Privacy Policy
Last updated: 27 April 2026 · Version 2.0 · Effective immediately
Fresh Air Pilates Pty Ltd (ABN: 41 687 766 150) ("Fresh Air Pilates", "we", "our", "us") is committed to protecting the privacy of every person whose information we hold. This Privacy Policy explains in detail what personal and sensitive information we collect, how we collect it, why we use it, who we disclose it to, how we store and secure it, and how you can exercise the rights granted to you under Australian and New South Wales privacy law.
This policy is written in accordance with our obligations as an "APP entity" under the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs); the health-information obligations imposed on private-sector health service providers in New South Wales under the Health Records and Information Privacy Act 2002 (NSW) ("HRIP Act") and its fifteen Health Privacy Principles (HPPs); the Spam Act 2003 (Cth); the Do Not Call Register Act 2006 (Cth); the Notifiable Data Breaches scheme established by Part IIIC of the Privacy Act; and, where applicable to visitors located in the European Economic Area or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR.
- 1. Who we are and what this policy covers
- 2. The kinds of information we collect
- 3. How we collect information
- 4. Why we collect, hold and use information
- 5. Health information (HRIP Act)
- 6. To whom we disclose your information
- 7. Cross-border data flows
- 8. Direct marketing & the Spam Act
- 9. Cookies, analytics & tracking
- 10. How we secure your information
- 11. Data retention
- 12. Notifiable Data Breaches
- 13. Your rights and how to exercise them
- 14. Anonymity and pseudonymity
- 15. Children and minors
- 16. Complaints process
- 17. Updates to this policy
- 18. Contact us / Privacy Officer
1. Who we are and what this policy covers
Fresh Air Pilates Pty Ltd (ABN: 41 687 766 150) operates a Pilates, Barre and Reformer studio at Dural in the Hills District of greater Sydney, New South Wales, and an associated online and Member-Hub platform available at freshairpilates.com.au. Our registered office is in Dural, NSW. Australian Privacy Principle 5 ("APP 5") obliges us to make this notice available to you at or before the time we collect personal information from you; this policy fulfils that obligation.
This policy applies to all personal and sensitive information that Fresh Air Pilates Pty Ltd collects, holds, uses or discloses, whether collected from you directly (online forms, in person at the studio, by email, by phone, by SMS, by Zoom, or via our mobile application shell) or about you from a third party where lawful to do so. It applies regardless of which medium or device you use to interact with us.
Throughout this policy, the terms "personal information" and "sensitive information" carry the meanings given to them in section 6 of the Privacy Act 1988 (Cth). "Health information" carries the meaning given to it in section 6 of the HRIP Act and includes information about your physical or mental health, any disability, your express wishes about future health-service provision, and any health service that has been provided or that you wish to be provided to you.
2. The kinds of information we collect
2.1 Personal information
- Identity and contact details — full name, preferred name, email address, mobile and/or landline number, postal or residential address (where you elect to provide it for shop deliveries), date of birth, and where applicable a profile photograph that you upload.
- Account credentials — your password (which we never store in plain text; we store it as a PBKDF2-SHA256 hash with 600,000 iterations and a unique random salt per account, in line with current OWASP guidance), and the time-based one-time-password secret for staff multi-factor authentication.
- Booking and attendance records — classes you have booked, attended, cancelled, no-showed or waitlisted; the date and time of each interaction; the booking source (website, mobile, admin, gift code).
- Financial information — the description and amount of each transaction, the type of pass or membership purchased, the GST component (where applicable), and refunds. We do not hold full card numbers; payment cards are tokenised by our payment processors (Square, Stripe, PayPal) and we hold only the last four digits, the brand, and the expiry month and year for display purposes.
- Communication preferences — your opt-in or opt-out status for booking confirmations, class reminders, cancellation notices, purchase receipts, marketing emails, SMS messages and Web Push notifications.
- Family or relationship information — limited to the name and contact phone number of an emergency contact you nominate.
- Referral information — your referral code, any referrals you have sent or received, and any rewards applied.
2.2 Sensitive information (including health information)
The Privacy Act and the HRIP Act both apply heightened protections to "sensitive" categories of information. We collect the following categories only with your consent, only where reasonably necessary for our functions or activities, and only with the safeguards described in section 5 below:
- Health notes — information you provide voluntarily about injuries, pregnancy, post-surgical recovery, chronic conditions or other matters relevant to your safe participation in classes. You are not obliged to provide this information; if you choose not to, the instructor may be unable to provide modifications appropriate to your situation.
- Emergency-contact details — the name and phone number of a person we may contact in the event of a medical emergency at the studio.
We do not collect information about race or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, or biometric identifiers, and we will not solicit any such information.
2.3 Technical, device and usage information collected automatically
- The IP address from which you connect to our services and the network operator inferred from it.
- Your device's user-agent string (operating system, browser, version), screen size and language preference.
- The pages and API endpoints you request, the timestamp of each request, the HTTP referrer, and a per-request correlation identifier we use to trace any incident affecting your session.
- Member-Hub viewing activity — which on-demand videos you start, your watch progress, completion events, and your favourites list.
- Pilates Flow mini-game play data — score, run length, heart-rate-zone telemetry generated locally by your device, and aggregate statistics. This data is used to power the leaderboard and to give you a private personal-best history.
- Zoom join records (time joined, time left, the Zoom display name you provided) for online classes you attend.
2.4 Information we do not collect
We do not knowingly collect information about your physical location more precise than the city implied by your IP address. We do not record audio or video of you during in-studio classes. We do not collect biometric identifiers. We do not use device fingerprinting beyond what is strictly necessary for security (a hash of your IP-network prefix and user-agent for new-device detection only).
3. How we collect information
Wherever practicable we collect personal information directly from you, in line with APP 3.6. The methods we use are:
- Forms you complete — registration, profile, booking, contact, gift-card purchase, feedback survey, contact-us inquiry, password reset.
- In-person interactions at the Dural studio — for example, when you sign up at reception, update your emergency contact, or complete an in-person waiver.
- Phone, SMS and email when you communicate with us through these channels.
- Automatic technical collection as described in section 2.3 when you visit our website, open our mobile app shell, or load an email we send you that contains tracking pixels (we do not currently use email tracking pixels but reserve the right to do so for transactional delivery confirmation only).
- Third parties, only where you have authorised that disclosure or where it is permitted by law — for example, when you sign in with your Google account we receive your name, email address and the public Google ID; when a referrer invites you to the studio we receive their referral code so we can attribute the introduction.
Where we receive personal information about you from someone else without you having directly provided it (an "unsolicited" disclosure under APP 4), we will assess whether we could lawfully have collected it ourselves; if not, we will destroy or de-identify the information within a reasonable time.
4. Why we collect, hold and use information
Our primary purposes for collecting and holding the information described above are:
- To provide the Pilates, Barre and Reformer classes (in-studio and online) you have booked, including the safe instruction of those classes.
- To operate our booking, waitlist, attendance, payment, refund, gift-card and membership-billing systems.
- To deliver the Member Hub on-demand video library and the Pilates Flow companion application.
- To respond to enquiries, complaints, support requests and refund requests.
- To verify your identity, authenticate your sessions, detect and prevent fraud, brute-force attacks, account takeover and abuse, and to keep an audit trail of significant administrative actions.
- To meet our obligations under Australian taxation, consumer-protection, work-health-and-safety, anti-money-laundering, and corporations law — including the seven-year financial-record retention obligation imposed by the Income Tax Assessment Act 1936 (Cth), the Goods and Services Tax Act 1999 (Cth), and the Corporations Act 2001 (Cth).
- To provide statistics, reporting and product analytics, in aggregated and de-identified form, that help us improve our services.
The secondary purposes for which we may use your information, only where they are related to the primary purpose and within your reasonable expectation, include:
- Sending booking confirmations, class reminders, waitlist alerts, payment receipts, billing-failure notices and other transactional communications.
- Sending direct marketing communications, but only if you have consented to receive them (see section 8).
- Conducting cohort retention, lifetime-value and class-popularity analyses to improve scheduling and pricing.
- Inviting you to complete a post-class feedback survey.
- Investigating and resolving any complaint or dispute.
We will not use or disclose your personal information for any purpose other than those described above without your consent or unless permitted by law.
5. Health information (HRIP Act and HPP compliance)
Because we collect optional health information from members for the purpose of providing safe Pilates instruction, Fresh Air Pilates is a "private sector person" within the meaning of the HRIP Act. Accordingly, we observe the fifteen Health Privacy Principles in addition to the Australian Privacy Principles. In particular:
- Lawful and fair collection (HPP 1). We collect health information only with your express consent and only for the lawful purpose of safe class instruction.
- Information to the individual (HPP 4). The class registration and profile pages include a notice describing the purpose, the recipients (the instructor for your class, and an admin user with permission to view client records) and the consequences of non-provision (the instructor may be unable to recommend modifications).
- Anonymity (HPP 8). You may participate in classes without providing health information; however, we strongly encourage members with relevant injuries, conditions or pregnancies to disclose them so that the instructor can keep you safe.
- Use and disclosure (HPP 10 & 11). Your health information is shown only to the instructor leading the class you have booked and to staff with the "view clients" permission. We do not disclose your health information to any third party except where you have given specific consent, where disclosure is necessary to lessen or prevent a serious threat to life or health, or where required or authorised by law.
- Identifiers (HPP 12). We do not adopt, use or disclose any government identifier (such as a Medicare number) except in the limited circumstances permitted by HPP 12.
- Transferring health information out of NSW (HPP 14). Where we transfer health information outside New South Wales — for example, when a US-based payment processor is involved — we do so only to recipients that are subject to a binding scheme of substantially similar privacy protections, or with your consent.
Health information is held in the same encrypted database as the rest of your account and is subject to the technical safeguards described in section 10. It is logically tagged in our application logs as a redaction-sensitive field, and our log pipeline automatically masks it before any line is written to disk.
6. To whom we disclose your information
We disclose personal information only to the categories of recipient described below. Each recipient is acting either as our service provider under contract (and bound to use the information only for the purposes we specify), or under a legal obligation, or with your consent.
6.1 Service providers (data processors)
- Square Inc. (United States) — payment processing, card tokenisation and recurring billing.
- Stripe Inc. (United States) — payment processing, card tokenisation and recurring billing.
- PayPal Australia Pty Ltd (Australia, with parent in the United States) — payment processing.
- Twilio Inc. (United States) — outbound SMS notifications, only where you have opted in to SMS reminders.
- Google LLC (United States) — Gmail OAuth-based email delivery, Google Sign-In identity verification, and (where applicable) Google Workspace administration.
- Vimeo Inc. (United States) — hosting of Member-Hub video content. Vimeo receives the IP address of your device when you stream a video; it does not receive your account name unless you separately log in to Vimeo.
- Zoom Video Communications (United States, Sydney POP) — delivery of online classes. Zoom receives the display name and email address you supply on join, and class participants are visible to other class participants.
- Sentry / GlitchTip — server-side error tracking. Personally identifying values are redacted by our log pipeline before any record reaches Sentry.
- Our hosting and infrastructure providers — including the network, DNS, certificate authority and offsite backup providers used to operate the website. The website is served from infrastructure located in Australia.
6.2 Disclosure required or authorised by law
We may disclose personal information where we are required or authorised by law to do so — for example, in response to a subpoena, search warrant, or other lawful demand from a court, tribunal or government agency; or where disclosure is reasonably necessary for the prevention, detection, investigation, prosecution or punishment of a criminal offence; or to comply with our reporting obligations under taxation, consumer-credit or anti-money-laundering law.
6.3 What we do not do
We do not sell, rent, lease or trade personal information to any third party. We do not disclose personal information to advertising networks, data brokers or marketing list rentals. We do not allow third parties to embed advertising trackers on our website or in our emails.
7. Cross-border data flows (APP 8)
Several of the service providers listed in section 6.1 are based outside Australia, principally in the United States. Where personal information is disclosed to an overseas recipient, APP 8.1 requires us to take reasonable steps to ensure the recipient does not breach the APPs in relation to the information. We satisfy this obligation by:
- Selecting reputable providers that publish privacy policies materially equivalent to the APPs and that have a record of regulatory compliance.
- Imposing contractual obligations through their standard data-processing agreements that limit use of personal information to the purposes for which we engaged them.
- Limiting the personal information we send to each provider to what is strictly required for the function they perform (for example, we do not send health information to payment processors).
You acknowledge that, by interacting with our services, you consent to the transfer of your personal information to these providers in their respective jurisdictions for the purposes set out in this policy. Where you withdraw that consent we may be unable to continue providing the relevant service to you.
8. Direct marketing & the Spam Act
We send marketing communications (newsletters, promotions, drip campaigns) only to members who have given us express consent at registration or who have opted in afterwards through their profile settings. Every marketing email we send contains a clear and prominent unsubscribe mechanism that, when used, takes effect within 24 hours, in compliance with the Spam Act 2003 (Cth).
For SMS marketing (where enabled), we comply with the Spam Act and the Australian Communications and Media Authority's industry codes. SMS messages will identify Fresh Air Pilates as the sender, will be sent only to numbers for which we hold consent, and will contain a "STOP to opt out" instruction where required.
We do not engage in telemarketing. If we ever do, we will check the Australian Government's Do Not Call Register before placing any call, in compliance with the Do Not Call Register Act 2006 (Cth).
Transactional communications (booking confirmations, payment receipts, password resets, security notices, billing-failure notices) are not marketing and are sent regardless of marketing-consent status because they are necessary for us to provide the service you have purchased.
9. Cookies, analytics & tracking
We use only cookies that are strictly necessary for the operation of our website. The cookies we set are:
- Session cookie — encrypted, HTTP-only, secure, SameSite=Lax; identifies your authenticated session.
- CSRF token cookie — protects against cross-site request forgery on state-changing API calls.
We do not use advertising cookies, conversion-tracking pixels, social-media trackers, or third-party analytics scripts that profile users. The cookie-consent banner that appears on first visit records your dismissal in your browser's localStorage only — no cookie is set for the dismissal itself.
If we ever introduce privacy-respecting analytics (such as Plausible or PostHog in cookieless mode) we will update this section before activating the change. We will not introduce any third-party tool that performs cross-site tracking.
10. How we secure your information
We take reasonable steps, having regard to the sensitivity of the information involved, to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure (APP 11). The technical and organisational measures we have in place include:
- Transport security — TLS 1.2+ on all connections; HTTP Strict-Transport-Security header with a 12-month max-age; modern cipher suites only.
- Application security — strict Content Security Policy with nonces on every public page; CSRF tokens on every state-changing API call; brute-force lockout after repeated failed sign-ins; password-strength minimums and rejection of passwords known to have appeared in public credential breaches (Have-I-Been-Pwned k-anonymity check).
- Authentication — passwords are stored as PBKDF2-SHA256 hashes with 600,000 iterations and a unique salt; staff accounts must use a time-based one-time-password (TOTP) authenticator app for sign-in; all sign-ins are recorded and a "sign-in from a new device" notice is emailed automatically.
- Payment security — payment cards are tokenised by Square / Stripe / PayPal at the point of capture. The card number, security code and full expiry are never seen by, transmitted to, or stored on our servers. We are descoped from PCI-DSS as a result of this approach.
- Database security — the database is held on encrypted disk, with foreign-key constraints enabled, write-ahead-log mode for crash safety, and a nightly snapshot using SQLite's online-backup API to off-site storage retained for thirty days.
- Access control — staff have role-scoped permissions (admin, instructor with sub-permissions for clients, schedule, reports, inquiries) so that an instructor can see only the data necessary for their classes and not, for example, finance or full client management.
- Logging and monitoring — application logs run through a server-side redaction filter that masks email addresses, phone numbers, payment-card-shaped digit runs, dates of birth, health notes and authentication tokens before any line is written to disk.
- Audit trail — significant administrative actions (sign-ins, password resets, role changes, refunds, data exports, account deletions) are recorded in an audit log retained for at least seven years.
- Vulnerability management — automated weekly dependency scanning (Dependabot) and static-analysis security scanning (Bandit) on every code change; a security-vulnerability disclosure policy is published at /SECURITY.md.
Despite these measures, no online system can be guaranteed completely secure. If you become aware of any security weakness in our service, we encourage you to report it via the channel described in SECURITY.md; we operate under a safe-harbour policy for good-faith security researchers.
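The password safeguards listed above (PBKDF2-SHA256 with 600,000 iterations and a per-account salt, plus the k-anonymity breached-password check) can be demonstrated in a few functions. The following Python is an added example rather than the studio's own code; the stored-record format, the minimum length, and the stand-in range response with its counts are assumptions constructed here, while the SHA-1 of the word "password" used to build it is a real, well-known value.

```python
"""Password safeguards of the kind listed in section 10 (PBKDF2-SHA256 with a
per-account salt, and a k-anonymity breached-password check).  Added example,
not the studio's own code; the record format, minimum length and the stand-in
range response are assumptions made here."""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # iteration count stated in sections 2.1 and 10
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 12      # assumed minimum for this example


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iter>$<salt>$<hash>'.

    A fresh random salt per account means two users with the same password get
    different records, and storing the iteration count lets it be raised later
    without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))


def hibp_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 of the password into the 5-hex-char prefix that
    is sent to the range endpoint and the 35-char suffix that never leaves us."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def breach_count(password: str, range_response: str) -> int:
    """Return how often the password appears in a 'SUFFIX:COUNT' range body.

    The caller fetches the body for the prefix (over HTTPS, from the Pwned
    Passwords range endpoint); matching happens locally, so the service only
    ever learns the first five hex characters of the hash."""
    _, suffix = hibp_prefix_and_suffix(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def password_problems(password: str, range_response: str) -> list[str]:
    """Policy check a sign-up form would run before calling hash_password."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if breach_count(password, range_response) > 0:
        problems.append("appears in a public credential breach")
    return problems


# Constructed stand-in for the range body returned for prefix "5BAA6" (the SHA-1
# of "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).  Real bodies list
# hundreds of suffixes with real counts; these lines and counts are invented.
SAMPLE_RANGE_5BAA6 = """\
00C3E6A5E4A0E5D19E6A7D1C2B3A4F5E6D7:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
3B1A2C3D4E5F60718293A4B5C6D7E8F9A0B:1
"""

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(password_problems("password", SAMPLE_RANGE_5BAA6))
```

The breach check is deliberately split from the network call: `breach_count` takes the range body as text, so it can be exercised offline and the only request the application ever makes carries the five-character prefix and nothing else.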
11. Data retention
We retain personal information only for as long as we need it for the purposes described in this policy or as required by law, after which we destroy or de-identify it. The retention periods we apply are:
- Active account data — retained while you have an active account and for 90 days after account closure (to allow recovery of an inadvertent deletion).
- Booking and attendance history — retained for the life of the account and, in de-identified form, indefinitely for the purpose of cohort analysis.
- Financial records (payments, refunds, GST-relevant entries, gift-card issuance and redemption) — retained for a minimum of seven (7) years from the end of the financial year to which they relate, in line with the Income Tax Assessment Act 1936 (Cth), the A New Tax System (Goods and Services Tax) Act 1999 (Cth) and the Corporations Act 2001 (Cth).
- Health information — retained while you are an active member; on account closure, anonymised within 90 days unless you request immediate destruction.
- Application logs — retained for 90 days, then automatically purged.
- Backups — held in a 30-day rolling retention, then automatically destroyed.
- Audit-log records — retained for 7 years to satisfy our regulatory and dispute-resolution obligations.
- Marketing-consent records — retained for 5 years after the last consent action (grant or withdrawal), to evidence compliance with the Spam Act.
12. Notifiable Data Breaches
Fresh Air Pilates is subject to the Notifiable Data Breaches (NDB) scheme established by Part IIIC of the Privacy Act. If we suffer a data breach that is likely to result in serious harm to any individual whose information is involved, and we are unable to remediate the breach so as to prevent that likely serious harm, we will:
- As soon as practicable, prepare a statement that includes the identity and contact details of Fresh Air Pilates, a description of the breach, the kinds of information involved, and the steps we recommend you take to protect yourself.
- Provide the statement to the Australian Information Commissioner.
- Notify each individual whose information was involved by email (or, if email is not practicable, by SMS or by publishing the statement on this website with reasonable steps to publicise the notification).
We will also voluntarily notify the Information and Privacy Commission NSW where the breach involves health information held in respect of services provided in NSW, as a matter of best practice and to discharge our obligations under the HRIP Act.
13. Your rights and how to exercise them
13.1 Access (APP 12 / HPP 7)
You have the right to access the personal information we hold about you. To exercise this right, contact us via the Contact page; our Privacy Officer will provide your data within 30 days, in a machine-readable JSON file (or your preferred format) containing your profile, bookings, waitlist entries, memberships, passes, payments (less full card numbers), saved-card metadata, hub watch-history, hub favourites, hub purchases, class feedback, achievements, audit log, and any Pilates Flow run analytics. We may need to verify your identity before we release the data.
13.2 Correction (APP 13 / HPP 8)
If any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, you may correct it directly under Account → Profile, or notify our Privacy Officer. We will correct the information as soon as practicable and notify any third party to which we have disclosed the information of the correction, where this is reasonable.
13.3 Deletion / "right to be forgotten"
You may ask us to permanently delete your account at any time by contacting us via the Contact page. On a verified deletion request, we anonymise your profile (your name is replaced with "Deleted User", your email and phone are cleared, your health notes and emergency-contact details are removed) and detach all saved cards. Your booking and payment history is preserved in a de-identified form because we are required to retain it for the seven-year financial-record period; the rows are no longer linked to a real person and cannot be re-identified by us. We aim to complete deletion within 30 days of a verified request.
13.4 Marketing opt-out
You may withdraw consent for marketing communications at any time, either by toggling the marketing-consent slider in your profile, or by clicking the unsubscribe link in any marketing email, or by replying STOP to a marketing SMS. We will give effect to any opt-out promptly, and in any case within the 5-business-day maximum imposed by the Spam Act.
13.5 Objection / restriction (where GDPR applies)
If you are a resident of the European Economic Area or the United Kingdom and the GDPR or UK GDPR applies to our processing of your personal data, you have the additional rights to object to certain processing, to restrict processing, and to data portability. Contact our Privacy Officer (section 18) to exercise any of these rights.
13.6 Withdrawal of consent
Where we rely on your consent to collect or use information (in particular, for sensitive information and for marketing), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of any use that occurred before the withdrawal.
14. Anonymity and pseudonymity (APP 2)
Wherever practicable, we offer the option of dealing with us anonymously or by pseudonym. In particular:
- You can browse our website (the public pages) without identifying yourself.
- You can submit a contact-us inquiry using a pseudonym, although we may need a real email address to reply.
- You can join the Pilates Flow leaderboard under a chosen display name; only a first-name + last-initial format is exposed to other members.
However, we cannot operate a booking, payment or member-hub account anonymously, because we need to know who has booked which class for safety and insurance reasons, and because our payment processors require true identification under their anti-money-laundering obligations.
15. Children and minors
Our services are not directed at children under 16 years of age. We do not knowingly collect personal information from a child under 16 without the verifiable consent of a parent or guardian. If you become aware that a child under 16 has provided personal information to us without such consent, please contact our Privacy Officer and we will delete the information promptly.
For young people aged 16 and 17 enrolled by a parent or guardian, the parent or guardian is responsible for managing the account, including marketing-consent decisions, until the young person turns 18.
16. Complaints process
We take complaints about our handling of personal information seriously. If you believe we have breached the Australian Privacy Principles, the Health Privacy Principles, the Spam Act, or any other privacy-related law, please follow the steps below.
- Contact us first. Email our Privacy Officer at the address in section 18 with the subject "Privacy complaint" and a description of the issue, what outcome you are seeking, and any supporting material.
- We will acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days. Complex complaints may take longer; if so, we will tell you.
- If you are not satisfied with our response, you may lodge a complaint with one of the following regulators (no charge):
  - The Office of the Australian Information Commissioner (OAIC) for Privacy Act matters — phone 1300 363 992 or online at oaic.gov.au.
  - The Information and Privacy Commission NSW (IPC NSW) for HRIP Act / health-information matters arising from services delivered in NSW — phone 1800 472 679.
  - The Australian Communications and Media Authority (ACMA) for Spam Act / Do Not Call Register matters.
17. Updates to this policy
We may update this policy from time to time to reflect changes in our practices, legal obligations or services. The version number and "Last updated" date at the top of this page will be incremented on any change. For material changes — for example, a new category of information collected, a new third-party recipient, a new overseas data flow, or a change to your rights — we will notify members by email at least 14 days before the change takes effect, and provide a summary of what has changed and why.
You are encouraged to review this policy periodically. Continued use of our services after a change takes effect constitutes acceptance of the updated policy.
18. Contact us / Privacy Officer
All privacy enquiries, access requests, correction requests, complaints, and general questions about this policy should be directed to our Privacy Officer:
© Fresh Air Pilates Pty Ltd · ABN 41 687 766 150. This policy is provided for transparency and does not create any contract between us and you. Where any provision of this policy is inconsistent with the Privacy Act 1988 (Cth), the HRIP Act, the Spam Act 2003 (Cth) or any other applicable law, the relevant statute prevails.