MAAT | Privacy Policy & Data Processing Agreement

Annex I | Last updated: 20/04/2026

This Privacy Policy forms an integral part of MAAT's Terms and Conditions. It explains how we handle your Personal Data when you use the MAAT Platform, who is responsible for it, and what rights you have. We have written this in plain language because we believe you deserve to understand exactly what happens with your data.

Article 1. Who Is Responsible for Your Data

Depending on what you are doing on MAAT, more than one party may be responsible for your data. Here is how that works.

Controller / Processor Structure

There are three roles to be aware of:

  • Data Controller (all users): MAAT HOLDINGS LTD, Pear Tree Street, Dance Square 232, London, EC1V 3AG, United Kingdom. CRN 16800315. This covers your Account, login, platform usage, and support — globally.

  • Data Controller (Academy): Your Academy. This covers your membership, attendance records, and training services.

  • Data Processor: MAAT (on behalf of the Academy). This covers membership management, class bookings, and attendance tracking.

MAAT as Controller

When you create an Account, log in, browse the Platform, or contact our support team, MAAT HOLDINGS LTD determines how and why your data is processed. MAAT HOLDINGS LTD, Pear Tree Street, Dance Square 232, London, EC1V 3AG, United Kingdom (CRN 16800315) is the data controller for all users globally.

Your Academy as Controller

Your Academy independently decides how to manage your membership and training data. MAAT does not control that processing — your Academy does.

MAAT as Processor

For specific operations — managing your membership, processing class bookings, and tracking attendance — MAAT processes your data on behalf of your Academy, following its documented instructions. In those cases:

  • Your Academy is the data controller.

  • MAAT is the data processor.

MAAT and the Academy are bound by a written Data Processing Agreement (DPA), incorporated by reference into these Terms, pursuant to: [Spain / EU] Article 28 GDPR; [United Kingdom] Article 28 UK GDPR and the Data Protection Act 2018.

Not Sure Who to Contact?

  • If your question is about your Account or the Platform, contact MAAT HOLDINGS LTD — info@joinmaat.com.

  • If your question is about your membership or training, contact your Academy directly.

Article 2. What We Do With Your Data

What Data We Collect

We only collect what we actually need:

  • Identification data: Name, email address, phone number.

  • Account data: Username, encrypted password, profile photo.

  • Payment data: Payment method details, processed securely by Stripe.

  • Usage data: Login history, features used, booking history, session duration.

  • Device data: IP address, device type, operating system, browser type.

  • Communication data: Support messages, feedback, enquiries.

A note on special category (sensitive) data. MAAT does not collect or process special category data (including health, biometric, or medical data) as a data controller. If an Academy uploads such data (e.g. fitness certificates, injury records, medical notes), MAAT processes it solely as a data processor acting on the Academy's documented instructions. The Academy is the data controller for such data and is solely responsible for establishing a valid legal basis under Art. 9 GDPR / Art. 9 UK GDPR before uploading. MAAT will not use special category data uploaded by Academies for any purpose other than delivering the contracted Services.

Why We Use Your Data and Our Legal Basis

To deliver the Platform to you

Legal basis: Performance of contract, Art. 6(1)(b) GDPR / Art. 6(1)(b) UK GDPR

  • Create and manage your Account.

  • Authenticate your identity, including via third-party login platforms.

  • Process your payments securely via Stripe.

  • Enable class bookings and attendance tracking.

  • Respond to your support requests and enquiries.

  • Fulfil our pre-contractual and contractual obligations to you.

To comply with the law

Legal basis: Legal obligation, Art. 6(1)(c) GDPR / Art. 6(1)(c) UK GDPR

  • Meet our tax, fiscal, and regulatory obligations.

  • Respond to lawful requests from courts or public authorities.

To run and improve our business

Legal basis: Legitimate interests, Art. 6(1)(f) GDPR / Art. 6(1)(f) UK GDPR

  • Monitor and improve the security, stability, and integrity of the Platform, including detecting and preventing fraud, abuse, and unauthorised access.

