Privacy Policy
What we collect, why, and how we handle it.
Version 1 · Effective 21 May 2026
This policy is written to be APP-aligned from day one. We aren't required to comply with the Privacy Act 1988 (Cth) below the A$3m turnover threshold, but we choose to: it's the right way to run a studio that handles health information, customer photos, and a small group of ethical breeders.
1. Who we are
Brisbane Bernedoodles & Groodles Australia Pty Ltd (ABN 31 657 176 497), trading as Furever Yoga. Brisbane, Queensland.
2. What we collect
When you interact with us, we may collect:
- Identity & contact: name, email, mobile number, date of birth (only for under-18 verification).
- Booking & attendance: classes booked, classes attended, no-shows, cancellations, payment status.
- Payment: we don't store credit card numbers. Payments are processed by Stripe under Stripe's privacy posture. We retain Stripe's payment-intent IDs and metadata only.
- Health information you disclose (sensitive information under APP 3.3): allergies, recent injury, pregnancy disclosure, accessibility needs. Collected only to run the class safely.
- Waivers: the signed body of each waiver you've agreed to, the typed name, the drawn signature, the IP address and user-agent at the time of signing, and a SHA-256 hash of the waiver body you saw.
- Photo-release status: whether you have opted in to the Studio photographer's use of your image.
- Operational: support conversations (SMS, email, in-app chat, Facebook, Instagram, phone), waitlist entries, reviews you submit.
- Cookies & analytics: a session cookie for authentication; if you opt in to analytics, anonymised usage events via PostHog (no advertising cookies).
3. Why we collect it
- To deliver the class you booked (legal basis: contract).
- To maintain the welfare audit trail required by our published welfare framework (legal basis: legitimate interest).
- To keep the legally-required waiver record (legal basis: legal obligation + legitimate interest in defence of claims).
- To respond to your messages and provide support across the channels you contact us through.
- To send marketing messages only when you have expressly opted in, with a one-click unsubscribe in every message (Spam Act 2003 (Cth)).
4. Where your information is stored
Our database is hosted on Supabase in the AWS ap-southeast-2 (Sydney) region. Backups remain in Australia. The following third-party processors are involved in operating the Studio:
- Stripe (payments), US-headquartered, processes Australian transactions under their PCI-DSS controls.
- Resend (transactional email), US-headquartered. Email content is transmitted via Resend's SMTP gateway.
- Twilio (SMS), US-headquartered with an Australian sender number. Outbound message bodies are transmitted via Twilio.
- Inngest (background jobs), US-headquartered. Job payloads may contain your name, email, and booking IDs.
- Vercel (hosting/edge), US-headquartered with edge POPs including Sydney.
- Anthropic (chat bot, when active), US-headquartered. Chat messages you send through the bot are transmitted for inference and not retained for model training by Anthropic.
- PostHog (analytics, when active and you've opted in), region selectable (we use the EU instance).
Where personal information is disclosed to an overseas processor (APP 8), we take reasonable steps to ensure the processor handles it consistently with the APPs and our contracts.
5. How long we keep it
- Signed waivers: seven years from the date of the class (industry-safe retention; statute of limitations on personal-injury claims in Qld is three years, longer for minors).
- Booking and attendance records: seven years (BAS / tax).
- Marketing data: until you opt out, plus a 30-day grace period for unsubscribe propagation.
- Photos with active release: three years from capture; then either re-consent or removal from active marketing.
- Support conversations: two years from last activity, then deleted unless flagged for a welfare or legal incident.
- Inactive customer accounts: archived after 24 months of inactivity; deletable on request.
6. Your rights under the Australian Privacy Principles
You have the right to:
- Access the personal information we hold about you (APP 12).
- Correct personal information we hold about you that you consider inaccurate or out of date (APP 13).
- Object to direct marketing and unsubscribe at any time.
- Revoke your photo release at any time (see the Photo & Media Release for the revocation process).
- Lodge a complaint with the Studio first and, if unresolved within 30 days, with the Office of the Australian Information Commissioner (OAIC).
To exercise any of these rights, email info@fureveryoga.com.au. We respond within 30 days.
7. Children's information
Attendees aged 14 to 17 are admitted only with a participating adult who has signed the waiver on their behalf. Personal information about minors is collected only to the extent necessary to deliver the class safely, is retained under the standard waiver retention schedule, and is never used for marketing. No image of an attendee under 16 is ever published, regardless of whether the photo release was signed.
8. Photo and media information
Use of your image is governed by a separate Photo and Media Release. We explicitly do not:
- sell or license your image to a third party for their commercial use;
- supply your image to any AI training dataset, public or private;
- publish a caption identifying an individual puppy by its breeder of origin (protecting the breeder's privacy and the puppy's future placement);
- use your image in a way that implies endorsement of unrelated products.
9. Breeders' information
Our partner breeders are individuals running businesses. We treat their contact details, certification records, and site-visit notes as personal information and handle them under this policy. Breeders have access to a dedicated portal showing only their own puppies' data.
10. Security
We use HTTPS/TLS everywhere, encryption at rest at the database layer, role-based access for staff, and Postgres row-level security on every business table so a query scoped to the wrong tenant returns zero rows. We never email or text you payment-card information.
11. Cookies and analytics
Essential cookies are used for authentication and session integrity. Analytics (via PostHog) is opt-in and only stores anonymised usage events with IP truncation. We do not run advertising cookies or sell visitor data.
12. Changes to this policy
We publish the current version on this page with the effective date at the top. Material changes are announced at the next booking confirmation.
13. Contact
Privacy questions and APP requests: info@fureveryoga.com.au. Complaints unresolved within 30 days may be referred to the OAIC at oaic.gov.au.
