Privacy Policy

1. Introduction

This Privacy Policy describes how SubPro, operated by Let's BJJ Inc. ("we", "us"), collects, uses, and protects your information when you use our platform at sub-pro.net and related services ("Service").

2. Information We Collect

Platform Users (Studio/Academy Owners):

• Account information: name, email, password
• Business information: academy name, subdomain preference
• Payment information: processed securely by Stripe (we do not store card numbers)
• Content: videos, images, and text you upload
• Usage data: login activity, feature usage
• Browser-reported timezone (e.g. Europe/Berlin), captured at signup and used only to schedule system emails at a reasonable local hour

End Users (Students/Subscribers):

• Account information: name, email, password
• Subscription and purchase history
• Watch progress, notes, and playlists
• Payment information: processed by Stripe
• Browser-reported timezone (e.g. America/New_York), captured at signup and used only to schedule system emails at a reasonable local hour

3. How We Use Your Information

• To provide, maintain, and improve the Service
• To process payments and manage subscriptions
• To send transactional emails (account verification, password resets, receipts)
• To provide customer support
• To detect and prevent fraud or abuse

We do not sell your personal information to third parties.

3a. Legal Basis for Processing (GDPR / UK GDPR)

We process personal data on the following lawful bases under GDPR Article 6:

• Contractual necessity — to provide the Service, process payments, and manage your account
• Legitimate interests — to improve the Service, prevent fraud, maintain security, and conduct analytics (where these interests are not overridden by your rights)
• Consent — for marketing communications and newsletters (you may withdraw consent at any time)
• Legal obligation — to comply with tax, accounting, and regulatory requirements

4. Data Sharing and External Services

We share information only in the following circumstances:

• Stripe, Inc. — Payment processing and fraud prevention (Privacy Policy)
• Mux, Inc. — Video hosting, encoding, and delivery (Privacy Policy)
• Cloudflare, Inc. — Infrastructure, CDN, DNS, database, and security (Privacy Policy)
• Resend, Inc. — Transactional email delivery (Privacy Policy)
• Platform Users ↔ End Users: Platform Users can see their End Users' account information, watch progress, and subscription status as necessary to operate their academy
• Legal requirements: When required by law, court order, or government request

5. Data Storage and Security

Data is stored on Cloudflare's global network using D1 (database), R2 (file storage), and KV (key-value store). Videos are stored and delivered via Mux. We implement industry-standard security measures including:

• Encryption in transit (HTTPS/TLS)
• Password hashing (bcrypt)
• JWT-based authentication with session management
• Rate limiting on sensitive endpoints
• Daily automated backups

6. Data Retention

We retain each category of data only as long as we have a legitimate purpose to do so. A daily automated job enforces the schedule below (UTC times).

Data Category	Retention Period	Reminder Before Deletion
Soft-deleted member accounts (PII masked immediately)	Row removed 30 days after deletion request	—
Unverified signups (email never confirmed)	Removed after 7 days	One email on Day 6
Abandoned operator applications (waitlist, never activated)	Removed after 90 days (unless flagged by SubPro staff as a warm lead)	Up to three emails on Day 30 / 60 / 85
Expired auth sessions and one-time tokens	Removed 7 days after each row's own expiry	—
Stripe webhook event records (idempotency log)	Removed after 90 days	—
Cancellation feedback (optional free-text survey)	Removed after 2 years	—
Forum posts whose author has been deleted (author shown as “Deleted User”)	Retained indefinitely (content no longer attributable to any individual)	—
Platform audit log (money, access, admin actions, security events)	Retained 7 years for accounting/regulatory requirements, then deleted	—

Encrypted daily backups are kept for 90 days and then rotated out. Anonymised usage statistics (aggregated, no personal identifiers) may be retained indefinitely for product-improvement purposes.

7. Your Rights

You have the right to:

• Access your personal data
• Correct inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Opt out of marketing communications

To exercise these rights, contact us at support@sub-pro.net.

