title: Tempo — Privacy Policy status: DRAFT — pending lawyer review last_updated: 2026-04-27 effective_date: TBD (set on launch) review_status: drafted by Paige (technical writer); NOT reviewed by counsel
⚠️ This is a draft. It has been written to Termly / TermsFeed-style structure, tailored to Tempo's actual data flows, and is intended as a starting point for review by Robin's lawyer-friend before going live. Anywhere this draft makes a legal call that needs professional review is flagged inline as ****. Do not publish without that review.
Each section starts with a plain-English In short summary. The legal language sits below it. If the two ever drift apart, the legal language controls — but the plain-English version is what we mean and what we'll honour.
This Privacy Policy works alongside the Terms of Service. Capitalised terms not defined here have the meanings given in the Terms.
1. Who we are
In short: Tempo is software for any business that rents equipment, runs lessons, or hosts guided activities — whether as their main thing or as a side offering alongside accommodation, food and drink, or retail. Hostels, hotels, campgrounds, surf and dive schools, bike rentals, retreat centres, beach bars with paddleboards out front — anything in that family. We're a Canadian sole proprietorship. We collect personal data in two different roles — sometimes we decide what to do with it, sometimes we just store it for the business that does. The next section explains the difference.
The Service is provided by Robin Mazure, carrying on business as Tempo , a sole proprietorship incorporated in [Canadian province TBD] ("Tempo", "we", "us", or "our").
This Privacy Policy describes how we collect, use, share, and protect personal data in connection with the Service.
For privacy questions or requests, contact: privacy@usetempo.net (see §11 for response times and procedures).
2. Scope of this policy
In short: This policy covers usetempo.net, our dashboard, our public booking pages, the instructor portal, and the emails we send. It does not cover the websites or services of the businesses that use Tempo — those have their own privacy policies.
This Privacy Policy applies to:
- The marketing website at
usetempo.net. - The Tempo workspace dashboard (the app a Customer's staff uses).
- The slim instructor / guide self-service portal.
- The public guest booking pages we host on behalf of our Customers at
usetempo.net/{your-slug}. - The automated transactional emails we send on behalf of our Customers.
- Any direct communications with us (sales, support, billing).
It does not cover:
- The Customer's own website, marketing channels, or social-media presence.
- Any third-party service the Customer uses to collect payments from its guests (the Customer's own Stripe account, Mollie account, or any other payment rail).
- Any third-party service linked to from a Tempo page (Stripe's checkout page, our hosting providers' status pages, etc.).
3. Our two roles: Controller and Processor
In short: When a business signs up for Tempo, that business's account data is our responsibility. When one of its guests books a surf lesson, a bike rental, or any other activity through it, the guest's data is the business's responsibility — we just store it on their behalf. This distinction matters legally.
Under the EU General Data Protection Regulation ("GDPR") and equivalent laws elsewhere, two roles exist:
- A data controller decides why and how personal data is processed.
- A data processor processes personal data only on the instructions of a controller.
Tempo plays both roles, depending on whose data is involved:
| Whose data | Tempo's role | Who is the controller |
|---|---|---|
| Customer Workspace data — names, emails, billing addresses, and account information of the Customers and their staff who subscribe to Tempo | Controller | Tempo |
Customer marketing-website visitor data — analytics and contact-form submissions on usetempo.net | Controller | Tempo |
| Instructor / guide portal account data — names, emails, schedules, availability, profile info of instructors using the slim portal | Controller for the account itself; Processor for any schedule/availability data that is also the Customer's operational data | Tempo (account); Customer (operational schedule data) |
| Guest booking data — names, emails, phones, dates of birth, emergency contacts, waiver signatures, and booking history of the people who book activities, lessons, or rentals from our Customers | Processor | The Customer (the business) |
| Workspace audit log | Controller for security/compliance purposes; Processor for the Customer's operational visibility | Tempo (compliance); Customer (operational visibility) |
Sections 4, 5, 6, and 7 of this Policy cover Tempo as Controller — what we do with the data we own.
Section 8 covers Tempo as Processor — what we do with the data the Customer owns. Sections 9–12 apply across both roles.
