MartialFlow Privacy Policy

Last Updated: July 29, 2025

MartialFlow ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how MARTIALFLOW LTD (the provider of the MartialFlow SaaS platform) collects, uses, discloses, and safeguards personal information when you use our website and services (collectively, the "Service"). It also outlines your rights regarding your personal data. We aim to comply with all applicable data protection laws, including the UK Data Protection Act 2018 and UK GDPR, and, as we expand, other relevant laws such as the EU GDPR, Canada's PIPEDA, and U.S. privacy regulations.

By using MartialFlow (for example, by visiting hub.martialflow.app or signing up for an account), you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service. We may update this Privacy Policy from time to time (see Section 10 on changes).

1. Information We Collect

We collect different types of information from or about you and your end-users (students, members, parents, etc., as entered into our platform) to provide and improve the Service. This includes:

  • Account Information: When you register as an instructor/admin or create an organization account, we collect information such as your name, email address, phone number, club/school name, business address, and login credentials. If you are a student or parent user (in future scenarios), we might collect your name, email, and other contact details when you are invited or create an account.
  • Profile and Demographics: Within the platform, you may input personal details of your students or members. This can include names, dates of birth (for age calculations), gender, contact information of students or their parents/guardians, emergency contact details, and possibly relevant health or demographic information (e.g., medical conditions, disabilities, special needs, or other notes to ensure safe training). Providing sensitive information (like health/disability) is typically optional and should only be entered with proper consent; if provided, we treat it with heightened care due to its sensitivity.
  • Training and Attendance Data: The Service allows you to log student attendance, belt ranks or levels, test or grading results, class registrations, and related training progress data. This information, while about individuals, is related to their participation in your martial arts programs.
  • Payments and Financial Data: If you use our Stripe or GoCardless integration to collect payments, we might record transaction details such as the amount paid, date, and the payer's name or identifier. We do not collect or store full payment card numbers or bank account numbers for your students – that sensitive information is handled directly by the payment processor. MartialFlow itself may store limited financial info related to your own subscription (if you pay us) such as billing name, address, and partial payment card info (last 4 digits, expiration) via our secure payment vendor, but again, full payment data is handled by a third-party processor.
  • Images and Media: You and your users can upload photos or images to the Service (for example, a profile picture for a student or staff member, or images attached to a student's file). These images are stored on our servers. If you upload an image, ensure you have the right to do so and (if it depicts others, like minors) that you have proper consent.
  • Communications Content: The platform might enable sending emails or SMS to students. If used, we will process the content of those communications (email text, SMS text) and the recipient contact info to send on your behalf. We also collect any messages you send to MartialFlow support or feedback you provide.
  • Technical and Usage Data: When you use the Service, we automatically collect certain information about your device and usage. This may include your IP address, browser type, device type, operating system, referring URLs, pages or features accessed, dates/times of access, and other statistics. We may use cookies or similar tracking technologies to collect some of this data (see Section 2 on Cookies). We collect this to help operate and secure our Service and to understand how users interact with it (for example, to see which features are most used).
  • Location Data: We do not specifically track your GPS location, but your IP address may give a general indication of the city or country you are in. This is used for security (e.g., account login alerts from new locations) and possibly to localize content (such as time zones, regional settings). If we ever offer mobile apps with optional location-based features, we will clarify any additional collection at that time.
  • Third-Party Data: We may receive information about you from third-party sources. For example, if you login via a third-party single-sign-on or if you integrate other systems with MartialFlow, those services might send us some information (according to your settings with that service). Another example: if a student registers through a hosted form we provide on behalf of a club, the data entered in that form is sent into our system.

Special Note on Children's Data:

MartialFlow's platform may host personal data about children under 18 provided by their instructors or parents. We do not knowingly allow children under 13 to sign up on their own. Any data on children under 13 is supposed to be entered by a parent or by an authorized club staff member with proper consent. If you are a parent or guardian and believe your child under 13 has provided personal information directly to us without your consent, please contact us so we can delete the information. As per COPPA (a U.S. law) and similar regulations, parental consent is required for collecting personal data of children under 13. In the UK and EU, the age threshold for online consent is 13 in the UK (and up to 16 in some EU countries), so we also adhere to those requirements. Our Service is directed at martial arts clubs (instructors/adults), not at children to use independently. Any profile data on minors in our system is provided with the understanding that the club obtained proper consent from the parent/guardian. We use such data only to provide the Service (e.g., class management) and do not share it for secondary purposes.

2. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to run our website and Service. Cookies are small text files placed on your device to store data that can be recalled by a web server in the domain that placed the cookie. Here's how we use them:

  • Necessary Cookies: These are essential for the operation of our Service (for example, to keep you logged in during your session, or remember your language and other preferences). Without these, certain functionalities may not work.
  • Analytics Cookies: We may use analytics providers (like Google Analytics or similar, unless we host our own analytics) to collect information on usage patterns. These cookies allow us to see aggregate statistics about how users navigate the Service, so we can improve the user experience. The information collected is typically de-identified. You can opt out of Google Analytics by using a browser addon if you wish.
  • Security Cookies: These cookies help identify and prevent security risks. For example, we might use cookies to store a token to verify your identity or detect suspicious logins.
  • No Third-Party Advertising Cookies: MartialFlow does not use third-party advertising networks or cookies for targeting ads to you. We do not sell or share your usage information with advertisers. Any use of cookies is primarily to ensure our Service functions and to understand usage for improvement.

You have some choices with cookies. Most browsers allow you to refuse cookies or alert you when cookies are being used. However, if you disable cookies entirely, our Service might not function properly (especially login sessions).

3. How We Use Your Information

We use the collected information for the following purposes, and we always strive to do so on a lawful basis (see Section 4 on legal bases):

  • To Provide the Service: This includes using personal data to set up your account, host your martial arts club data, and allow you to perform the platform's functions. For example, we use student data you input to populate your attendance sheets or to send communications you initiate. If you provide an email to invite a user (like a parent to access a portal), we use that to send the invite.
  • Service Operations and Maintenance: We internally use data (especially technical and usage data) to monitor and improve the performance of our Service. For instance, we might log usage to detect outages, troubleshoot problems, and ensure the security of the platform (like monitoring for malicious login attempts). We also use data to develop new features or enhance existing ones – in doing so, we may aggregate or anonymize data to analyze trends (ensuring it's no longer tied to specific individuals).
  • Communications: We use your contact information to send you Service-related communications. These include:
    • Account and Transactional Messages: such as welcome emails, billing invoices or receipts, password reset emails, alerts about important changes or security issues.
    • Support Responses: if you contact us with a question or issue, we will use your info to respond.
    • Product Updates and News: We may send occasional emails about new features, tips on using MartialFlow, or company news. You can opt out of non-essential communications like newsletters or updates by following the unsubscribe instructions in those emails. (But emails related to your account or legal notices are not optional.)
  • Facilitating Payments: If you are paying for a subscription, we use your provided payment details to charge your subscription fee via our secure payment processor. For clubs collecting payments, we use the data you input to initiate charges through Stripe/GoCardless (for example, sending the customer ID and amount to Stripe) and record the result. We might also send you notifications about payment statuses (like a failed payment or upcoming due date).
  • Compliance with Legal Obligations: We may process personal data where necessary to comply with laws or regulations. For example, keeping proper transaction records for tax and accounting, or responding to lawful requests from authorities. If you or your users exercise privacy rights (like data access or deletion requests), we will use personal data to fulfill those requests as required by law.
  • Enforcing Terms and Policies: We use data to prevent misuse of the Service and enforce our Terms and Conditions. For example, we might review logs or user activity if we suspect violations like spamming through our system. We also may use data to protect our rights, property, and safety, or that of our users or the public, as necessary. This can include sharing information with law enforcement if we, in good faith, believe it's required to investigate illegal activities or threats.
  • Improvement and Research: We may use de-identified or aggregated data (that cannot reasonably identify an individual) to understand trends, such as how many clubs use a certain feature or the average retention rates of students. This helps us make data-driven decisions about new features or improvements. If we were to publish or share insights (for example, "X% of martial arts students attend classes weekly"), it would be in an aggregated form with no personal details.

Importantly, we do not use personal data for any kind of advertising targeting. We also do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals, except possibly basic filtering (like flagging an account for spam sending, which would involve human review). If that changes, we will update this policy and ensure such processing complies with legal requirements.

5. How We Share Information

We do not sell your personal information to third parties for advertising or any other purposes. We only share information in the following circumstances:

  • With Your Consent or Direction: We will share or disclose your information if you instruct us to do so. For example, if you use a feature to integrate with another service (and that requires sending data to that service), we will do so with your authorization. If in the future our platform has a feature to publish something (like a public-facing class schedule or a student ranking list you choose to share on your website), we would only make data public that you choose to make public.
  • Service Providers (Processors): We use trusted third-party companies to help us deliver our Service. These include:
    • Hosting/Infrastructures: e.g., cloud hosting providers or data center services where our databases and servers reside.
    • Email/SMS Delivery: services that send out emails or SMS messages on our behalf (for system notifications or your communications through the platform).
    • Payment Processors: e.g., Stripe, GoCardless, which handle payment transactions. If we share info with them, it's to facilitate your charges (for instance, we send your customer's name and email or an invoice number to link the payment).
    • Analytics/Crash Reporting: tools that help us understand performance issues or errors in the app (these may collect technical data).
    • Customer Support Tools: if we use any third-party platform to manage support tickets or chat, and you use that to contact us, obviously some of your info (like email and the query) would go through that platform.

