Privacy Policy & Data Processing Agreement

Annex I  |  Last updated: 20/04/2026


This Privacy Policy forms an integral part of MAAT’s Terms and Conditions. It explains how we handle your Personal Data when you use the MAAT Platform, who is responsible for it, and what rights you have. We have written this in plain language because we believe you deserve to understand exactly what happens with your data — not just tick a box.


Article 1. Who Is Responsible for Your Data

Depending on what you are doing on MAAT, more than one party may be responsible for your data. Here is how that works.

Dual Controller Structure

  • Data Controller (EEA users)

      • Responsible Party: MAAT IBERIA S.L.

      • Address: Calle Conde de Peñalver 38, 6th floor, D door

      • VAT/Company No.: B26901454

      • What it covers:

          • Your account and login

          • Platform usage

          • Customer support

      • Applies if you are located in the EEA

  • Data Controller (non-EEA / UK users)

      • Responsible Party: MAAT HOLDINGS LTD (the “Principal”)

      • Address: Pear Tree Street, Dance Square 232, London, EC1V 3AG, United Kingdom

      • What it covers:

          • Your account and login

          • Platform usage

          • Customer support

      • Applies if you are located outside the EEA

  • Data Controller (Academy)

      • Responsible Party: Your Academy

      • What it covers:

          • Your membership

          • Attendance records

          • Training services

  • Data Processor

      • Responsible Party: MAAT (on behalf of the Academy)

      • What it covers:

          • Membership management

          • Class bookings

          • Attendance tracking

MAAT as Controller

When you create an Account, log in, browse the Platform, or contact our support team, MAAT determines how and why your data is processed. Depending on your location:

  • EEA users: the data controller is MAAT IBERIA S.L., Calle Conde de Peñalver 38, 6th floor, D door. VAT/Company No. B26901454

  • Non-EEA users (including UK users): the data controller is MAAT HOLDINGS LTD, Pear Tree Street, Dance Square 232, London, EC1V 3AG, United Kingdom

References to ‘MAAT’ throughout this Policy should be read accordingly.

Your Academy as Controller

Your Academy independently decides how to manage your membership and training data. MAAT does not control that processing — your Academy does.

MAAT as Processor

For specific operations — managing your membership, processing class bookings, and tracking attendance — MAAT processes your data on behalf of your Academy, following its documented instructions. In those cases:

  • Your Academy is the data controller.

  • MAAT is the data processor.

MAAT and the Academy are bound by a written Data Processing Agreement (DPA), incorporated by reference into these Terms, pursuant to: [Spain / EU] Article 28 GDPR; [United Kingdom] Article 28 UK GDPR and the Data Protection Act 2018.

Not Sure Who to Contact?

If your question is about your account or the Platform:

  • Contact: MAAT

      • EEA users: MAAT IBERIA S.L.

      • Non-EEA / UK users: MAAT HOLDINGS LTD

  • Email: info@joinmaat.com

If your question is about your membership or training:

  • Contact your Academy directly

Article 2. What We Do With Your Data

What Data We Collect

We only collect what is necessary:

  • Identification data

      • Name

      • Email address

      • Phone number

  • Account data

      • Username

      • Encrypted password

      • Profile photo

  • Payment data

      • Payment method details

      • Processed securely by Stripe

  • Usage data

      • Login history

      • Features used

      • Booking history

      • Session duration

  • Device data

      • IP address

      • Device type

      • Operating system

      • Browser type

  • Communication data

      • Support messages

      • Feedback

      • Enquiries

A note on special category (sensitive) data. MAAT does not collect or process special category data (including health, biometric, or medical data) as a data controller. If an Academy uploads such data (e.g. fitness certificates, injury records, medical notes), MAAT processes it solely as a data processor acting on the Academy’s documented instructions. The Academy is the data controller for such data and is solely responsible for establishing a valid legal basis under Art. 9 GDPR / Art. 9 UK GDPR before uploading. MAAT will not use special category data uploaded by Academies for any purpose other than delivering the contracted Services.

Why We Use Your Data and Our Legal Basis

To deliver the Platform to you

Legal basis: Performance of contract, Art. 6(1)(b) GDPR / Art. 6(1)(b) UK GDPR

  • Create and manage your Account.

  • Authenticate your identity, including via third-party login platforms.

  • Process your payments securely via Stripe.

  • Enable class bookings and attendance tracking.

  • Respond to your support requests and enquiries.

  • Fulfil our pre-contractual and contractual obligations to you.

