Privacy Policy
Last update: May 2026
OSS Manager respects your privacy. This Privacy Policy explains what data we collect, how we use it, and what your rights are. By using our platform, you agree to this policy.
Who We Are
OSS Manager is an online application for managing martial arts academies, operated from Portugal and available globally.
Data Controllers & Processors
OSS Manager operates as a B2B2C platform with the following data roles:
- OSS Manager (Platform Controller): operates the SaaS platform and sets global data policies.
- Each subscribing school (School Controller): determines the purpose of student data collection and is responsible for communicating with its students about data use.
- OSS Manager acts as a data processor on behalf of schools for all student-level data.
Data We Collect
Account data:
- Name
- Password (stored in encrypted form)
Data entered by users:
Users with Master and Teacher permissions can register:
- Student name
- Phone
- Date of birth
- Weight
- Belt and rank
- Address
- Student image (optional)
Technical data:
- IP address
- Browser and device type
- Cookies and access logs
Sensitive Data
The following categories of data require special care and are handled with heightened protections:
- Health data (medical certificates): submitted voluntarily by students to request an emergency streak freeze; reviewed only by school staff; stored securely.
- Date of birth: used for tournament age bracket assignment and student profile.
- Weight: used for tournament weight category assignment.
- GPS location: captured transiently at mobile check-in only to verify proximity to the school (minimum 100 m); not stored as a standalone location history.
- Payment and banking data: processed exclusively by Stripe; OSS Manager does not store raw card numbers or bank account details.
Purpose of Processing
We use the collected data to:
- Enable platform functionality
- Manage accounts and profiles
- Store and display academy and student information
- Improve user experience
- Ensure security and prevent misuse
- Send operational communications (such as renewal notices)
Legal Basis for Processing
We process data based on:
- Contract execution (platform access and use)
- Compliance with legal obligations (such as invoices)
- Consent (for non-mandatory communications)
- Legitimate interest (platform improvement, security, technical support)
Data Retention
We retain data for as long as necessary to provide the service:
- Student records: soft-deleted (data retained in database; not automatically purged). Schools are responsible for defining and communicating their own retention periods.
- XP transaction history: permanent append-only ledger, required for auditing and reversals.
- Graduation certificates: stored in AWS S3 indefinitely, accessible via signed URL.
- Medical certificates: retained with their approval status; no automatic expiry.
- Push notification device tokens: deleted on explicit logout or when replaced by a new registration.
- Application error logs: managed by Sentry, subject to Sentry's own retention policies.
Data Sharing & Sub-processors
Your data is not sold. We share information only with the following sub-processors, strictly to operate the platform:
- Stripe — subscription billing and student payment collection (United States)
- Google OAuth / Firebase — single sign-on authentication and push notifications to mobile students (United States)
- AWS S3 — file storage: graduation certificates, school logos, images (configurable AWS region)
- Sentry — error tracking and application monitoring (United States)
- Laravel Nightwatch — request logging and application observability (United States)
- IPinfo — IP geolocation for country-based access control (United States)
- MaxMind GeoIP2 — VPN and location detection (United States)
- Postmark / Resend / Amazon SES — transactional email: welcome messages, certificates, reminders (United States)
Each sub-processor accesses only the data strictly necessary for its service and is bound by confidentiality obligations.
International Transfers (GDPR Art. 46)
All sub-processors listed above are based in or transfer data to the United States. These transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission under Art. 46 GDPR, or by the sub-processor's participation in equivalent frameworks. No data is transferred to third countries without adequate protection measures.
We do not use third-party advertising cookies. No data is shared with ad networks.
Your Data Rights (LGPD / GDPR)
You have the following rights regarding your personal data:
- Access — view your profile, attendance history, graduation records, XP, and financial data in your student dashboard.
- Rectification — students and school admins can edit profile data directly on the platform.
- Deletion (Art. 17) — submit a deletion request via your student privacy portal. Payment data erasure is processed automatically; profile erasure is executed upon confirmation.
- Data portability (Art. 20) — download a copy of all your personal data (profile, attendance, XP, graduations) in JSON format via your student privacy portal.
- Restriction of processing (Art. 18) — you can request that we restrict the processing of your data (suspend emails, push notifications, XP processing) via your student privacy portal.
- Withdraw consent for notifications — delete your device token via app settings or by logging out.
- Lodge a complaint with a supervisory authority (e.g., CNPD in Portugal, ANPD in Brazil, or your local data protection authority).
To exercise any of these rights, contact us at: [email protected]
Cookies & Sessions
We use only the following cookies:
- Session cookie — maintains your authenticated web session.
- Locale cookie — stores your language preference for unauthenticated visitors (1-year lifetime).
- Stripe cookies — set by Stripe during payment flows (Stripe-managed).
- Google Analytics 4 cookies — activated only after your explicit consent via the cookie banner (analytics_storage: denied by default).
Google Analytics 4 is used with Consent Mode v2 — analytics cookies are blocked by default and only activated after your explicit consent via the cookie banner. You can manage or withdraw your consent at any time by clicking "Manage Cookies" in the page footer.
Changes to This Policy
We may update this policy periodically. When this occurs, we will notify users by email or through the platform itself. The revision date will always be indicated at the top.
Contact
For questions, suggestions, or requests related to privacy:
- [email protected]
- Lisbon, Portugal