Privacy policy

What SessionHQ collects, why, how long we keep it, and how you take it back.

Last updated: 2026-04-15.

About this policy

SessionHQ is operated by Zack Design (ABN 11 405 255 456), 39 Kent Road, Mascot NSW 2020. This policy describes how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For EU/UK users, the equivalent GDPR rights (access, rectification, erasure, objection) are covered below; to exercise them, email info@sessionhq.org.

Controller vs processor

For data entered by a studio operator (member lists, attendance records), the studio is the data controller and SessionHQ acts as the processor on their behalf. For your SessionHQ account itself, SessionHQ is the controller.

What we collect

  • Account: name, email, phone, password hash
  • Operational: check-in records, pass balances, attendance history
  • Payment: Square-tokenised card reference and transaction metadata (never raw card numbers)
  • Optional: member photos, emergency contact, medical conditions — only if the operator collects them
  • Technical: IP address, user agent, session cookies

Sensitive information (health data)

If your studio collects medical conditions or similar health information, that data is treated as sensitive under APP 6 and APP 11. It is:

  • Visible only to staff with an owner/admin/staff role in the tenant
  • Excluded from default member-data exports
  • Automatically redacted from our error-monitoring system before any engineer can see a crash report
  • Scrubbed when a member is anonymised under your right to erasure

Why we collect it

  • To provide the service — running check-ins, passes, payments
  • Legitimate interests — preventing abuse, audit logging, security, support
  • Legal obligations — retaining financial records (7–10 years under Australian tax law)
  • Consent — marketing communications (always opt-in, never pre-ticked)

Where your data is stored

SessionHQ stores the primary database in Australia (Sydney) via Supabase. Some sub-processors are located outside Australia — see Sub-processors for the current list and each provider's region. By using SessionHQ you consent to this cross-border handling for the purposes described above.

Retention

Check-in and payment records are retained as required by tax and consumer law (up to 10 years). Inactive member profiles are automatically anonymised after 3 years of no check-ins. Backups follow a 30-daily + 12-monthly retention schedule and are destroyed at the end of their retention window.

Your rights

  • Access — request a JSON bundle of your data
  • Correction — correct inaccurate data via your profile or by contacting us
  • Erasure — request anonymisation; PII is scrubbed while financial and audit records are retained as required by law
  • Objection & withdrawal of consent — opt out of marketing at any time
  • Complaint — escalate to a supervisory authority (see below)

Email

SessionHQ sends operational emails that are part of the service: welcome messages, payment receipts, pass expiry reminders, and re-engagement prompts from your studio. These identify the sender and include our business details. Where a message is a commercial electronic message under the Spam Act 2003 (Cth), it will include a functional unsubscribe mechanism. Marketing consent captured at signup is a separate, explicit opt-in and can be withdrawn at any time.

Data breach notification

We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988. If we become aware of a breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) without undue delay.

Complaints

Contact us first at info@sessionhq.org. If we can't resolve your concern, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au. EU/UK users may contact their national data-protection authority.

Cookies

See Cookies.

Contact

Privacy enquiries: info@sessionhq.org
Post: Zack Design, 39 Kent Road, Mascot NSW 2020, Australia