To comply with the law

Legal basis: Legal obligation, Art. 6(1)(c) GDPR / Art. 6(1)(c) UK GDPR

  • Meet our tax, fiscal, and regulatory obligations.

  • Respond to lawful requests from courts or public authorities.

To run and improve our business

Legal basis: Legitimate interests, Art. 6(1)(f) GDPR / Art. 6(1)(f) UK GDPR

  • Monitor and improve the security, stability, and integrity of the Platform, including detecting and preventing fraud, abuse, and unauthorised access.

  • Conduct internal analytics and aggregated reporting to understand how users interact with the Platform and to develop new features (using anonymised or pseudonymised data where possible).

  • Manage our legal risks, enforce our Terms and Conditions, and bring or defend legal claims.

  • Communicate with you about material updates to the Platform, this Policy, or our Terms that are not purely marketing in nature.

  • Carry out business continuity planning, network security, and IT infrastructure management.

  • Share personal data within the MAAT group for internal administrative purposes, subject to intra-group data sharing arrangements.

Before relying on legitimate interests, we carry out a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of that assessment at info@joinmaat.com.

With your consent

Legal basis: Consent, Art. 6(1)(a) GDPR / Art. 6(1)(a) UK GDPR

  • Send you promotional materials, offers, and marketing communications.

  • Conduct market research using automated and traditional methods.

You can withdraw your consent at any time by emailing info@joinmaat.com or using the unsubscribe link in any marketing email. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

How Long We Keep Your Data

We do not keep your data longer than necessary.

Contract performance

  • Spain / EU:

      • Duration of the relationship + 5 years (Art. 1964.2 Código Civil)

      • Accounting and tax records: retained 4–6 years as required (Art. 30 Código de Comercio; Ley 58/2003)

  • United Kingdom:

      • Duration of the relationship + 6 years (Limitation Act 1980, s.5)

Legal disputes

  • Spain / EU and United Kingdom:

      • Duration of proceedings + until all appeal deadlines expire

Legitimate interests

  • Spain / EU and United Kingdom:

      • Until the interest is fulfilled

      • Deleted upon valid objection

Legal obligations

  • Spain / EU and United Kingdom:

      • Retained as required by applicable law

Consent-based processing

  • Spain / EU and United Kingdom:

      • Retained until you withdraw your consent

Where a specific statutory obligation requires retention beyond the general limitation period, data will be retained for the period prescribed by that specific law and no longer. Data retained solely to defend potential legal claims will be kept in a restricted state and accessed only if a claim is made.

When the retention period ends, your data is permanently deleted or anonymised so it can no longer identify you.

Who We Share Your Data With

We do not sell your data. We only share it where necessary:

  • Your Academy: for class bookings, attendance tracking, and membership management.

  • Stripe: our payment processor, for secure transaction processing.

  • Cloud and hosting providers: to operate and maintain the Platform.

  • Legal and regulatory authorities: where required by law or court order.

  • Professional advisers: lawyers, accountants, and auditors, under strict confidentiality obligations.

Where Personal Data is disclosed to third parties who process it on MAAT’s behalf, such recipients are bound by a written Data Processing Agreement (DPA) under Art. 28 GDPR / Art. 28 UK GDPR and are required to implement appropriate technical and organisational security measures.

International Data Transfers

Some of our service providers may be located outside the EEA or the United Kingdom. When we transfer your data internationally, we ensure it is protected.

[Spain / EU] — From the EU/EEA

Transfers outside the EEA are governed by Chapter V GDPR, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914/EU).

  • European Commission adequacy decisions.

  • Binding Corporate Rules (BCRs), where applicable.

[United Kingdom] — From the UK

Transfers outside the UK are governed by UK GDPR / DPA 2018, including:

  • UK International Data Transfer Agreement (IDTA), or

  • UK Addendum to EU Standard Contractual Clauses, in accordance with s.119A of the Data Protection Act 2018.

UK ↔ EU/EEA Transfers

Transfers between the UK and the EU/EEA are currently permitted under mutual adequacy decisions (European Commission decision of 28 June 2021 and UK Adequacy Regulations 2021). Adequacy decisions are not permanent and may be amended, suspended, or revoked.

If any adequacy decision ceases to apply, MAAT will implement an alternative transfer mechanism without undue delay and notify affected users. Available alternatives include Standard Contractual Clauses (Art. 46(2)(c) GDPR), UK International Data Transfer Agreements, and the UK Addendum to EU SCCs (s.119A DPA 2018).

For more information about the safeguards in place, contact us at info@joinmaat.com.