  • Conduct internal analytics and aggregated reporting to understand how users interact with the Platform and to develop new features (using anonymised or pseudonymised data where possible).

  • Manage our legal risks, enforce our Terms and Conditions, and bring or defend legal claims.

  • Communicate with you about material updates to the Platform, this Policy, or our Terms that are not purely marketing in nature.

  • Carry out business continuity planning, network security, and IT infrastructure management.

  • Share personal data within the MAAT group for internal administrative purposes.

Before relying on legitimate interests, we carry out a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of that assessment at info@joinmaat.com.

With your consent

Legal basis: Consent, Art. 6(1)(a) GDPR / Art. 6(1)(a) UK GDPR

  • Send you promotional materials, offers, and marketing communications.

  • Conduct market research using automated and traditional methods.

You can withdraw your consent at any time by emailing info@joinmaat.com or using the unsubscribe link in any marketing email. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

How Long We Keep Your Data

We do not keep your data longer than necessary.

  • Contract performance. Spain/EU: Duration of relationship + 5 years (Art. 1964.2 Código Civil). Accounting and tax records retained 4–6 years as required (Art. 30 Código de Comercio; Ley 58/2003). UK: Duration of relationship + 6 years (Limitation Act 1980, s.5).

  • Legal disputes. Spain/EU: Duration of proceedings + until all appeal deadlines expire. UK: Duration of proceedings + until all appeal deadlines expire.

  • Legitimate interests. Spain/EU: Until the interest is fulfilled; deleted upon valid objection. UK: Until the interest is fulfilled; deleted upon valid objection.

  • Legal obligations. Spain/EU: As required by applicable law. UK: As required by applicable law.

  • Consent-based processing. Spain/EU: Until you withdraw consent. UK: Until you withdraw consent.

Where a specific statutory obligation requires retention beyond the general limitation period, data will be retained for the period prescribed by that specific law and no longer. Data retained solely to defend potential legal claims will be kept in a restricted state and accessed only if a claim is made.

When the retention period ends, your data is permanently deleted or anonymised so it can no longer identify you.

Who We Share Your Data With

We do not sell your data. We only share it where necessary:

  • Your Academy: for class bookings, attendance tracking, and membership management.

  • Stripe: our payment processor, for secure transaction processing.

  • Cloud and hosting providers: to operate and maintain the Platform.

  • Legal and regulatory authorities: where required by law or court order.

  • Professional advisers: lawyers, accountants, and auditors, under strict confidentiality obligations.

Where Personal Data is disclosed to third parties who process it on MAAT's behalf, such recipients are bound by a written Data Processing Agreement (DPA) under Art. 28 GDPR / Art. 28 UK GDPR and are required to implement appropriate technical and organisational security measures.

International Data Transfers

Some of our service providers may be located outside the EEA or the United Kingdom. When we transfer your data internationally, we ensure it is protected.

[Spain / EU] — From the EU/EEA

Transfers outside the EEA are governed by Chapter V GDPR, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914/EU).

  • European Commission adequacy decisions.

  • Binding Corporate Rules (BCRs), where applicable.

[United Kingdom] — From the UK

Transfers outside the UK are governed by UK GDPR / DPA 2018, including:

  • UK International Data Transfer Agreement (IDTA), or

  • UK Addendum to EU Standard Contractual Clauses, in accordance with s.119A of the Data Protection Act 2018.

UK ↔ EU/EEA Transfers

Transfers between the UK and the EU/EEA are currently permitted under mutual adequacy decisions (European Commission decision of 28 June 2021 and UK Adequacy Regulations 2021). Adequacy decisions are not permanent and may be amended, suspended, or revoked.

If any adequacy decision ceases to apply, MAAT will implement an alternative transfer mechanism without undue delay and notify affected users. Available alternatives include Standard Contractual Clauses (Art. 46(2)(c) GDPR), UK International Data Transfer Agreements, and the UK Addendum to EU SCCs (s.119A DPA 2018).

