Wize Athletics

Last updated: June 10, 2026

Privacy Policy

How Wize Athletics collects, uses, discloses, and protects personal information.

Effective date: 2026-05-28
Last updated: 2026-05-28
Status: DRAFT (pending review by legal counsel). Items flagged TBD require confirmation before publication.

This Privacy Policy explains how Wize Athletics Inc. ("Wize Athletics", "we", "us", or "our") collects, uses, discloses, and protects personal information when you access or use the Wize Athletics platform (the "Service"). It is written to satisfy our obligations under Quebec's Act respecting the protection of personal information in the private sector, as amended by Bill 64 / Law 25 (the "Quebec Act"), and Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA").


1. Who we are

Wize Athletics Inc. is a company incorporated under the laws of the Province of Quebec, Canada. The Service is a multi-tenant platform that helps sports organizations, teams, coaches, and athletes manage training, attendance, performance, and athlete wellness workflows.

Business address. TBD — to be filled in by counsel.

Privacy Officer (Responsable de la protection des renseignements personnels). As required by section 3.1 of the Quebec Act, we have designated a Privacy Officer who is responsible for ensuring our compliance with applicable privacy law and for responding to your requests and complaints:

You can reach the Privacy Officer using the contact details at the end of this Policy or through our Privacy Complaints Process.

2. Our role: controller, processor, or both

The Service has two distinct types of customers, and our role under privacy law differs depending on which one is involved.

Sports organizations (our direct customers). When a sports club, school, federation, or other organization (an "Organization") signs up for the Service to manage its own teams and athletes, the Organization is the controller of personal information about its athletes, coaches, parents/guardians, staff, and other members. Wize Athletics acts as the Organization's service provider (the "processor", in the language of the Quebec Act) and processes that personal information on the Organization's documented instructions, subject to our agreement with the Organization. The Organization is primarily responsible for:

  • determining what data to collect about its members;
  • obtaining the consents required by law (including parental or tutor consent for minors under 14 in Quebec);
  • responding in the first instance to requests from its members to access, correct, or delete information;
  • defining retention rules within the limits we offer; and
  • communicating its own privacy practices to its members.

Wize Athletics is responsible for handling that personal information securely, only for the purposes the Organization has authorized, and in accordance with this Policy and our agreement with the Organization.

Direct accounts and the platform itself. Wize Athletics is the controller of personal information that we collect directly from you for our own purposes, including:

  • account credentials and profile data you create when you register;
  • billing and contact details for Organization administrators (if applicable);
  • product analytics, security logs, and audit trails about your use of the Service;
  • communications you exchange with our team (support requests, complaints, feedback);
  • information you provide when you exercise a privacy right directly with us.

For everything else, the rest of this Policy describes our practices as if we were the controller. If you are an athlete, parent, coach, or staff member added to the Service by an Organization, you should also consult your Organization's own privacy notice for the controller-side details, and direct primary requests to them.

3. Personal information we collect

Wize Athletics collects only the personal information that is necessary for the purposes set out in Section 4. The categories below are described in more granular per-table detail in our internal Personal-Data Inventory, which we maintain as part of our accountability obligations under section 3.2 of the Quebec Act.

3.1 Identity and contact information

  • First and last name.
  • Email address.
  • Profile avatar image (if you choose to upload one).
  • Preferred language and locale.

3.2 Account credentials

  • Password hash (Supabase Auth, bcrypt-hashed; we never see your plaintext password).
  • Single-use tokens used for email verification, password recovery, organization and team invitations, and confirmation of account deletion requests. These tokens are stored only as hashes once we issue them, and the plaintext token exists only in the email message we send to you.
  • For shared-device kiosks: a per-athlete numeric PIN, stored as a salted hash. The PIN exists so an athlete can identify themselves on a kiosk without typing an email.

3.3 Organization, team, and role information

  • Your membership in an Organization, your role within it (athlete, coach, administrator, parent/guardian, etc.), and the start and end dates of that membership.
  • Your team assignments.
  • Permissions you have been granted within the Service.

3.4 Athlete profile and anthropometric data

  • Date of birth and gender, where the Organization has chosen to record them. These are used to scope age-appropriate features and to compute load and recovery indicators.
  • Anthropometric measurements such as height and body weight, where the Organization records them. These are sensitive personal information and are stored encrypted at the application layer using a key held in our key-management service.