Article 3. Your Rights

You are in control of your Personal Data. Here is what you can do.

Rights Available to Everyone

  • Right to be informed

      • Know how and why we use your data (this Policy)

  • Right of access

      • Request a copy of the data we hold about you

  • Right to rectification

      • Ask us to correct inaccurate or incomplete data

  • Right to erasure

      • Ask us to delete your data (“right to be forgotten”)

  • Right to restrict processing

      • Ask us to pause processing in certain circumstances

  • Right to data portability

      • Receive your data in a structured, machine-readable format

  • Right to object

      • Object to processing based on legitimate interests or for direct marketing (absolute right)

  • Rights on automated decisions

      • Not be subject to solely automated decisions with legal or significant effects

  • Right to withdraw consent

      • Withdraw consent at any time, without affecting prior processing

Additional Rights — Spain (LOPDGDD)

[Spain / EU] These rights are granted under GDPR and complemented by Ley Orgánica 3/2018 (LOPDGDD):

  • Digital testament (Art. 3 LOPDGDD): Designate a person to exercise your data rights after your death.

  • Right to update information (Art. 85 LOPDGDD): Request correction of outdated information in digital media.

  • Right not to be subject to automated decisions, including profiling, with legal or similarly significant effects (Art. 22 GDPR, developed by LOPDGDD).

Additional Rights — United Kingdom (UK GDPR / DPA 2018)

[United Kingdom] These rights are granted under UK GDPR and, where applicable, the Data Protection Act 2018. All rights listed above apply, with the following specifics:

  • Right of access: Art. 15 UK GDPR / s.45 DPA 2018.

  • Right to object to direct marketing: absolute right, no balancing test required.

  • Rights on automated decisions: Art. 22 UK GDPR.

We will respond to your request within one calendar month. For complex or multiple requests, we may extend this by a further two months — we will notify you if this applies.

We will not charge a fee unless your request is manifestly unfounded or excessive (Art. 12 GDPR [Spain/EU] / Art. 12 UK GDPR [United Kingdom]).

How to Exercise Your Rights

Email us at info@joinmaat.com with your request. We will confirm receipt promptly and respond within the applicable deadline.

How to Complain

We would always appreciate the chance to address your concerns first, but you have the right to go directly to your data protection authority.

You have the right to lodge a complaint with your data protection authority:

  • Spain / EU

      • Authority: Agencia Española de Protección de Datos (AEPD)

      • Website: www.aepd.es

      • Address: C/ Jorge Juan, 6, 28001 Madrid

  • United Kingdom

      • Authority: Information Commissioner’s Office (ICO)

      • Website: www.ico.org.uk

      • Phone: 0303 123 1113

Article 4. How We Protect Your Data

We take security seriously. We implement appropriate technical and organisational measures (TOMs) in line with Art. 32 GDPR and Art. 32 UK GDPR, including:

  • Encryption of data in transit and at rest.

  • Access controls and least-privilege principles.

  • Regular testing and evaluation of the effectiveness of our security measures.

  • Ongoing confidentiality, integrity, availability, and resilience of our systems.


Article 5. Data Breaches

If a personal data breach occurs that is likely to affect your rights and freedoms, we will act quickly:

  • [Spain / EU] Notify the AEPD within 72 hours where required under EU GDPR (Art. 33 GDPR).

  • [United Kingdom] Notify the ICO within 72 hours of becoming aware (Art. 33 UK GDPR / s.67 DPA 2018).

  • Inform you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Art. 34 GDPR / Art. 34 UK GDPR).


Article 6. Cookie Policy

What Are Cookies?

Cookies are small text files placed on your device when you use a website or application. They help the Platform recognise your device, remember your preferences, and function securely.

Our Own Cookies

The MAAT Platform uses only strictly necessary session cookies. These cookies:

  • Are essential for secure login, session management, and navigation.

  • Expire automatically when you close the application or browser.

  • Do not track your activity across other websites.

  • Do not collect personal data for marketing or analytics purposes.

Because these cookies are strictly necessary for the Platform to function, they do not require your consent under Art. 5(3) of the ePrivacy Directive, Reg. 6 PECR, and Art. 22.2 LSSI-CE.

We do not use analytics, advertising, targeting, social media, or any other persistent tracking cookies of our own.

Types of Cookies We Use

Strictly Necessary Cookies

  • Purpose:

      • Secure login

      • Session management

      • Navigation

  • Duration:

      • Session (deleted when you close the application or browser)

  • Can you opt out?