For more information about the safeguards in place, contact us at info@joinmaat.com.

Article 3. Your Rights

You are in control of your Personal Data. Here is what you can do.

Rights Available to Everyone

  • Right to be informed: Know how and why we use your data (this Policy).

  • Right of access: Request a copy of the data we hold about you.

  • Right to rectification: Ask us to correct inaccurate or incomplete data.

  • Right to erasure: Ask us to delete your data ("right to be forgotten").

  • Right to restrict processing: Ask us to pause processing in certain circumstances.

  • Right to data portability: Receive your data in a structured, machine-readable format.

  • Right to object: Object to processing based on legitimate interests or for direct marketing (absolute right).

  • Rights on automated decisions: Not be subject to solely automated decisions with legal or significant effects.

  • Right to withdraw consent: Withdraw consent at any time, without affecting prior processing.

Additional Rights — Spain (LOPDGDD)

[Spain / EU] These rights are granted under GDPR and complemented by Ley Orgánica 3/2018 (LOPDGDD):

  • Digital testament (Art. 3 LOPDGDD): Designate a person to exercise your data rights after your death.

  • Right to update information (Art. 85 LOPDGDD): Request correction of outdated information in digital media.

  • Right not to be subject to automated decisions, including profiling, with legal or similarly significant effects (Art. 22 GDPR, developed by LOPDGDD).

Additional Rights — United Kingdom (UK GDPR / DPA 2018)

[United Kingdom] These rights are granted under UK GDPR and, where applicable, the Data Protection Act 2018. All rights listed above apply, with the following specifics:

  • Right of access: Art. 15 UK GDPR / s.45 DPA 2018.

  • Right to object to direct marketing: absolute right, no balancing test required.

  • Rights on automated decisions: Art. 22 UK GDPR.

We will respond to your request within one calendar month. For complex or multiple requests, we may extend this by a further two months — we will notify you if this applies.

We will not charge a fee unless your request is manifestly unfounded or excessive (Art. 12 GDPR [Spain/EU] / Art. 12 UK GDPR [United Kingdom]).

How to Exercise Your Rights

Email us at info@joinmaat.com with your request. We will confirm receipt promptly and respond within the applicable deadline.

How to Complain

We would always appreciate the chance to address your concerns first, but you have the right to go directly to your data protection authority.

  • [Spain / EU]: Agencia Española de Protección de Datos (AEPD) — www.aepd.es — C/ Jorge Juan, 6, 28001 Madrid.

  • [United Kingdom]: Information Commissioner's Office (ICO) — www.ico.org.uk — 0303 123 1113.

Article 4. How We Protect Your Data

We take security seriously. We implement appropriate technical and organisational measures (TOMs) in line with Art. 32 GDPR and Art. 32 UK GDPR, including:

  • Encryption of data in transit and at rest.

  • Access controls and least-privilege principles.

  • Regular testing and evaluation of the effectiveness of our security measures.

  • Ongoing confidentiality, integrity, availability, and resilience of our systems.

Article 5. Data Breaches

If a personal data breach occurs that is likely to affect your rights and freedoms, we will act quickly:

  • [Spain / EU] Notify the AEPD within 72 hours where required under EU GDPR (Art. 33 GDPR).

  • [United Kingdom] Notify the ICO within 72 hours of becoming aware (Art. 33 UK GDPR / s.67 DPA 2018).

  • Inform you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Art. 34 GDPR / Art. 34 UK GDPR).

Article 6. Cookie Policy

What Are Cookies?

Cookies are small text files placed on your device when you use a website or application. They help the Platform recognise your device, remember your preferences, and function securely.

Our Own Cookies

The MAAT Platform uses only strictly necessary session cookies. These cookies:

  • Are essential for secure login, session management, and navigation.

  • Expire automatically when you close the application or browser.

  • Do not track your activity across other websites.

  • Do not collect personal data for marketing or analytics purposes.

