Privacy Policy

QuickKicks is a service of Trixy LLC, a Pennsylvania limited liability company. This policy explains what we collect, how we use it, where it lives, and who else touches it. If anything here is unclear, email hello@quickkicks.app and a person will answer.

Who is the data controller

Two different kinds of data flow through QuickKicks, and the controller depends on which one:

• Marketing-site visitors and trial signups. When you browse quickkicks.app or submit a demo, contact, or trial-signup form, Trixy LLC is the data controller for the personal data you send us (name, business name, email, phone, free-text notes).
• Members and guardians inside a QuickKicks account. When a school, gym, or studio runs its business on QuickKicks, the school is the controller for its members’ data. QuickKicks is the processor. We act on the school’s documented instructions and do not use that data for our own purposes.

What we collect

• Account data. Name, email, password hash, role, and the organization you belong to. Passwords are stored only as salted hashes by our identity provider; we never see the cleartext.
• Business data the school stores in QuickKicks. Member and guardian contact details, attendance, progression history, memberships, invoices, payment metadata (last four digits, brand, status), events, and communications you send through the platform. At a school’s discretion this can also include the health and medical notes and emergency-contact details a member provides at enrollment, and signed waivers together with their electronic-signature records (described below).
• Operational data. Device, browser, IP address, timestamps of significant actions (login, signup, payment events), and error logs. Used for security, abuse prevention, and debugging.
• What we don’t collect. We do not store full card numbers, bank account numbers, or CVV codes. Those go directly to Stripe. We do not run third-party advertising trackers or sell contact lists.

How we use it

• To create and run your account and respond to your requests.
• To deliver transactional email (verification codes, receipts, payment alerts) and the communications you choose to send to your members.
• To detect and block abuse, including rate-limiting signups and verifying that humans, not bots, are creating accounts.
• To capture and preserve electronic-signature evidence for waivers and other agreements, as required by the ESIGN Act and UETA.
• To meet accounting, tax, and other legal obligations.

Electronic signatures and waivers

When a member or guardian signs a liability waiver or other agreement electronically through QuickKicks, we capture and retain a record of that signature as legal evidence of consent: the signature image, the signer’s name and email, the exact text and version they agreed to, a timestamp, the IP address and device/browser used, and the consumer-consent disclosures the signer accepted under the federal ESIGN Act (15 U.S.C. §7001) and the Uniform Electronic Transactions Act (UETA). This evidence exists to make the signed record provable and tamper-evident.

A school can export or print these records, along with a member’s enrollment details, for its own legitimate purposes, for example to provide them to its insurer. QuickKicks acts as the processor; whether and to whom a school discloses its members’ records is the school’s decision as the data controller, governed by the school’s own privacy notice.

Where data is hosted

Production data is stored in the United States on Microsoft Azure (East/Central/West US regions). If you are in the EU, UK, or another region with cross-border-transfer rules, your data will leave that region to reach our servers. By using QuickKicks you instruct us to process it in the US for the purposes described above.

Sub-processors

We use a small set of vendors to run the service. Each is bound by its own data-protection commitments, and we use them only for the purpose listed.

• Microsoft Azure — hosting and managed Postgres. United States.
• Stripe — payments via Stripe Connect. Each school connects its own Stripe account, so the school’s members’ card data goes directly to Stripe, not to us. Stripe is the data controller for the payment transaction itself.
• Cloudflare — edge delivery, DDoS protection, and the Turnstile bot challenge on the signup form.
• Zoho (ZeptoMail) — transactional email delivery (verification codes, receipts, communications sent through the platform).

If we add or change a sub-processor we will update this list before the change takes effect for paying customers.

Multi-tenant isolation

Every business record in QuickKicks is tagged with the organization that owns it. Application queries always filter by organization, and we are rolling out database-level row security as a second layer so a missing filter cannot leak data across tenants. Staff at one school cannot see another school’s members, period.

Cookies

We use cookies for authentication (HttpOnly, secure session cookies set after you sign in or verify a trial code) and for the Cloudflare Turnstile challenge. We do not set marketing or cross-site advertising cookies on this site.

Data retention

While your account is active, we keep your business data so the platform works. After cancellation we keep it for 30 days to allow recovery and export, then delete it from production within the next 30 days. Backups roll off on a 30-day cycle. Records we are required to retain for tax or accounting reasons (invoices, payouts) are kept for seven years. Signed waivers and their electronic-signature evidence are retained for as long as the school instructs and as needed to establish or defend legal claims, which may be longer than the periods above.

Your rights

You can request access to, correction of, export of, or deletion of your personal data. If your data is in the platform as a member of a school (rather than as the account owner), please contact the school first; they are the controller. For everything else, email hello@quickkicks.app from the address on file and we will respond within 30 days. EU and UK residents have the rights set out in the GDPR / UK GDPR, including the right to lodge a complaint with a supervisory authority.

Children

QuickKicks is sold to businesses, not children. Many of those businesses teach minors, and the school’s account stores data about those members. We rely on the school to obtain the consents required by law in its jurisdiction (including COPPA in the US, where applicable). We do not knowingly collect personal data directly from children for our own purposes.

Security incidents

If we discover a security incident that affects your data, we will notify the affected account owners without undue delay and within the timeframes required by law.

Changes

We may update this policy as the platform evolves. The “last updated” date at the top reflects the most recent change. Material changes will be announced to account owners by email.

Contact

Trixy LLC
Email: hello@quickkicks.app