4. Data we collect (Tempo as Controller)
In short: We collect what we need to run the Service: your name and email so you can sign in, your billing details so we can bill you, basic usage data so we can debug crashes and fix bugs.
4.1 Account data
When you create a Tempo Workspace, we collect:
| Field | Why | Required? |
|---|---|---|
| Email address | Account identity, sign-in, billing emails, transactional notifications | Yes |
| Password (hashed, never stored in cleartext) | Authentication | Yes |
| Full name | Personalisation, support context | Yes |
| Business name | Workspace identity | Yes |
Workspace slug (usetempo.net/{your-slug}) | Public booking-page URL | Yes |
Self-declared business size (small_ops or larger_ops) | Subscription pricing tier | Yes |
| Country, time zone, default currency | Tax calculation, time-zone-aware emails, currency display | Yes |
| Phone (optional) | Account-recovery contact | Optional |
4.2 Billing data
For paid Subscriptions, we collect (or our payment processor Stripe collects on our behalf):
- Billing address (used by Stripe Tax to determine tax jurisdiction).
- Payment method (card details — these are handled directly by Stripe and never touch Tempo's systems).
- VAT / tax ID, if applicable, for B2B EU buyers eligible for reverse-charge VAT.
- Subscription history: plan tier, billing currency, start date, renewal date, payment status, dunning history.
4.3 Workspace member data
When a Customer invites teammates to a Workspace, we collect:
- Email addresses of invitees.
- Roles assigned (Admin / Staff).
- Names and login activity once the invitee accepts.
4.4 Instructor / guide portal account data
When a Customer invites an instructor or guide to the slim portal:
- Email address of the instructor.
- Name, profile information, hourly rate (set by the Customer).
- Login activity, session timestamps.
If an instructor is invited to a second Customer using the same email address, we associate the existing instructor account with the new Customer rather than creating a duplicate. The first Customer does not see that the instructor has another association; the second Customer does not see the first one. This is privacy-preserving by design.
4.5 Usage and technical data
When you use the Service we automatically collect:
- IP address (used for rate-limiting, abuse prevention, and approximate geolocation for tax / locale).
- Browser type, operating system, device type.
- Pages and features visited within the Service.
- Performance metrics and crash reports (collected via Sentry).
- Cookies and similar technologies — see §13.
4.6 Communications with us
If you contact us by email, through a contact form, or via in-app chat, we keep the message content, your contact details, and any attachments you send for support and record-keeping.
4.7 What we do NOT collect
- Card details. All payment-card data is handled directly by Stripe and never touches our systems. Stripe is PCI-DSS Level 1 certified.
- Special-category data about Workspace users (race, ethnicity, political opinions, religious beliefs, sexual orientation, health data, biometric data, or genetic data). We do not ask for and do not knowingly process special-category data about our Customers or their staff.
- Children's data about Workspace users. The Service is not intended for users under 18.
5. How we use the data (Tempo as Controller)
In short: To run the Service, bill you, support you, and improve the product. We don't sell your data, and we don't use it to train AI.
We use the data in §4 for:
| Purpose | GDPR legal basis |
|---|---|
| Providing the Service to you | Performance of contract (Art. 6(1)(b)) |
| Authenticating sign-in and protecting accounts | Performance of contract; legitimate interest in security (Art. 6(1)(b), (f)) |
| Billing, payment processing, dunning | Performance of contract; legal obligation for tax/accounting records (Art. 6(1)(b), (c)) |
| Tax calculation and reporting | Legal obligation (Art. 6(1)(c)) |
| Sending transactional emails (account, billing, security, product notices) | Performance of contract (Art. 6(1)(b)) |
| Sending product-update or marketing emails to Admin contacts | Legitimate interest in product communication, with one-click unsubscribe; OR consent where required (Art. 6(1)(a) or (f)) |
| Customer support | Performance of contract; legitimate interest (Art. 6(1)(b), (f)) |
| Debugging, security monitoring, crash reporting | Legitimate interest (Art. 6(1)(f)) |
| Aggregated, de-identified analytics about Service usage | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Defending or asserting legal claims | Legitimate interest (Art. 6(1)(f)) |
We will not:
- Sell personal data to anyone, ever.
