Privacy Policy
1. Who we are and the scope of this notice
MA METHOD sp. z o.o. ("MA Method", "we", "us") operates the website www.mamethod.com and provides online Italian-language tuition under the brand MA Method Academy. This Privacy Policy describes how we collect, use, share and protect personal data of:
- visitors to www.mamethod.com (the "Website");
- registered users of MA Method Academy (the "Students");
- prospects who contact us by form, e-mail, WhatsApp or social media;
- recipients of our newsletter or other commercial communications.
We process personal data in accordance with:
- Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR" / Polish acronym "RODO");
- the Polish Personal Data Protection Act of 10 May 2018 (Ustawa o ochronie danych osobowych);
- Articles 398 (electronic direct marketing) and 399 (cookies and access to information stored in terminal equipment) of the Polish Electronic Communications Law (Prawo komunikacji elektronicznej, Act of 12 July 2024) and the ePrivacy Directive 2002/58/EC;
- the Italian Personal Data Protection Code (Codice Privacy, Legislative Decree 196/2003) where its national rules apply to our offering, communications or website technologies addressed to persons in Italy, including the rules on electronic marketing, cookies and rights relating to deceased persons;
- any other applicable national consumer-protection law of the country in which a Student habitually resides (Art. 6 of the Rome I Regulation).
2. Data Protection Officer and supervisory authorities
We have assessed our processing under Art. 37 GDPR and have determined that the appointment of a Data Protection Officer is not mandatory, because:
- our core activities do not consist of large-scale, regular and systematic monitoring of data subjects; and
- we do not process special-category data on a large scale.
For any privacy-related matter please contact us at [email protected] (subject line: "Privacy"). We respond without undue delay and in any event within one month of receipt, extendable by a further two months taking into account the complexity and number of requests, as set out in Art. 12 (3) GDPR. We will inform you of any extension and the reasons for it within one month of receipt.
Lead and concerned supervisory authorities. Because our main establishment is in Poland and we engage in cross-border processing (Art. 4 (23) GDPR) towards data subjects in other Member States — in particular Italy — the President of the Polish Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych — UODO) is our lead supervisory authority under Art. 56 (1) GDPR. The Italian Garante per la protezione dei dati personali, and any supervisory authority of the Member State of your habitual residence, place of work or alleged infringement, is a concerned supervisory authority under Art. 4 (22) GDPR and cooperates with UODO under the consistency mechanism (Arts. 60–63 GDPR). You may lodge a complaint with any of them (see § 13).
3. Categories of personal data we collect
| # | Category | Examples | Source |
|---|---|---|---|
| a) | Identification & contact | first and last name, e-mail, telephone, country, time-zone, preferred language | Provided by you |
| b) | Account credentials | username, authentication data handled by Wix, profile photo (optional) | Provided by you |
| c) | Service-related & learning progress | Italian level, learning goals, lesson history, attendance, homework, teacher notes, performance records and feedback | Generated during the service |
| d) | Audio / video during live class | image and voice transmitted in real time, screen content, public chat messages; lesson recordings are produced only in the limited circumstances described in § 11 | Transmitted via Zoom or Google Meet |
| e) | Billing & tax | billing name and address, VAT number, invoice history, last 4 digits of card, payment method, transaction ID | Provided by you + generated by Stripe |
| f) | Marketing | newsletter status, consent log, open/click events, referral source | Generated by your interactions |
| g) | Technical & navigation | IP, browser, OS, device IDs, pages visited, referrer, timestamps, language headers, cookie IDs | Automatic via cookies |
| h) | Communications | content of e-mails, WhatsApp chats, social DMs, support tickets | Provided by you |
| i) | Image / voice / testimonials in marketing | name, photo, short video clip, voice clip and written testimonial published with your separate consent on the Website or our social channels (see § 12) | Provided by you |
| j) | Special categories | none collected intentionally. Please do not provide special-category data unless it is necessary for a specific accommodation request. If we need to process such data (for example, disability information for an accommodation), we will do so only on the basis of your explicit consent (Art. 9 (2)(a) GDPR) or another applicable Art. 9 GDPR condition. We do not request or process health, racial or ethnic origin, religious, political or philosophical beliefs, biometric or genetic data, sex-life data, trade-union membership or data on criminal convictions in the ordinary course of providing our Services. | n/a |
The Service (account creation, purchase of a Plan and use of online tuition) is addressed exclusively to natural persons who have reached the age of full contractual capacity, namely 18 years in Poland (Art. 11 of the Polish Civil Code) and in Italy (Art. 2 of the Italian Civil Code). We do not accept registrations from minors, and we do not knowingly process the personal data of persons under 18 in the context of our paid services. If we become aware that an account has been created or used by a person below 18, we will close the account and delete the associated personal data without undue delay. See § 4 of our Terms and Conditions.
