Tatami CRM← Back to home

Privacy Policy

Last updated: June 6, 2026

Draft for review. This document was prepared as a working draft and has not been reviewed by an attorney. Please have qualified legal counsel review it before relying on it.

This Privacy Policy explains how Keller Services LLC (“Tatami CRM,” “we,” “us,” or “our”) handles information in connection with Tatami CRM, a software-as-a-service application for Brazilian Jiu-Jitsu academies (the “Service”).

Our role: controller vs. processor

Tatami CRM is a business-to-business tool. The academy that subscribes (the “Academy”) decides what information about its students, guardians, leads, and staff to put into the Service. For that information, the Academy is the data controller and Tatami CRM is a data processor acting on the Academy’s behalf. If you are a student or guardian and have questions about your information, please contact your Academy first — they control how that data is used. We process Academy account information (for the people who sign up and administer an Academy) as a controller.

Information we collect

Academy & account data: name, email, and login credentials for the people who create and manage an Academy account; academy details (name, address, contact info, timezone).

Customer Data the Academy enters: student and member records (name, contact details, address, date of birth, gender, belt/program, status, notes), guardian information for minors, leads, attendance/check-ins, schedules, events, competitions, and messages sent through the Service.

Payment data: we use Stripe to process payments. We store payment metadata only (e.g., card brand, last four digits, Stripe customer/payment-method tokens, amounts, status). We never store full card numbers — card data is handled directly by Stripe.

Technical data: standard server and security logs (e.g., IP address, user agent, timestamps), used to operate and secure the Service.

How we use information

  • to provide, maintain, and support the Service;
  • to process subscription billing and the Academy’s student charges (via Stripe);
  • to deliver email and SMS the Academy chooses to send (via Resend and Twilio);
  • to secure the Service, prevent abuse, and debug issues;
  • to comply with legal obligations.

We do not sell personal information, and we do not use Customer Data for advertising.

Sub-processors & sharing

We share information only with service providers that help us run the Service, under appropriate contractual protections:

  • Supabase — database, authentication, and file storage;
  • Stripe — payment processing and Stripe Connect;
  • Resend — transactional and broadcast email delivery;
  • Twilio — SMS delivery;
  • Vercel — application hosting;
  • U.S. Census Geocoder and OpenStreetMap — to power the optional student map.

We may also disclose information if required by law, to enforce our agreements, or to protect the rights, safety, and security of our users and the public. If we are involved in a merger or acquisition, information may transfer as part of that transaction.

Minors

The Service may store information about minors (for example, children enrolled in an Academy’s kids’ programs) and their guardians. That information is entered and controlled by the Academy, which is responsible for obtaining any required parental or guardian consent and for complying with laws relating to minors’ data. Tatami CRM does not knowingly create accounts for minors or market the Service to children.

Cookies

We use only essential cookies — those required to keep you signed in and to keep your session secure. We do not currently use advertising or third-party tracking cookies. If we add analytics in the future, we intend to use a privacy-friendly, cookieless approach and will update this policy accordingly.

Data retention

We retain Customer Data for as long as the Academy’s account is active or as needed to provide the Service. When an Academy cancels, we make Customer Data available for export for a reasonable period where practicable, after which it may be deleted in the ordinary course. We may retain limited records as required for legal, accounting, or security purposes.

Your rights & choices

Depending on your location, you may have rights to access, correct, delete, or export personal information, or to object to or restrict certain processing. Because most personal information in the Service is controlled by the Academy, students and guardians should direct such requests to their Academy; we will assist the Academy in responding. For account-level data we control, or to reach us about any privacy matter, contact us at the address below.

Security

We use reasonable technical and organizational measures to protect information, including per-academy tenant isolation (row-level security) and tokenized payment handling. No system is perfectly secure, and we cannot guarantee absolute security.

Changes to this policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date and, for material changes, provide additional notice where appropriate.

Contact

Questions or requests about this Privacy Policy? Contact Keller Services LLC at legal@tatamicrm.com.