Privacy Policy

Last updated: March 21, 2026 · Effective: March 21, 2025

The short version: SessionEasy is a local-first app. Your sessions, invoices, and financial data never leave your device unless you explicitly share them (e.g. sending a PDF invoice). The only data we transmit to our servers is the minimum required for two features: AI-powered features and purchase management. For AI session logging, we transmit your voice or text input along with your student names (not contact details) and lesson types so the AI can accurately parse what you said. This policy explains exactly what that data is, why we need it, and how it is handled.

1. Who We Are

SessionEasy is developed and operated by Arealit Group ("we", "us", "our"). If you have questions about this policy, contact us at support@arealit.ca.

2. Scope of This Policy

This policy applies to the SessionEasy iOS application and the website at which this policy is hosted. It describes:

What personal information we collect and why
How we use, store, and share that information
The third-party services we rely on and their data practices
Your rights regarding your personal data

3. Data That Stays on Your Device

Local only The following data is stored exclusively on your device using Apple's local storage technologies and is never transmitted to our servers or any third party:

Your name and contact details
Student contact details (phone numbers, email addresses, notes)
Session records (date, duration, type, attendees)
Invoice files, invoice history and payment status
Pricing configurations for lesson types
Revenue and earnings summaries
Any other coaching or business data you enter manually

Exception:Student first/last names and lesson type names are transmitted to our backend when you use the AI voice session logging feature, solely to allow accurate parsing of your input. Contact details (phone numbers, email addresses, and any other student information) are never transmitted. We also transmit the prompt you entered if you use AI-baed lesson type addition solely to convert it to lesson type object and understand pricing. See Section 4 for full details.

All other data listed above is managed entirely by you and can be deleted at any time by removing the app from your device. We have no ability to access, recover, or export that data on your behalf.

4. Data We Collect and Transmit

When you use specific features of SessionEasy, the following data is transmitted to our servers or directly to third-party service providers:

4.1 AI-Powered Session Logging

When you use the voice or text session logging feature, we send the following to our backend, which then forwards it to the OpenAI API for processing:

Data element	Why it is needed
Voice recording or typed text description of the session	The core input the AI uses to understand and parse the session
Your list of lesson types (e.g. "Figure Skating", "Drills")	Allows the AI to match spoken words to the correct lesson type in your app
Your list of student names	Allows the AI to match spoken names to the correct students, including fuzzy matching for mispronunciations

Important: Student names and lesson types sent in this context are your data labels, not sensitive records. No financial amounts, invoice history, payment status, or any other session details are transmitted. The AI response is used only to pre-fill the session form on your device; no AI output is stored on our servers.

Voice recordings are transmitted securely (HTTPS/TLS) and are not stored by us after being forwarded to OpenAI. OpenAI's processing is governed by the OpenAI Privacy Policy. We use OpenAI's API under a data processing agreement; by default, OpenAI does not use API-submitted content to train its models.

4.2 AI-Powered Lesson Type Creation

When you use the AI feature to create a new lesson type, we send the following to our backend, which forwards it to the OpenAI API for processing:

Data element	Why it is needed
The text prompt you entered describing the lesson type (e.g. "45-minute private skating lesson, $80 for one student, $50 each for two or more")	The AI converts your free-text description into a structured lesson type object with the correct name, duration, and pricing tiers

Important: Only the prompt text you type is transmitted. No student names, session history, financial records, or other app data are included. The AI response (the structured lesson type) is returned to your device and saved locally; no output is stored on our servers.

The prompt is transmitted securely (HTTPS/TLS) and is not retained by us after being forwarded to OpenAI. OpenAI's processing is governed by the OpenAI Privacy Policy. By default, OpenAI does not use API-submitted content to train its models.

4.3 App Integrity (Firebase App Check)

To protect our backend API from abuse and ensure only legitimate copies of SessionEasy can access our services, we use Firebase App Check with Apple's DeviceCheck attestation service. This process transmits:

A cryptographic attestation token generated by Apple's DeviceCheck framework — this confirms the request comes from a genuine Apple device running an authentic copy of SessionEasy
App identity information (bundle ID, team ID)

This attestation does not include your Apple ID, personal identity, or any personally identifiable information. The token is opaque and cannot be used to identify you. Firebase App Check is provided by Google; its data practices are described in the Firebase Privacy and Security documentation and Google Privacy Policy.

4.4 In-App Purchases (RevenueCat)

SessionEasy uses RevenueCat to manage subscriptions and in-app purchases. When you make or restore a purchase, RevenueCat receives and processes:

App Store receipt and transaction identifiers provided by Apple
Product identifiers for the subscription or purchase
An anonymous app user ID (generated by RevenueCat; not linked to your Apple ID or personal identity)
Device platform, operating system version, and app version
Purchase timestamps and subscription status
Locale and storefront country (as provided by the App Store)

RevenueCat does not receive payment card details — these are handled exclusively by Apple. RevenueCat's data practices are described in the RevenueCat Privacy Policy. We use RevenueCat's SDK under a data processing agreement.

5. How We Use Your Data

Data	Purpose	Legal basis
Voice / text input, student names, lesson types	Parse your spoken or typed session description into structured data using AI	Performance of the service you requested (legitimate interest / contract)
Lesson type creation prompt (text)	Convert your free-text description into a structured in-app lesson type object	Performance of the service you requested (legitimate interest / contract)
App Check attestation token	Verify API requests come from a genuine, unmodified app installation	Legitimate interest in protecting service integrity
Purchase and subscription data	Grant access to premium features; manage subscription state; support purchase restoration	Performance of contract (subscription agreement)

We do not use your data for advertising, profiling, or sale to third parties.

6. Data Sharing and Third-Party Services

We share data only with the service providers listed below, and only to the extent necessary to operate SessionEasy:

Service	Provider	Data shared	Purpose
AI processing	OpenAI, LLC (USA)	Voice / text input, student names, lesson types; lesson type creation prompt	Natural language understanding for session logging and lesson type creation
App integrity	Google LLC (Firebase) (USA)	App Check attestation token, app identity	API abuse prevention
Purchase management	RevenueCat, Inc. (USA)	App Store receipts, anonymous user ID, device metadata	Subscription and purchase management

All third-party providers are contractually bound to process your data only as instructed and in accordance with applicable data protection laws. We do not sell personal data.

7. Data Retention

Voice recordings: Forwarded to OpenAI in real time and not stored on our servers. OpenAI's API data retention policy applies (currently 30 days for abuse monitoring under their API terms).
Session text / names: Not stored on our servers beyond the duration of a single API request.
App Check tokens: Short-lived tokens managed by Firebase; not retained by us.
Purchase data: Retained by RevenueCat for as long as your account is active plus any period required for financial record-keeping. You may contact us to request deletion.

8. Data Security

All data transmitted from SessionEasy to our backend and to third-party services is encrypted in transit using TLS 1.2 or higher. Your on-device data benefits from iOS's built-in device encryption and app sandbox protections. We do not store sensitive personal data on our own servers beyond the transient processing described above.

Despite our precautions, no transmission over the internet is 100% secure. If you believe your data has been compromised, please contact us immediately at support@arealit.ca.

9. Children's Privacy

SessionEasy is designed for use by coaches and adult professionals. The app is not directed at children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

Note regarding student names: Coaches may enter the names of minor students (e.g. child athletes) into the app. Student names are transmitted to our backend as part of AI session logging requests (Section 4.1) so the AI can match spoken names to the correct students. Student contact details are never transmitted. If you coach minors, we recommend using first names only or initials within the app to minimise the personal data involved in AI requests.

10. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate data
Deletion: Request deletion of your personal data
Portability: Receive your data in a structured, machine-readable format
Objection / Restriction: Object to or request restriction of certain processing
Withdrawal of consent: Where processing is based on consent, withdraw it at any time without affecting prior processing

Because most of your data stays on your device (Section 3), you can delete it at any time by removing the app. For any data held by our third-party providers, or to exercise any of the rights above, contact us at support@arealit.ca and we will respond within 30 days.

If you are in the European Economic Area, you also have the right to lodge a complaint with your local data protection authority.

California Residents (CCPA / CPRA)

We do not sell or share personal information as defined by the California Consumer Privacy Act. California residents may exercise the rights listed above by contacting us at support@arealit.ca.

11. International Data Transfers

Our third-party service providers (OpenAI, Google/Firebase, RevenueCat) are based in the United States. If you are located in the European Economic Area, United Kingdom, or other jurisdictions with data transfer restrictions, please be aware that your data may be transferred to and processed in the United States. Such transfers are carried out under appropriate safeguards (e.g. Standard Contractual Clauses or equivalent mechanisms).

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will provide notice within the app. Continued use of SessionEasy after a policy update constitutes acceptance of the revised policy.

13. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy, please contact us:

Arealit Group

Email: support@arealit.ca

App: SessionEasy – Coach Invoice App