Privacy Policy

Last updated: 30 March 2026

1. Introduction

OpenMat ("we", "us", "our") provides academy management software for martial arts academies, CrossFit boxes, yoga studios, and similar fitness organisations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile applications (iOS and Android) and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account or your academy administrator creates one on your behalf, we collect:

  • Name and email address
  • Phone number (optional)
  • Date of birth (optional)
  • Profile photo (optional)
  • Emergency contact details (optional)
  • Role within the organisation (owner, staff, or member)

2.2 Academy & Membership Data

To provide the Service, we store data related to your academy operations:

  • Organisation name, address, and contact details
  • Member profiles, including belt rank, programme enrolments, and progression history
  • Family account relationships
  • Membership plans and subscription status
  • Staff roles and permissions

2.3 Attendance & Scheduling Data

  • Class schedules and lesson timetables
  • Attendance records (check-in timestamps, check-in method such as PIN, kiosk, or manual)
  • Lesson notes created by instructors

2.4 Billing & Payment Data

We do not store full credit card numbers. Payment processing is handled by third-party providers:

  • Stripe — processes card payments for member billing. We store Stripe customer and subscription identifiers only.
  • Apple App Store / Google Play — processes subscription payments for the OpenMat app itself. We store transaction identifiers for verification.

2.5 Device & Usage Data

  • Device type, operating system, and app version
  • IP address (used for regional pricing and security)
  • App usage analytics (screens visited, feature usage) — collected anonymously
  • Crash reports and performance data

2.6 Communications

When academy staff send messages or emails through the Service, we store message content and delivery status to provide the communication feature.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process attendance tracking, scheduling, and member management
  • Process payments and manage subscriptions
  • Send transactional communications (e.g., email confirmations, PIN reminders, membership notifications)
  • Provide customer support and respond to enquiries
  • Detect, prevent, and address technical issues and security threats
  • Generate anonymised, aggregated analytics to improve the Service
  • Comply with legal obligations

We do not sell your personal information to third parties. We do not use your data for advertising or ad targeting.

4. Data Sharing & Third-Party Services

We share data only with the following categories of service providers, and only to the extent necessary to operate the Service:

  • Supabase (database hosting) — stores your data on secure PostgreSQL infrastructure with encryption at rest and in transit. Hosted in the EU/US depending on your region.
  • Stripe (payment processing) — receives billing information necessary to process member payments. Subject to Stripe's Privacy Policy.
  • Apple / Google (app distribution and subscription billing) — receives transaction data for in-app purchases.
  • Email delivery services — receives email addresses and message content to deliver communications sent through the Service.

We may also disclose information if required by law, court order, or governmental request, or to protect our rights, property, or safety.

5. Data Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit (TLS/SSL) and at rest
  • Row-level security (RLS) ensures each organisation can only access its own data
  • Authentication tokens are securely managed and expire automatically
  • Staff access is controlled through role-based permissions
  • PIN codes used for member check-in are stored securely
  • Regular security reviews and dependency updates

While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your data for as long as your account or organisation subscription is active, or as needed to provide the Service. When an organisation cancels its subscription:

  • Organisation data is retained for 90 days to allow for reactivation
  • After 90 days, data is scheduled for permanent deletion
  • You may request immediate deletion at any time (see Section 8)

Anonymised, aggregated data that cannot identify individuals may be retained indefinitely for analytics purposes.

7. Children's Privacy

Many martial arts and fitness academies serve minors. Member profiles for children under 16 are created and managed by academy staff or parents/guardians — not by the children themselves.

We do not knowingly collect personal information directly from children under 16. If you believe a child has provided us with personal information without parental consent, please contact us and we will promptly delete it.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

For all users:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your personal data
  • Data portability — request your data in a machine-readable format

Additional rights under GDPR (EU/EEA residents):

  • Right to restrict processing
  • Right to object to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with your local data protection authority

Additional rights under CCPA (California residents):

  • Right to know what personal information is collected
  • Right to request deletion
  • Right to opt out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your rights

To exercise any of these rights, contact us at support@openmat.fit. We will respond within 30 days.

9. Academy Administrators as Data Controllers

Academy owners and administrators who use OpenMat act as data controllers for the member data they collect through the Service. OpenMat acts as a data processor on their behalf. Academy administrators are responsible for:

  • Obtaining appropriate consent from their members to store and process personal data
  • Responding to data access or deletion requests from their members
  • Ensuring their use of the Service complies with applicable data protection laws

10. International Data Transfers

Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place, including standard contractual clauses and data processing agreements with our service providers, to protect your data in accordance with applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: support@openmat.fit