Because these cookies are strictly necessary for the Platform to function, they do not require your consent under Art. 5(3) of the ePrivacy Directive, Reg. 6 PECR, and Art. 22.2 LSSI-CE.

We do not use analytics, advertising, targeting, social media, or any other persistent tracking cookies of our own.

Types of Cookies We Use

  • Strictly Necessary cookies. Purpose: Secure login, session management, navigation. Duration: Session (deleted on close). Can you opt out? No — required for the Platform to work.

Third-Party Cookies

Some features of the Platform rely on third-party service providers, for example, Stripe for payment processing. These providers may set their own cookies on your device when you interact with their services.

MAAT does not control these cookies. Where any such cookies go beyond what is strictly necessary, we will ensure:

  • They are only activated with your prior consent, in accordance with Art. 5(3) ePrivacy Directive / Reg. 6 PECR / Art. 22.2 LSSI-CE.

  • You are informed of their purpose and the identity of the third party setting them.

  • You can withdraw your consent at any time.

For more information on how Stripe uses cookies, please refer to Stripe's Cookie Policy at stripe.com/cookie-settings.

Managing Cookies

Because the MAAT Platform currently uses only strictly necessary session cookies, no cookie consent banner is required under:

  • [United Kingdom] Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) and the ICO's Cookie Guidance.

  • [Spain / EU] Art. 5(3) of Directive 2002/58/EC (ePrivacy Directive), as implemented by Art. 22.2 of Ley 34/2002 (LSSI-CE) and the AEPD Cookie Guidelines (2023 edition).

You may still manage or delete session cookies at any time through your browser settings. Please note: disabling strictly necessary cookies may prevent parts of the Platform from functioning correctly.

You can manage cookies through your browser settings:

  • Chrome: Settings → Privacy and Security → Cookies.

  • Safari: Preferences → Privacy → Manage Website Data.

  • Firefox: Options → Privacy & Security → Cookies and Site Data.

  • Edge: Settings → Cookies and Site Permissions.

Cookie Law Compliance

Our cookie practices comply with:

  • [United Kingdom] Privacy and Electronic Communications Regulations 2003 (PECR) and the ICO's Cookie Guidance.

  • [Spain / EU] Directive 2002/58/EC (ePrivacy Directive), as implemented by Ley 34/2002 (LSSI-CE) and the AEPD Cookie Guidelines (2023 edition).

  • [EU] Regulation (EU) 2016/679 (GDPR), Art. 5(1)(e) data minimisation principle.

Article 7. Electronic Marketing

[Spain / EU] — LSSI-CE and ePrivacy Directive

Our email and electronic marketing to EEA users complies with Ley 34/2002 (LSSI-CE) and Directive 2002/58/EC (ePrivacy Directive):

  • We will only send commercial communications by electronic means where you have given your prior express consent (Art. 21.1 LSSI-CE), or where there is a prior commercial relationship (Art. 21.2 LSSI-CE — soft opt-in equivalent).

  • Every commercial communication will clearly identify it as such and include the identity of MAAT HOLDINGS LTD as sender.

  • Every marketing email includes a clear and simple opt-out mechanism. You may also unsubscribe at any time by emailing info@joinmaat.com.

  • We do not send unsolicited commercial electronic communications to individuals without a valid legal basis.

[United Kingdom] — PECR 2003

Our email marketing to UK users complies with the Privacy and Electronic Communications Regulations 2003 (PECR):

  • We rely on soft opt-in only where you are an existing customer and we are marketing similar products or services (Regulation 22 PECR).

  • Every marketing email includes a clear and simple opt-out mechanism.

  • We do not make unsolicited calls to numbers registered with the Telephone Preference Service (TPS).

  • We do not send unsolicited commercial emails to individuals without a valid legal basis.

Both regions: You may withdraw your consent to marketing at any time by emailing info@joinmaat.com or using the unsubscribe link in any marketing email. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

Article 8. Applicable Legal Framework

This Policy is governed by and complies with the following legal instruments:

  • European Union / Spain: Regulation (EU) 2016/679 (GDPR). Supervisory authority: Agencia Española de Protección de Datos (AEPD).

