Privacy Policy

Effective Date: October 15, 2025
Last Updated: October 15, 2025

1. Introduction

Welcome to MatSync. We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application, admin panel, and mobile applications (iOS and Android) (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our Services.

2. Information We Collect

2.1 Personal Information You Provide

We collect personal information that you voluntarily provide when:

  • Creating an account or registering for our Services
  • Updating your profile information
  • Making payments or managing subscriptions
  • Contacting us for customer support
  • Participating in surveys or promotions

Personal information may include:

  • Contact Information: Name, email address, phone number, mailing address
  • Account Credentials: Username, password (encrypted)
  • Profile Information: Date of birth, gender, profile photo, skill level, belt rank
  • Payment Information: Billing address, payment card details (processed securely through third-party payment processors)
  • Health & Fitness Data: Progress tracking, workout history, attendance records, performance metrics
  • Communication Data: Messages, feedback, support requests

2.2 Information Automatically Collected

When you access our Services, we automatically collect certain information about your device and usage patterns:

  • Device Information: Device type, operating system, unique device identifiers, mobile network information
  • Usage Data: Pages visited, features used, time spent on pages, navigation paths, session duration
  • Technical Data: IP address, browser type and version, time zone, location data (with your consent)
  • Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies to enhance user experience and analyze usage patterns

2.3 Information from Third Parties

We may receive information about you from:

  • Payment processors (transaction details, payment status)
  • Analytics providers (aggregated usage statistics)
  • Facility managers or gym owners (membership status, class attendance)

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 To Provide and Maintain Our Services

  • Create and manage user accounts
  • Process payments and manage subscriptions
  • Enable scheduling, attendance tracking, and progress monitoring
  • Facilitate communication between members and facility managers
  • Provide customer support and respond to inquiries

3.2 To Improve and Optimize Our Services

  • Analyze usage patterns and user preferences
  • Develop new features and functionality
  • Conduct research and statistical analysis
  • Troubleshoot technical issues and bugs

3.3 For Communication and Marketing

  • Send service-related notifications and updates
  • Provide promotional offers and marketing communications (with your consent)
  • Send newsletters and educational content
  • Request feedback and conduct surveys

3.4 For Security and Legal Compliance

  • Protect against fraudulent, unauthorized, or illegal activity
  • Enforce our Terms of Service and other policies
  • Comply with legal obligations and respond to legal requests
  • Protect the rights, property, and safety of our users and the public

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our Services and fulfill our contractual obligations
  • Consent: You have given explicit consent for specific processing activities
  • Legitimate Interests: Processing necessary for our legitimate business interests (e.g., improving Services, fraud prevention)
  • Legal Obligations: Processing required to comply with applicable laws and regulations

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

5.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

  • Hosting and Infrastructure: Supabase (database and authentication services)
  • Payment Processing: Stripe and other payment processors
  • Analytics: Web and mobile analytics providers
  • Email and Communications: Email service providers

5.2 Business Partners

With your consent, we may share information with:

  • Facility managers and gym owners (for members of their facilities)
  • Training partners and instructors (for scheduling and progress tracking)

5.3 Legal Requirements

We may disclose information if required by law or in response to:

  • Subpoenas, court orders, or legal processes
  • Requests from government authorities or law enforcement
  • Protection of our legal rights or the safety of others

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity.

6. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.

We ensure appropriate safeguards are in place for international transfers:

  • EU-U.S. Data Privacy Framework: Our service providers comply with applicable frameworks
  • Standard Contractual Clauses: We use EU-approved standard contractual clauses
  • Adequacy Decisions: Transfers to countries with adequate data protection levels as recognized by the European Commission

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention periods:

  • Account Information: Retained for the duration of your account plus up to 10 years for legal and tax purposes
  • Transaction Records: Retained for 7-10 years as required by applicable financial regulations
  • Usage Data: Typically retained for 2-3 years for analytics and improvement purposes
  • Marketing Data: Retained until you withdraw consent or request deletion

After the retention period, we will securely delete or anonymize your personal information.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

8.1 General Rights

  • Access: Request a copy of your personal information
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal obligations)
  • Data Portability: Receive your data in a structured, machine-readable format
  • Withdraw Consent: Withdraw consent for processing based on consent
  • Object to Processing: Object to processing based on legitimate interests

8.2 Rights Under GDPR (EEA/UK/Switzerland)

  • Right to restrict processing
  • Right to lodge a complaint with your local supervisory authority
  • Right to object to automated decision-making and profiling

8.3 Rights Under CCPA (California Residents)

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to opt out of the sale of personal information
  • Right to non-discrimination for exercising privacy rights

8.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: [email protected]
  • Settings: Access your account settings in the admin panel or mobile app

We will respond to your request within 30 days (or as required by applicable law).