8. Cookies

Essential: We use essential cookies and browser storage for authentication, session management, and core functionality. These do not require consent.

Analytics & marketing: Academy sites may load optional analytics (e.g. Google Analytics) and marketing (e.g. Facebook Pixel) tools when the academy owner enables them. Visitors from the EEA or UK see a consent banner and may accept or reject each category. Outside the EEA/UK, analytics may load by default subject to local law; you can still manage your preferences at any time.

Billing address & tax ID: When you subscribe, Stripe collects your billing address and (optionally) a tax/VAT ID to calculate applicable tax and produce receipts. Stripe processes this data independently under its own privacy policy; for a copy of that data, please request it from Stripe directly.

Manage cookies

9. International Data Transfers

Your data may be processed in multiple countries. We rely on the following transfer mechanisms:

• Japan: The European Commission and UK government have issued adequacy decisions recognising Japan as providing adequate data protection. Transfers to Japan are made under these adequacy decisions.
• US-based processors (Stripe, Mux, Cloudflare, Resend): We use the EU/UK Standard Contractual Clauses (SCCs, 2021 version) together with supplementary measures as required. A copy of the SCCs is available on request.

10. Children's Privacy

The Service is not intended for users under 18. We do not knowingly collect information from children. If you believe a child has provided us with personal information, contact us immediately.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA/CPRA: (a) the right to know what personal information we collect and how it is used; (b) the right to request deletion of your personal information; (c) the right to opt out of the sale or sharing of your personal information; (d) the right to non-discrimination for exercising your privacy rights.

We do not sell or share your personal information as defined under the CCPA/CPRA. We do not use your data for cross-context behavioral advertising. To exercise your rights, contact privacy@sub-pro.net.

12. Do Not Track

Our Service does not currently respond to Do Not Track (DNT) browser signals. You can control tracking preferences through your browser's cookie settings and our cookie consent mechanism where applicable.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities without undue delay and within 72 hours where required by GDPR, or as otherwise required by applicable law (including the Australian Notifiable Data Breaches scheme).

14. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. If we introduce such processing in the future, we will update this policy and provide information about the logic involved, as well as opt-out mechanisms as required by GDPR Article 22 and applicable law.

15. Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection supervisory authority. For EU residents, a list of authorities is available at edpb.europa.eu. For UK residents, contact the Information Commissioner's Office (ICO) at ico.org.uk. For Australian residents, contact the OAIC at oaic.gov.au.

16. Data Minimization and Privacy by Design

We follow data minimization principles and collect only the personal information necessary to provide and improve the Service. Privacy considerations are embedded into the design and development of our systems and features from the outset.

17. Sub-Processors

We use the following categories of sub-processors to operate the Service: payment processing (Stripe), video hosting and delivery (Mux), content delivery and security (Cloudflare), email delivery (Resend). A current list of sub-processors is maintained on our website. We will notify you at least 30 days before engaging a new sub-processor that processes personal data.

18. Changes to This Policy

We may update this Privacy Policy periodically. We will notify registered users of material changes via email at least 30 days before they take effect.

19. Related Policies

• Terms of Service
• 特定商取引法に基づく表記 (Legal Disclosure)
• Refund Policy

20. UK Representative (UK GDPR Art. 27)

As we are established in Japan and process personal data of individuals in the United Kingdom, we have appointed a UK representative for data protection matters. Contact: privacy@sub-pro.net

21. EU Representative (GDPR Art. 27)

As we are established outside the EEA and process personal data of individuals in the European Union, we have appointed an EU representative under GDPR Article 27. Contact: privacy@sub-pro.net

22. Contact

Data Controller: Let's BJJ Inc. (株式会社Let'sBJJ)
〒160-0023 東京都新宿区西新宿3丁目3番13号 西新宿水間ビル2F
Email: privacy@sub-pro.net
Phone: +81-80-5492-6225