Case study · 2025–2026
heysuma — studio management, in one platform.
A fully in-house-developed all-in-one business platform for EMS studios — from database architecture down to the CI/CD pipeline. No framework wrapper, no white-label product. Our evidence of what Kitun can build for mid-market companies.
- Domains: 36 business domains
- Frontends: Studio-Admin + customer PWA + website
- Backend: Python 3.13 · FastAPI async · SQLAlchemy 2.0
- Data: PostgreSQL 16 · 62 migrations
- AI: 5 agents · Strands Agents SDK
- Security: Documented audit · severity-scored
- Hosting: Hetzner DE · GDPR
- Launch: v1.0 · May 2026
- 3 months: Greenfield to v1.0
- 4 apps: API · Admin · Customer · Website
- ~140k LOC: Python + TS/Vue
- 368 commits: solo development
01 · Situation
A business whose processes don't fit any off-the-shelf tool.
Studio operations are a service business on steroids: members, contracts, appointments with limited resources, SEPA direct debit, campaigns, franchise structures — all at the same time. No existing SaaS covered the spectrum cleanly. The alternative would have been three or four tools glued together, with the friction, duplicate data entry and manual hand-offs that entails.
02 · Approach
Business model first. Architecture second. Code last.
We modelled the entire business of an EMS studio first — 36 domains with clean boundaries, an async REST API, strictly verified multi-tenancy, role-based permissions. Only then did implementation start. Coding agents handled boilerplate, tests and integrations along that architecture. Every line reviewed, every change versioned as a controlled DB migration — now 62 of them.
03 · Outcome
Four apps. One platform. v1.0 live since May 2026.
heysuma runs on Hetzner infrastructure in Germany: Studio-Admin (Vue 3), customer PWA (Vue 3), marketing website (Astro 6) and a FastAPI backend — fronted by a Caddy edge with auto-TLS. Studios manage memberships, schedule appointments, process SEPA direct debits, analyse revenue, run sales pipelines. End customers book via a PWA and chat with a booking assistant that has direct tool access to the system. The security audit is documented with severity-scored findings.
Domains
Selection from 36 business domains.
Each of these domains is in production, built as a standalone module with models, schemas, service layer and routers. Each is modelled so it can be transferred to other industries with manageable effort.
CRM & customer lifecycle
Contact and customer profiles with status lifecycle, groups, multi-location view, GDPR-compliant handling of sensitive health data with Fernet at-rest encryption and a separate audit log.
Calendar & scheduling
Three view modes (list, calendar, check-in), drag-and-drop booking, a full status model, resource management with automatic capacity release, configurable booking and cancellation windows.
Contract management
Digital contract creation, terms, billing cycles, pausing, cancellation management with automatic end-date calculation, auto-renewal with optional price changes. PDF and signature upload.
Invoicing
Full invoice lifecycle with state machine, automatic PDF generation (WeasyPrint), direct email dispatch, configurable number ranges, VAT configuration, bulk finalisation.
SEPA ISO 20022
Standards-compliant SEPA XML file generation, preview before execution, bulk debit, complete logging, digital SEPA mandates, creditor ID configurable per location.
Finance reporting
Revenue reports with flexible date filters, broken down by payment method and invoice type. Excel export via openpyxl with formatting suitable for accountants.
Sales pipeline
Configurable Kanban board with arbitrary columns and parallel pipelines, lead and opportunity tracking, task templates per phase, campaign templates.
Lead-capture widgets
Form builder, embeddable HTML widget code for external sites, real-time availability, automatic lead creation, rate-limiting and FriendlyCaptcha integration.
Self-service portal (PWA)
Separate Progressive Web App for end customers: booking, overview, cancellation with deadline check, studio branding, passwordless auth via Hanko.
Email automation
Jinja2 template engine, automated booking confirmations, reminders with configurable lead times, Celery-driven queue with 30-second dispatch cycle.
Multi-tenancy
Organisation and studio levels, header-based tenant isolation with DB verification, role-based access control (Owner, Admin, Manager, Trainer, Staff, Member, Guest).
AI agents
Three production agents (support, booking, assistant) with tool use, SSE streaming, session persistence in PostgreSQL, per-session usage logging.
Engagement scoring
Nightly score based on appointment usage vs. contingent (8-week rolling window). Lifecycle stages active / at-risk / inactive as the basis for churn prediction.
Data import
CSV import with parse-preview-confirm workflow for customers, contracts, tariffs, check-ins. Content-type validation, size limits, async task for large datasets.
Products & services
Tariffs, add-ons, products, services, packages with separate pricing models, auto-renewal, discounts and legal text.
Notifications (SSE)
Server-Sent Events for real-time notifications in the frontend, unread badge, mark-as-read, revision-based polling for reliable delivery.
AI integration
Five production AI agents. Tool use. Not ChatGPT wrappers.
Built with the Strands Agents SDK. Every agent has session persistence in PostgreSQL, streaming responses over Server-Sent Events, usage logging of input and output tokens per session, and real tool access to the business logic.
Assistant
Onboarding and general-purpose assistant for the studio team with access to system structure and workflows. Knows the data, knows the paths.
Booking
Natural-language booking in the customer app. Direct tool access to availability and booking creation.
Retention
Signal pipeline for engagement erosion. Detects fading appointment usage, recommends proactive retention — before classical reports show the trend.
Support
Context-aware chat for operational questions in the studio day-to-day. Answers directly from the system, no external search, no doc-bouncing.
Journey-Ingestor
Writes heterogeneous customer-journey events (web, email, bookings) into a unified lifecycle model. Foundation for engagement scoring and predictions.
Security
Security is design. Not a checkbox.
Our security audit is fully documented, with severity scored per finding, across infrastructure, Docker setup, reverse proxy, application layer and data flow. The foundation for that is an architecture that doesn't bolt security on afterwards but guarantees it structurally.
Passwordless auth
Hanko Cloud via magic-link and passkeys. No password handling, no reset flow, no password database.
CSRF protection
HMAC-SHA256 tokens with origin validation and Sec-Fetch-Site verification on all mutating routes.
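To make the three ingredients of that CSRF check concrete, here is an added example that is not heysuma's code: a session-bound HMAC-SHA256 token, an Origin allow-list check (with Referer as fallback) and Sec-Fetch-Site verification, applied only to mutating methods. The secret, the allowed origins, the header names and the token lifetime are constructed assumptions for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed for this example: the server secret, the origins allowed to
# send mutating requests, the token lifetime and which methods count as mutating.
CSRF_SECRET = b"constructed-example-secret-rotate-in-real-deployments"
ALLOWED_ORIGINS = {"https://admin.example.test", "https://app.example.test"}
TOKEN_TTL_SECONDS = 8 * 3600
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _mac(session_id: str, issued_at: str, nonce: str) -> str:
    msg = f"{session_id}|{issued_at}|{nonce}".encode()
    return hmac.new(CSRF_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: int | None = None) -> str:
    """Token layout: <issued_at>.<nonce>.<hmac-sha256>. Binding the MAC to the
    session id means a token captured in one session fails in every other."""
    issued_at = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{issued_at}.{nonce}.{_mac(session_id, issued_at, nonce)}"


def verify_csrf_token(token: str, session_id: str, now: int | None = None) -> bool:
    """Constant-time MAC comparison plus a freshness window; no server-side
    token store is needed because the MAC itself carries the binding."""
    try:
        issued_at, nonce, mac = token.split(".")
        issued = int(issued_at)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= TOKEN_TTL_SECONDS:
        return False
    expected = _mac(session_id, issued_at, nonce)
    return hmac.compare_digest(mac.encode(), expected.encode())


def origin_allowed(headers: dict[str, str]) -> bool:
    """Origin (or the Referer's origin as fallback) must be on the allow-list.
    A mutating request carrying neither header is rejected."""
    origin = headers.get("origin")
    if origin is None:
        referer = headers.get("referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def fetch_site_allowed(headers: dict[str, str]) -> bool:
    """Browsers set Sec-Fetch-Site and page script cannot override it. Only
    same-origin and none (user-initiated navigation) pass. A missing header
    (non-browser client) is not rejected here; Origin and token checks still apply."""
    site = headers.get("sec-fetch-site")
    return site is None or site in {"same-origin", "none"}


def check_mutating_request(method: str, headers: dict[str, str],
                           session_id: str, now: int | None = None) -> tuple[bool, str]:
    """Returns (allowed, reason). Read-only methods pass without CSRF checks."""
    if method.upper() not in MUTATING_METHODS:
        return True, "read-only method"
    h = {k.lower(): v for k, v in headers.items()}
    if not fetch_site_allowed(h):
        return False, "cross-site per Sec-Fetch-Site"
    if not origin_allowed(h):
        return False, "origin not allowed"
    token = h.get("x-csrf-token")
    if token is None or not verify_csrf_token(token, session_id, now):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-123"
    tok = issue_csrf_token(sid)
    good = {"Origin": "https://admin.example.test", "Sec-Fetch-Site": "same-origin",
            "X-CSRF-Token": tok}
    print(check_mutating_request("POST", good, sid))
    print(check_mutating_request("POST", {**good, "Sec-Fetch-Site": "cross-site"}, sid))
```

The order of the checks is deliberate: Sec-Fetch-Site and Origin are cheap header comparisons that reject the bulk of cross-site requests before any MAC is computed, and the token check is what remains for clients that send neither fetch-metadata nor a recognisable Origin.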
Multi-tenancy isolation
Every DB query runs through a TenantScope with verified IDs. Header manipulation meets DB verification, not data access.
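The two multi-tenancy passages above (header-based tenant isolation with DB verification and role-based access, and the TenantScope that every query runs through) are illustrated by this added example, which is not heysuma's code. It uses sqlite3 from the standard library in place of PostgreSQL/SQLAlchemy; the schema, the rows, the header name X-Studio-Id and the class and method names are constructed assumptions.

```python
import sqlite3

# Constructed schema and rows: two studios, one user per studio, a few customers.
SCHEMA = """
CREATE TABLE studios (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE memberships (
    user_id   TEXT    NOT NULL,
    studio_id INTEGER NOT NULL REFERENCES studios(id),
    role      TEXT    NOT NULL,
    PRIMARY KEY (user_id, studio_id)
);
CREATE TABLE customers (
    id        INTEGER PRIMARY KEY,
    studio_id INTEGER NOT NULL REFERENCES studios(id),
    name      TEXT    NOT NULL
);
"""
SEED = [
    ("INSERT INTO studios VALUES (?, ?)", [(1, "Studio Nord"), (2, "Studio Sued")]),
    ("INSERT INTO memberships VALUES (?, ?, ?)", [("alice", 1, "owner"), ("bob", 2, "trainer")]),
    ("INSERT INTO customers VALUES (?, ?, ?)",
     [(10, 1, "Kunde A"), (11, 1, "Kunde B"), (20, 2, "Kunde C")]),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SEED:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


class TenantAccessDenied(Exception):
    """Raised when the header-claimed studio is not backed by a membership row."""


class TenantScope:
    """Holds a verified (user, studio, role) triple. Every query it issues
    carries the studio predicate, so no code path can forget it."""

    def __init__(self, conn: sqlite3.Connection, user_id: str, studio_id: int, role: str):
        self.conn, self.user_id, self.studio_id, self.role = conn, user_id, studio_id, role

    @classmethod
    def from_request(cls, conn: sqlite3.Connection, user_id: str,
                     headers: dict[str, str]) -> "TenantScope":
        # The header is a claim; the memberships table is the verification.
        h = {k.lower(): v for k, v in headers.items()}
        try:
            studio_id = int(h.get("x-studio-id", ""))
        except ValueError:
            raise TenantAccessDenied("missing or malformed X-Studio-Id header")
        row = conn.execute(
            "SELECT role FROM memberships WHERE user_id = ? AND studio_id = ?",
            (user_id, studio_id),
        ).fetchone()
        if row is None:
            raise TenantAccessDenied(f"{user_id} is not a member of studio {studio_id}")
        return cls(conn, user_id, studio_id, row[0])

    def require_role(self, *roles: str) -> None:
        """Role check on top of tenant membership (RBAC within the tenant)."""
        if self.role not in roles:
            raise TenantAccessDenied(f"role {self.role} may not perform this action")

    def list_customers(self) -> list[tuple[int, str]]:
        return self.conn.execute(
            "SELECT id, name FROM customers WHERE studio_id = ? ORDER BY id",
            (self.studio_id,),
        ).fetchall()

    def get_customer(self, customer_id: int):
        # Even a primary-key lookup keeps the tenant predicate: a valid id that
        # belongs to another studio comes back as "not found", not as data.
        return self.conn.execute(
            "SELECT id, name FROM customers WHERE id = ? AND studio_id = ?",
            (customer_id, self.studio_id),
        ).fetchone()


def scope_or_denial(conn: sqlite3.Connection, user_id: str, headers: dict[str, str]) -> str:
    """Walkthrough helper: 'ok:<studio_id>' when the claim verifies, else 'denied'."""
    try:
        return f"ok:{TenantScope.from_request(conn, user_id, headers).studio_id}"
    except TenantAccessDenied:
        return "denied"


if __name__ == "__main__":
    db = build_db()
    print(scope_or_denial(db, "alice", {"X-Studio-Id": "1"}))   # alice's own studio
    print(scope_or_denial(db, "alice", {"X-Studio-Id": "2"}))   # header points at another tenant
    print(TenantScope.from_request(db, "alice", {"X-Studio-Id": "1"}).get_customer(20))
```

Two properties are worth checking in a real code base: that there is no query helper that bypasses the scope (a grep for table names outside the scope module is a cheap audit), and that object-by-id lookups keep the tenant predicate, since that is where cross-tenant reads usually slip in.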
Data encryption
Health data encrypted at rest with Fernet. Key validation at server start. Accesses logged with IP and user ID.
SQL-injection immune
SQLAlchemy ORM only, no raw SQL strings, no string interpolation in queries.
Rate limiting
slowapi at API level, FriendlyCaptcha on public forms.
What this means for you
The same foundation. For your company.
In ~6 weeks.
heysuma was a 3-month solo greenfield. With the AI-native workflow we run today — two senior architects orchestrating a fleet of coding agents — we replicate the same depth in ~6 weeks. We don't resell heysuma — but we build software for manufacturing, trades, services, health, education with the same architecture, the same components and the same discipline. Contracts, billing, customer portal, sales pipeline, multi-location, GDPR: none of this is new territory for us. It's craft from a running platform.