4. Purposes, legal bases and storage periods
| # | Purpose | Legal basis (Art. 6 / 9 GDPR) | Retention |
|---|---|---|---|
| 1 | Creating and managing your Student account; authentication | Art. 6 (1)(b): contract | Account life + 12 months after deletion; an account inactive for 24 consecutive months is closed and the data are erased within 90 days |
| 2 | Delivering live and on-demand lessons (Zoom / Meet) | Art. 6 (1)(b) | Duration of contract; lesson recordings (where made under § 11) are deleted within 30 days, unless the Student has expressly requested a longer retention for personal-study purposes (in which case Art. 6 (1)(a) consent applies) |
| 3 | Processing payments and renewing subscriptions | Art. 6 (1)(b) (performance of the subscription contract) + Art. 6 (1)(c) (Polish VAT and accounting law) | Payment references made available to us by Stripe (for example payment method type, last 4 card digits, transaction ID and invoice status) are retained for the periods needed for contract, accounting and tax compliance. Stripe retains payment and fraud-prevention data under its own privacy notice and Data Processing Agreement. Accounting records and invoices kept on our side are retained for 5 years counted from the end of the calendar year in which the tax payment deadline expired (Art. 70 § 1 in conjunction with Art. 86 § 1 of the Polish Tax Ordinance). Accounting books and most accounting evidence are retained for at least 5 years from the beginning of the year following the financial year to which they relate (Art. 74 (2) and (3) of the Polish Accounting Act) |
| 4 | Communications about the service | Art. 6 (1)(b) and (f): legitimate interest in maintaining the customer relationship and answering queries | Conversation + 12 months |
| 5 | Quality assurance, teacher feedback, internal reporting | Art. 6 (1)(f): legitimate interest in monitoring and improving the quality of the lessons we provide | Aggregated / anonymised after 24 months |
| 6 | Direct marketing of similar own services to existing Students (e-mail and WhatsApp) | Art. 6 (1)(f) GDPR (legitimate interest in commercial communication with our customers) and, separately, Art. 398 of the Polish Electronic Communications Law of 12 July 2024: prior consent for the use of the electronic communications channel | Until objection / unsubscribe + 6 months suppression list |
| 7 | Newsletter to prospects | Art. 6 (1)(a): consent, together with prior consent for the electronic communications channel under Art. 398 of the Polish Electronic Communications Law and applicable ePrivacy rules | Until consent withdrawn |
| 8 | Use of your name, image, voice or testimonial in our marketing materials | Art. 6 (1)(a) GDPR (explicit, specific, withdrawable consent — and Art. 9 (2)(a) where the testimonial reveals special-category data), read with Art. 81 of the Polish Copyright Act and Art. 96 of the Italian Copyright Act on protection of image rights | Until consent withdrawn, and in any event no later than 3 years from collection unless we ask you to renew it |
| 9 | Non-essential cookies and similar technologies | Art. 6 (1)(a): consent; Art. 5 (3) ePrivacy Directive 2002/58/EC and Art. 399 of the Polish Electronic Communications Law | See Cookie Policy |
| 10 | Strictly necessary cookies | Art. 6 (1)(f) | Session or up to 12 months |
| 11 | Fraud prevention & security incidents | Art. 6 (1)(f): legitimate interest in preventing fraud and protecting the integrity of our service | Up to 24 months |
| 12 | Legal claims (establishment, exercise, defence) | Art. 6 (1)(f); Art. 9 (2)(f) for special data | Until the applicable limitation period expires (Poland: 6 years as the general limit and 3 years for claims connected with business activity or for periodic payments; for periods of at least 2 years, the end of the period falls on the last day of the relevant calendar year — Art. 118 of the Polish Civil Code) |
| 13 | Compliance with authority requests (UODO, tax office, courts) | Art. 6 (1)(c) | As required by law |
Once a retention period ends, data are either anonymised or securely deleted.