  • Spain: Ley Orgánica 3/2018 (LOPDGDD). Supervisory authority: AEPD — www.aepd.es.

  • United Kingdom: UK GDPR & Data Protection Act 2018. Supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk.

Article 9. Contact Us

Have a question about this Policy or want to exercise your rights? We are here to help.

MAAT HOLDINGS LTD

  • Entity: MAAT HOLDINGS LTD

  • Address: Pear Tree Street, Dance Square 232, London, EC1V 3AG, United Kingdom

  • VAT / Company No.: CRN 16800315

  • Email: info@joinmaat.com

  • Supervisory Authority: ICO — www.ico.org.uk


ANNEX I | Data Processing Agreement

This Data Processing Agreement ("Agreement" or "DPA") forms part of the Terms and Conditions ("Principal Agreement") between:

MAAT HOLDINGS LTD, Pear Tree Street, Dance Square 232, London, EC1V 3AG, United Kingdom (CRN 16800315), and the Academy (the "Controller").

By accepting the Terms and Conditions, the Academy agrees to this Data Processing Agreement. No separate signature is required.

Recitals

(A) The Academy acts as a Data Controller in respect of Personal Data relating to its members, users, instructors, and staff.

(B) The Academy wishes to engage MAAT to provide platform services, including membership management, class bookings, attendance tracking, and payment processing, which involve the processing of Personal Data on behalf of the Academy.

(C) The Parties seek to implement a Data Processing Agreement that complies with the requirements of the current legal framework in relation to data processing, and in particular with: [Spain / EU] Regulation (EU) 2016/679 ("GDPR") and Ley Orgánica 3/2018 ("LOPDGDD"); [United Kingdom] the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018").

(D) The Parties wish to lay down their respective rights and obligations.

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalised terms used in this Agreement shall have the following meanings:

  • "Agreement" means this Data Processing Agreement and all Schedules annexed hereto.

  • "Academy Personal Data" means any Personal Data processed by MAAT on behalf of the Academy pursuant to or in connection with the Principal Agreement.

  • "Data Protection Law" means, as applicable: the GDPR; the UK GDPR and Data Protection Act 2018; the LOPDGDD; and any other applicable data protection or privacy legislation in force from time to time.

  • "EEA" means the European Economic Area.

  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

  • "UK GDPR" means the GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

  • "Services" means the platform services provided by MAAT to the Academy under the Principal Agreement, including membership management, class booking, scheduling, attendance tracking, payment processing, and user account support.

  • "Sub-processor" means any third party engaged by MAAT to process Academy Personal Data on behalf of the Academy in connection with this Agreement.

  • "Data Transfer" means: (a) a transfer of Academy Personal Data from MAAT to a Sub-processor; or (b) an onward transfer of Academy Personal Data from a Sub-processor to another Sub-processor, where such transfer would be restricted or prohibited by Data Protection Law.

  • "TOMs" means technical and organisational measures implemented to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR / Art. 32 UK GDPR.

1.2 The terms "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Supervisory Authority", "Special Category Data", and "Profiling" shall have the same meanings as in the applicable Data Protection Law.

2. Scope and Purpose of Processing

2.1 Subject Matter

MAAT processes Academy Personal Data solely to provide the Services to the Academy under the Principal Agreement, including:

  • membership management;

  • class booking and scheduling;

  • attendance tracking;

  • payment processing (via Stripe);

  • user account support;

  • display of instructor and staff information on the Platform.

2.2 Nature of Processing

Collection, storage, organisation, structuring, retrieval, use, disclosure, and deletion of Academy Personal Data through the MAAT Platform.

2.3 Categories of Data Subjects

Members, users, instructors, and staff of the Academy who use or are listed on the MAAT Platform.

2.4 Categories of Personal Data

  • Identification data: Name, email address, phone number.

