Data Security

Last updated: April 5, 2026

StudioPulse connects to your studio management platform to generate retention reports. Because this involves your members' personal information, we want to be fully transparent about what data we access, how it's stored, and who can see it.

What Data We Access

When you connect StudioPulse to Mindbody, we retrieve the following data from your account via the official Mindbody API:

• Member names and profile information
• Email addresses and phone numbers
• Class visit and check-in history
• Membership status and type
• Purchase and transaction history

We do not access payment card numbers, financial account details, or any data outside of what is necessary to generate your reports. All API access is read-only — StudioPulse never writes to or modifies your Mindbody data.

For studios using Mariana Tek or a CSV upload, only the data you explicitly provide is imported.

How Data Is Stored

Member data is stored in a PostgreSQL database hosted on Amazon RDS in AWS (us-east-1). The database operates in a private network and is not accessible from the public internet.

• At rest: All data is encrypted at rest using AES-256.
• In transit: All connections between your browser, our application, and external APIs use TLS 1.2 or higher.
• Credentials: Your Mindbody Site ID and API token are encrypted using Fernet symmetric encryption before being stored. The encryption key is stored separately from the database and never logged.

Access Controls

Your studio's data is scoped to your account only. No other studio can access your data, and you cannot access another studio's data. Permissions are enforced at the API layer on every request.

Brian Atkins (founder) has administrative access for the purpose of debugging and customer support only. Any access to studio data for support purposes is available in your account's activity history upon request.

Third-Party Data Processors

We share data with the following vendors only as necessary to operate the service:

• Amazon Web Services (AWS) — hosts our application, database, and scheduled import jobs in us-east-1.
• SendGrid — delivers your daily report emails to configured recipients. Member data appears in reports sent via SendGrid.
• Anthropic — generates the AI-written narrative summaries in your reports. Individual member data (name, visit count, days since last visit) is sent to the Anthropic API per member to produce report copy. Anthropic's API terms prohibit using customer data for model training.

We do not use any other vendors for data processing. We do not share, sell, or license your studio's data to any third party for marketing, advertising, or analytics purposes.

Mindbody Integration

StudioPulse connects to Mindbody via the official Mindbody Public API. We access only the API scopes required to retrieve member and attendance data. We are pursuing Mindbody Certified Partner status, which includes a formal security review of our integration.

Your Mindbody Site ID and API token are used exclusively for scheduled data imports. You can disconnect the integration at any time from your Settings panel, which immediately stops all future syncing.

Data Retention

Member data is retained for as long as your StudioPulse account is active. If you cancel your subscription and request account deletion, all data associated with your account is deleted within 30 days.

Report delivery logs are retained for 90 days to support troubleshooting and duplicate-send prevention.

Incident Response

In the event of a data breach or security incident that affects your studio's member data, we will notify you by email within 72 hours of becoming aware of the incident, as required by applicable law.

If you believe your account has been compromised or you have a security concern, contact us immediately at brian@getstudiopulse.com.

Questions

If you have questions about our security practices or want to request a copy of your data, contact us at brian@getstudiopulse.com.