Privacy Policy
Last Updated: April 5, 2026
Spotness (“we,” “us,” or “our”) operates the Spotness mobile application and website (collectively, the “Platform”). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Platform.
By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy.
1. Who We Are
Spotness is a technology platform that facilitates the discovery and booking of fitness classes, court sports, and venue-based activities in Lebanon. We act as an intermediary between you and independent venues and fitness professionals.
2. Data We Collect
2.1 Account and Identity Data
When you create an account, we collect:
- Full name, email address, and phone number
- Profile image (if you choose to upload one)
- Password (stored only in hashed form; we never store or access your plaintext password)
- Date of birth (if provided)
- Account role (consumer or venue administrator)
2.2 Health and Fitness Data
If you choose to provide it, we may collect:
- Fitness goals and preferences
- Medical information and health conditions relevant to your fitness activities
- Emergency contact details
This data is optional. You are never required to provide health or medical information to use the Platform. We collect this data only with your explicit, separate consent. See Section 5.2 for details on how we handle sensitive data.
2.3 Booking and Activity Data
When you use the Platform, we collect:
- Booking history (classes, court sessions, slot-based bookings)
- Waitlist activity
- Attendance and check-in records
- Class and venue preferences
- Cancellation history
- Membership and package purchase records
2.4 Financial and Transaction Data
When you make a payment, we collect:
- Transaction amounts, dates, and descriptions
- Promo code usage
- Refund and cancellation records
We do not store your full payment card details. All payment processing is handled by our third-party payment processor. We receive only a tokenized reference and transaction confirmation.
2.5 Location Data
With your permission, we may collect:
- Precise geolocation for discovering nearby venues
- Geofence-based check-in data at venue locations
Location access is optional. You can disable it in your device settings at any time, though some features (such as nearby venue discovery) may be unavailable.
2.6 User-Generated Content
You may submit:
- Reviews and ratings for sessions, venues, class templates, and professionals
- Profile biography text
2.7 Device and Technical Data
We automatically collect:
- Device type, operating system, and app version
- IP address
- Push notification tokens
- Authentication session data
2.8 Usage Data
We collect data about how you interact with the Platform:
- Search queries and filters applied
- Screens viewed and features used
- Favorites (saved venues, professionals, and class templates)
- Notification interactions (read/unread status)
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Data Used |
|---|---|
| Account creation and authentication | Identity, device data |
| Facilitating bookings and managing your schedule | Booking, activity, identity |
| Processing payments, refunds, and credits | Financial, booking, identity |
| Discovering venues near you | Location |
| Sending booking confirmations and transactional notifications | Identity, booking, device |
| Displaying reviews and ratings | User-generated content, identity |
| Managing memberships and class packages | Financial, booking, identity |
| Ensuring safety during fitness activities (if you choose to share) | Health and fitness data |
| Preventing fraud and securing your account | Device, technical, usage data |
| Improving the Platform and user experience | Usage data, device data |
| Complying with legal obligations | All categories as required |
4. Legal Basis for Processing
We process your personal data in accordance with Lebanese Law No. 81/2018 (Electronic Transactions and Personal Data Protection). Our processing adheres to the principles of purpose limitation, proportionality, accuracy, storage limitation, security, and confidentiality.
For health and fitness data classified as sensitive under Article 97, we obtain your explicit, separate consent before collection.
If you access the Platform from the European Union, we also comply with the GDPR. See Section 19 for additional rights that may apply to you.
5. Sensitive Data
5.1 What We Consider Sensitive
Under Lebanese Law No. 81/2018 (Article 97), health-related data is classified as sensitive. This includes:
- Medical conditions relevant to fitness participation
- Injury history
- Emergency medical information
- Fitness assessments that may reveal health conditions
5.2 How We Handle Sensitive Data
- Separate consent: We request your explicit consent before collecting any health or fitness data, through a dedicated consent prompt distinct from general Terms acceptance.
- Optional collection: You can use all core Platform features (discovering venues, booking classes, making payments) without providing health or medical data.
- Restricted access: Health and medical data is encrypted at rest and accessible only to you and, where necessary, the specific venue or professional you have booked with.
- Independent deletion: You may delete your health data at any time without deleting your account.
- No sale or advertising use: We never sell health data or use it for advertising purposes.
6. Data Sharing
6.1 Venues and Professionals
When you book a class or session, we share relevant booking information with the venue or professional, including your name, contact details, and booking details. If you have provided health or emergency information for that booking, it may be shared with the venue in accordance with your consent.
6.2 Third-Party Service Providers
We engage the following service providers to operate the Platform:
| Provider | Data Shared | Purpose |
|---|---|---|
| Payment processor | Tokenized payment data, email, transaction amounts | Payment processing, refunds, fraud prevention |
| Resend | Email addresses, user names | Transactional emails (verification, password reset, booking confirmations) |
| Cloud storage provider | Profile images, venue images | File storage and delivery |
| Google (OAuth) | Email, name, profile picture (received from Google) | Social authentication |
| Database hosting provider | All application data | Database infrastructure |
| Hosting/CDN provider | IP addresses, request data | Application hosting and content delivery |
All third-party providers process data under our instructions and are contractually bound to protect your data.
