KulaOS Privacy Policy
Version 1.0 · 20 June 2026
KulaOS is the execution platform. The read-only AI layer (Kula Intelligence) is governed by its own Terms and Privacy Policy; where KulaOS reads studio data it applies the same data-handling baseline, and adds the execute-side controls below.
This Privacy Policy is published by Kula Holdings Pty Ltd (ABN 53 676 723 452), of Sydney, NSW, Australia ("Kula", "we", "us", "our"). It describes how we handle personal information in connection with the KulaOS platform, consistent with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
§1 What this covers
This Policy covers the KulaOS platform — the execution layer that acts on a studio's business, including bookings and cover management, messaging to members and teams, automated actions, write-backs to connected tools, and billing.
KulaOS is the superset of, and includes, the read-only Kula Intelligence layer. Where KulaOS reads studio data to answer questions, it applies the same data-handling baseline described in the Kula Intelligence Privacy Policy. This Policy then extends that baseline with the execute-side disclosures, controls, and obligations that apply because KulaOS also acts. Where this Policy and the Kula Intelligence baseline both apply, the more protective requirement governs.
§2 Our two roles
Kula operates in two distinct roles, and your rights and our obligations depend on which applies:
- Controller of account information. For information about the studio's operators and account (names, work email, role, billing and authentication data), Kula is the controller and determines how that information is handled under this Policy.
- Processor of studio data. For the operational and member data a studio connects to or generates through KulaOS, the studio is the controller and Kula acts as a processor strictly on the studio's documented instructions. We do not decide the purposes for which a studio's member data is used.
Health and sensitive information. Studio data may include health-related and other sensitive information (for example, injury notes, medical limitations, or attendance patterns). Such information receives heightened protection and is only handled as needed to provide the service on the studio's instructions.
Consents are the studio's responsibility. Each studio is responsible, as controller, for holding the consents and providing the notices required for it to collect member personal information and to instruct us to process and act on it (including consent for marketing or messaging under the Spam Act 2003 (Cth)). Kula relies on the studio's representation that it holds those consents.
§3 What we collect
3.1 Account information (Kula as controller)
- Operator identity and contact details: name, work email, role and permissions.
- Authentication and security data (managed via our identity provider).
- Billing and subscription data (plan, billing contact; card data is handled by our payment processor — we store only a last-4 reference and never full card numbers).
- Product usage, diagnostic and support data.
3.2 Studio operational data via connectors (Kula as processor)
On the studio's instructions, KulaOS reads operational data from the tools a studio connects, which may include:
- Members and contacts (names, contact details, memberships, profile notes).
- Bookings, class schedules and attendance.
- Sales and payments (transaction records and amounts; for cards, last-4 only — never full card numbers).
- Accounting and financial summaries.
- Marketing and analytics data.
3.3 Actions and write data (execute-side — additional to the read layer)
Because KulaOS acts on the business, it also creates and records execution data:
- Messages sent to members and teams (content, recipients, channel and delivery status).
- Schedule and cover changes made through KulaOS (bookings created, amended or cancelled; cover offered and accepted).
- Automated-action logs recording each action taken on the studio's behalf, the trigger, and the outcome.
- Provider credentials for connected tools, held encrypted at rest using AES-256-GCM, with the encryption key held separately from the encrypted data.
- An audit trail of privileged and write actions — who or what initiated an action, when, against which connector, and with what result.
§4 What we do and don't do
Unlike the read-only Kula Intelligence layer, KulaOS does write back to connected tools and act on the business — including sending messages, making schedule and cover changes, and processing billing — strictly within the permissions and instructions a studio grants. Even so, and in all cases, Kula:
- does not sell personal information or studio data;
- does not use one studio's data for another studio's benefit;
- does not train cross-customer or general-purpose AI models on studio data; and
- does not store the content of AI conversations.
§5 How we use data
- Provide and operate the service — including reading connected data to answer questions and executing authorised actions (messaging, schedule and cover changes, write-backs and billing) within the studio's permissions.
- Support — to diagnose and resolve issues you raise.
- Security and audit — to detect, investigate and prevent misuse, and to maintain the audit trail of privileged and write actions.
- Billing — to administer subscriptions and payments.