- Use Customer Data or any personal data we collect to train any machine-learning or AI model.
- Share personal data with any third party except the sub-processors listed in §7, each of which is engaged solely to deliver the Service.
6. Data we collect (Tempo as Processor)
In short: When a business uses Tempo to record bookings, we hold the data the Customer collects from its guests — but the Customer decides what data it asks for, why, and how long to keep it. This part of the Privacy Policy describes what we technically hold, not what we decide to do with it.
6.1 Guest booking data
When a Guest books an activity, lesson, or rental from one of our Customers — either through the public booking page at usetempo.net/{your-slug} or through a booking entered by Customer staff in the Workspace — we store the data the Customer has chosen to collect, which may include:
| Field | Notes |
|---|---|
| Full name | Required for activity records and waivers |
| Email address | Required for booking confirmation |
| Phone number | Optional; collected by some Customers |
| Date of birth | Required where minors are involved or where activities have age restrictions |
| Emergency contact name and phone | Optional; recommended for higher-risk activities |
| Waiver signature image | Required before any activity booking can complete |
| Booking history with that Customer | Booking dates, equipment rented, lessons taken, instructor assignments |
| Notes added by Customer staff | E.g., dietary restrictions, accessibility needs, customer preferences |
6.2 Public booking page interactions
When a Guest visits a public booking page at usetempo.net/{your-slug}, we collect:
- IP address (for rate-limiting and abuse prevention; see §15).
- Approximate geolocation derived from IP (for default-locale and currency display).
- Browser/device data and pages viewed (for analytics and crash reporting).
- Honeypot field interactions and (where the Customer enables it) Cloudflare Turnstile tokens, used to filter automated traffic.
6.3 Transactional emails sent on behalf of the Customer
When we send automated emails on the Customer's behalf — booking confirmation, day-before reminder, change/cancellation notices — we record:
- The recipient email address.
- The send time and delivery status (sent / bounced / complained / suppressed).
- The message ID returned by our email provider (Resend), for tracing.
We do not retain the full message body of guest emails after delivery, except where the Customer has enabled per-Customer template overrides — in which case the configured template text is retained at the Customer record.
6.4 Anti-abuse and security data
To protect the public booking surface from abuse, we may also process:
- Rate-limiting counters per IP and per Customer.
- Email-bounce and complaint signals from Resend (managed via the
email_suppressionstable).
This processing is necessary to keep the Service available and is performed under our legitimate interest in service security (Art. 6(1)(f)) — even when the underlying data subject is a Guest, the security processing is Tempo's, not the Customer's.
7. Sub-processors
In short: To run Tempo, we use a small set of trusted vendors. Each one processes data only as needed to deliver the Service. We pick vendors with strong security and GDPR posture.
We engage the following sub-processors. Each is bound by contractual obligations (a data-processing addendum or equivalent) consistent with Article 28 GDPR.
| Sub-processor | Purpose | Data categories processed | Location |
|---|---|---|---|
| Supabase, Inc. | Primary database, authentication, file storage (waivers, proof photos, Customer-uploaded logos and photos), realtime subscriptions | All Customer Data, all Guest Data, all account data | EU (default region); database can be moved per Customer request — see note below |
| Vercel, Inc. | Application hosting, edge network, serverless functions, edge rate-limiting | All data passing through the application; logs may include IP and request metadata | Global edge network (US-headquartered) |
| Stripe, Inc. | Subscription billing (Stripe Billing, Stripe Checkout, Stripe Customer Portal); tax calculation (Stripe Tax); buyer-local-currency display (Adaptive Pricing) | Billing data only — Customer name, billing address, VAT ID, payment-card data (held directly by Stripe, never by Tempo) | Global; primary processing in US and Ireland |
| Resend, Inc. | Transactional email delivery (workspace invites, instructor invites, dunning, booking confirmation, day-before reminder, change/cancellation, sick-call reassignment) | Recipient email, sender data, message content, delivery metadata | US (with EU sending region available) |
| Sentry (Functional Software, Inc.) | Error and crash reporting | Stack traces, request metadata, user ID (Workspace user), error context | US |
| Cloudflare, Inc. | Optional CAPTCHA challenge (Turnstile) on public booking pages, configurable per Customer | IP, browser metadata, Turnstile interaction data | Global |
| Crisp IM SAS | Customer support live chat (if and when enabled) | Visitor email, chat transcripts, page context | EU (France) |
: every sub-processor named above must be confirmed against:
- Their current published DPA / sub-processor list.