    We only share the data with these providers that is necessary for them to perform their function. They are contractually obligated to protect the information and use it only for the purposes we specify (for example, our contracts will include confidentiality clauses and data protection addendums as needed). They are not allowed to use your data for their own purposes. We undertake due diligence to ensure these processors are reputable and comply with relevant privacy standards (like GDPR if applicable). A list of key sub-processors can be provided upon request.

  • Within our Corporate Group: If MartialFlow is part of a group of companies (subsidiaries, affiliates), we may share data with our corporate family as necessary to operate the Service (for example, if we have a parent company or branch office providing some part of the service). All such entities will honor this Privacy Policy.
  • Business Transfers: If MartialFlow (MARTIALFLOW LTD) is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of that transaction. We would ensure the new owner continues to uphold privacy protections at least as strong as those described here. You would be notified (for example, via email or notice on our website) of any change in ownership or use of your personal information, as well as any choices you may have regarding your personal information in that event.
  • Legal Compliance and Protection: We may disclose personal information to third parties (such as courts, law enforcement or government agencies, or opposing counsel) if we have a good-faith belief that such disclosure is necessary to:
    1. Comply with a legal obligation – such as a law, regulation, search warrant, subpoena, or court order. If a government authority legally compels us to provide user data, we will attempt to redirect the request to the user or notify the user to the extent allowed by law.
    2. Protect Rights and Safety – enforce our Terms and other agreements, investigate potential violations, or protect the rights, property, or safety of MartialFlow, our customers, or others. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention.
  • Anonymized or Aggregated Data: We may share information that has been anonymized or aggregated (so it is no longer tied to an identifiable individual) with third parties for any legitimate purpose. For example, we might publish industry benchmarks or insights (like average attendance rates) or share aggregated usage statistics with a research partner or in marketing materials. This data will not contain personal information. Any anonymous visitor or usage information (that cannot identify you) may also be used by us or shared – for instance, we might allow a partner to use anonymous usage data to improve their services to us.

We do not disclose any personal information to outside parties except as described above. Specifically, we do not give your members' data to other martial arts clubs or users; each organization's data is isolated. For instance, if you manage "Tiger Martial Arts Club" on our platform, another club using our platform cannot see your students or data, unless you actively collaborate and authorize some sharing. We treat each organization's data as confidential (see Terms & Conditions confidentiality commitments) and do not treat it as our asset to exploit – we only handle it to provide the service to that organization.

6. International Data Transfers

MartialFlow is based in the United Kingdom. However, the data you enter into our Service could be stored and processed in other countries, depending on where our service providers' servers are located or where we have infrastructure. Currently, we aim to host UK customer data on servers within the UK or European Economic Area (EEA) if possible, to ease compliance with UK/EU data laws. But as a cloud-based service, some data processing might occur outside of the UK/EEA (for example, our email delivery service might operate in the USA, or our support personnel might be in Canada or another country).

Whenever we transfer personal data out of the UK or EEA to countries that are not deemed by regulators to have "adequate" data protection (such as transfers to the USA), we will ensure appropriate safeguards are in place as required by law. Typically, this means using the European Commission's Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreement with our service providers, and implementing any supplementary measures needed to protect data. We also verify that our service providers commit to uphold privacy standards.

For example, if a processor in the US will access EU/UK data, we will have them sign a contract committing to GDPR-level protections and possibly add additional encryption or access controls. We continually monitor legal developments around data transfers (like the status of EU-US agreements).

By using our Service or providing us with your information, you acknowledge that your information may be transferred to, stored, and processed in countries outside of your country of residence. Different countries may have different privacy laws and standards; however, we will always protect your information as described in this Privacy Policy, wherever it is processed.

If you have questions about our data transfer mechanisms, please contact us (see Contact Us section).

