie is a small text file stored on your device by your browser. This site uses one cookie and one localStorage entry.
| Name | Type | Storage | Purpose | Duration |
|---|---|---|---|---|
| auth_token | Strictly necessary | HTTP cookie | Keeps you signed in to your account; carries your encrypted session identity | 8 hours or until sign-out |
| cookie_notice_dismissed | Functional / preference | localStorage (not a cookie) | Records that you have dismissed the cookie notice so it doesn't reappear | Persistent (until browser data cleared) |
No consent required: The auth_token cookie is strictly necessary for the site to function — you cannot sign in without it. Under the ePrivacy Directive (Recital 66) and GDPR Recital 47, strictly necessary cookies are exempt from the consent requirement. The localStorage entry is a user-interface preference, not a tracking mechanism.
We use no analytics cookies, advertising cookies, social media tracking pixels, fingerprinting scripts, or any other form of cross-site tracking technology.
You can delete cookies or block new ones at any time via your browser settings. Note that deleting the auth_token cookie will sign you out. Blocking it entirely will prevent you from signing in at all. Instructions for common browsers:
We implement the following technical and organisational safeguards to protect your data. These measures are reviewed and updated as the platform evolves.
auth_token cookie is flagged HttpOnly (inaccessible to JavaScript), Secure (HTTPS only), and SameSite=Strict (not sent on cross-site requests), protecting against XSS and CSRF attacks.
No method of electronic transmission or storage is 100% secure. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and, where legally required (e.g., under GDPR Article 33), notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
Depending on where you are located, you may have the following rights. To exercise any right, email us at privacy@amesbjjattendance.cloud with your name and the email address on your account. We will respond within 30 days and may ask for information to verify your identity before processing your request.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
To submit a CCPA/CPRA request, email privacy@amesbjjattendance.cloud. We will respond within 45 days as required by law.
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy laws may have similar rights to access, correct, delete, and obtain a copy of their data. Contact us at the address above and we will respond in accordance with applicable law.
This platform is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. Consistent with the Children's Online Privacy Protection Act (COPPA), if we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly.
For students between the ages of 13 and 17, account creation and management should be performed by a parent, legal guardian, or an authorised coach on their behalf. By creating an account for a minor, the parent or guardian represents that they have the authority to consent to data collection on the minor's behalf.
If you believe a child's information has been collected without appropriate consent, please contact us immediately at privacy@amesbjjattendance.cloud.
Our servers are located in the United States of America (Ames, Iowa). All personal data we collect is stored and processed in the United States.
If you are accessing this service from outside the United States — including from the European Economic Area (EEA), the United Kingdom, or Switzerland — please be aware that your personal data will be transferred to and processed in a country that may not provide the same level of data protection as your home jurisdiction.
Where such transfers are subject to GDPR or UK data protection law, we rely on the following safeguards as appropriate transfer mechanisms:
By creating an account and using this service, you acknowledge that your data will be processed in the United States. If you have questions about our transfer mechanisms, contact us at privacy@amesbjjattendance.cloud.
Some browsers include a "Do Not Track" (DNT) signal to indicate that you do not wish to be tracked across websites. Because we do not use cross-site tracking, analytics, or advertising technologies of any kind, our service does not alter its behaviour in response to DNT signals — not because we ignore your preference, but because there is nothing to opt out of. We do not track you regardless.
We may update this Privacy Policy from time to time to reflect changes to our practices or applicable law. When we make changes, we will:
Your continued use of the system after any changes constitutes acceptance of the updated policy. If you disagree with a material change, you may request deletion of your account before the change takes effect.
For any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please reach us at:
Alliance Jiu Jitsu – Ames
Ames, Iowa, United States of America
Privacy enquiries: privacy@amesbjjattendance.cloud
You may also review our Terms of Service for the full terms governing your use of this platform.