8.5 Account Deletion

You have the right to request deletion of your account and associated personal data at any time. This is a permanent action that cannot be undone.

How to Delete Your Account

You can delete your account through:

  • In-App Settings: Navigate to Settings → Account → Delete Account in the mobile app or admin panel
  • Email Request: Send a deletion request to [email protected] from your registered email address

What Happens When You Delete Your Account

Upon account deletion:

  • Immediate: Your account will be deactivated immediately and you will lose access to all Services
  • Within 30 days: Your personal information will be permanently deleted from our active databases
  • Backups: Data in backup systems will be deleted within 90 days as backups are cycled out

Data Retention After Deletion

Some information may be retained for legitimate business purposes or legal compliance:

  • Transaction Records: Financial transaction data may be retained for 7-10 years as required by tax and financial regulations
  • Legal Obligations: Data required for ongoing legal proceedings, disputes, or regulatory investigations
  • Anonymized Data: Aggregated, anonymized analytics data that cannot identify you personally
  • Security Logs: Access logs and security-related data retained for fraud prevention and security purposes (typically 2 years)

Note for Google Play Users: This account deletion policy complies with Google Play's data deletion requirements. If you downloaded our app from Google Play, you can request account deletion as described above.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and collect usage information.

9.1 Types of Cookies

  • Essential Cookies: Required for the Services to function (authentication, security)
  • Analytics Cookies: Help us understand how users interact with our Services
  • Functionality Cookies: Remember your preferences and settings
  • Marketing Cookies: Used to deliver relevant advertisements (with your consent)

9.2 Managing Cookies

You can control cookies through:

  • Browser settings (block or delete cookies)
  • Cookie preference center on our website
  • Mobile device settings for app tracking

Note: Disabling essential cookies may affect the functionality of our Services.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encryption: All data is encrypted both in transit using TLS/SSL (Transport Layer Security) and at rest using industry-standard AES-256 encryption
  • Secure Infrastructure: We use Supabase, an enterprise-grade backend platform built on PostgreSQL, which provides robust data encryption, security certifications (SOC 2 Type II, HIPAA), and compliance with international data protection standards
  • Authentication: Secure authentication mechanisms including encrypted password storage (bcrypt hashing), multi-factor authentication support, and secure session management
  • Access Controls: Role-based access controls (RBAC) and principle of least privilege ensure that data is only accessible to authorized users and administrators
  • Database Security: Row Level Security (RLS) policies implemented at the database level to prevent unauthorized data access
  • Monitoring: Regular security audits, vulnerability assessments, and automated monitoring for suspicious activities
  • Incident Response: Data breach notification procedures in compliance with GDPR, CCPA, and other applicable laws
  • Backup and Recovery: Regular automated backups with point-in-time recovery capabilities to protect against data loss

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information using industry-leading security practices, we cannot guarantee absolute security.

11. Children's Privacy

Our Services are not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will delete such information from our systems.

For minors aged 13-18 (or 16-18 in the EEA), parental consent may be required depending on your jurisdiction.

12. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you of material changes by:

  • Posting the updated Privacy Policy with a new "Effective Date"
  • Sending an email notification to your registered email address
  • Displaying a prominent notice in our Services

Your continued use of our Services after the effective date constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

15. Additional Information for Specific Jurisdictions

15.1 European Economic Area (EEA), UK, and Switzerland

Our data controller contact information is provided in Section 14. You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your data protection rights.

15.2 California Residents (CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Please refer to Section 8.3 for details on your rights.

Notice at Collection: We collect the categories of personal information described in Section 2 for the purposes outlined in Section 3.

Shine the Light: California residents may request information about disclosures of personal information to third parties for direct marketing purposes.

15.3 Other Jurisdictions

If you are located in a jurisdiction with specific data protection laws (e.g., Brazil's LGPD, Canada's PIPEDA), you may have additional rights. Please contact us for more information.

This Privacy Policy was last updated on October 15, 2025. We are committed to transparency and compliance with all applicable data protection laws and regulations.