      • No — these cookies are required for the Platform to function properly

Third-Party Cookies

Some features of the Platform rely on third-party service providers, for example, Stripe for payment processing. These providers may set their own cookies on your device when you interact with their services.

MAAT does not control these cookies. Where any such cookies go beyond what is strictly necessary, we will ensure:

  • They are only activated with your prior consent, in accordance with Art. 5(3) ePrivacy Directive / Reg. 6 PECR / Art. 22.2 LSSI-CE.

  • You are informed of their purpose and the identity of the third party setting them.

  • You can withdraw your consent at any time.

For more information on how Stripe uses cookies, please refer to Stripe’s Cookie Policy at stripe.com/cookie-settings.

Managing Cookies

Because the MAAT Platform currently uses only strictly necessary session cookies, no cookie consent banner is required under:

  • [United Kingdom] Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) and the ICO’s Cookie Guidance.

  • [Spain / EU] Art. 5(3) of Directive 2002/58/EC (ePrivacy Directive), as implemented by Art. 22.2 of Ley 34/2002 (LSSI-CE) and the AEPD Cookie Guidelines (2023 edition).

You may still manage or delete session cookies at any time through your browser settings. Please note: disabling strictly necessary cookies may prevent parts of the Platform from functioning correctly.

You can manage or delete cookies through your browser settings:

  • Chrome

      • Settings → Privacy and Security → Cookies

  • Safari

      • Preferences → Privacy → Manage Website Data

  • Firefox

      • Options → Privacy & Security → Cookies and Site Data

  • Edge

      • Settings → Cookies and Site Permissions

Cookie Law Compliance

Our cookie practices comply with:

  • [United Kingdom] Privacy and Electronic Communications Regulations 2003 (PECR) and the ICO’s Cookie Guidance.

  • [Spain / EU] Directive 2002/58/EC (ePrivacy Directive), as implemented by Ley 34/2002 (LSSI-CE) and the AEPD Cookie Guidelines (2023 edition).

  • [EU] Regulation (EU) 2016/679 (GDPR), Art. 5(1)(e) data minimisation principle.


Article 7. Electronic Marketing

[Spain / EU] — LSSI-CE and ePrivacy Directive

Our email and electronic marketing to EEA users complies with Ley 34/2002 (LSSI-CE) and Directive 2002/58/EC (ePrivacy Directive):

  • We will only send commercial communications by electronic means where you have given your prior express consent (Art. 21.1 LSSI-CE), or where there is a prior commercial relationship (Art. 21.2 LSSI-CE — soft opt-in equivalent).

  • Every commercial communication will be clearly identified as such and include the identity of MAAT IBERIA S.L. as sender.

  • Every marketing email includes a clear and simple opt-out mechanism. You may also unsubscribe at any time by emailing info@joinmaat.com.

  • We do not send unsolicited commercial electronic communications to individuals without a valid legal basis.

[United Kingdom] — PECR 2003

Our email marketing to UK users complies with the Privacy and Electronic Communications Regulations 2003 (PECR):

  • We rely on soft opt-in only where you are an existing customer and we are marketing similar products or services (Regulation 22 PECR).

  • Every marketing email includes a clear and simple opt-out mechanism.

  • We do not make unsolicited calls to numbers registered with the Telephone Preference Service (TPS).

  • We do not send unsolicited commercial emails to individuals without a valid legal basis.

Both regions: You may withdraw your consent to marketing at any time by emailing info@joinmaat.com or using the unsubscribe link in any marketing email. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

Article 8. Applicable Legal Framework

This Policy is governed by and complies with the following legal instruments:

  • European Union / Spain

      • Applicable law: Regulation (EU) 2016/679 (GDPR)

      • Supervisory authority: Agencia Española de Protección de Datos (AEPD)

  • Spain

      • Applicable law: Ley Orgánica 3/2018 (LOPDGDD)

      • Supervisory authority: AEPD

      • Website: www.aepd.es

  • United Kingdom

      • Applicable law: UK GDPR & Data Protection Act 2018

      • Supervisory authority: Information Commissioner’s Office (ICO)

      • Website: www.ico.org.uk

Article 9. Contact Us

Have a question about this Policy or want to exercise your rights? We are here to help.

EEA Users

  • Entity: MAAT IBERIA S.L.

  • Address: Calle Conde de Peñalver 38, 6th floor, D door

  • VAT / Company No.: B26901454

  • Email: info@joinmaat.com

  • Supervisory Authority: AEPD

  • Website: www.aepd.es

Non-EEA / UK Users