- Their current SCC / UK IDTA / Swiss IDTA posture for international transfers.
- Their data-residency commitments (Supabase in particular allows EU-only residency, which we should default to for EU Customers).
The list should be reproduced on a public sub-processors page at usetempo.net/legal/sub-processors with a change-log and an email-subscription option for Customers who want notice of additions (some EU procurement frameworks require this). Counsel to advise on a minimum notice period (industry standard: 30 days advance notice of new sub-processors).
We may add or change sub-processors. When we do, we will:
- Update this list.
- Notify Admin contacts by email at least 30 days before the change takes effect, where reasonably practicable.
- Give Customers a reasonable opportunity to object — and, if the objection cannot be resolved, to terminate the Subscription.
8. International data transfers
In short: Some of our vendors are based outside Canada and the EU, including in the US. When data crosses borders, we use legally-recognised safeguards.
Where personal data is transferred outside the country of the data subject (in particular, transfers from the EEA, UK, or Switzerland to the US or other "third countries" under GDPR), we rely on:
- The European Commission's Standard Contractual Clauses (SCCs) for data transfers, in their most recent form, included in our agreements with each affected sub-processor.
- The UK International Data Transfer Addendum (UK IDTA) where UK personal data is involved.
- The Swiss SCC variant where Swiss personal data is involved.
- For US-based sub-processors that are certified under the EU–US Data Privacy Framework (DPF), we additionally rely on the DPF as a transfer mechanism.
Where required and where reasonably feasible, we apply additional technical measures including encryption at rest and encryption in transit (TLS 1.2+).
A summary of the transfer mechanisms used for each sub-processor is available on request to privacy@usetempo.net.
9. Data retention
In short: We keep Customer Workspace data while you have a Subscription. We keep Guest data the Customer collects for 24 months by default, unless the Customer sets a different period. We back up everything for a few weeks longer for disaster recovery.
9.1 Workspace data (Tempo as Controller)
| Data type | Retention |
|---|---|
| Workspace account, billing data, audit log | For the duration of the Subscription, plus 90 days after cancellation, then deleted (or anonymised, in the case of audit-log entries — see §9.4). |
| Tax and accounting records | At least 6 years after the end of the relevant fiscal period, as required by Canadian tax law (Income Tax Act). |
| Workspace member account data | Until the member is removed by the Workspace Admin; deleted within 30 days thereafter. |
| Crash reports and Sentry data | 90 days. |
| Marketing-website analytics | Up to 26 months (Google Analytics 4 default). |
9.2 Guest data (Tempo as Processor)
The default retention for Guest data is 24 months from the date of the Guest's last booking. This is configurable per Customer — Customers can shorten or lengthen this in their Workspace privacy settings.
After the configured retention period:
- Guest records are automatically purged by a scheduled background job.
- Waiver signature images are deleted from object storage.
- Booking history is anonymised (Guest identifiers stripped; aggregate counts retained for the Customer's analytics).
If a Customer cancels their Subscription, all Guest data they hold within their Workspace follows the deletion timeline at §9.3 — not the 24-month default.
9.3 What happens to data when a Subscription ends
| Event | Workspace data | Guest data |
|---|---|---|
| Trial expires (14 days, no Subscription) | Read-only for 30 days; then deleted unless Customer reactivates | Same |
| Customer cancels paid Subscription | Read-only at end of paid period; full deletion 90 days thereafter unless reactivated | Same |
| Subscription terminated by Tempo for cause | Deletion within 30 days | Customer is given a 30-day export window before deletion |
| Subscription terminated by Tempo for convenience | Deletion within 60 days | Customer is given a 30-day export window before deletion |
9.4 Backups and audit log
- Backups: routine database backups are retained for 30 days. Encrypted at rest. Restored only for disaster-recovery purposes. Backups expire on rolling schedule and are not separately deleted on a data-subject-erasure request — instead, the original record is deleted and the backup is allowed to age out.