3.5 Health, wellness, and performance data

  • Subjective wellness questionnaire answers (for example: sleep quality, soreness, mood, fatigue).
  • Session-level training data such as session rate of perceived exertion ("sRPE"), body weight at check-in, and attendance status.
  • Trend baselines and coaching alerts computed automatically from the above.

This data is considered sensitive personal information under the Quebec Act and PIPEDA. The columns that hold this data are encrypted at the application layer with category-specific keys, in addition to the encryption-at-rest provided by our database host. Access is further constrained by row-level security policies that limit each user to records they are entitled to see.

3.6 Consents and acknowledgements

  • The privacy and terms-of-service consents you have given, when you gave them, and the version of the documents you accepted.
  • Any subsequent changes (withdrawals, additions).

3.7 Technical and usage data

  • Audit-log entries describing significant actions taken in your account (logins, role changes, sensitive reads), the timestamp, and the IP address and user-agent associated with the action.
  • Server logs containing request paths, status codes, response times, and user identifiers (UUIDs).
  • Device and session information when you sign in on a shared kiosk.

We do not run third-party advertising trackers in the Service. We do not currently use a behavioural analytics provider; if we add one, this Policy will be updated and an entry will be added to our public list of sub-processors before the change goes live.

3.8 Communications

  • The content of any message you send to our support or privacy team, including attachments, plus our reply.

4. How we use personal information

We use personal information only for the purposes that are necessary to deliver the Service, to comply with our legal obligations, or for which you (or the relevant Organization, where it is the controller) have given consent. Specifically:

  • To provide the Service. Create and manage accounts; organize Organizations, teams, and rosters; run the check-in / kiosk flow; record and display training, attendance, questionnaire, and performance data; deliver coaching workflows.
  • To compute coaching alerts and a daily habits score. Each night, we run automated processing on athlete health and performance data to produce coaching alerts and a daily habits score. See Section 10 (Automated decision-making) for details.
  • To send service communications. Account verification, password recovery, organization and team invitations, security alerts, and changes to this Policy or our Terms of Service.
  • To keep the Service secure. Detect, prevent, investigate, and respond to fraud, abuse, security incidents, and violations of our Terms of Service. Maintain audit logs and incident records.
  • To support you. Respond to your support requests and questions.
  • To comply with the law. Respond to lawful requests from authorities, exercise or defend legal claims, satisfy our accountability and record-keeping obligations under the Quebec Act and PIPEDA.
  • To improve the Service. Diagnose and fix bugs, measure reliability, and evolve the product. Where this involves personal information, we minimize it (for example, by aggregating or pseudonymizing) wherever possible.

We do not sell personal information. We do not use your personal information for behavioural advertising. We do not use personal information for purposes that are materially different from the purposes for which it was collected without first obtaining your consent or the consent of the relevant Organization.

5. Legal bases for processing

Under the Quebec Act and PIPEDA, our processing of personal information rests on one or more of the following bases, depending on the activity:

  • Performance of a contract with you (or with the Organization that has invited you) — for everything required to deliver the Service to that Organization and its members.
  • Compliance with a legal obligation — for accountability records, audit logs, tax records (where applicable), responses to authorities, and breach-notification activities.
  • Legitimate interests of Wize Athletics or the Organization (as applicable) — for security, fraud prevention, and improving the Service — provided those interests do not override your rights.
  • Consent — for processing that goes beyond what is necessary to deliver the Service, for sensitive information that requires express consent under the Quebec Act, and for any communication that is not strictly necessary. You can withdraw consent at any time as described in Section 11.

For Organizations that have signed up as our customer, the lawful basis for their own processing of member data is determined by them; we process that data on their documented instructions.

6. Sharing and disclosure

We share personal information only as described in this Policy.

6.1 Within an Organization

Members of an Organization may see personal information about other members of the same Organization to the extent their role permits. For example, a coach may see the health questionnaires of athletes on a team they coach; an administrator may see the roster and roles for the Organization they administer. Access is enforced in the database by row-level security policies and additional application-level checks.

