Privacy Policy

Jitsunami+ is operated by Aptitude Agency Ltd (company number 6922078), a company registered in England and Wales whose registered office is at Bedford iLab, Stannard Way, Bedford, MK44 3RZ, United Kingdom. Our VAT registration number is 175581971. In this document, "we", "us", "our" and "Jitsunami+" mean Aptitude Agency Ltd.

Depending on how the Platform is used, we may process:

• Account and profile data: name, email address, password (stored only as a secure hash), date of birth, roles, and the academies you belong to.
• Membership data: attendance, belts and stripes, gradings and promotions, bookings, waitlists, and waiver signatures.
• Payment data: subscription and invoice records, and the status of payments. Payments are processed by the relevant payment provider; we never see or store full card numbers.
• Medical information: where an Academy or Member chooses to record it. Medical notes are encrypted with a separate key and are excluded from the AI Assistant by default.
• Communications and support: messages, notifications, and support tickets you send or receive through the Platform.
• Technical and usage data: log data, device and browser information, IP address, and cookie data (see our Cookie Policy).

There are two situations:

• Data your Academy manages about you. When an Academy collects or enters data about its Members and staff (such as attendance, belts, medical notes, and membership records), the Academy is the controller: it decides why and how that data is used. We process that data as the Academy's processor, acting on its instructions to provide the Platform. If you want to access, correct, or delete that data, the best route is usually to contact your Academy.
• Data we control. For your individual account, the security and operation of the Platform, billing of academies, and the improvement of our service, we are the controller.

Where we are the controller, we rely on these lawful bases under UK data protection law:

• Contract: to create and run your account and to provide the Platform.
• Legitimate interests: to secure, maintain, and improve the Platform, to prevent fraud and abuse, and to keep records. We balance these interests against your rights.
• Consent: for optional analytics or marketing cookies, and where else we ask for it. You can withdraw consent at any time.
• Legal obligation: to keep financial and tax records and to comply with the law.

The Platform includes an optional AI Assistant. When it is used:

• We send the relevant request to an enterprise AI provider (for example, Anthropic or OpenAI) under a zero-data-retention arrangement, so your data is not retained by the provider to train its models.
• Medical notes are excluded from the AI Assistant by default.
• Member-entered text is treated by the system as data, not as instructions, to reduce the risk of misuse.

We use a small number of trusted providers to run the Platform. They process data on our instructions under appropriate agreements. They include:

• Payment processing: Stripe (and, where an Academy chooses, other payment providers).
• AI providers: Anthropic and OpenAI, under zero-data-retention arrangements.
• Hosting and infrastructure: DigitalOcean, with data hosted in the United Kingdom.
• Network and security: Cloudflare.
• Email delivery: our email provider (for example, Postmark or another mail relay).
• Notifications: a push-notification provider, where enabled.
• Monitoring and log delivery: Better Stack. Application error reporting is handled in-house within the Platform.

The Platform's data is hosted in the United Kingdom. Some of our service providers are based outside the UK, including in the United States. Where data is transferred outside the UK, we rely on appropriate safeguards recognised under UK data protection law, such as the UK International Data Transfer Agreement or addendum, or an adequacy decision.

We keep personal data only for as long as we need it for the purposes set out here, then delete or anonymise it. In practice:

• Account and membership data is kept while the account or membership is active, and for a reasonable period afterwards.
• Financial and tax records are kept for as long as the law requires.
• Data exports are kept for about 7 days, and bulk-import source files for about 30 days, before being deleted.
• AI conversation tool results are kept for about 90 days and then reduced to a hashed record.
• Backups are kept on a rolling basis (around 90 days) and error logs for about 30 days.

Where we act as a processor for an Academy, retention also follows the Academy's instructions and its own obligations.

Under UK data protection law you have rights to access your personal data, to have it corrected, to have it erased, to restrict or object to its processing, and to data portability. You can also withdraw any consent you have given.

How to exercise these rights:

• For data your Academy manages about you, contact your Academy, which is the controller. The Platform gives academies tools to handle data exports and erasure requests.
• For data we control, raise a support ticket from within the Platform, or write to us at our registered office (see "How to contact us").

We will respond within the time limits set by law. There is normally no charge.

Academies often train children. Where a Member is below the Academy's age threshold, they do not hold their own login: a parent or guardian manages their participation and provides any consent needed. We process children's data on the instructions of the Academy and the relevant parent or guardian. If you believe a child's data has been provided without proper authority, contact the Academy or raise a support ticket so it can be addressed.

We use reasonable technical and organisational measures to protect personal data, including encryption of data in transit and at rest, a separate encryption key for medical notes, tenant isolation so one Academy's data is kept separate from another's, and access controls.

However, no online service can be guaranteed completely secure. While we work to protect your data, we cannot promise that it will never be lost or accessed without authorisation, and you acknowledge this residual risk. We will deal with any personal-data breach as the law requires.

We use essential cookies to run the Platform and a small number of optional cookies you can decline. Our Cookie Policy explains this in more detail.

We may update this Privacy Policy from time to time. When we make a material change, we will update the version and the "last updated" date and, where appropriate, ask you to review and accept the updated documents.

If you have a concern about how your personal data is handled, please contact us first so we can try to put it right. You also have the right to complain to the relevant data protection supervisory authority. Where your Academy is the controller, you may also raise your concern with the Academy.

You can reach us in either of these ways:

• Support tickets. If you have a Jitsunami+ account, open a support ticket from within the Platform. This is the quickest way to reach us and lets us link your request to your account.
• By post. Write to us at Aptitude Agency Ltd, Bedford iLab, Stannard Way, Bedford, MK44 3RZ, United Kingdom.

We do not provide support by email. Please raise a support ticket or write to us by post so that we can handle your request properly.