
Privacy Policy

Effective May 3, 2026 · Last updated May 3, 2026

1. Who we are

MEAO ("we", "us", "our") provides multi-tenant membership and member-management software to fitness studios, gyms, schools, clubs, and other membership-based businesses ("Operators"). MEAO is operated from British Columbia, Canada.

If you are a member, customer, lead, or other end-user of an Operator that uses MEAO ("End User"), your relationship is primarily with that Operator. MEAO acts as a service provider (under PIPEDA) and a data processor (under GDPR) on behalf of the Operator. The Operator is the controller of End-User data.

If you are an Operator, MEAO is the controller of your account, billing, and platform-usage data, and a processor of any End-User data you bring into MEAO.

2. Information we collect

2.1 Information you give us

  • Account details — name, business name, email address, phone number, physical address.
  • Authentication data — password (hashed with Argon2id), TOTP multi-factor enrollment, recovery codes (hashed).
  • Payment information — billing address and last-four card digits stored by Stripe; we never store full card numbers.
  • Operational content — member records, lead records, bookings, contracts, scheduled communications, settings, files uploaded by you.
  • Support correspondence — emails, chats, and tickets you send to support.

2.2 Information we collect automatically

  • Device + connection — IP address, browser type, OS, language, referrer.
  • Usage events — pages visited, actions taken, timestamps, request IDs.
  • Cookies and similar — see Section 8.
  • Security events — failed login attempts, MFA prompts, session changes.

2.3 Information from third parties

  • Stripe — payment status, dispute notifications, payout reports for Operators using Stripe Connect.
  • Email and SMS providers (Postmark, Twilio) — delivery, bounce, complaint, and unsubscribe events.
  • Bot-protection (Cloudflare Turnstile) — challenge results on lead forms, signup, login.
  • Marketing partners — limited UTM and click data when you arrive from a campaign.

2.4 Children's data (COPPA, US Operators in education)

Some Operators serve children under 13 (e.g. coding education, dance, martial arts). MEAO requires verifiable parental consent before any under-13 record is created and applies data-minimization principles. Parents may review, correct, or delete their child's record by contacting the Operator or privacy@meao.app.

3. How we use information

  • Deliver the service — authenticate you, run bookings, process payments, send transactional messages, generate reports.
  • Operator-directed processing — execute the workflows your Operator configures (campaigns, automations, exports).
  • Improve the service — analyze usage to fix bugs, improve performance, and prioritize features. Aggregated and de-identified where possible.
  • Security and fraud prevention — detect abuse, enforce rate limits, investigate incidents.
  • Compliance — meet legal obligations (tax, anti-spam, e-signature, audit retention).
  • Communications — send service notices, security alerts, and (where you have opted in) marketing.

We do not use End-User data to train machine-learning models, sell it, or share it with advertisers. We do not engage in "sale" of personal information as defined under US state privacy laws.

4. Legal bases (GDPR / UK GDPR)

Where GDPR applies, we rely on:

  • Contract — to provide the service to Operators and End Users.
  • Legitimate interests — security, fraud prevention, product improvement, maintaining audit evidence for SOC 2, and direct B2B communications to Operators.
  • Consent — for marketing email/SMS to End Users (CASL also requires express opt-in in Canada), for non-essential cookies, and for processing of children's data.
  • Legal obligation — recordkeeping required by tax and e-signature law.

5. Sharing your information

We share information only with the following categories of recipients:

5.1 Sub-processors (vendors that help run MEAO)

Vendor                            Purpose                                            Region
Vercel                            Application hosting and edge delivery              Global
Neon                              Postgres database hosting (per-tenant isolation)   US, EU, Canada
Cloudflare (R2 / DNS / Turnstile) File storage, DNS, bot protection                  Global
Stripe                            Payment processing, Connect onboarding, tax        US
Postmark                          Transactional and marketing email                  US, EU
Twilio                            SMS messaging, phone-number lookup                 US
Inngest                           Background workflow orchestration                  US
Upstash                           Rate-limit state                                   Multi-region
Sentry                            Error tracking (PII-scrubbed)                      US, EU
PostHog                           Product analytics, feature flags                   US, EU

A full and up-to-date sub-processor list is published at meao.app/sub-processors. Operators are notified at least 30 days before adding a new sub-processor that materially changes data handling.

5.2 Operators

End-User data you submit to an Operator's MEAO instance is shared with that Operator and its authorized staff. The Operator's privacy practices govern how they use that data outside MEAO.

5.3 Legal and safety

We may disclose information when required by law, valid legal process, or to investigate fraud, security incidents, or violations of our terms. Where lawful and reasonable, we notify the affected Operator first.

5.4 Business transfers

If MEAO is involved in a merger, acquisition, or sale of assets, your information may transfer to the successor entity, subject to a privacy notice consistent with this one.

6. International transfers

MEAO data is stored in the region you select at provisioning (Canadian Operators default to ca-central; US to us-east or us-west; EU to eu-central). Some sub-processors operate from the United States. For transfers from the EU/UK/Switzerland, we rely on Standard Contractual Clauses with each sub-processor and apply additional safeguards including encryption in transit and at rest.

7. Retention

  • Operational data — kept while your account is active.
  • Audit logs — 7 years for billing, access, and money-affecting actions; 1 year for general events.
  • Signed contracts and statements — 7 years (legal hold).
  • Payment records — retained per applicable tax law (typically 6–7 years).
  • Backups — continuous point-in-time recovery (PITR) window of 7 days; monthly cold archive to encrypted R2 storage.
  • Account closure — Operator data is retained 30 days after offboarding (export window), then hard-deleted, except records subject to legal hold which remain in cold storage for the applicable retention period.

8. Cookies and similar technologies

We use a small number of cookies and equivalent identifiers:

  • Essential (always on) — session ID, CSRF protection, authentication state, language preference.
  • Analytics (opt-in) — first-party analytics events to understand usage.
  • Bot protection (essential) — Cloudflare Turnstile sets a short-lived token to validate humanness on signup, login, and lead forms.

Non-essential cookies are disabled until you accept them via the consent banner. You can change your choice at any time via the "Cookie preferences" link in the footer.

9. Your rights

Depending on where you live, you may have the right to:

  • Access — receive a copy of personal information we hold about you.
  • Correct — fix inaccurate or incomplete data.
  • Delete — ask us to delete personal information, subject to legal-retention exceptions.
  • Port — receive your data in a machine-readable format (JSON or CSV).
  • Restrict or object to certain processing.
  • Withdraw consent — for processing based on consent (marketing, non-essential cookies).
  • Lodge a complaint — with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your local data-protection authority.

To exercise these rights as an End User, contact your Operator first; many requests can be fulfilled directly in the member portal (download data, edit profile, manage communication preferences, delete account). For unresolved requests, email privacy@meao.app. We respond within 30 days.

10. Marketing communications and CASL

MEAO and its Operators send commercial electronic messages only with your express consent, or where CASL permits implied consent or exempts the message. Every marketing message identifies the sender, includes a postal address, and carries an unsubscribe link. Unsubscribe requests are honoured within 10 business days, as CASL requires.

Consent records older than 24 months trigger a re-consent prompt; where no renewed consent is received, the contact is automatically suppressed from further marketing sends.

11. Security

  • Encryption — TLS 1.2+ in transit; tenant database connection strings are envelope-encrypted with AES-256-GCM (data keys are stored only wrapped under a separately held master key); full-disk encryption at rest at every storage vendor.
  • Authentication — Argon2id password hashing (m=64 MiB, t=3, p=4); TOTP multi-factor required for platform-admin and Operator super-admin roles.
  • Tenant isolation — one Postgres database per Operator; every request is scoped to its tenant at the middleware layer, and CI tests assert that cross-tenant access is rejected.
  • Audit logging — append-only logs for every action that touches money, access, messaging, or customer status.
  • Backups — continuous point-in-time recovery and quarterly disaster-recovery drills.
  • SOC 2 — Type I targeted within 6–9 months of launch; Type II within 18 months.
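The envelope-encryption and tenant-isolation bullets above describe a pattern rather than code. The following is an added illustration, not MEAO's implementation: a per-tenant data key (DEK) encrypts the connection string, the DEK is stored only wrapped under a master key (KEK), and the tenant identifier is bound as GCM associated data at both layers, so an envelope copied into another tenant's row fails authentication instead of decrypting. The `Envelope` layout, the in-memory KEK, and the tenant and connection-string values are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is an illustrative storage layout (not MEAO's format). Each blob is
// nonce || ciphertext || 16-byte GCM tag, authenticated with the tenant ID as AAD.
type Envelope struct {
	TenantID   string
	WrappedDEK []byte // AES-256-GCM(KEK, DEK, aad=TenantID)
	Ciphertext []byte // AES-256-GCM(DEK, connString, aad=TenantID)
}

// seal encrypts plaintext under key with a fresh random 96-bit nonce, prepending
// the nonce so open can recover it. aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptConnString generates a fresh 256-bit DEK for the tenant, encrypts the
// connection string under it, then wraps the DEK under the KEK. The plaintext DEK
// never leaves this function.
func EncryptConnString(kek []byte, tenantID, connString string) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	aad := []byte(tenantID)
	ct, err := seal(dek, []byte(connString), aad)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptConnString uses the tenant the caller is acting for, not the tenant
// recorded in the envelope, as AAD. A request that reaches another tenant's
// envelope therefore fails at the unwrap step rather than yielding a secret.
func DecryptConnString(kek []byte, requestingTenant string, env Envelope) (string, error) {
	aad := []byte(requestingTenant)
	dek, err := open(kek, env.WrappedDEK, aad)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK for tenant %q: %w", requestingTenant, err)
	}
	pt, err := open(dek, env.Ciphertext, aad)
	if err != nil {
		return "", fmt.Errorf("decrypt for tenant %q: %w", requestingTenant, err)
	}
	return string(pt), nil
}

func main() {
	kek := make([]byte, 32) // constructed KEK for the example; a real KEK lives in a KMS/HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	env, err := EncryptConnString(kek, "tenant_a", "postgres://app@db.example/tenant_a")
	if err != nil {
		panic(err)
	}
	s, err := DecryptConnString(kek, "tenant_a", env)
	fmt.Println("tenant_a:", s, err)
	_, err = DecryptConnString(kek, "tenant_b", env) // same envelope, wrong tenant
	fmt.Println("tenant_b:", err)
}
```

Binding the tenant ID as AAD is what turns a storage-layer mix-up into an authentication failure; rotating the KEK only requires re-wrapping each DEK, not re-encrypting every connection string.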

12. Breach notification

If we determine that a breach of personal information creates a real risk of significant harm, we notify affected Operators and (where required) regulators within 72 hours of confirming the breach, and Operators notify their End Users in line with applicable law. We record every breach of security safeguards in our incident register, whether or not it meets the notification threshold.

13. Changes to this policy

We will post any material changes here at least 30 days before they take effect and notify Operators by email. The "Last updated" date at the top reflects the most recent revision.

14. Contact

MEAO Inc.
Attn: Privacy
Vancouver, BC, Canada
privacy@meao.app

For data-protection authority complaints in Canada: Office of the Privacy Commissioner of Canada. In the EU/UK, contact your national supervisory authority.

© 2026 MEAO Technologies Inc.

Vancouver, BC · Canada