Privacy Policy

1. Who we are

r4ptor is operated by James Readhead, trading as r4ptor ("we", "us", "our"). We are based in England and Wales.

For privacy matters, contact us at [email protected].

2. What this policy covers

This policy explains how we collect, use and protect personal data when you use r4ptor — the martial arts school management platform available at r4ptor.app and on your club's private subdomain.

r4ptor is a data processor for student and member data held within the platform. Your club (the account holder) is the data controller for that data and is responsible for its lawful collection and use under UK GDPR.

3. Data we collect

Account holders (instructors and admins)

• Name and email address (provided at signup)
• Password (stored as a one-way hash — we cannot read it)
• Login activity and timestamps

Student records (entered by the club)

• Name, contact details and any notes entered by the club
• Attendance records, grading history and class enrolments
• Communications sent via the platform (email/SMS logs)

Payment data

• Subscription payments are processed by Stripe. We do not store card numbers or payment details. Stripe's privacy policy applies to payment data: stripe.com/gb/privacy

Usage data

• Activity logs within the platform (admin actions, feature usage)
• Server logs (IP addresses, request timestamps) for security and debugging

4. How we use your data

• To provide and operate the r4ptor platform
• To authenticate users and maintain account security
• To send service emails (account setup, billing receipts, trial expiry notices)
• To investigate abuse or security incidents
• To improve the platform (aggregated, anonymised usage patterns only)

We do not sell your data, use it for advertising, or share it with third parties except as described below.

5. Legal basis for processing (UK GDPR)

• Contract: processing necessary to provide the service you've subscribed to
• Legitimate interests: security monitoring, fraud prevention, platform improvement
• Legal obligation: where required by law

6. Third-party processors

We use the following sub-processors to deliver the service:

• Hetzner Online GmbH — cloud hosting (servers located in the EU)
• Cloudflare, Inc. — DNS, DDoS protection and CDN
• Stripe, Inc. — subscription payment processing
• Twilio Inc. — optional SMS communications (only if configured by your club)

Each sub-processor is subject to data processing agreements and provides appropriate safeguards for personal data.

7. Data retention

• Active accounts: data is retained for the duration of the subscription
• Free/inactive accounts: automatically deleted after 30 days of inactivity (you will receive warning emails before deletion)
• Closed accounts: data is deleted within 30 days of account closure or teardown
• Backups: encrypted backups are retained for a short rolling period for disaster recovery

8. Children's data

Many martial arts clubs have student members who are under 18. r4ptor processes student data as instructed by the club. As the data controller, the club is responsible for ensuring appropriate consent or lawful basis exists for processing minors' personal data, including obtaining parental/guardian consent where required.

r4ptor does not knowingly collect personal data directly from individuals under 16.

9. Data security

Each club's data is held in a private, isolated database. We use industry-standard security measures including encrypted connections (HTTPS/TLS), hashed passwords, server-side access controls and regular automated backups.

10. Your rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate data
• Erase your data ("right to be forgotten")
• Restrict or object to processing
• Data portability — receive your data in a machine-readable format

To exercise any of these rights, email [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been mishandled.

11. Cookies

r4ptor uses a single authentication token stored in your browser's local storage to keep you signed in. We do not use tracking cookies or third-party analytics cookies.

12. Changes to this policy

We may update this policy from time to time. We will notify account holders of significant changes by email and update the "Last updated" date at the top of this page.

13. Contact

For any privacy questions or data requests, contact us at [email protected].