  • Account data: Username, profile photo, date of birth.

  • Payment data: Payment method details (tokenised and processed by Stripe).

  • Usage data: Booking history, attendance records, session data.

  • Device data: IP address, device type, operating system.

  • Instructor / Staff data: Names, email addresses, class schedules.

2.5 Special Category Data

MAAT does not process Special Category Data as a data controller. Where the Academy uploads or causes MAAT to process Special Category Data through the Platform (including health information, medical records, fitness assessments, biometric data, or injury records), the following conditions apply:

  • (a) The Academy is the sole data controller of such Special Category Data and is exclusively responsible for ensuring that a valid condition under Art. 9(2) GDPR / Art. 9(2) UK GDPR has been satisfied before such data is uploaded to or processed via the Platform.

  • (b) MAAT processes such Special Category Data solely as data processor, acting on the Academy's documented instructions, and solely to the extent necessary to deliver the Services.

  • (c) The Academy shall notify MAAT in writing before uploading or causing MAAT to process any Special Category Data. MAAT reserves the right to decline to process Special Category Data if the Academy cannot demonstrate a valid Art. 9(2) condition.

  • (d) MAAT shall implement appropriate technical and organisational measures to protect Special Category Data in accordance with Clause 5 of this Agreement.

2.6 Duration

This Agreement shall remain in force for the duration of the Principal Agreement and until all Academy Personal Data has been returned or deleted in accordance with Clause 10.

3. Processing of Academy Personal Data

3.1 MAAT shall:

  • (a) comply with all applicable Data Protection Law in the processing of Academy Personal Data; and

  • (b) not process Academy Personal Data other than on the Academy's documented instructions, unless required to do so by applicable law. Where MAAT is required by law to process Academy Personal Data, MAAT shall inform the Academy of that requirement before processing, unless prohibited by law from doing so.

3.2 The Academy, by accepting the Terms and Conditions, instructs MAAT to process Academy Personal Data for the purposes set out in Clause 2.

4. Processor Personnel

MAAT shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Academy Personal Data. Access shall be strictly limited to those individuals who need to access the relevant data, as strictly necessary for the purposes of the Principal Agreement. MAAT shall ensure that all such individuals are subject to appropriate confidentiality undertakings or statutory obligations of confidentiality.

5. Security

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, MAAT shall implement appropriate TOMs to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR / Art. 32 UK GDPR.

5.2 In assessing the appropriate level of security, MAAT shall take account in particular of the risks presented by processing, including those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Academy Personal Data.

5.3 MAAT may update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection afforded to Academy Personal Data.

6. Sub-processing

6.1 General Authorisation

The Academy grants MAAT general written authorisation to engage Sub-processors. MAAT shall inform the Academy of any intended changes to the list of Sub-processors (additions or replacements), giving the Academy a reasonable opportunity to object to such changes.

6.2 Sub-processor Obligations

MAAT shall impose equivalent data protection obligations on each Sub-processor by way of a written contract, as required by Art. 28(4) GDPR / Art. 28(4) UK GDPR. MAAT remains fully liable to the Academy for the performance of each Sub-processor's obligations under this Agreement.

6.3 Objection

If the Academy objects to a new Sub-processor, it shall notify MAAT in writing within 14 calendar days of receiving notice of the intended change. The Parties shall cooperate in good faith to resolve the objection. If no resolution is reached within a reasonable time, either Party may terminate the affected Services on reasonable written notice without penalty.

7. Data Subject Rights

7.1 Taking into account the nature of the processing, MAAT shall assist the Academy by implementing appropriate TOMs, insofar as reasonably possible, to enable the Academy to fulfil its obligations to respond to Data Subject rights requests under applicable Data Protection Law.

7.2 MAAT shall:

  • (a) promptly notify the Academy if it receives a request from a Data Subject under any Data Protection Law in respect of Academy Personal Data; and

  • (b) not respond to that request except on the documented instructions of the Academy, or as required by applicable law. Where MAAT is required by law to respond, it shall, to the extent permitted by law, inform the Academy of that legal requirement before responding.