- Audit log: entries in the Workspace audit log are retained for the lifetime of the Workspace (with the same Subscription-end deletion rules above). When a data subject's right to erasure is invoked (see §10), the audit-log entries that mention them are anonymised (their
actor_user_idis set toNULL) rather than deleted, so the security and compliance value of the log is preserved without retaining the identifier.
10. Your rights
In short: You can ask us what data we have on you, ask us to fix it, ask us to delete it, ask for a copy you can take elsewhere, and tell us to stop processing it. If you're a guest of one of our Customers, your request usually goes to the business — but we'll help.
10.1 Rights of Workspace users (Tempo as Controller)
If you are a Workspace user — a Customer's Admin, Staff, or instructor — you have the following rights with respect to your personal data, subject to applicable law:
| Right | What it means |
|---|---|
| Access | Ask us for a copy of the personal data we hold about you. |
| Rectification | Ask us to correct inaccurate or incomplete data. |
| Erasure | Ask us to delete your data ("right to be forgotten"), subject to legal exceptions (e.g., tax records). |
| Restriction | Ask us to limit processing while we resolve a dispute about accuracy or lawfulness. |
| Portability | Get a machine-readable copy of the data you have provided, to take to another service. |
| Objection | Object to processing based on legitimate interest (we will stop unless we have compelling grounds). |
| Withdraw consent | Where processing is based on consent, withdraw it at any time (without affecting prior lawful processing). |
| Lodge a complaint | File a complaint with your local data-protection authority — see §10.4. |
10.2 Rights of Guests (Tempo as Processor)
If you are a guest of one of our Customers — i.e., you booked an activity, lesson, or rental from a business that uses Tempo — your rights are exercised against the Customer, not against Tempo, because the Customer is the data controller. Please contact the Customer directly.
If a Guest contacts us first, we will:
- Forward the request to the relevant Customer within 5 business days.
- Notify the Guest that we have done so.
- Assist the Customer in fulfilling the request promptly upon their reasonable instruction.
If a Customer does not respond, the Guest may complain to the data-protection authority in their country of habitual residence (see §10.4).
10.3 How to exercise your rights
Email privacy@usetempo.net with:
- Your name and the email associated with your account (or, for a guest request you wish us to forward, the business name and your booking email).
- A description of the right you want to exercise.
We will respond:
- Within 30 days for Workspace users (extendable by a further 60 days for complex requests, with notice to you).
- Within 5 business days to acknowledge a Guest request and forward it to the relevant Customer.
Most rights can be exercised free of charge. We may charge a reasonable fee (or refuse) only where a request is manifestly unfounded or excessive, in line with Article 12(5) GDPR.
10.4 Complaints to a data-protection authority
If you believe our processing of your data infringes a data-protection law, you may complain to:
- Your local supervisory authority in the EEA. [Lookup tool: https://edpb.europa.eu/about-edpb/about-edpb/members_en — leave the URL out of the published version; it's here for the lawyer's reference. Or include it once counsel approves.]
- The UK Information Commissioner's Office (ICO) —
ico.org.uk. - The Federal Privacy Commissioner of Canada —
priv.gc.ca. - The Quebec Commission d'accès à l'information — if Tempo's chosen province is Quebec.
11. How to contact us about privacy
In short: Email is best.
| Topic | |
|---|---|
| Data-subject requests, GDPR matters | privacy@usetempo.net |
| Sub-processor change notifications (subscribe) | privacy@usetempo.net — subject line "subscribe sub-processors" |
| Security vulnerabilities | security@usetempo.net |
| All other privacy questions | privacy@usetempo.net |
Postal address (for legal notices only):
We aim to acknowledge all privacy-related emails within 3 business days and to substantively respond within the timelines in §10.3.
12. Children
In short: Tempo is not for children. Our Customers might, however, collect data about minors who book activities through their parents — that's the Customer's responsibility, not ours.
12.1 Workspace users
The Service is intended for users aged 18 or older. We do not knowingly collect personal data from children under 16 about Workspace users.
