Skip to main content
/Docs

Data & Privacy

StudioBase is committed to protecting your data and your clients' data. This guide covers what data is collected, how it's protected, and how to manage it.

What Data Is Collected

Studio owners:

  • Account information (name, email, password hash)
  • Studio details (name, subdomain, settings)
  • Stripe Connect account information (for payment processing)

Guests/clients:

  • Name and email address (provided during booking)
  • Booking history (class, date, time, status)
  • Payment information (processed securely via Stripe — StudioBase does not store card numbers)
  • Waiver acceptance records (if enabled)
  • Notification preferences

How Data Is Protected

  • Encryption in transit — All connections use HTTPS/TLS
  • PCI-compliant payments — Card data is handled entirely by Stripe
  • Row-Level Security — Database access is enforced per-studio (multi-tenant isolation)
  • CSRF protection — All mutations require valid tokens
  • Rate limiting — Prevents abuse of sensitive operations

Managing Your Data

Anyone can export or delete their personal data from StudioBase — no account required.

Exporting Your Data

  1. Visit studiobase.org/privacy/manage
  2. Enter your email address
  3. Click Export My Data
  4. Check your email for a verification link (expires in 30 minutes)
  5. Click the link to download a JSON file containing all your data

The export includes: guest sessions, bookings, consent records, and notification preferences.

Deleting Your Data

  1. Visit studiobase.org/privacy/manage
  2. Enter your email address
  3. Click Delete My Data
  4. Check your email for a verification link (expires in 30 minutes)
  5. Click the link to confirm deletion

When data is deleted:

  • Personal information (name, email) is anonymized on booking records
  • IP addresses and device information are removed
  • Notification preferences are deleted
  • Consent withdrawal is recorded for compliance

Anonymized booking records are retained for up to 7 years for tax and accounting compliance. No personally identifiable information remains on these records.

Data Retention

Data TypeRetention Period
Guest sessions90 days
Booking records7 years (anonymized after deletion)
Consent recordsRetained for compliance proof
Payment dataManaged by Stripe per their policies

Studio Owner Account Deletion

Studio owners can delete their entire account from Settings > Security > Danger Zone. See Account Security for details on the 30-day recovery window.

Privacy Policy

For the full privacy policy including US state-specific rights (CCPA, GDPR), visit studiobase.org/privacy.

Need Help?

For privacy questions or data requests, contact privacy@studiobase.org.

Last updated February 7, 2026
Previous
Liability Waivers

Navigation