Data, Retention & Telemetry Policy
Last updated: May 29, 2026
1. Purpose and Scope
This Policy describes how Lux Services LLC maintains operational data, audit records, telemetry, analytics, and archived information within the BJJ Track platform. It is intended to supplement our Privacy Policy and our commercial terms.
2. Data We Maintain
BJJ Track may maintain customer account records, member and lead records, forms, waivers, signatures, portal activity, billing and payout metadata, communication logs, consent evidence, AI inputs and outputs, support records, audit events, system logs, and other operational data reasonably needed to run, secure, support, and improve the Services.
Some of this data is customer-controlled business data, and some is BJJ Track-controlled operational or compliance data. Even when customer-facing records are deleted, archived, or hidden, related system integrity records, suppression lists, financial records, or security logs may remain if reasonably necessary.
3. Telemetry, Diagnostics, and Analytics
BJJ Track uses telemetry, diagnostics, and product analytics to understand service health, abuse patterns, feature adoption, performance, reliability, and product effectiveness. This may include route views, session events, usage metrics, timestamps, browser and device data, IP-based metadata, queue and job outcomes, error logs, communication outcomes, conversion signals, attribution parameters, and similar platform events.
Our marketing properties may also use advertising and attribution technologies such as cookies, pixels, analytics SDKs, campaign identifiers, or click IDs. Customer-owned or customer-managed pages built with BJJ Track may also collect analytics or advertising data when those features are enabled by the customer.
We may use telemetry and analytics to build aggregated or de-identified benchmarks, product insights, and service-quality reporting that do not reasonably identify a person.
3a. Anonymized Cross-Customer Aggregates
BJJ Track computes anonymized, aggregated statistics across customer tenants — for example, typical monthly-membership price ranges, common program names (Adult BJJ, Kids BJJ, No-Gi, etc.), average class-schedule density, and similar gym-operations baselines. These aggregates power features that benefit every customer, including AI-suggested pricing, schedule templates, program defaults at signup, and benchmark reports.
Bucketing. Benchmarks are computed by geographic bucket (ZIP code → city → metro → country) and by general gym profile (size band, program mix, urban/suburban/rural classification, median household-income band of the service area derived from public US Census or equivalent international data) so the suggestions surfaced to a Manhattan gym reflect Manhattan reality, not a national average. Where a specific bucket has too few contributing gyms to preserve anonymity (k-anonymity floor), the bucket is automatically merged upward until the floor is met or the benchmark is suppressed.
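The merge-upward rule described above, as an added illustration (not BJJ Track's own code). The floor value of 5, the row fields, and the sample gyms are assumptions constructed for the example; gyms that have opted out are excluded before any bucket is counted.

```python
from statistics import median

K_FLOOR = 5  # assumed value; the policy does not state its k-anonymity floor
LEVELS = ("zip", "city", "metro", "country")  # narrowest to widest, as in the policy

def _gym(zip_, city, metro, country, price, opted_out=False):
    return {"zip": zip_, "city": city, "metro": metro, "country": country,
            "price": price, "opted_out": opted_out}

# Constructed sample: one row per contributing gym, monthly price only.
GYMS = [
    _gym("10001", "New York", "NYC", "US", 260),
    _gym("10001", "New York", "NYC", "US", 240),
    _gym("10002", "New York", "NYC", "US", 250),
    _gym("10003", "New York", "NYC", "US", 300, opted_out=True),
    _gym("11201", "Brooklyn", "NYC", "US", 220),
    _gym("11215", "Brooklyn", "NYC", "US", 210),
    _gym("07030", "Hoboken", "NYC", "US", 200),
    _gym("8001", "Zurich", "Zurich", "CH", 180),
    _gym("8002", "Zurich", "Zurich", "CH", 190),
]

def price_benchmark(gyms, target, k=K_FLOOR):
    """Median price for the narrowest bucket around `target` holding >= k gyms.

    Returns (level, median_price, contributors), or None when even the widest
    bucket is below the floor and the benchmark must be suppressed.
    """
    pool = [g for g in gyms if not g["opted_out"]]  # opt-outs never contribute
    for depth, level in enumerate(LEVELS):
        # Match on this level and every wider one, so same-named cities in
        # different metros or countries are never pooled together.
        keys = LEVELS[depth:]
        bucket = [g for g in pool if all(g[f] == target[f] for f in keys)]
        if len(bucket) >= k:
            return level, median(g["price"] for g in bucket), len(bucket)
    return None  # suppressed: no bucket reaches the floor
```

For the first sample gym the ZIP and city buckets are too small, so the benchmark is served from the metro bucket; the two Zurich gyms never reach the floor and get no benchmark.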
The following are never shared, exported, or surfaced across customers: gym names or brands, member identities, staff identities, contact information, financial account or payout details, individual transaction histories, or any free-form notes. Personally identifying information stays inside each tenant boundary. Demographic context is taken from publicly available statistics for the gym's ZIP / postal code — we do not collect or aggregate demographic information about individual members.
Customers may opt out of contributing to anonymized aggregates at any time from Settings → Privacy & Data. Opting out does not affect any other Service feature, and historical aggregates already computed are not rebuilt to remove the contribution — the opt-out applies going forward.
4. Data Maintenance and Quality Controls
To operate the Services, BJJ Track may normalize, deduplicate, enrich, reconcile, back up, migrate, restore, suppress, archive, or otherwise maintain data across live systems, recovery systems, and audit systems. We may also preserve immutable or semi-immutable event histories where needed for legal evidence, fraud analysis, billing reconciliation, opt-out enforcement, or service restoration.
Data maintenance activity may continue after a customer cancels if the work is reasonably necessary to complete refunds, resolve chargebacks, respond to legal requests, honor opt-outs, investigate abuse, preserve evidence, or enforce our agreements.
5. Retention Windows
Retention periods vary by data type and legal purpose. Platform-default windows (each customer may tighten these in their admin settings; the tenant's published Privacy Policy reflects their actual values):
- Voice AI call recordings: 90 days after the call. Recordings are then deleted from our voice provider (Twilio) via the Twilio API and the local URL is cleared. The tenant can shorten this in their admin settings (minimum 30 days, the practical TCPA dispute window).
- Voice AI call transcripts: 12 months after the call. Transcripts are nulled in our database.
- SMS and email consent records (the row that proves opt-in): 5 years from the date consent was given. This matches the FTC Telemarketing Sales Rule retention floor (16 CFR § 310.5) and the practical TCPA statute-of-limitations window. Tenants cannot shorten below 4 years.
- Active customer data is retained while the customer remains active and while the data is needed to provide the Services.
- Former-customer operational data may remain in recoverable or archived form for up to approximately 180 days after account lock or cancellation to support reactivation, export, dispute response, fraud review, or restoration.
- Billing, tax, refund, payout, dispute, and chargeback records may be retained longer as required by law, processor rules, accounting practice, or evidentiary needs.
- Consent, unsubscribe, suppression, audit, and security records may be retained as long as reasonably necessary to demonstrate compliance, prevent abuse, or honor legal obligations.
- Backups and disaster-recovery copies may persist for a limited period after deletion from live systems.
Every automated deletion that runs against these windows writes an audit row to data_deletion_audit with the resource type, action taken, and subject identifiers. Every consumer-initiated deletion request (CCPA / CPRA / VCDPA / CPA / CTDPA / UCPA / TDPSA / GDPR Art. 17) is tracked in data_deletion_requests with the statutory SLA (30 days for GDPR / UK GDPR, 45 days for US state privacy laws) and is fanned out across voice recordings, transcripts, members, leads, profiles, messages, and consent records on execution.
5a. Voice AI — PCI DSS handling
BJJ Track's Voice AI is configured to never solicit or accept credit card numbers, CVV / CSC / security codes, expiration dates, or cardholder names over the phone. For any payment-related action, the assistant sends a secure Stripe payment link by SMS or email.
As a second line of defense, every live transcript chunk is scanned for credit-card / CVV patterns. When the scanner fires:
- The Twilio recording is paused via the recording-control API within ~1 second of the digits being spoken, so the audio file never captures the sensitive data.
- The transcript text is replaced with [REDACTED:card] before durable storage.
- An audit row is written to pci_redaction_events with the pattern type and mitigation action — never with the matched cleartext.
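A sketch of the transcript-side scanner described above, added here as an illustration (not BJJ Track's own code) and covering the card-number pattern only. The class, the audit field names, the pause_recording hook, and the sample chunks are assumptions; the point it adds is that a number can be split across two live chunks, so trailing digits are held back until the next chunk arrives.

```python
import re

# Assumes the speech-to-text engine emits numerals. Any run of 13+ digits,
# optionally split by spaces or hyphens, is treated as a card candidate.
CARD_RE = re.compile(r"\b\d(?:[ -]*\d){12,}\b")
TRAILING_DIGITS_RE = re.compile(r"\d[\d -]*$")

def luhn_ok(number):
    digits = [int(c) for c in number if c.isdigit()][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class ChunkRedactor:
    """Redacts card numbers from one call's stream of transcript chunks."""

    def __init__(self, call_id, pause_recording=lambda: None):
        self.call_id = call_id
        self.pause_recording = pause_recording  # hypothetical hook, no-op here
        self.held = ""    # trailing digits not yet released for storage
        self.audit = []   # stands in for rows of pci_redaction_events

    def _redact(self, match):
        self.pause_recording()  # stop the audio first, then clean the text
        # Pattern type and mitigation only; the matched digits are never stored.
        # luhn_valid lets false positives be measured without keeping cleartext.
        self.audit.append({"call_id": self.call_id, "pattern": "card",
                           "luhn_valid": luhn_ok(match.group(0)),
                           "action": "recording_paused,transcript_redacted"})
        return "[REDACTED:card]"  # fail closed: redact even if Luhn fails

    def feed(self, chunk):
        """Return the part of the transcript that is safe to store now."""
        text = CARD_RE.sub(self._redact, self.held + chunk)
        # A number can straddle two chunks, so hold a trailing digit run back
        # until the next chunk (or flush) shows whether it completes a card.
        tail = TRAILING_DIGITS_RE.search(text)
        self.held = tail.group(0) if tail else ""
        return text[:len(text) - len(self.held)]

    def flush(self):
        """End of call: release whatever is still held."""
        out, self.held = self.held, ""
        return out
```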
BJJ Track does not store sensitive authentication data (CVV / CSC / track data) under any circumstances. Per PCI DSS 3.2.1 § 3.2, this data MUST NOT be retained after authorization, even encrypted.
6. Non-Payment, Archival, and Reinstatement
If an account becomes delinquent, suspended, canceled, or locked for non-payment, certain live features may be restricted before archived data is purged. Operational data may be preserved through the standard non-payment and archival timeline so that the customer can potentially reactivate, export, or resolve disputes before final deletion or anonymization processing occurs.
7. Deletion and Suppression Requests
Deletion requests are subject to identity verification, customer-control considerations, backup cycles, legal holds, dispute preservation, and retention obligations. In some cases, suppression, de-identification, anonymization, or restricted processing is more appropriate than complete deletion.
Request procedures are described on our Data Deletion page.
8. Sensitive Data and Minors
BJJ Track is not intended to store highly regulated categories of data unless we expressly agree otherwise in writing. Customers remain responsible for determining what information they place into the platform, including information relating to minors, guardians, waivers, injuries, or other sensitive operational details.
9. Contact Information
Lux Services LLC
8801 Colorado Bend, Lantana, TX 76226
Email: contact@bjjtrack.com
Website: bjjtrack.com