7.3 MAAT shall provide such assistance within a timeframe that enables the Academy to comply with its legal obligations, generally within one calendar month of the request.

8. Personal Data Breach

8.1 MAAT shall notify the Academy without undue delay, and in any event no later than 48 hours, after becoming aware of a Personal Data Breach affecting Academy Personal Data.

8.2 The notification shall include, to the extent available at the time:

  • a description of the nature of the breach, including categories and approximate number of Data Subjects and records affected;

  • the name and contact details of the relevant contact point;

  • the likely consequences of the breach;

  • the measures taken or proposed to address the breach and mitigate its effects.

8.3 The Academy remains solely responsible for notifying its competent Supervisory Authority in accordance with applicable Data Protection Law:

  • [Spain / EU Academies]: The Agencia Española de Protección de Datos (AEPD) (or other competent EU supervisory authority), within 72 hours of becoming aware of the breach (Art. 33 GDPR).

  • [UK Academies]: The Information Commissioner's Office (ICO), within 72 hours of becoming aware of the breach (Art. 33 UK GDPR / s.67 DPA 2018).

For the avoidance of doubt, these are alternative obligations based on the Academy's location, not cumulative obligations. MAAT's notification to the Academy under Clause 8.1 is designed to assist the Academy in meeting whichever notification deadline applies to it.

8.4 MAAT shall cooperate fully with the Academy and provide all reasonable assistance in managing, investigating, and mitigating the breach.

9. Data Protection Impact Assessment and Prior Consultation

Where required by Art. 35 or Art. 36 GDPR / Art. 35 or Art. 36 UK GDPR, MAAT shall provide reasonable assistance to the Academy in carrying out Data Protection Impact Assessments and, where necessary, prior consultation with the relevant Supervisory Authority, taking into account the nature of the processing and the information available to MAAT.

10. Deletion or Return of Academy Personal Data

10.1 Upon expiry or termination of the Principal Agreement, MAAT shall, at the Academy's written election, either delete or return all Academy Personal Data processed under this Agreement.

10.2 MAAT shall complete such deletion or return within 30 calendar days of the Academy's written request (the "Cessation Date").

10.3 MAAT shall provide written confirmation of deletion upon request.

10.4 MAAT may retain Academy Personal Data where required by applicable law. In such cases, MAAT shall notify the Academy of the retention, the legal basis for it, and the expected duration, and shall continue to protect such data in accordance with this Agreement.

11. Audit Rights

11.1 MAAT shall make available to the Academy all information reasonably necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits and inspections conducted by the Academy or a third-party auditor appointed by the Academy.

11.2 Audits shall be subject to:

  • (a) at least 30 calendar days' prior written notice;

  • (b) agreement on scope, timing, and confidentiality obligations;

  • (c) conduct during normal business hours and in a manner that minimises disruption to MAAT's operations; and

  • (d) a maximum of once per calendar year, unless a material breach of this Agreement has been identified or is reasonably suspected, in which case the Academy may request an additional audit on reasonable notice.

11.3 The cost of any audit shall be borne by the Academy, unless the audit reveals a material breach of this Agreement by MAAT, in which case costs shall be borne by MAAT.

11.4 Audit rights under Clause 11.1 only arise to the extent not already satisfied by information or certifications otherwise provided by MAAT that meet the relevant requirements of Data Protection Law.

12. International Data Transfers

12.1 Transfers from the EU/EEA

Any transfer of Academy Personal Data outside the EEA shall be governed by one of the following safeguards (Chapter V GDPR):

  • Standard Contractual Clauses (SCCs), Commission Decision 2021/914/EU.

  • European Commission adequacy decision.

  • Binding Corporate Rules (BCRs), where applicable.

12.2 Transfers from the United Kingdom

Any transfer of Academy Personal Data outside the UK shall be governed by (s.119A DPA 2018):

  • UK International Data Transfer Agreement (IDTA); or

  • UK Addendum to the EU Standard Contractual Clauses.