6.2 Service providers (sub-processors)

We rely on a limited number of third-party service providers to operate the Service. Each of these providers is contractually bound to process personal information only on our instructions and to keep it secure. A current list of these providers, the categories of data they see, where they host the data, and the contractual basis for the processing is maintained in our Sub-processors Register (TBD — confirm public URL with counsel). Today, our material sub-processors are:

  • Supabase Inc. — managed PostgreSQL database, authentication, file storage, and realtime fan-out. Hosts data on AWS in the ca-central-1 region (Montréal, Quebec).
  • Google Cloud Platform (Google LLC) — application compute (Cloud Run), asynchronous task queue (Cloud Tasks), scheduled jobs (Cloud Scheduler), container registry (Artifact Registry), and operational logging (Cloud Logging). All runtime services run in the northamerica-northeast1 region (Montréal, Quebec).
  • Twilio SendGrid (Twilio Inc.) — outbound transactional email (invitations, password recovery, account-deletion confirmations, and similar notices). Hosted in the United States. See Section 7 for the cross-border-transfer assessment.
  • GitHub, Inc. — source-code hosting and continuous-delivery pipeline. GitHub Actions runners do not receive application personal data, but they hold the deployment credentials that grant access to it. Runners are US-hosted.

We will update the public Sub-processors Register before any new sub-processor begins processing your personal information.

6.3 At the request of the Organization

Where an Organization is the controller of your personal information, we may disclose that information to the Organization (or to people the Organization has designated within the platform, such as administrators or coaches). We are not generally in a position to override the Organization's access decisions for its own data.

6.4 Legal disclosures and successors

We may disclose personal information when we are required to by law, regulation, legal process, or enforceable governmental request; when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Wize Athletics, our users, or the public; or in connection with a merger, acquisition, financing, or sale of all or part of our business, in which case the recipient will be bound by privacy commitments at least as protective as those in this Policy.

6.5 Disclosures we do not make

We do not sell personal information. We do not rent, exchange, or otherwise commercially trade personal information. We do not allow advertisers to access personal information.

7. Transfers of personal information outside Quebec

Sections 17 and 17.1 of the Quebec Act require us to conduct a Privacy Impact Assessment ("PIA") before transferring personal information outside Quebec, and to ensure that the personal information will receive equivalent protection.

  • Supabase and Google Cloud Platform. As described in Section 6.2, our primary database and our application compute are hosted in Montréal, Quebec. Personal information stored in the Service does not, in the ordinary course, leave Quebec for these services. Vendor support personnel may access support tooling from outside Quebec under the vendor's standard data-processing addendum.
  • Twilio SendGrid. SendGrid is hosted in the United States. Every transactional email we send (for example, an invitation, a password reset, or an account-deletion confirmation) results in a transfer of the recipient's email address — and, depending on the template, the recipient's first name, the Organization or team name, and a short-lived single-use token — to a server located in the United States. We have completed (or are completing) a PIA covering this transfer; the assessment considers the categories of data transferred, the legal regime of the destination country, the vendor's security and contractual commitments, and reasonably available alternatives. The current state of the assessment is available on request from the Privacy Officer.
  • GitHub Actions. As described in Section 6.2, GitHub Actions runners are US-hosted and hold deployment credentials. They do not, in the ordinary course, see application personal data.

If you have questions about cross-border transfers or want a copy of the relevant Privacy Impact Assessment, contact the Privacy Officer.

8. Retention

We keep personal information only for as long as it is needed for the purposes set out in this Policy or for as long as the law requires us to keep it.

  • Active accounts. While your account is active and your Organization continues to use the Service, we retain the personal information associated with your account.
  • Communications and consents. We keep records of consents you have given and significant communications about your account for as long as needed to demonstrate compliance with the law (typically the life of the account plus a reasonable period thereafter).
  • Audit and security logs. Audit-log records are retained for the life of the account and, in respect of administrator actions, for a period of up to seven (7) years after the administrator role is revoked, to satisfy our accountability obligations.
  • Account-deletion ledger. When you (or an Organization on your behalf) requests account deletion, we maintain a deletion-request record permanently for accountability under sections 8 and 14 of the Quebec Act. After your account is purged, this record retains only an irreversible HMAC pseudonym of the original user identifier; no plaintext identifier remains.
  • Backups. We rely on the point-in-time recovery window provided by our database host for routine backups. Personal information may persist in backups for up to the length of that recovery window after deletion, after which it ages out automatically.
  • Vendor-side residuals. Some sub-processors retain operational logs for their own retention periods (see Section 6.2 and our Sub-processors Register for specifics). When you request deletion, we instruct sub-processors to delete or suppress your information to the extent technically possible; where a vendor's only available control is a suppression list (for example, SendGrid's global suppression list), we use that.

