This Data Protection Addendum (“DPA”) is incorporated into and forms an essential part of the offhrs Partner Terms of Business (the “Agreement”) entered into between the Vendor/Studio (“Partner”) and offhrs (“Platform”). In the event of a conflict between this DPA and the general terms of the Agreement, this DPA shall take precedence regarding data-handling procedures.
1. Definitions & interpretive framework
- Applicable privacy laws — the Personal Information Protection and Electronic Documents Act (PIPEDA, SC 2000, c 5) and any applicable provincial privacy statutes within Canada, including Ontario guidelines.
- Data custodian (organization) — the Partner, who retains legal authority and accountability for the collection of student records.
- Data service provider (processor) — offhrs, which provides technical database hosting, scheduling operations, and transaction infrastructure.
- Personal data — any uniquely identifiable information relating to a student, customer, or staff member uploaded to partners.offhrs.app by the Partner, or submitted directly by a consumer to book a slot.
- Security incident — any unauthorized database access, exposure, or leakage that compromises the confidentiality, integrity, or availability of personal data hosted on offhrs infrastructure.
- Staff profiles — personnel data uploaded by the Partner, including names, instructor bios, availability, and dashboard access states.
2. Allocation of regulatory roles
- The Partner’s role. The Partner is the primary organization collecting customer data and is responsible for obtaining the necessary consent from students before that data is processed through the Platform.
- The Platform’s role. offhrs acts strictly as a data service provider. We process personal information only to maintain the scheduling, booking, and payment functions at the Partner’s direction.
3. Structural parameters of processing
3.1 Scope & purpose
The Platform processes data for the sole purpose of operating a localized workshop marketplace: scheduling, customer checkouts, registration tallies, refunds, slot reconciliation, and conflict checks.
3.2 Data categories & restrictions
- Permitted customer data: first and last names, email addresses, mobile numbers (for automated system messages), booking history, refund history, and transaction status codes.
- Permitted staff data: names, role titles, class specializations, and availability profiles.
- Prohibited special-category data: Partners are strictly prohibited from using intake forms or custom fields to collect or store sensitive personal information (government IDs, health-status indicators, sensitive financial data) within the standard offhrs databases. If a Partner collects this information for studio safety, they must maintain it off-platform under their own data controller responsibilities.
4. Technical security & isolation measures
- Storage security. All operational data is stored on managed database clusters with Row Level Security (RLS) enabled. This ensures one vendor’s dashboard cannot view, edit, or pull the records of a competing studio.
- Authentication security. Dashboard access is protected by tokenized session protocols (JWT) and supports Google and Apple SSO. Partners must keep these credentials confidential.
- Confidentiality. Any technical staff or automated maintenance subroutines operating under offhrs are bound by strict system confidentiality requirements.
5. Security incident management & notifications
- Breach reporting. In the event of a confirmed Security Incident impacting your student or studio data, offhrs will notify the impacted Partner without undue delay, and where feasible within 72 hours of technical discovery.
- Mitigation responsibilities. offhrs will take immediate steps to patch vulnerabilities and secure the system. The Partner remains responsible for providing any required legal disclosures to their individual students or provincial privacy commissioners if mandated by PIPEDA thresholds.
6. Managing consumer data requests
- Direct tools. partners.offhrs.app includes self-service tools that allow Partners to update, export, or remove customer data when a student makes a request.
- Platform intervention. If a student contacts offhrs directly regarding data deletion or account removal, our system removes the consumer’s personal data from the customer-facing records and reconciles the affected workshop slots so the Partner sees accurate availability without retaining stale personal data.
7. Retaining and exporting studio data
- Post-termination window. Upon the cancellation or termination of your SaaS subscription (Lite or Pro), the Partner has thirty (30) days to export historic booking ledgers, customer contact lists, and instructor data via the dashboard export utilities.
- Permanent deletion. Following this 30-day window, offhrs reserves the right to permanently purge the associated database records from active production instances.
- Regulatory exemption. offhrs will retain specific transactional tax data, HST billing logs, and Stripe settlement records beyond this period for up to six (6) years, solely to comply with Canada Revenue Agency audit requirements.
8. Limitation of liability
offhrs’ total liability for any data mishandling, server exposure, or regulatory fine issued under this DPA is subject to the overall financial limitations in the offhrs Service Terms and shall not exceed the subscription amounts paid by the Partner to the Platform over the preceding three (3) months.