DojoOS ("AashCo", "we", "us", "our") is a corporation incorporated under the laws of Canada, operating the DojoOS platform. Our principal place of business is in Ontario, Canada.
For purposes of this Policy, AashCo acts as a data controller with respect to information collected directly from platform subscribers (school owners, administrators), and as a data processor with respect to personal information of End Users (members, students, staff) submitted by our subscribers. Subscribers are themselves data controllers in relation to their End Users' personal information.
This Privacy Policy applies to personal information collected through: the DojoOS platform (dojoos.ca and related subdomains), our marketing website, email communications, and any other interaction with AashCo in connection with the Service.
This Policy does not apply to third-party websites or services linked from our platform. We encourage you to review their privacy policies independently.
When you create a DojoOS account, we collect:
Subscribers enter personal information about their members, students, and staff into the platform. This may include:
AashCo processes this data on behalf of the subscribing school (our customer). The school is the data controller responsible for obtaining all necessary consents from their members, including parental or guardian consent for minors.
| Purpose | Information Used | Basis |
|---|---|---|
| Providing and operating the DojoOS platform | Account info, End User data, usage data | Contract performance |
| Processing subscription payments | Billing information, account info | Contract performance |
| Sending transactional service communications | Email address, account info | Contract performance / legitimate interest |
| Sending marketing communications (opt-in) | Email address, name | Consent (CASL express consent) |
| Customer support | Account info, communications | Legitimate interest |
| Security, fraud prevention, and abuse detection | Log data, account info | Legitimate interest / legal obligation |
| Platform improvement and analytics | Aggregated, anonymized usage data | Legitimate interest |
| Legal compliance and enforcement of Terms | As required by applicable law | Legal obligation |
We do not sell personal information to third parties. We do not use personal information for advertising, behavioural profiling, or marketing to End Users.
Under PIPEDA, we collect, use, and disclose personal information with your knowledge and consent, except where the law permits or requires otherwise. Consent is obtained at account creation through our click-wrap acceptance mechanism, which records the date, time, and IP address of acceptance.
You may withdraw consent at any time by contacting us at hello@dojoos.ca, subject to legal or contractual restrictions. Withdrawal of consent may result in our inability to provide certain or all aspects of the Service.
We collect only the personal information reasonably necessary for the identified purposes (principle of data minimization).
From time to time, AashCo may send you marketing or promotional communications about DojoOS features, updates, and related services. We will only do so where we have obtained your express consent under CASL or where a business relationship exception applies.
You may unsubscribe from marketing communications at any time by: (a) clicking the unsubscribe link in any marketing email; or (b) contacting us at hello@dojoos.ca. We will process unsubscribe requests within 10 business days as required by CASL. Transactional and service-related communications (invoices, security alerts, service notices) are not subject to marketing opt-out and will continue to be sent while your account is active.
We do not sell, trade, or rent personal information to third parties. We may disclose personal information only in the following circumstances:
We engage the following third-party processors to operate the platform. Each operates under a contract that includes data processing obligations consistent with PIPEDA and this Policy:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase / AWS | Database, authentication, file storage, edge functions | All platform data | Canada (ca-central-1, Montreal) |
| Stripe, Inc. | Payment processing and subscription billing | Billing and payment information | United States |
| Twilio Inc. | SMS message delivery | Phone numbers, message content | United States |
| Brevo (Sendinblue SAS) | Transactional and service email delivery | Email addresses, message content | European Union (France) |
| Mux, Inc. | Video hosting and adaptive streaming | Uploaded video content and playback metadata | United States |
| Docuseal | Digital waiver signing and document storage | Names, signatures, consent records, waiver content | Canada (AashCo-operated infrastructure) |
| Sentry (Functional Software, Inc.) | Error monitoring and performance tracking | Technical logs, stack traces, anonymized session data | United States |
| Vercel, Inc. | Web application hosting and edge delivery | HTTP request data, IP addresses | United States / global edge |
| Upstash, Inc. | Rate limiting and request caching | Request metadata (no personal content) | United States |
| Better Stack | Uptime and infrastructure monitoring | Service availability metrics | European Union |
We periodically review our service providers to ensure ongoing compliance with our privacy obligations. If we add or change a material processor, we will update this section and notify subscribers where required.
Several of our service providers listed in Section 8 process data outside Canada, primarily in the United States and the European Union. By using DojoOS, you acknowledge and consent to these cross-border transfers where necessary to provide the Service.