12.2 Guests who are minors
Some activities offered by our Customers (surf lessons, guided hikes, etc.) may involve minors. In those cases:
- The Customer is the data controller and is responsible for obtaining any required parental consent.
- The Service supports a parental-consent variant of the waiver flow, where a parent/guardian signs on behalf of the minor.
- The Service supports a multi-minor consolidated variant where one parent signs once for several children at once.
- Tempo as processor stores the parent's consent record alongside the minor's booking data.
It is the Customer's responsibility — not Tempo's — to ensure that data collection from minors is lawful in the Customer's jurisdiction.
13. Cookies and similar technologies
In short: We use cookies for sign-in (essential), preferences (essential), and a small amount of basic analytics so we can fix the parts of Tempo people get stuck on. We do not use advertising or tracking cookies.
13.1 Categories
| Category | Purpose | Examples | Consent required? |
|---|---|---|---|
| Strictly necessary | Sign-in session, CSRF protection, locale preference, currency preference | Tempo-session, Tempo-locale | No |
| Functional | Workspace last-visited tab, feature-tour completion state | Tempo-tour-state | No (or yes per jurisdiction — see ) |
| Analytics | Aggregate usage analytics for product improvement; we do not use advertising trackers | First-party analytics only | Yes (consent banner required) |
| Advertising / tracking | None | None | N/A — we do not use these |
13.2 Third-party cookies
Public booking pages may set cookies originating from sub-processors (Vercel, Cloudflare, Stripe). These are governed by the sub-processors' own privacy policies; the most relevant for Tempo are:
- Stripe:
https://stripe.com/privacy - Vercel:
https://vercel.com/legal/privacy-policy - Supabase:
https://supabase.com/privacy - Cloudflare:
https://www.cloudflare.com/privacypolicy/
14. Security
In short: We take security seriously. Encryption everywhere, strict access control, multi-tenant isolation enforced at the database level, and audit logging.
14.1 Technical measures
- Encryption in transit for all connections to the Service (TLS 1.2+).
- Encryption at rest for all databases and object storage holding personal data.
- Strict tenant isolation via Postgres Row Level Security (RLS) policies on every table that holds tenant-scoped data — a failure in tenant isolation is treated as a security incident, not a bug.
- Service-role credentials scoped to trusted server contexts only and never exposed to client-side code.
- Webhook signature verification for all inbound integrations (Stripe, Resend bounce/complaint webhooks).
- Rate limiting on public-facing endpoints to mitigate abuse.
- Audit logging of every consequential change to a Workspace and every access to Guest data — see §15.
14.2 Organisational measures
- Principle of least privilege: access to production systems is limited to those who need it for operations.
- No customer data in development or staging environments: development and staging use synthetic / sample data only.
- Vendor due diligence: we evaluate sub-processors for security posture, GDPR compliance, and incident-response track record before engaging them.
- Incident response: in the event of a data breach affecting personal data, we will notify affected Customers without undue delay and, where required, the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR).
14.3 What we cannot guarantee
No system is perfectly secure. While we apply industry-standard safeguards, we cannot guarantee absolute security of any data transmitted to or stored on the Service. You are responsible for protecting the credentials of your own account and for keeping the email address on your account secure.
15. Audit log
In short: Every consequential action in a Workspace — and every access to Guest data — is recorded in an audit log. Admins can review it. We can review it for security and compliance.
The Service maintains a per-Workspace audit log recording, at minimum:
- Workspace User invites, accepts, role changes, removals.
- Equipment creation, modification, retirement.
- Booking creation, modification, cancellation.
- Waiver collection events.
- Read-only-mode toggles.
- Subscription tier changes.
- Data-export and data-deletion requests received and fulfilled.
- Access to Guest data export and bulk Guest data views (in support of GDPR DR-04 — audit log of all guest data access and modifications).
The audit log is append-only at the database level — no entries can be modified or deleted, including by Admins.
When a data-subject-erasure request is fulfilled, the affected actor identifier in audit-log entries is anonymised (set to NULL) rather than deleted, to preserve the security and compliance value of the log without retaining the identifier. See §9.4.