6.3 Legal and Compliance Disclosures
We may disclose your data when required by:
- Lebanese law, regulation, or legal process
- A valid court order or government request
- The need to protect the rights, safety, or property of Spotness, our users, or the public
- Fraud prevention or security incident investigation
6.4 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.
6.5 No Sale of Personal Data
We do not sell your personal data to third parties.
7. International Data Transfers
Your data may be stored and processed on servers located outside Lebanon as we scale our infrastructure. When we transfer data internationally, we adopt appropriate safeguards, including contractual protections with our service providers, to ensure your data remains protected.
8. Data Retention
We retain your data only for as long as necessary for the purposes described in this Policy:
| Data Category | Retention Period |
|---|---|
| Active account data | Duration of your account + 30 days after deletion |
| Booking history | 3 years from the booking date |
| Payment and transaction records | 7 years (financial record-keeping requirements) |
| Reviews and ratings | Duration of your account; anonymized upon deletion |
| Location data | Not persisted beyond your active session |
| Health and medical data | Duration of your account; deleted immediately upon your request |
| Authentication and session logs | 90 days |
| Audit logs | 3 years |
| Waiver signatures | Duration of your relationship with the venue + 6 years |
| Inactive accounts | Anonymized after 2 years of inactivity |
9. Data Security
We implement technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest for sensitive data
- Hashed and salted password storage (bcrypt)
- Role-based access controls
- JWT-based authentication with token expiration
- Regular security assessments
- Restricted access to production systems
While we take reasonable steps to protect your data, no system is completely secure. We encourage you to use a strong, unique password and to notify us immediately if you suspect unauthorized access to your account.
10. Your Rights
Depending on applicable laws, you may have the right to:
- Access your personal data and obtain information about how it is processed
- Correct inaccurate, incomplete, or outdated data
- Delete data that is no longer necessary for the purpose for which it was collected
- Object to the processing of your data, particularly for marketing purposes
- Withdraw consent at any time, without affecting the lawfulness of prior processing
To exercise any of your rights, contact us at:
- Email: contact@spotness.fit
- In-app: Profile > Settings > Privacy
We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.
11. Children's Privacy
Spotness accounts must be created by individuals who are at least 18 years old. Minors cannot create their own accounts.
Parents or legal guardians may register minors under their own account for the purpose of booking fitness activities on their behalf. When doing so, the parent or guardian is responsible for the accuracy of the information provided about the minor and consents to our processing of that information in accordance with this Privacy Policy.
We do not knowingly collect personal data directly from minors without parental involvement. If we learn that a minor has created an account without parental consent, we will delete the account and associated data promptly. If you believe this has occurred, please contact us at contact@spotness.fit.
12. Cookies and Tracking Technologies
12.1 Mobile App
The Spotness mobile app uses:
- Authentication tokens stored securely on your device to maintain your login session
- Push notification tokens to deliver notifications you have opted into
12.2 Web App
If you access Spotness through a web browser, we may use:
| Technology | Purpose | Duration |
|---|---|---|
| Authentication tokens | Session management | Access token: 60 minutes; Refresh token: 30 days |
| Essential cookies | Platform functionality | Session-based |
| Analytics (if enabled) | Usage patterns and performance | Per provider policy |
You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Platform from functioning correctly.
13. Marketing Communications
We may send you marketing communications about new features, venues, or promotions only with your explicit consent. You can opt out at any time by:
- Using the unsubscribe link in any marketing email
- Adjusting your notification preferences in Profile > Settings > Notifications
- Contacting us at contact@spotness.fit
Transactional communications (booking confirmations, cancellation notices, security alerts) are not affected by your marketing preferences and will continue as long as you have an active account.
14. Venue Administrators
If you are a venue administrator, you may have access to consumer booking data, attendance records, and client profiles for your venue. You are responsible for:
- Using consumer data only for the purposes of managing your venue's services
- Complying with applicable data protection laws when handling consumer data
- Obtaining appropriate consent before creating client profiles for walk-in or offline clients
- Not disclosing consumer data to unauthorized third parties
Spotness may audit venue administrator data practices to ensure compliance with this Privacy Policy and applicable law.
15. Data Breach Response
We are committed to transparency. In the event of a data breach that affects your personal data:
- We will notify affected users within 72 hours of confirming the breach
- Notification will be sent via email and, where possible, in-app notification
- We will describe the nature of the breach, the data affected, and the steps we are taking to address it
- We will report the breach to relevant authorities as required by applicable law
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days before they take effect, via email or in-app notification. Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes.
17. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights:
- Email: contact@spotness.fit
- In-app: Profile > Settings > Privacy > Contact Us
18. Governing Law
This Privacy Policy is governed by the laws of the Republic of Lebanon, regardless of conflict-of-laws principles.
19. Additional Rights for Users in the European Union
If you access the Platform from the European Union, the GDPR provides you with additional rights, including:
- Data portability: Receive your data in a structured, machine-readable format
- Restriction of processing: Request that we limit how we use your data
- Object to automated decision-making: Including profiling
- Lodge a complaint with your local data protection authority
We process your data based on contract performance (for bookings and payments), explicit consent (for health data and geolocation), and legitimate interest (for security, analytics, and reviews). For international data transfers, we use Standard Contractual Clauses or equivalent mechanisms as required.