Privacy Policy
Last updated: 18 July 2026
This Privacy Policy describes how Studio X ISH ("we", "us", or "our") collects, uses, and protects your information when you use our website and services at studioxish.com.
1. Information we collect
Account information: When you sign up, we collect your email address and any profile details you choose to provide, such as your name.
Usage data: We collect information about the classes you watch, save, and schedule, as well as your membership status and subscription history.
Optional calendar data: If you choose to connect Google Calendar, we store the connection tokens needed to add scheduled classes to your calendar and read back event confirmations.
Technical data: We automatically receive standard device and browser information (such as IP address, browser type, and operating system) to help us keep the service secure and performant.
2. How we use your information
We use your information to provide and improve the studioxish service, process your membership payments, personalise your practice library, send you class reminders, and respond to your support requests.
3. Sharing your information
We do not sell your personal information. We share data only with trusted service providers that are necessary to run the app:
- Supabase — for secure authentication, database hosting, and user management.
- Stripe — for processing membership payments and subscriptions.
- Google — only when you explicitly connect Google Calendar, to sync scheduled classes to your calendar.
4. Cookies and analytics
We use essential cookies to keep you signed in and maintain your session. We may also use analytics cookies to understand how the site is used and to improve the experience. You can control analytics cookies through your browser settings.
5. Data retention
We keep your account information for as long as your account is active. If you delete your account, we will remove or anonymise your personal data within a reasonable time, except where we are required to keep it for legal or accounting purposes.
6. Your rights
You can access, update, or delete your account information from your account settings. You may also request a copy of your data or ask us to delete it by contacting us at the email below.
7. Contact us
If you have questions about this Privacy Policy, please contact us at: ish@studioxish.com
8. Google user data & data protection
When you connect your Google Calendar, studioxish requests only the minimum scopes required to create, update, and remove the class events you schedule in the app (calendar.events), plus your email address so we can show which Google account is connected. We do not read any other events on your calendar, and we never use Google user data for advertising, resale, or training AI/ML models.
How we protect this sensitive data:
- Encryption in transit: all communication with Google APIs and with our servers uses HTTPS/TLS 1.2+.
- Encryption at rest: OAuth access tokens and refresh tokens are stored in our managed Postgres database (Supabase), which encrypts data at rest using AES-256. Tokens are held in a row-level-security protected table and are readable only by server-side code acting on your behalf.
- Access control: tokens are scoped to your user account via row-level security policies and are never exposed to the browser, other users, or third parties. Only a small number of authorised administrators can access production infrastructure, and all access is logged.
- Third-party sharing: we do not sell, transfer, or share Google Calendar tokens or any Google user data with any third party outside of the Google API calls needed to operate the calendar features you initiate.
- Retention & deletion: you can disconnect Google Calendar at any time from your account settings, which immediately revokes the tokens with Google and deletes them from our database. Deleting your studioxish account also deletes any stored Google tokens. To request deletion of your Google-connected data, contact us at ish@studioxish.com and we will remove it within 30 days.
- Security incidents: if we become aware of a breach affecting Google user data, we will notify affected users and Google without undue delay and in accordance with applicable law and our incident-response procedures.
- Limited use: studioxish's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.