Privacy Policy.
In plain language, then in full.

Effective April 30, 2026 · Last updated April 30, 2026
The short version

Your studio's member data is yours. We process it on your behalf to run Otto — risk scoring, Monday briefs, drafted member messages. We don't sell it, don't share it with third parties outside our named subprocessors, and don't train general-purpose AI models on it. You can disconnect at any time and we'll delete it. For the full detail, keep reading.

Contents
  1. Who we are
  2. What we collect
  3. How we use it
  4. Who we share it with
  5. Retention & deletion
  6. Your rights & your members' rights
  7. Security
  8. International transfers
  9. Children's data
  10. Changes to this policy
  11. How to contact us

1. Who we are

Game Plan Designs LLC, a North Carolina limited liability company doing business as OctoEmployee ("octoEmployee", "Otto", "we", "us"), provides retention intelligence software to boutique fitness studios and wellness businesses that operate on the Mindbody platform. Under US and EU privacy law, we act as a data processor for the studios that use our service (our "Customers"). Our Customers are the data controllers of their members' personal information.

2. What we collect

2.1 Data from our Customers (studio owners)

When a studio signs up, we collect:

  • Account information — name, business name, email, phone, billing address.
  • Billing information — processed by Stripe. We store only the last four digits of the card and the billing descriptor; Stripe holds the full card number.
  • Authentication data — hashed password, session tokens, optional MFA enrollment.
  • Communications with us — support emails, in-app messages, call recordings if you've opted in.
  • Usage telemetry — which pages you visit, which actions you take, approximate IP-derived location. We do not use third-party advertising cookies.

2.2 Data from our Customers' members (via Mindbody)

Once you authorize the Mindbody connection, Otto reads the following on a nightly sync:

  • Member profile — name, email, phone, date of birth if on file, membership start date, emergency contact.
  • Booking & attendance history — classes booked, attended, cancelled, no-showed; timestamps; coach.
  • Membership & billing history — plan, price, renewal dates, freezes, cancellations, pack purchases.
  • Transaction history — amounts and descriptors (not payment instruments).
  • Consent flags — SMS and email opt-in status as recorded in Mindbody.

We access Mindbody on read-only credentials. We cannot and do not write back to Mindbody.

2.3 Data we generate

Otto produces derived data — per-member risk scores, predicted lifetime value, churn-reason clusters, drafted outreach messages, approval logs, and message-reply threads. This derived data belongs to the Customer and moves with them if they leave.

3. How we use it

  • To run the service — compute risk scores, assemble the Monday brief, draft personalized member messages, route replies, produce reports.
  • To improve the service — anonymized, aggregated retention patterns across our customer cohort inform model updates. No individual member is identifiable in that aggregate. You may opt out of this at signing or at any time thereafter by emailing privacy@octoemployee.com.
  • To communicate with you — transactional messages about your account, product updates, and security notices. Marketing emails are opt-in and include a one-click unsubscribe.
  • To protect the service — detect abuse, rate-limit, investigate security incidents, respond to legal obligations.

We do not: sell personal data, share it with data brokers, use it for advertising, or train general-purpose LLMs on it.

4. Who we share it with

We share personal data only with subprocessors strictly necessary to operate the service, and only under written data-processing agreements:

  • Supabase — primary database, authentication, and encrypted credential vault. US regions.
  • Vercel — application hosting and request execution. US regions.
  • Anthropic — LLM API for drafting personalized member messages and risk explanations. Member PII is sent under a zero-retention, zero-training agreement; Anthropic does not retain or train on our request data.
  • Stripe — billing and payments for Customer subscriptions.
  • HighLevel (GHL) — booking, conversation hub, and SMS/email outreach delivery for outreach automation when enabled (Pro / Elite).
  • Zoho — transactional email delivery for briefs, reports, and system alerts.

Mindbody is your source system, not a subprocessor of ours. We read from it under your authorization and do not write back. See Mindbody access for details.

We publish the current subprocessor list on our Trust page. We notify Customers 30 days in advance of any addition.

We may disclose data in response to a valid legal process (subpoena, court order) after reviewing its scope and, where legally permitted, notifying the affected Customer.

5. Retention & deletion

We retain ingested Mindbody data for the duration of your active subscription plus 30 days. After that, data is hard-deleted from primary storage within 30 days and from backups within 90 days of expiration. If you request earlier deletion, we'll accommodate it in writing.

Aggregated, anonymized retention patterns (no PII, no studio-identifying information) may persist in our model training set if you did not opt out at signing.

6. Your rights & your members' rights

As a Customer (studio owner), you may access, export, correct, or delete your account data at any time through the app or by emailing privacy@octoemployee.com.

For your members' personal data, the legal controller is your studio, not Otto. If a member submits a data-subject request directly to us (access, correction, deletion, portability, objection under GDPR/CCPA), we will forward it to you within 3 business days and support you in fulfilling it. We will not action the request unilaterally without your instruction, except where required by law.

California residents: you have the rights to know, delete, correct, and opt out of "sale" or "sharing" of personal information under the CCPA/CPRA. We do not sell or share personal information in the CCPA sense.

EU/UK residents: you have the rights of access, rectification, erasure, restriction, portability, and objection under GDPR/UK GDPR. Our EU representative, upon request, is listed on our Trust page.

7. Security

We use defense-in-depth. Encryption in transit (TLS 1.3), encryption at rest (AES-256), hardware-key-protected production access, isolated credential vault, SOC 2 Type I (Type II audit in progress, report expected Q3 2026), annual third-party penetration testing. Full detail on our Trust page.

No system is perfectly secure. If we become aware of a confirmed security incident affecting your data, we notify you within 24 hours with what we know, what we don't, and what we're doing about it.

8. International transfers

All production data lives in the United States. If you access Otto from outside the US, your data will be transferred to and processed in the US. For EU/UK data subjects whose data flows through Otto, we rely on the EU–US Data Privacy Framework and Standard Contractual Clauses as the legal basis for transfer.

9. Children's data

Otto is not directed to children under 13 (or the equivalent minimum age under applicable law). We don't knowingly collect personal information from children. If your studio's Mindbody account includes junior members, you as the Customer are responsible for the appropriate parental consent; we will process that data on your direction but we will not market or automate outreach to known minors.

10. Changes to this policy

If we make material changes, we will notify active Customers by email at least 30 days before the effective date, and post the updated version here with a revised "Last updated" date. Continued use of Otto after the effective date constitutes acceptance.

11. How to contact us

Privacy questions & data requests: privacy@octoemployee.com
Security disclosures: security@octoemployee.com
Mailing address: Game Plan Designs LLC — Legal, 13553 Providence Rd. PMB 283, Weddington, NC 28104

A human reads these inboxes. We respond within 1 business day.