Who we are
AutomateDojo (operated by Hyder Media, Inc., the “Company”) provides website hosting, lead-capture, paid-advertising management, and CRM tooling to martial-arts schools (“Dojo Clients”) at https://automatedojo.com. This policy explains what data we collect, why, and what choices you have.
What we collect
We collect three kinds of data:
- From Dojo Clients (the business owners who subscribe): business name, address, phone, email, payment method (via Stripe — we never store full card numbers), brand assets, login credentials, and ad-account authorization tokens you grant us.
- From visitors to a Dojo Client's website or ads (the prospects and lead form respondents): name, email, phone, child age, program interest, and any other information voluntarily entered into a lead form on a site we host. We also receive standard browser data (IP, user agent, referrer) and ad-click identifiers from Meta and Google.
- From public sources during sales research: publicly listed business names, addresses, websites, and Google Business Profile data to prepare introductory pitches. If you're a martial-arts business owner who would prefer we don't do this, see “Your choices” below.
How we use it
- To operate, secure, and improve the platform our Dojo Clients pay for.
- To deliver leads and conversion events from the websites we host directly to the Dojo Client's CRM (Spark Membership, GoHighLevel, etc.) and inbox.
- To run, optimize, and report on paid advertising campaigns we manage on behalf of Dojo Clients (Meta Ads, Google Ads).
- To send transactional notifications (welcome, password reset, subscription confirmations).
- To audit changes our staff make to client accounts (compliance + collaboration).
- For aggregate, de-identified analytics that help us improve the product.
Who we share it with
We share data with the following categories of third parties strictly as needed to operate the service:
- Meta (Facebook + Instagram) — to run ads, measure conversions via the Meta Pixel and Conversions API, and retrieve Lead Ads form submissions on behalf of Dojo Clients who have authorized us as their agency.
- Google — for Google Ads campaigns, Google Tag Manager, Google Analytics 4, and reCAPTCHA on lead forms.
- Supabase — primary database and authentication provider for the platform.
- Stripe — payment processing for Dojo Client subscriptions.
- Vercel — hosting infrastructure for the platform and Dojo Client preview sites.
- Resend — transactional email delivery.
- Anthropic — AI extraction of content from Dojo Client websites and AI-assisted copy refinement.
- Spark Membership / GoHighLevel / Zapier — only when a Dojo Client has explicitly connected one of these CRMs and authorized us to forward leads to it.
Conversions API + ad-targeting events
Where a Dojo Client has connected their Meta or Google ad account, we may send server-side conversion events (page view, lead submission, schedule, purchase) to those platforms on behalf of that client. Personally identifiable fields (email, phone, name, location) are SHA-256 hashed before transmission in accordance with Meta's Conversions API specification. Hashing is one-way; the receiving platform cannot reverse the hash to recover the original identifier.
Where data lives
The platform's primary database and authentication service is hosted in the AWS us-west-2 region (Oregon, USA) via Supabase. Static assets are served via Vercel's global CDN. We do not intentionally route data through jurisdictions outside the United States.
How long we keep it
- Active Dojo Client data: for the lifetime of the subscription, plus 12 months after cancellation to support reactivation.
- Lead form submissions: 24 months by default; clients may request shorter retention.
- Audit log entries: indefinite (these contain who-did-what, no PII beyond staff email).
- Webhook payloads from Meta Lead Ads: 90 days, then auto-purged after CRM forwarding.
- Backups are retained for 30 days.
Your choices
- You are a Dojo Client: contact us at kenny@hyder.me to export, modify, or delete your data, or to cancel your subscription (which triggers data deletion per the retention schedule above).
- You filled out a lead form on a site we host: contact the dojo directly — they own that data, we just store it on their behalf. If the dojo is unresponsive, email us and we'll forward your request.
- You're a martial-arts business owner who doesn't want us to research / cold-email you: email kenny@hyder.me with your business name + domain and we'll add you to a permanent suppression list.
California (CCPA / CPRA) + EU (GDPR) residents
You have the right to know what we hold about you, to correct it, to delete it, and to opt out of any “sale” or “sharing” of personal information for cross-context behavioral advertising. We do not sell personal information. The conversion events sent to Meta + Google may qualify as “sharing” under CPRA; opt out by emailing kenny@hyder.me with the subject “Opt-out: ad sharing.”
Children
Our platform is operated for adult Dojo Clients. Some of those clients run programs for children, and their lead forms collect child age (e.g. “Lil' Dragons ages 4-6”) submitted by a parent or guardian. We rely on the Dojo Client to obtain appropriate parental consent in their jurisdiction. We do not knowingly collect data from children under 13 directly.
Security
All connections are TLS 1.3. Passwords are hashed with bcrypt. Stripe, Meta, and other third-party API tokens are stored encrypted at rest. Production access is limited to named admin users with audit logging on every action. Report security issues to kenny@hyder.me.
Changes to this policy
Material changes will be announced via in-app notice and email to active Dojo Clients 14 days before taking effect. Non-material changes (clarifications, new vendor additions in the same category) take effect on the date posted.