Workspace Admins can review their Workspace's audit log via the dashboard. Tempo personnel access the audit log only for the security and compliance purposes set out in §5.
16. Marketing communications
In short: We may email Admin contacts about product updates and feature launches. One-click unsubscribe. We don't sell the list to anyone.
We may send Admin contacts:
- Transactional emails about their account, billing, security, and Service changes — these are necessary to deliver the Service and cannot be unsubscribed from while the account is active.
- Product-update emails covering feature launches, important changes, and occasionally tips. Each email contains a one-click unsubscribe link. Unsubscribing applies only to product-update emails — transactional emails continue.
We do not:
- Send promotional emails to Guests on behalf of Customers (this is outside the scope of the Service in V1).
- Sell, rent, or otherwise share email addresses with third parties for their marketing purposes.
17. Specific provisions for Canadian users (PIPEDA / Quebec Law 25)
In short: If you're in Canada, federal and provincial privacy law also applies. Quebec has the strictest rules.
For users in Canada:
- We comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
- For users in Quebec, we comply with the Act respecting the protection of personal information in the private sector as amended by Loi 25, including its requirements around privacy-impact assessments, automated-decision disclosures, and data-residency notification.
18. Specific provisions for EEA, UK, and Swiss users
In short: Standard GDPR coverage. Sub-processors use SCCs. You can complain to your local DPA.
For users in the European Economic Area, the United Kingdom, or Switzerland:
- The legal bases for processing are listed in §5 (Tempo as Controller) and §6 (Tempo as Processor).
- International transfers rely on the safeguards set out in §8.
- Data-subject rights are exercised per §10.
- For Customers, the data-processing terms in this Privacy Policy §3 and §6 constitute a Data Processing Agreement under Article 28 GDPR. By accepting the Terms of Service, you accept that DPA. A separately-signed DPA is available on request — see Terms of Service §24.
- The supervisory authority you may complain to is the one in your country of habitual residence, place of work, or place of the alleged infringement.
19. Specific provisions for US users
In short: Some US states give you specific rights. We honour them.
We currently operate without targeting any specific US state, but for Customers and Guests resident in California, Colorado, Connecticut, Virginia, and other states with comprehensive consumer-privacy laws:
- We do not sell personal data and do not engage in "sharing" for cross-context behavioural advertising.
- We do not use personal data for targeted advertising.
- You have rights of access, deletion, correction, and portability — exercised via §10 above.
- You may appoint an authorised agent to make a request on your behalf.
20. Changes to this policy
In short: If we change this policy, we'll tell you 30 days before, by email and in-app. The "Last updated" date at the top changes too.
We may update this Privacy Policy from time to time. When we make material changes — including new categories of data collected, new sub-processors, or new purposes of processing — we will:
- Email Admin contacts and post an in-app notice at least 30 days before the new policy takes effect.
- Update the "Last updated" date at the top of this document.
- Maintain a changelog at
usetempo.net/legal/privacy-policy/changelog.
For non-material changes (typo fixes, clarifications, address updates), we may update this Privacy Policy without notice.
21. Glossary
Controller / Processor — see §3.
Customer Data — all data, content, and information uploaded, entered, or generated within the Service by a Customer or its Workspace Users, including data about Guests. See Terms of Service §2.
Customer — the business or organisation that subscribes to Tempo. Tempo is built for any business that offers equipment rentals, lessons, or guided activities — whether as the core of the business or as a side offering alongside accommodation, food and drink, retail, or anything else. Examples include hostels, hotels, campgrounds, glamping sites, surf and ski schools, dive shops, bike and SUP rentals, guided-hike and food-tour operators, yoga and pilates studios, retreat centres, beach bars with rental gear, climbing gyms running outdoor sessions, and similar small-to-mid businesses.
Guest — a person who books an activity, lesson, or rental from a Customer via the Service. Guests do not have Tempo accounts.
Workspace User — a user invited to a Customer's Workspace, holding one of two roles: Admin or Staff.
Sub-processor — a third-party service provider engaged by Tempo to process personal data on Tempo's behalf in delivering the Service. See §7.
Workspace — a single Customer's instance of the Service.