Privacy Policy
Effective May 28, 2026
PointOps ("we", "us") operates an operations dashboard for businesses that use Mindbody. This policy explains what information we handle, why, and what choices you have.
1. Who we are
PointOps is operated by Look Good Brands LLC (Georgia, USA). You can reach us at hello@pointops.io.
2. Information we handle
We hold three categories of data:
- Account information you provide directly: name, work email, password (stored hashed by Supabase Auth), role within your organization, and the locations you can access.
- Operational data synced from Mindbody on behalf of the franchise that authorized us: client first/last name and contact details, appointment history, sales and product activity, membership status, and staff schedules. This data belongs to the franchise; PointOps processes it on their behalf to render their own dashboard.
- Usage and security data we generate ourselves: server access logs (timestamp, route, response code, request id), IP address for rate-limiting and abuse detection, audit-log entries when a sensitive action is taken (e.g. inviting a teammate, rotating credentials), and anonymous error reports if something crashes.
3. How we use it
- To provide the dashboard, AI briefings, and reporting features.
- To authenticate you and enforce role and location access.
- To diagnose bugs and security issues. Logs are retained for 30 days unless tied to an active investigation.
- To send transactional email (sign-up confirmation, password reset, billing receipts when applicable).
We do not sell personal data. We do not use Mindbody client data to train AI models — when AI features run, the prompt is sent to Anthropic for inference and is not retained by them per their commercial terms.
4. Service providers we share with
We use the following processors. All are bound by their own data protection terms; each link points to that processor's privacy or trust page.
- Supabase (Postgres database, authentication, row-level security). supabase.com/privacy
- Vercel (web hosting, edge functions, request logs). vercel.com/legal/privacy-policy
- Mindbody (source-of-record for appointments, sales, and clients we sync on your behalf). mindbodyonline.com/privacy-policy
- Anthropic (Claude API, used for AI briefings and rundowns). anthropic.com/legal/privacy
- Shopify (only if you connect a Shopify store for inventory sync). shopify.com/legal/privacy
- Stripe (subscription billing, when enabled). stripe.com/privacy
5. Where data is stored
All databases and application servers run in the United States (AWS us-east via Supabase and Vercel). PointOps does not currently offer EU data residency. If you are in a region with data-locality requirements, contact us before sharing data.
6. Retention
Operational data synced from Mindbody is retained while your organization has an active subscription, plus 90 days after cancellation to allow restoration. After that, your organization's data is deleted from production databases. Backups are retained for an additional 30 days and then expire.
Audit-log entries are retained for the life of the account, since their purpose is to serve as a long-term integrity record.
7. Your rights
You can request a copy of your account data, correct it, or have it deleted by emailing hello@pointops.io. If you are a client of one of our franchise customers (i.e. your data is in PointOps because you visited a Mindbody studio that uses us), contact the franchise directly — they are the controller of your data and we act only on their instructions. We will assist them with any deletion or export request within 30 days.
Depending on your jurisdiction, you may have additional rights under laws such as the GDPR or CCPA — including the right to lodge a complaint with a supervisory authority.
8. Security
Data is encrypted in transit (TLS 1.2+) and at rest (Supabase / AWS). Access to production systems is limited to PointOps staff who need it for their role and is logged. Passwords are stored hashed (bcrypt via Supabase Auth). API keys to Mindbody are stored encrypted at rest in our database.
We do not claim to be impenetrable. If we discover a breach affecting your data, we will notify you without undue delay and no later than 72 hours after confirmation.
9. Cookies
We use first-party cookies only, for authentication (your Supabase session) and CSRF protection. We do not use advertising or cross-site tracking cookies.
10. SMS / text messaging
Studios that use PointOps may enable daily appointment-prep text notifications for their staff. The following terms apply to that program:
- Consent. Your studio owner or manager enables text notifications for you within the PointOps app on the basis of your employment relationship. You may opt out at any time by replying STOP to any message; reply START to opt back in, and HELP for help.
- Message frequency. Up to one message per working day (a morning appointment-prep summary).
- Cost. Message and data rates may apply, depending on your mobile carrier and plan.
- Mobile information is never shared for marketing. We do not share or sell your mobile phone number or your SMS opt-in consent to third parties or affiliates for their own marketing or promotional purposes. Your mobile number is used solely to deliver the operational notifications you have been enrolled in, and is passed only to our messaging provider (Twilio) for the sole purpose of transmitting those messages.
- Delivery. Mobile carriers are not liable for delayed or undelivered messages.
11. Children
PointOps is not directed at children under 13 and we do not knowingly collect their personal information.
12. Changes to this policy
We may update this policy. Material changes will be announced via in-app notification and email to account owners at least 14 days before they take effect. The "Effective" date at the top always reflects the current version.
13. Contact
Questions, requests, or concerns: hello@pointops.io.