When a retention period expires, we either delete the personal information or anonymize it so it can no longer be associated with you.

9. Security

We use a combination of organizational, technical, and physical safeguards to protect personal information. These include:

  • Encryption in transit. All connections between your device, the Service, and our sub-processors use TLS 1.2 or higher.
  • Encryption at rest. The underlying storage of our database host applies AES-256 encryption to every table, index, write-ahead log, and file-storage object.
  • Application-level encryption for sensitive columns. Six columns that hold particularly sensitive information — wellness questionnaire answers, anthropometric measurements, attendance and load data, certain invitation payloads, baselines, and alerts — are encrypted at the application layer using category-specific symmetric keys held in our key-management service. Plaintext access goes through controlled database functions.
  • Row-level security. Every personal-data table in our database enforces row-level security policies that limit each user to records they are entitled to see.
  • Least-privilege keys. The high-privilege service-role key is restricted to backend processes; the key shipped to browser clients can only act within the row-level security boundaries.
  • Auditing. Significant actions (logins, role changes, sensitive reads, exports, deletions) are written to an audit log.
  • Secrets management. Encryption keys and credentials for sub-processors are held in dedicated secret stores and rotated on a documented cadence.
  • Vulnerability and patch management. We monitor our dependencies and apply security updates promptly.
  • Personnel. Employees and contractors with access to personal information are bound by confidentiality obligations and access is granted on a need-to-know basis.
  • Incident response. We maintain an incident-response plan covering detection, containment, notification, and post-incident review.

No security measure is perfect. We commit to using safeguards proportionate to the sensitivity of the data, the volume of data, and the risk of harm, as required by section 10 of the Quebec Act.

10. Automated decision-making and profiling

Section 12.1 of the Quebec Act requires us to disclose when a decision based exclusively on automated processing of personal information is made about you, and to give you the right to make observations and to ask for the decision to be reviewed by a human.

The Service performs the following automated processing of athlete health and performance data:

  • Coaching alerts. Each night, we compute alerts based on patterns in attendance, questionnaire answers, sRPE, body weight, and trend baselines. These alerts are shown to the relevant coaches and to the athlete.
  • Daily habits score. Each night, we compute a daily habits score from the same data, intended as a simple indicator of training-and-recovery consistency.

These outputs are decision-support tools. They are designed to inform a coach's judgment, not to make consequential decisions about you on their own. We do not use them to determine eligibility for a team, scholarship, contract, insurance, employment, or other consequential outcome.

You have the right to:

  • Be informed of the principal factors that led to an alert about you. The Service surfaces the contributing factors in the athlete's own dashboard.
  • Make observations about a result and ask a human (a designated member of your Organization, or our Privacy Officer if no such designate is appropriate) to review it.
  • Withdraw your consent to the automated processing of your health and performance data at any time in your account settings, with the consequence that the relevant features will no longer be available to you.
  • Correct the underlying account information in your settings or by contacting your Organization administrator or our Privacy Officer.

If we introduce a new form of automated decision-making that has the capacity to materially affect you, we will update this Policy and seek your consent where the law requires it.

11. Your rights

Subject to the limits set by the Quebec Act, PIPEDA, and other applicable law, you have the following rights with respect to your personal information:

  • Access. You can ask whether we hold personal information about you and obtain a copy.
  • Rectification. You can ask us to correct information that is inaccurate, incomplete, or out of date.
  • Deletion (erasure). You can ask us to delete your account and the personal information we hold about you. We honour deletion requests through the in-product account-deletion flow described in Section 12.
  • De-indexation / cessation of dissemination. Where applicable, you can ask us to cease disseminating your personal information or to de-index a hyperlink that leads to it.
  • Withdrawal of consent. Where our processing is based on your consent, you can withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing that took place before the withdrawal.
  • Portability. You can ask us to provide a copy of the computerized personal information you have provided to us, in a structured, commonly used technological format, where the Quebec Act applies and the request is technically feasible.
  • Object to processing based on legitimate interests, on grounds related to your particular situation.
  • Make observations about decisions made exclusively by automated processing (see Section 10).
  • Complain to our Privacy Officer about how we handle your personal information, and escalate to the Commission d'accès à l'information du Québec (the "CAI") if you are not satisfied. See our Privacy Complaints Process.