For transfers to US-based processors (Stripe, Twilio, Mux, Sentry, Vercel, Upstash), we rely on the contractual data processing terms and privacy commitments of those providers, which include standard contractual safeguards. For transfers to EU-based processors (Brevo, Better Stack), we rely on the EU's adequacy framework and standard contractual clauses where applicable.
Where required by Quebec Law 25, AashCo conducts a Privacy Impact Assessment (PIA) before transferring personal information outside Quebec to a jurisdiction that does not offer an equivalent level of protection, and implements contractual measures to mitigate the risks identified.
Primary database storage for DojoOS is located in Canada (ca-central-1, Montreal region) on AWS infrastructure managed by Supabase. Docuseal (digital waivers) is self-hosted by AashCo on Canadian infrastructure.
AashCo has specifically selected Canadian data residency for primary storage as a design decision to support compliance with Canadian privacy law and to serve Canadian customers. Application-level backups are retained within the same Canadian region.
AashCo implements commercially reasonable technical and organizational security measures appropriate to the sensitivity of the personal information we process, including:
No method of electronic storage or transmission is completely secure. While we implement strong security practices, we cannot guarantee absolute security against all threats. In the event of a security incident affecting personal information, we will act in accordance with Section 14.
We retain personal information only as long as necessary for the purposes described in this Policy or as required by law:
When personal information is no longer required, it is securely deleted or anonymized in a manner that prevents reconstruction.
Under PIPEDA and applicable provincial law, individuals whose personal information we hold have the following rights:
To exercise any of these rights, contact our Privacy Officer at hello@dojoos.ca. We will acknowledge your request within 5 business days and respond substantively within 30 days. We may need to verify your identity before processing your request. There is no charge for access requests unless the request is manifestly unfounded or excessive.
Note for End Users (members/students): If you are a member of a martial arts school using DojoOS, your personal information is controlled by that school. Please contact your school directly to exercise your privacy rights in relation to your membership data. AashCo will cooperate with schools in responding to such requests.
In the event of a privacy breach (unauthorized access, use, disclosure, or loss of personal information), AashCo will:
SMS features within DojoOS are provided in compliance with Canada's Anti-Spam Legislation (CASL). The CASL compliance framework within DojoOS operates as follows:
AashCo's responsibility: AashCo provides the technical infrastructure for sending SMS and email communications and maintains records of platform-level consent. AashCo does not send commercial electronic messages to End Users on its own behalf except where it has independently obtained consent.
Subscriber's responsibility: Subscribing schools are the senders of commercial electronic messages to their members and are solely responsible for:
AashCo provides technical controls within the platform to support CASL compliance. However, legal responsibility for CASL compliance in relation to End User communications rests with the subscribing school as the sender.
DojoOS uses the following limited categories of cookies and similar technologies:
We do not use advertising cookies, tracking pixels for behavioural advertising, third-party marketing cookies, or cross-site tracking technologies. We do not participate in real-time bidding or targeted advertising ecosystems.
DojoOS is a business-to-business platform. Schools may enter personal information about minor students (under 18) as part of their membership management. This data is entered and controlled by the subscribing school, which is responsible for obtaining appropriate parental or guardian consent for the collection of minors' personal information under applicable provincial and federal law.
AashCo does not knowingly collect personal information directly from minors. If you believe a minor's personal information has been entered without appropriate parental consent, please contact the school directly, or contact AashCo at hello@dojoos.ca.
Certain categories of personal information require heightened protection under PIPEDA and applicable law, including health information, financial information, and information about minors. Where DojoOS processes sensitive personal information (for example, health notes on waivers), AashCo applies heightened security controls including:
Subscribers are responsible for ensuring they have a valid legal basis and appropriate consents for collecting and processing sensitive personal information about their members.
Quebec's Act respecting the protection of personal information in the private sector (Law 25, also known as Bill 64) imposes additional obligations on organizations handling personal information of Quebec residents. AashCo complies with Law 25 as applicable, including:
Quebec residents have the following additional rights under Law 25:
To exercise Law 25 rights, contact our Privacy Officer at hello@dojoos.ca. We will respond within 30 days.
We may update this Privacy Policy periodically. We will notify you of material changes by email at the address associated with your account at least 14 days before the changes take effect. The updated Policy will be posted at dojoos.ca/privacy with a revised "Last updated" date and version number.
Your continued use of the Service after the effective date of changes constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you must cancel your Subscription and cease using the Service before the effective date.
AashCo has designated a Privacy Officer accountable for our compliance with PIPEDA and applicable provincial privacy law. You may contact the Privacy Officer for any privacy-related inquiry, access request, or complaint:
If you are not satisfied with our response, you have the right to escalate your complaint to the relevant supervisory authority: