Privacy Policy
Last updated · May 2026
This policy explains what personal information Pelagio collects, how we use and share it, the lawful bases we rely on, and the rights you have — including the rights of California residents under the CCPA/CPRA and EU/UK residents under the GDPR/UK GDPR. Pelagio Inc. (“Pelagio”, “we”, “us”) is the controller of personal information described here.
Scope and who we are
This policy covers the Pelagio marketing site, web application, mobile applications, and related services (the “Service”). When a dance studio uses Pelagio to manage its clients and accept payments, the studio is the controller for its own client records and Pelagio acts as a processor on its behalf under a separate Data Processing Agreement. For our own marketing site visitors, account holders at studios, and prospective customers, Pelagio is the controller.
Pelagio operates the Service as a Payment Facilitator. Finix Payments, Inc. is our payment processor and sponsor for sub-merchant onboarding (KYC/AML and underwriting). Studios are the merchants-of-record for the classes and packages they sell.
Information we collect
We collect the following categories of personal information:
- Identifiers — name, email, phone, address, studio account details, and unique account IDs.
- Commercial information — subscriptions, transactions, classes and packages sold, refund and chargeback records.
- Payment information — tokenized card data and bank account references processed by Finix; we do not store full card numbers.
- Government identifiers (studios only) — tax ID, business formation details, and beneficial-owner information required by Finix for KYC.
- Internet activity — pages viewed and features used; collected only after you opt in via our cookie banner.
- Device and log data — IP address, browser, and approximate region for security, fraud prevention, and abuse detection.
- Communications — messages you send to support, sales, or privacy@pelagioapp.com.
Lawful bases (EU/UK residents)
We process personal information on the following lawful bases under GDPR Article 6:
- Contract — to provide the Service, process payments, and send service messages.
- Legitimate interests — to secure the Service, detect fraud, and improve product reliability, balanced against your rights.
- Consent — for product analytics and any marketing communications; you can withdraw consent at any time.
- Legal obligation — to comply with tax, AML, and other applicable laws.
How we use information
- Provide, maintain, and secure the Pelagio Service.
- Process payments and send service messages such as receipts, password resets, and security alerts.
- Understand product usage and improve features — analytics are loaded only after you accept in the cookie banner.
- Send marketing communications when you have opted in; you can unsubscribe at any time.
- Detect, prevent, and investigate fraud or abuse, and meet legal obligations including tax and AML reporting.
Recipients and sub-processors
We share personal information with the following categories of recipients: (a) sub-processors acting on our behalf under written agreements, listed on our Subprocessors page; (b) Finix Payments, Inc. as our payment processor and sponsor; (c) authorities where required by law; and (d) acquirers in the event of a merger, acquisition, or asset sale, subject to this policy. We do not sell personal information for money and do not engage in cross-context behavioral advertising.
International transfers
Pelagio is headquartered in the United States and our primary infrastructure is hosted in US regions of DigitalOcean. When personal information of EU/UK/Swiss residents is transferred to the United States, we rely on the EU Standard Contractual Clauses (and the UK Addendum and Swiss equivalents where applicable) with each receiving party, and implement supplementary technical and organizational measures including encryption in transit and at rest.
Retention periods
We retain personal information for the periods set out below:
| Category | Retention period | Basis |
|---|---|---|
| Marketing-site analytics (PostHog) | 13 months | Limit on cookie lifetime; consent required |
| Account records (studios and end-users) | Life of account + 90 days | Contract; cooling-off to reactivate |
| Transaction and payout records | 7 years | US tax and AML record-keeping obligations |
| KYC documents (studios) | 5 years after account closure | Bank Secrecy Act / Finix sponsor requirements |
| Support communications | 3 years | Service improvement and dispute resolution |
| Server and security logs | 90 days | Security and incident investigation |
Sensitive personal information
We do not use or disclose sensitive personal information for purposes beyond providing the Service, and we do not infer characteristics about you from such information. California residents may ask us to limit any such use at any time using the contact details below.
Cross-context behavioral advertising
We do not engage in cross-context behavioral advertising. We do not load advertising pixels, build cross-site profiles, or share personal information with advertising networks for targeting. Our product analytics (PostHog) are first-party, gated on your consent, and are not used to target advertising.
Your California privacy rights (CCPA/CPRA)
California residents have the right to:
- Know and access the personal information we hold about you, including categories, sources, purposes, and recipients.
- Delete personal information, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information — we honor Global Privacy Control (GPC) signals automatically.
- Limit the use and disclosure of sensitive personal information.
- Not be discriminated against for exercising these rights.
Your EU/UK rights (GDPR)
If you are in the EU, UK, or Switzerland, you also have the right to: access and receive a copy of your data; rectify inaccurate data; erase data; restrict or object to processing; and data portability in a structured, machine-readable format. You may lodge a complaint with your local supervisory authority. You can withdraw any consent at any time without affecting the lawfulness of prior processing.
How to exercise your rights
Email privacy@pelagioapp.com with your request. We respond within 30 days; where a request is complex, we may extend by up to 60 additional days and will notify you within the first 30 days. We may need to verify your identity and may decline a request only as permitted by law. You may use an authorized agent if you provide written, signed authorization (such as a power of attorney) confirming the agent’s authority to act on your behalf.
EU Representative
Until we have appointed an Article 27 representative, Pelagio does not knowingly accept registrations from residents of the European Economic Area, the United Kingdom, or Switzerland. If you believe you have registered in error, please contact privacy@pelagioapp.com and we will close the account and delete the data.
Security and incident notification
We protect personal information with encryption in transit and at rest, least-privilege access controls, audit logging, and regular vulnerability review. If we become aware of a personal data breach affecting you, we will notify the relevant supervisory authority within 72 hours where required by law, and notify affected individuals without undue delay where the breach poses a risk to their rights and freedoms.
Automated decision-making
We do not make decisions producing legal or similarly significant effects on you based solely on automated processing. Fraud-detection signals may inform a human reviewer, but a person is responsible for any account action.
Children
Pelagio is intended for users aged 16 and older. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact privacy@pelagioapp.com so we can delete it.
Changes to this policy
We may update this policy from time to time. For material changes affecting your rights, we will provide at least 30 days’ notice by email or in-product notice before the change takes effect.
Contact
Pelagio Inc., privacy@pelagioapp.com. California residents may also use the “Do Not Sell or Share” link in the footer.