How to exercise your rights. Use the in-product controls where they are available (for example, the account-deletion flow in account settings). For everything else, write to the Privacy Officer at alexandre@wizeathletics.ca. We will acknowledge your request promptly and respond within the time limit prescribed by law — thirty (30) days under the Quebec Act, except where the request is complex and we notify you of an extension. We may need to verify your identity before responding, particularly for access, rectification, and deletion requests.

If an Organization holds your data as controller. If you are a member of an Organization, the Organization is the first point of contact for access, rectification, and deletion of the personal information it has caused to be collected about you. We will help the Organization respond and, in appropriate cases, will act on your request directly.

12. Account deletion

You can request deletion of your account at any time from your account settings. The flow works as follows:

  1. You confirm your intent in the product and receive a confirmation email at the address on file.
  2. You click the link in the email within thirty (30) minutes. The link is single-use.
  3. A grace period of thirty (30) days begins. Your account is marked for deletion but not yet purged. You can cancel the deletion during this period by signing in.
  4. At the end of the grace period, we purge your personal information from our primary database, delete files associated with your account from our file-storage buckets, and instruct each sub-processor that holds your data to delete or suppress it to the extent technically possible.
  5. We keep a permanent deletion-request record containing only an irreversible HMAC pseudonym of your original user identifier and the lifecycle timestamps of the request, so that we can demonstrate compliance with our deletion obligation.

Some residual personal information may persist for a limited time in backups, in vendor-side operational logs (typically aged out within thirty (30) to ninety (90) days), and in our own audit logs to the limited extent needed to demonstrate that we honoured the deletion. We do not use any of this residual information for any purpose other than legal compliance and incident investigation.

13. Children and minors

The Service is sold to sports organizations, schools, federations, and other Organizations. Where an Organization is the controller of personal information about its members, the Organization is responsible for:

  • determining the minimum age at which an individual may use the Service within that Organization;
  • obtaining the consent of the parent or tutor of a minor under 14 years of age, where the Quebec Act requires it;
  • providing minors and their parents/tutors with age-appropriate information about how their data is used;
  • responding in the first instance to access, rectification, and deletion requests for minors.

Wize Athletics processes minors' personal information on the Organization's instructions, applies the same security and confidentiality measures described in Section 9 (with extra care for sensitive categories), and does not knowingly use minors' personal information for any purpose other than delivering the Service to the Organization.

If you believe that a minor's personal information is being processed in our Service without the necessary consent, contact the Privacy Officer and we will work with the relevant Organization to address the situation.

14. Cookies and similar technologies

The Service uses cookies and similar technologies only for purposes that are strictly necessary to operate the platform — for example, to keep you signed in, to remember your preferred language, and to protect against cross-site request forgery. We do not use cookies for advertising. We do not use third-party analytics or advertising trackers as of the effective date of this Policy. If this changes, we will update this Policy and our Sub-processors Register before the change goes live, and we will provide an in-product cookie-management surface where required.

15. Breach notification

If we determine that a confidentiality incident involving your personal information poses a risk of serious injury, we will:

  • notify the CAI as required by section 3.5 of the Quebec Act;
  • notify you (or the Organization that controls your data, as applicable) as required by the Quebec Act and PIPEDA;
  • record the incident in our internal incident register, which we keep for at least five (5) years; and
  • take reasonable measures to reduce the risk of injury and to prevent similar incidents from happening again.

Each of our sub-processors is contractually required to notify us of confidentiality incidents that affect personal information we have entrusted to them. The notification timelines are set in the relevant data-processing addendum with each sub-processor.

16. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will give you reasonable notice — for example, by email, in-product notice, or a banner on the Service — before the changes take effect. The "Last updated" date at the top of this Policy will always reflect the date of the most recent change. We keep prior versions on file for accountability.

If a change reduces the protection of your personal information, we will (where the law requires it) obtain your consent before applying the change to information we already hold.

17. Contact

For any question about this Policy, to exercise a privacy right, or to make a complaint, contact our Privacy Officer:

Alexandre Paré
Privacy Officer, Wize Athletics Inc.
Email: alexandre@wizeathletics.ca

If you are not satisfied with our response, you may file a complaint with the Commission d'accès à l'information du Québec at https://www.cai.gouv.qc.ca/ or with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca/, depending on the framework that applies to you. See our Privacy Complaints Process for details.