Privacy Policy

1. Information We Collect

We collect the following categories of personal information:

• Identity & contact: name, email address, mobile phone number, billing address.
• Account & booking: account credentials (one-time codes), booking history, suite preferences, referral codes, party-size and guest details.
• Health-screening: liability waiver responses, self-reported medical conditions, emergency contact details (only when you sign the waiver before your first session).
• Payment: we do not store full payment card numbers — Stripe processes and stores card data on our behalf. We retain non-sensitive metadata (last four digits, brand, expiry) and Stripe customer IDs.
• Suite usage: session start/end timestamps, ambient sauna and plunge temperature readings during your session. These are environmental measurements; we do not collect biometric data from your body.
• Device & usage: IP address, browser type, pages viewed, timestamps, opt-in records.

2. How We Use Information

We use personal information to:

• Authenticate you and protect your account (one-time login codes, two-factor authentication).
• Schedule, confirm, modify, and bill for sessions.
• Issue suite door access codes and operational session updates.
• Provide customer support and respond to your messages.
• Send you sign-in verification codes when you sign in with your phone number, and — if you have opted in — booking-related SMS notifications tied to your account activity (see Section 5).
• Detect, prevent, and investigate fraud, abuse, and security incidents.
• Comply with legal obligations and enforce our Terms of Service.

3. How We Share Information

We share personal information only with the service providers needed to operate the Service. Each is bound by a data-processing agreement that limits use to the purposes we direct:

• Stripe, Inc. — payment processing, subscription billing, refunds.
• Twilio, Inc. — delivery of SMS messages (login codes, booking confirmations, door codes).
• SendGrid (Twilio SendGrid) — delivery of transactional and account email.
• Supabase, Inc. — database, authentication, and edge-function hosting.
• Vercel, Inc. — website and application hosting.

We may also share information when required by law (subpoena, court order, lawful request), to investigate fraud or violations of our Terms, or in connection with a merger, acquisition, or sale of assets — in which case we will notify affected users.

We do not sell your personal information, and we do not share it with third parties or affiliates for their own marketing or promotional purposes.

4. Data Retention

We retain personal information for as long as your account is active and for a reasonable period afterward to comply with legal, accounting, and dispute-resolution obligations. Booking records and signed waivers are retained for at least seven (7) years to satisfy Texas record-keeping and statute-of-limitations requirements. You may request deletion of your account at any time (Section 7).

5. SMS / Text Messaging

We operate two separate SMS streams. They are governed independently.

(a) Sign-in verification (transactional, user-initiated). When you enter your phone number into our sign-in form, we send a one-time verification code (OTP) and any two-factor authentication code to that number so you can log in. These messages are sent only in direct response to your sign-in attempt. They are not part of our A2P notifications program and do not require, and are not affected by, the opt-in described in (b) below. Providing a phone number is optional — you can sign in with email instead.

(b) Booking notifications (opt-in required). When you provide your phone number and check the unchecked "Send me text messages about my bookings" box on our website, or enable the same toggle in your account settings, we use your number to send you transactional SMS about your own bookings: booking confirmations, reschedule and cancellation notices, suite door access codes, and customer-service replies. We do not send promotional or marketing SMS. Message and data rates may apply. Message frequency varies based on your account activity. You can opt out at any time by replying STOP to any booking notification, disabling the toggle in your account settings, or emailing support@contrast-collective.com. Reply HELP to any message for help. Opting out of booking notifications does not affect your ability to receive sign-in verification codes when you request them.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

We use Twilio, Inc. as our SMS service provider. Phone numbers and message content are processed by Twilio under their privacy policy and terms, acting as a processor on our behalf.

6. Cookies & Analytics

We use first-party cookies and similar technologies to keep you signed in, remember your locale preference, and understand how the site is used. We do not use cross-site advertising trackers. You can clear or block cookies in your browser settings; some account functionality may not work if cookies are disabled.

7. Your Rights

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Delete your account and associated data (subject to retention limits in Section 4).
• Withdraw consent for booking SMS notifications at any time by replying STOP, disabling the toggle in your account settings, or contacting us. Sign-in verification codes are only sent when you actively sign in using your phone number; to stop receiving them, sign in with email instead or remove your phone number from your account.
• Opt out of "sale" or "sharing" of personal information — we do not sell or share for cross-context behavioral advertising, but you can confirm this in writing.

To exercise any of these rights, email privacy@contrast-collective.com from the address on file or contact us at our address above. We will respond within 45 days. We may need to verify your identity before completing certain requests.

California residents may also designate an authorized agent to make requests on their behalf and have the right to non-discrimination for exercising privacy rights.

8. Security

We use administrative, technical, and physical safeguards to protect personal information, including TLS encryption in transit, encryption at rest, role-based access controls, and audit logs. No system is perfectly secure; please use a strong, unique account email and keep your phone with two-factor capability available.

9. Children

The Service is not directed to children under 18 and we do not knowingly collect information from anyone under 18. If you believe a child has provided us with personal information, contact privacy@contrast-collective.com and we will delete it.

10. International Visitors

Our services are operated from the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S., which may have different data-protection laws than your country of residence.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy here with an updated "Last Updated" date. Material changes will be communicated via email or in-app notice where appropriate.

12. Contact Us

Contrast Collective, LLC
3723 Greenville Ave STE 82372
Dallas, TX 75206
privacy@contrast-collective.com