GDPR Privacy Statement
Last Updated: February 18, 2026
This Notice is for people who are located in the European Economic Area ("EEA"), Switzerland, or the United Kingdom ("UK") and supplements our general Privacy Policy. Our processing of personal data of people who are in the EEA is governed by the European Union's General Data Protection Regulation (the "GDPR"). Our processing of personal data of people who are in the UK is subject to the Data Protection Act 2018, which incorporates the GDPR as the UK GDPR.
Purposes of Processing
Our general Privacy Policy describes the personal information that we collect, use, share, or otherwise process and the purposes for that processing in the course of operating Movement Atlas as a business management platform for movement-based businesses.
Lawful Basis for Processing
We process personal information on the following lawful bases:
- Contract Performance: Processing necessary for the performance of contracts with our users, including account creation, class booking, and payment processing.
- Legitimate Interests: Processing necessary for our legitimate interests in operating and improving our platform, preventing fraud, and ensuring security.
- Consent: Where we ask for your consent, such as for marketing communications, cookies, and social media sharing features.
- Legal Obligation: Processing necessary to comply with applicable laws and regulations.
Categories of Personal Information
The categories of personal information we process include:
- Identity data: name, username, date of birth
- Contact data: email address, phone number, billing address
- Financial data: payment card details (processed through PCI-compliant gateways), transaction history
- Technical data: IP address, browser type, device information
- Usage data: class bookings, activity preferences, platform interactions
- Profile data: profile images, bio, preferences, reviews
International Data Transfers
Movement Atlas processes personal information in the United States. When you provide personal information to us, we request your consent to transfer that information to the USA. We safeguard your personal information by treating it in accordance with this GDPR Privacy Statement and implementing appropriate security measures.
We have incorporated the European Commission's Standard Contractual Clauses ("SCCs") and the UK International Data Transfer Agreement ("IDTA"), and we participate in the EU-U.S. Data Privacy Framework ("DPF") to ensure compliance with GDPR data transfer requirements.
Your Data Subject Rights
Under the GDPR, you have the following rights:
- Right of Access: Request access to your personal data and a copy of the information we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten").
- Right to Restriction: Request restriction of processing of your personal data.
- Right to Data Portability: Request a transferable copy of your personal data in a machine-readable format.
- Right to Object: Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time (without affecting the lawfulness of prior processing).
- Right to Lodge a Complaint: File a complaint with your national data protection authority.
Exercising Your Rights
You can exercise your GDPR rights through:
- Our Privacy Preferences page for data export, deletion, and consent management
- Our Account Settings page for data access and profile management
- Contacting us at [email protected]
We will respond to your request within 30 days and will notify you if additional time is needed.
Data Retention
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected or as required by law. When personal information is no longer needed, it is securely deleted or anonymized. This does not affect your right to request deletion before the retention period ends.
Security
We implement comprehensive security policies and procedures, including encryption in transit and at rest, data security policies, business continuity plans, and regular security testing. For more details, see our Security Disclosure page.
Sub-Processors
For a complete list of our sub-processors and Data Processing Agreement, please visit our DPA & Sub-processors page.
Contact Us
If you have questions about our GDPR compliance or wish to exercise your rights, please contact us at [email protected] or visit our Contact page.