7. Data Security

We take security seriously and implement a variety of measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: We use TLS (Transport Layer Security, successor to SSL) encryption for all data transmissions between your browser and our servers, which means the data is encrypted in transit. Within our infrastructure, sensitive data is encrypted at rest when possible (for example, database entries for passwords are hashed; any sensitive personal data fields might be encrypted at the database level).
  • Access Controls: Access to personal data is restricted to authorized personnel who need it to perform their job duties (for example, customer support, engineers investigating an issue, etc.). Our staff are trained on data security and privacy obligations. All access to the systems is logged and monitored. For our users, we also recommend you choose strong passwords; we store passwords using secure hashing algorithms and never in plain text.
  • Network and Application Security: We maintain firewalls and network monitoring to guard against external attacks. Regular security testing (including vulnerability scans and penetration tests) is performed on our platform. We keep our software and dependencies up to date to patch known vulnerabilities. We also employ measures to detect and block suspicious activities or brute-force attempts.
  • Data Backups: We perform regular backups of our databases to ensure data can be restored in case of hardware failure or accidental deletion. These backups are encrypted and stored securely. Backup data is retained for a limited period and only used for recovery purposes.
  • Secure Development Practices: Our development process includes code reviews and security checks. We follow industry best practices for coding to avoid common vulnerabilities (like SQL injection, XSS, etc.).

Despite our efforts, no system can be guaranteed 100% secure. Therefore, we cannot warrant absolute security of your data. You should also take steps to secure your account – for example, do not share your password, enable two-factor authentication if we offer it, and notify us immediately if you suspect any unauthorized access to your account. In the unlikely event of a data breach that affects your personal information, we will notify you and the appropriate authorities as required by law, and take necessary steps to mitigate the impact.

8. Data Retention

We retain personal information for as long as necessary to fulfill the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements.

In general:

  • Account Data: We keep your account information and the data in your account while your account is active. If you delete information within the Service, we may keep some residual copies in backups (for a short period), but will remove it from active databases. If you terminate your account, we will initiate deletion of your account data from active systems within a reasonable timeframe (typically within 30 days of account closure), except as noted below.
  • Club Member Data: For data that you (as a club admin) have entered about your students or members, you control how long that is kept in the system. You can delete or edit it via the interface. If your account is terminated, that data gets handled as part of your account data.
  • Backups and Archives: Our backups are cycled such that they don't keep data indefinitely. However, there may be encrypted backups stored that could retain information for a few additional weeks beyond deletion (since we can't easily remove one user's data from a snapshot backup). We ensure those backups are securely protected. When backups expire, they are deleted/destroyed.
  • Transactional Records: We may retain certain data even after account deletion if necessary for legal obligations or legitimate interests. For example, invoices, payment records, or support communications may be kept for accounting purposes or to defend legal claims. We might also keep logs to the extent they contain data needed for security (e.g., audit trails). Any such retained data will be limited to what is necessary and we will either delete or anonymize data that we no longer have a need for.
  • Legal Holds: If we are dealing with a legal dispute or compliance matter, we might retain specific information relevant to that issue until it is resolved, even if it goes beyond normal retention periods.

After the retention period, we will either securely delete the personal information or anonymize it (so it can no longer be associated with an individual) if we want to use aggregate data for analysis over longer periods.

If you need a specific piece of data deleted sooner (for example, a user makes a GDPR "right to be forgotten" request), please contact us. We will honor such requests in accordance with law (see next section on Your Rights).

9. Your Rights and Choices

Depending on your jurisdiction (UK, EU, Canada, California, etc.), you have certain rights regarding your personal data. MartialFlow is committed to enabling these rights. Below is a summary of key rights and how you can exercise them:

