Privacy Policy
This Privacy Policy explains how Moss Inc. (“Moss”, “we”) collects, uses, and protects your information when you use our platform and the booking experiences it powers.
Last updated July 2, 2026
Information we collect
We collect information you provide and information generated as you use Moss:
- Account & contact details — name, email address, mobile phone number, and password.
- Booking & activity — classes and appointments you book, attendance, waitlists, and preferences (e.g., favorite studios and trainers).
- Purchases — memberships, packages, and order history. Card details are processed by our payment provider; we store only limited, non-sensitive metadata (e.g., card brand and last four digits).
- Communications & consent — your messaging preferences and opt-in / opt-out records for email and SMS.
- Technical data — device, browser, and approximate location (used for the “studios near me” discovery feature when you grant permission).
- Google user data — see the dedicated section below.
How we use your information
- To provide bookings, memberships, and account management.
- To send transactional messages — booking confirmations and class / appointment reminders — by email and SMS (see our SMS Terms).
- To process payments and prevent fraud.
- To operate, secure, and improve the platform.
- To comply with legal obligations.
We do not use your information — including Google user data — to serve third-party advertising, and we do not use it to train generalized artificial-intelligence or machine-learning models. AI features inside Moss (such as waitlist prediction, churn detection, and dynamic pricing) operate only on data within your studio's Moss tenant and are used solely to provide the Moss service.
Google user data (Google API Services User Data Policy)
Moss offers an optional Google Calendar integration that instructors can connect to help calculate their real-time availability for 1:1 appointments. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Google user data we access.
When an instructor connects their Google account to Moss, we request the following OAuth scopes:
https://www.googleapis.com/auth/calendar.readonly— to list the calendars on the instructor's Google account so they can choose which calendars Moss should treat as busy.https://www.googleapis.com/auth/calendar.freebusy— to read only the free/busy time ranges of the calendars the instructor selects.
From these scopes, Moss reads and stores only:
- The instructor's Google account email address (for display in the dashboard).
- The list of the instructor's calendars (id and title) and which ones they have selected as “busy” sources.
- Free/busy time ranges from the selected calendars, at query time only — we do not read event titles, descriptions, attendees, locations, attachments, or any other event content, and we do not persist individual event data.
- OAuth access and refresh tokens, so the connection remains active until the instructor disconnects it.
How we use Google user data.
Google user data is used only to provide and improve the user-facing Moss feature the instructor connected it for: computing an instructor's real-time availability for 1:1 appointment booking by subtracting Google Calendar busy time from their working hours. We do not use Google user data for any other purpose. Specifically, Moss does not:
- Sell, rent, or license Google user data to any third party.
- Transfer Google user data to third parties except the limited service providers required to host and secure it (see below).
- Use Google user data for advertising or marketing of any kind.
- Use Google user data to train, fine-tune, or evaluate generalized artificial-intelligence or machine-learning models.
- Allow humans to read Google user data, except (i) with the user's explicit consent, (ii) as strictly necessary for security purposes such as investigating abuse, (iii) to comply with applicable law, or (iv) for aggregated or anonymized internal operations use consistent with the Limited Use requirements.
How we share Google user data.
We do not share Google user data with third parties for their own purposes. Google user data is stored on our infrastructure providers (currently Supabase, running on hardened cloud infrastructure) solely so that they can host it on our behalf. These providers are bound by data-processing agreements that prohibit them from using the data for their own purposes.
How we protect Google user data.
- All data is transmitted using TLS (HTTPS) in transit.
- OAuth tokens and free/busy data at rest are stored encrypted at the database provider level.
- Access is restricted by row-level security tied to the instructor's organization; only that instructor (and authorized managers within the same organization) can view the connection status and calendar selections.
- Free/busy is fetched at query time to compute availability; we do not persist individual busy events beyond the request that generated them.
Retention and deletion of Google user data.
- You can disconnect Google Calendar at any time from Dashboard → Availability. Disconnecting deletes the stored OAuth tokens, account email, and selected calendar list from Moss and revokes our refresh token with Google.
- You may also revoke Moss's access at any time via your Google Account permissions page at myaccount.google.com/permissions.
- If your Moss account (or your studio's account) is deleted, all associated Google user data is deleted from our systems within 30 days.
- To request deletion of Google user data outside of the in-product controls above, email support@practicemoss.com. We respond within 30 days.
How we share information
We share personal information only in the specific circumstances below. We do not sell personal information (including Google user data), and we do not share it with third parties for their own advertising or marketing purposes. Mobile opt-in data and consent are never shared with third parties for their own marketing.
- With the studio(s) you book with — so they can provide their services (e.g., confirm bookings, manage memberships, contact you about your appointments).
- With service providers acting on our behalf — bound by data-processing agreements that restrict their use of the data to providing services to us. This currently includes:
- Supabase — database, authentication, and file storage hosting.
- Stripe — payment processing and payouts.
- Twilio — transactional SMS delivery.
- Email delivery providers — transactional email sending.
- Vercel — application hosting.
- When required by law — to comply with a valid legal process, or to protect the rights, property, or safety of Moss, our users, or the public.
- In a business transfer — if Moss is involved in a merger, acquisition, or asset sale, personal information may be transferred, subject to the commitments in this policy.
Your choices
You can update your details in your account, opt out of SMS by replying STOP, opt out of marketing emails via the unsubscribe link, and disconnect the Google Calendar integration from Dashboard → Availability. Depending on your location, you may have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing — contact us at support@practicemoss.com to exercise them. We do not discriminate against you for exercising these rights.
Data retention & security
We retain information for as long as your account is active or as needed to provide the service and meet legal obligations, and we delete or de-identify it after that. Payment records are retained as required by tax and financial-regulatory law. Google user data is retained only for as long as the Google Calendar integration remains connected, or as described in the Google user data section above.
We use administrative and technical safeguards to protect your information: TLS in transit, encryption at rest at the database provider level, row-level security policies scoping data to your organization, least-privilege access for our staff, audit logging, and security review of code changes. No method of transmission or storage is 100% secure.
Children
Moss is not directed to children under 13, and minors should be added and managed by a parent or guardian through a household account.
Changes & contact
We may update this policy and will revise the date above. Questions? Email support@practicemoss.com.