Skip to content
MovementAtlas logo
Sign up

Legal

GDPR Privacy Statement

Last Updated: February 18, 2026

This Notice is for people who are located in the European Economic Area ("EEA"), Switzerland, or the United Kingdom ("UK") and supplements our general Privacy Policy. Our processing of personal data of people who are in the EEA is governed by the European Union's General Data Protection Regulation (the "GDPR"). Our processing of personal data of people who are in the UK is subject to the Data Protection Act 2018, which incorporates the GDPR as the UK GDPR.

Purposes of Processing

Our general Privacy Policy describes the personal information that we collect, use, share, or otherwise process and the purposes for that processing in the course of operating Movement Atlas as a business management platform for movement-based businesses.

Lawful Basis for Processing

We process personal information on the following lawful bases:

  • Contract Performance: Processing necessary for the performance of contracts with our users, including account creation, class booking, and payment processing.
  • Legitimate Interests: Processing necessary for our legitimate interests in operating and improving our platform, preventing fraud, and ensuring security.
  • Consent: Where we ask for your consent, such as for marketing communications, cookies, and social media sharing features.
  • Legal Obligation: Processing necessary to comply with applicable laws and regulations.

Categories of Personal Information

The categories of personal information we process include:

  • Identity data: name, username, date of birth
  • Contact data: email address, phone number, billing address
  • Financial data: payment card details (processed through PCI-compliant gateways), transaction history
  • Technical data: IP address, browser type, device information
  • Usage data: class bookings, activity preferences, platform interactions
  • Profile data: profile images, bio, preferences, reviews

International Data Transfers

Movement Atlas processes personal information in the United States. When you provide personal information to us, we request your consent to transfer that information to the USA. We safeguard your personal information by treating it in accordance with this GDPR Privacy Statement and implementing appropriate security measures.

We have incorporated the European Commission's Standard Contractual Clauses ("SCCs"), the UK International Data Transfer Agreement ("IDTA"), and participate in the EU-U.S. Data Privacy Framework ("DPF") to ensure compliance with GDPR data transfer requirements.

Your Data Subject Rights

Under the GDPR, you have the following rights:

  • Right of Access: Request access to your personal data and a copy of the information we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to Restriction: Request restriction of processing of your personal data.
  • Right to Data Portability: Request a transferable copy of your personal data in a machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time (without affecting the lawfulness of prior processing).
  • Right to Lodge a Complaint: File a complaint with your national data protection authority.

Exercising Your Rights

You can exercise your GDPR rights through:

We will respond to your request within 30 days and will notify you if additional time is needed.

Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected or as required by law. When personal information is no longer needed, it is securely deleted or anonymized. This does not affect your right to request deletion before the retention period ends.

Security

We implement comprehensive security policies and procedures including encryption in transit and at rest, comprehensive data security policies, business continuity plans, and regular security testing. For more details, see our Security Disclosure page.

Sub-Processors

For a complete list of our sub-processors and Data Processing Agreement, please visit our DPA & Sub-processors page.

Contact Us

If you have questions about our GDPR compliance or wish to exercise your rights, please contact us at [email protected] or visit our Contact page.