- Optional, opt-in semantic search — only where a studio explicitly enables it, to make connected data easier to search.
§6 Connected AI clients and permission levels
As with the read layer, a studio may connect an AI client and grant it scoped access at defined permission levels. Access is least-privilege by default, is bound by the studio's grant, and is revocable at any time by the studio. On the execute side, permissions additionally govern which actions a client may initiate (see §10 on approval controls for consequential actions). All privileged and write actions are recorded in the audit trail (§3.3, §10).
§7 Sub-processors
We use the sub-processors below to provide KulaOS. Read-layer sub-processors support storage, hosting, authentication and notifications; execute-side processors are the providers a studio connects so that KulaOS can act, and they operate under the studio's instructions.
| Sub-processor | Purpose | Layer |
|---|---|---|
| Neon | Managed database storage | Read baseline |
| Google Cloud | Cloud infrastructure and hosting | Read baseline |
| Kinde | Authentication and identity | Read baseline |
| Vercel | Application hosting and delivery | Read baseline |
| Resend | Transactional email | Read baseline |
| Twilio | Messaging / SMS delivery | Read baseline |
| Stripe | Payment processing (last-4 only stored) | Read baseline + execute |
| Studio's booking system | Reading and writing bookings, schedules and cover (execute-side) | Execute — under studio instructions |
| Studio's payment processor | Processing payments and billing actions (execute-side) | Execute — under studio instructions |
| Studio's messaging / SMS / email provider | Sending messages to members and teams (execute-side) | Execute — under studio instructions |
This list is indicative and may change. The current list of sub-processors is maintained as part of our trust documentation; material changes will be notified in accordance with §14.
§8 Storage and cross-border handling
Studio data is stored in-region. Data belonging to Australian studios is stored in Australia. Where any handling of personal information occurs overseas (for example, through a sub-processor), we take reasonable steps to ensure it is handled consistently with the Australian Privacy Principles, including APP 8.
§9 Retention
- Active account data is retained while the account is active and in use.
- Raw imported copies of connected data are retained for 30 days, then refreshed or removed.
- Write and action logs (the audit trail of privileged and write actions) are retained for audit and accountability purposes.
- On account closure, we purge studio data within 30 days, subject to any legal, tax or accounting retention obligations and to retention of minimal audit records required for those purposes.
§10 Security
- Per-studio isolation — each studio's data is logically separated; one studio's data is never used for another.
- Encryption — data is encrypted in transit and at rest; provider credentials are encrypted with AES-256-GCM and their key held separately (§3.3).
- Scoped, least-privilege access with a full audit of privileged and write actions.
- Revocable access — a studio can revoke any connected client's or integration's access at any time.
- Approval controls on consequential actions — actions that send messages, change schedules or affect billing can require explicit approval before execution, according to the studio's configuration.
Notifiable Data Breaches. Where an eligible data breach occurs, we will act in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth), including notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) where required, and supporting controller studios in meeting their own notification obligations.
§11 Your rights
Operators. Studio operators may request access to, or correction of, their account information by contacting privacy@kula.digital.
Members. Because the studio is the controller of member data, members should direct access, correction and other privacy requests to their studio. Where we act as processor, we will support the studio in responding to such requests.
§12 Complaints
If you have a privacy complaint, contact privacy@kula.digital. We will acknowledge your complaint within 5 business days and work to resolve it promptly. If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
§13 Children
KulaOS is a business tool intended for use by studio operators and is not directed at children. We do not knowingly collect personal information directly from children. Where a studio's records include information about minors, that information is handled on the studio's instructions and the studio remains responsible, as controller, for holding any required consents.
§14 Changes
We may update this Policy from time to time. Where changes are material, we will take reasonable steps to notify studios in advance. The version and date at the top of this page indicate the current edition.
§15 Contact
For questions about this Policy or our privacy practices:
- Privacy: privacy@kula.digital
- Security: security@kula.digital
- Legal: legal@kula.digital
- Support: support@kula.digital
Kula Holdings Pty Ltd
ABN 53 676 723 452
Sydney, NSW, Australia
Governing law: New South Wales, Australia. The parties submit to the non-exclusive jurisdiction of the courts of New South Wales.