  • Right to Access: You have the right to request a copy of the personal data we hold about you. For example, if you are an instructor using MartialFlow, you can request a copy of your account data. If you are a student/parent whose data was input by a club, you would typically request access through that club (as they are the data controller), but you can also contact us and we will assist or direct you appropriately. We will provide this information in a commonly used electronic format.
  • Right to Rectification: If any personal data we have is incorrect or incomplete, you have the right to have it corrected. Most of the time, you can log in and update much of your profile information directly. For any other corrections, contact us and we will rectify the data. If we've shared incorrect data with others (like a subprocesser), we'll inform them of the correction where possible.
  • Right to Erasure: Also known as the "right to be forgotten." You can request that we delete your personal data. For example, if you withdraw from a martial arts club and want your data removed, or if you simply want to close your account and have data wiped. Note that this right is not absolute – sometimes we may need to retain certain data (as described in retention section) for legal reasons or legitimate interests. But we will comply to the fullest extent required. If you are an end-user (student) of a club, usually the club admin can delete your data from their records on our platform – that's often the fastest route. If you contact us directly, we might coordinate with the club. We will also inform other parties processing your data (if any) to erase it, where required by law.
  • Right to Restrict Processing: You can ask us to limit or "pause" the processing of your data in certain circumstances. For instance, if you contest the accuracy of data, or if you object to us processing based on our legitimate interests, you might ask for restriction while the issue is resolved. During restriction, we will store the data but not use it. If your account is under review or you want to keep data but not actively use the Service, we can accommodate that through account settings or support.
  • Right to Data Portability: You have the right to obtain your personal data in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible. In practice, you can export much of your data from our platform (we provide CSV export for certain lists like students, etc.). If you need assistance getting an export or want us to send it to a third-party service, we'll help as much as possible.
  • Right to Object: In certain cases, you can object to our processing of your personal data. For example, if we ever process your data for direct marketing (we currently do not send marketing without consent, but if we did, you can opt out at any time – that's an absolute right to object). You can also object to processing based on legitimate interests or public interest tasks. We will then either stop the processing or explain why we believe we have compelling legitimate grounds to continue (if allowed by law). If you object to marketing, we'll stop immediately as noted. If you've opted into any newsletter, you can always unsubscribe via the link in the email.
  • Right not to be subject to automated decisions: MartialFlow does not perform any fully automated decision-making that has legal or similarly significant effects on individuals without human intervention. In the event we introduce something like that, you would have rights to request human review or to opt-out.
  • Right to Withdraw Consent: In cases where we rely on your consent (e.g., perhaps for optional features or communications), you have the right to withdraw that consent at any time. Withdrawing consent won't affect the lawfulness of processing done before the withdrawal.
  • Right to Complain: If you have concerns about our data handling, we ask that you contact us first so we can try to address it. However, you also have the right to lodge a complaint with a supervisory authority. For UK users, that is the Information Commissioner's Office (ICO). For EU users, it would be your national Data Protection Authority (DPA). For Canada, it's the Office of the Privacy Commissioner of Canada (OPC) or relevant provincial authorities. For California, you can approach the California Attorney General's office or the California Privacy Protection Agency. We will provide details for contacting these authorities upon request, or you can find them online.
  • California Privacy Rights: If you are a California resident, the California Consumer Privacy Act (CCPA) and amendments (CPRA) provide similar rights as above (access, deletion, etc.) and also the right to know certain information about our data practices in the past 12 months. We do not sell personal information (as "sell" is defined under CCPA), and we do not share it for cross-context behavioral advertising. We also honor Do Not Track signals or global privacy controls if configured in your browser, to the extent they apply to cookies (though as mentioned, we don't do targeted advertising tracking). California law also allows you to request a notice disclosing the categories of personal information we have shared with third parties for their direct marketing purposes, but we do not share data in that way without consent, so this is generally not applicable. If you want to exercise any California rights, contact us via the methods below – we will verify your identity (or your authorized agent's identity) as required by law before fulfilling requests.
  • Canada (PIPEDA): Individuals in Canada have similar rights to access and correct personal information, and to withdraw consent. Our commitment to obtaining meaningful consent and allowing individuals to challenge accuracy or compliance aligns with PIPEDA's principles. If you are in Canada, you can reach out with requests or complaints, and you also can contact the OPC if issues are not resolved.

To exercise your rights or make any requests regarding your personal data, please contact us at the contact information in Section 11. We will respond to your request within a reasonable timeframe, and in any case within the time limits set by applicable law (for example, within one month for GDPR requests, with possible extension if necessary). We will not discriminate against you for exercising any privacy rights (e.g., we won't deny service just because you made a data request).

Please note: If you are an end-user of a martial arts club that uses MartialFlow (and not directly our customer), we may direct your request to the relevant club (who is the primary controller of your data). We will assist them in fulfilling your request as needed. For example, if you're a student asking us to delete your data, we'll likely confirm with the club or let them handle it, since they have the direct relationship with you. But we will make sure your rights are respected one way or another.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will notify users in an appropriate manner. If the changes are significant, we may provide a more prominent notice (e.g., a banner on the site or an email notification).

The "Last Updated" date at the top of this policy indicates when the latest changes were made. We encourage you to review the Privacy Policy periodically to stay informed about how we are protecting your information.

If you continue to use MartialFlow after a revised Privacy Policy has become effective, you are accepting the revised terms. If you do not agree with the changes, you should stop using the Service and, if necessary, deactivate your account.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or about how your data is handled, please contact us:

MartialFlow LTD (Data Protection)
Email: [email protected]
Address: 23 Seven Acres Lane, Batheaston BA1 7HF

We will be happy to answer your questions and will do our best to resolve any issues. If you contact us to exercise a privacy right, please provide sufficient information for us to verify your identity (for example, the email associated with your account, and perhaps a verification step) and to locate your data.

Your privacy is very important to us, and we're committed to being transparent and fair in our data practices. Thank you for entrusting MartialFlow with your information – we will continue to work hard to keep that trust.