Privacy Policy

1. About This Policy

This Privacy Policy explains what data Session For STR collects, why we collect it, and how we protect it. Session for Business is operated by JK Creative LLC, a Washington State limited liability company, at str.jkcreative.store.

The platform is built on Supabase (database and authentication infrastructure), with payment processing through Square, email delivery through Resend, and error monitoring through Sentry.

This policy applies to all Operators and Team Users of the platform, regardless of location, with specific provisions for California and Washington State residents noted where applicable.

2. Data We Collect

Operator account data:

• Business name and contact information
• Name and email address of the account holder
• Billing information (processed and stored by Square)
• Subscription tier and plan details

Team user data:

• Name and email address
• Role and access level within the platform

Client and deal data:

• Client records, appointment data, deal information, and other business data entered by Operators and Team Users
• This data is owned by the Operator (see our Terms of Service, Section 9)

Payment data:

• We do not store credit card numbers, bank account details, or financial information. All payment data is processed and stored directly by Square
• We store only a Square customer ID for subscription management

Usage data:

• Pages visited, features used, and general interaction patterns
• Browser type, device type, and operating system
• IP address and approximate geographic location

Error and performance data:

• Application errors and performance metrics collected through Sentry for the purpose of maintaining and improving the platform
• Sentry data may include browser information, error stack traces, and the page URL where the error occurred

3. How We Use Your Data

• To provide and operate the Session For STR platform
• To manage your subscription and process payments via Square
• To send transactional emails (account confirmations, billing notifications, service updates) via Resend
• To monitor and fix errors and performance issues via Sentry
• To respond to support requests
• To comply with legal obligations, including tax reporting and law enforcement requests

We do not sell your data. We do not share it with third parties for advertising or marketing purposes.

4. Third-Party Services

We use the following third-party services to operate Session for Business:

Each of these services has its own privacy policy governing how they handle data. We encourage you to review their policies. JK Creative is not responsible for the privacy practices of third-party service providers.

5. Cookies

Session For STR uses cookies and similar technologies for:

• Essential cookies: Required for the platform to function, including session management and authentication
• Analytics cookies: Used to understand how the platform is used and to improve the service

We do not use cookies for third-party advertising or cross-site tracking.

6. Data Retention

We retain your account data for as long as your subscription is active. When you cancel, we retain your data for 30 days to allow for data export requests, after which it is permanently deleted.

If you request deletion of your data, we will delete it within 7 days. Some data may be retained longer if required by law (e.g., tax and billing records).

Error logs in Sentry are retained for 90 days and then automatically purged.

7. Your Rights

Regardless of where you are located, you can at any time:

• Access your data — email us and we will provide a copy of all data we hold about you
• Correct inaccurate data — email us and we will update any inaccurate information
• Export your data — request an export of your CRM data in a standard format
• Delete your data — email us at support@jkcreative.store and we will delete your account and all associated data within 7 days
• Cancel your subscription — cancel at any time, no questions asked

8. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it
• Right to delete: You may request deletion of your personal information, subject to certain legal exceptions
• Right to correct: You may request correction of inaccurate personal information
• Right to opt out of sale: We do not sell personal information. We do not share personal information for cross-context behavioral advertising
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your rights, email support@jkcreative.store. We will respond within 45 days as required by law.

9. Washington State Residents

Data breach notification (RCW 19.255.010): In the event of a security breach that compromises your personal data, JK Creative will notify affected users within 30 days of discovering the breach. Our notification will describe what data was affected, what we have done to contain it, and what steps you can take to protect yourself.

Washington State residents who believe their consumer protection rights have been violated may contact the Washington State Attorney General's Consumer Protection Division at 1-800-551-4636 or atg.wa.gov/consumer-protection.

10. Children's Privacy (COPPA)

Session For STR is intended for adult business operators and their authorized team members. This service is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13.

If we become aware that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal information, please contact us at support@jkcreative.store.

This is consistent with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501).

11. CAN-SPAM Compliance

We send two types of email: transactional emails (account confirmations, billing notifications, service updates) and occasional commercial emails (product announcements). Every commercial email we send includes:

• A clear identification of who sent the email
• Our physical mailing address
• A working unsubscribe mechanism

We will honor any unsubscribe request within 10 business days, as required by the CAN-SPAM Act (15 U.S.C. § 7704). Once you unsubscribe from commercial emails, we will not send further marketing email to that address, though we may still send essential account and billing notifications.

12. Data Security

• All data is encrypted at rest in Supabase using AES-256 encryption
• All connections to the platform use HTTPS/TLS encryption in transit
• Database access is protected by Row Level Security (RLS) policies
• Input validation is enforced at both client and server level using Zod schema validation
• API keys and secrets are stored in environment variables, never in source code or logs

While we take reasonable measures to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

13. Do Not Track

Some browsers send a “Do Not Track” (DNT) signal to websites. There is currently no universally accepted standard for how websites should respond to DNT signals. At this time, Session for Business does not respond differently to DNT signals. However, we do not engage in cross-site tracking or sell your data to third parties regardless of your DNT setting.

14. Changes to This Policy

If we make material changes to how we handle your data, we will email you at least 14 days before the changes take effect. The effective date at the top of this page will always reflect the most recent version.

15. Contact

Questions about this Privacy Policy? Contact us at support@jkcreative.store

JK Creative LLC  |  Washington State, United States