12.3 UK ↔ EU/EEA Transfers

Transfers between the UK and the EU/EEA are currently permitted under mutual adequacy decisions (European Commission decision of 28 June 2021 and the UK Adequacy Regulations 2021 (SI 2021/114)). These decisions are subject to periodic review. Where any adequacy decision is suspended, revoked, or otherwise ceases to apply, the Parties shall promptly implement an alternative transfer safeguard under Clause 12.1 or 12.2 as applicable.

12.4 MAAT shall not transfer, or authorise the transfer of, Academy Personal Data to countries outside the EU/EEA or the UK without the prior written consent of the Academy, except where a safeguard listed in Clauses 12.1 or 12.2 is in place.

13. General Terms

13.1 Confidentiality

Each Party shall keep this Agreement and all information received about the other Party in connection with this Agreement ("Confidential Information") confidential, and shall not use or disclose such Confidential Information without the prior written consent of the other Party, except: (a) where disclosure is required by applicable law or by order of a competent authority; or (b) where the relevant information is already in the public domain through no fault of the disclosing Party.

13.2 Notices

All notices and communications under this Agreement shall be in writing and delivered personally, by post, or by email to the addresses set out in the Principal Agreement, or such other address as notified in writing from time to time.

13.3 Entire Agreement

This Agreement, together with the Principal Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and representations relating to data processing.

13.4 Severability

If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.5 Amendment

  • (a) This Agreement may only be amended by mutual written agreement of both Parties, except as provided in sub-clause (b) below.

  • (b) Where an amendment is required solely to reflect a mandatory change in applicable Data Protection Law (including updated regulatory guidance from the AEPD or ICO), MAAT may propose such amendment by giving the Academy no less than 30 calendar days' written notice. If the Academy does not object in writing within that period, the amendment shall be deemed accepted.

  • (c) If the Academy objects to a proposed amendment under sub-clause (b), the Parties shall negotiate in good faith. If no agreement is reached within 30 calendar days of the objection, either Party may terminate the affected Services on reasonable written notice without penalty.

14. Liability

14.1 Each Party's liability under this Agreement is subject to the limitations and exclusions set out in the Principal Agreement.

14.2 The Academy shall indemnify and hold MAAT harmless against any claims, damages, fines, or penalties arising from the Academy's failure to comply with its obligations as data controller under applicable Data Protection Law or this Agreement.

14.3 MAAT shall indemnify the Academy against any claims, damages, fines, or penalties arising solely and directly from MAAT's failure to comply with its obligations as data processor under this Agreement or applicable Data Protection Law.

15. Governing Law and Jurisdiction

  • EEA Academies. Governing law: Laws of England and Wales. EU GDPR applies to the processing of personal data of EEA data subjects, without prejudice to mandatory EEA consumer protection laws. Jurisdiction: Courts of England and Wales. EEA consumers retain the right to bring claims in their home jurisdiction where required by applicable mandatory law. Supervisory authority: ICO — www.ico.org.uk. EEA data subjects may also lodge a complaint with their local supervisory authority.

  • United Kingdom Academies. Governing law: UK GDPR & Data Protection Act 2018. Jurisdiction: Courts of England and Wales. Supervisory authority: ICO — www.ico.org.uk.

Any dispute arising in connection with this Agreement which the Parties are unable to resolve amicably shall be submitted to the exclusive jurisdiction of the Courts of England and Wales. Nothing in this clause limits any mandatory rights of EEA consumers to bring claims in their home jurisdiction under applicable local law, nor does it affect the rights of EEA data subjects to lodge complaints with their local supervisory authority under the EU GDPR.

16. Contact Details

MAAT HOLDINGS LTD

  • Entity: MAAT HOLDINGS LTD

  • Address: Pear Tree Street, Dance Square 232, London, EC1V 3AG, United Kingdom

  • Company No.: CRN 16800315

  • Email: info@joinmaat.com