5. Source of the data
We obtain personal data mainly from you when you fill in a form, create an account, purchase a Plan, book a lesson, attend a class, contact us, subscribe to the newsletter or interact with us on social media. We do not collect personal data from publicly accessible sources.
We may also receive data from third parties:
- Stripe Payments Europe, Limited: payment confirmation, country, postal code, last 4 card digits, transaction status and fraud-risk signals;
- Wix.com Ltd: sign-up, login and account events;
- Google Ireland Ltd / Zoom Communications, Inc.: attendance logs of class meetings;
- Meta Platforms Ireland Limited / TikTok Technology Limited: aggregated insights on our social content (joint controllership, see § 8);
- WhatsApp Ireland Limited (Meta group): phone number and message metadata when you contact us through WhatsApp.
6. Disclosure of personal data
| Category | Examples | Role | Country |
|---|---|---|---|
| Hosting / platform (main site) | Wix.com Ltd (Israel) | Processor for hosting and site functionality; independent controller for its own platform, security and legal-compliance processing where applicable | Israel (adequacy decision); Wix data centres and sub-processors in Ireland, USA, South Korea, Taiwan and other locations under adequacy decisions or SCCs |
| Hosting / platform (legal subdomain) | Cloudflare, Inc. + Cloudflare Germany GmbH | Processor | USA (EU-US DPF) + Germany |
| Payment processing | Stripe Payments Europe, Limited ("SPEL", Ireland); Stripe, LLC and other Stripe group companies or service providers where involved | Processor when processing on our instructions for payment transactions; independent controller for purposes Stripe determines, including fraud and loss prevention, financial-partner requirements, legal compliance and product improvement | Ireland; USA and other locations under the EU-US DPF, SCCs or other safeguards described by Stripe |
| Video conferencing | Zoom Communications, Inc.; Google Ireland Ltd / Google LLC | Processors for hosted lesson content and meeting administration; independent controllers for their own security, diagnostic and legal-compliance processing where applicable | USA (EU-US DPF / SCCs) / Ireland |
| E-mail & productivity | Google Workspace (Google Ireland Ltd / Google LLC) | Processor | Ireland; Google LLC and sub-processors in the USA and other locations under the EU-US DPF, SCCs or other Google safeguards |
| Newsletter / e-mail marketing | Wix.com Ltd (Wix Email Marketing) | Processor | Israel, Ireland, USA and other Wix processing locations under adequacy decisions or SCCs |
| Messaging | WhatsApp Ireland Limited; WhatsApp LLC / Meta group companies where involved | WhatsApp is an independent controller for its communication service; MA Method is the controller for messages it receives and replies to | Ireland; USA (WhatsApp LLC / Meta Platforms, Inc. under EU-US DPF where applicable) and other locations under SCCs or other safeguards described by WhatsApp |
| Marketing pixels / social embeds | Meta Platforms Ireland Limited (Meta Pixel and Meta Business Tools, if activated); TikTok Technology Limited / TikTok Information Technologies UK Limited and Google Ireland Ltd / Google LLC for social or video embeds where displayed | Independent controllers or joint controllers depending on the tool; non-essential tools load only after cookie consent. See § 8 and our Cookie Policy | Ireland, USA, UK and other provider locations under DPF, adequacy decisions or SCCs |
| Social-media insights | Meta Platforms Ireland Limited; TikTok Technology Limited and TikTok Information Technologies UK Limited | Joint controllers with us for Facebook/Instagram Page Insights (Meta) and TikTok Analytics (TikTok). See § 8 | Ireland; United Kingdom; TikTok group storage and access locations outside the EEA/UK, including USA, Malaysia and Singapore, under adequacy decisions or SCCs as described by TikTok |
| Accounting | External certified accountant established in Poland (name available on request) | Processor | Poland |
| Public authorities | President of UODO, Polish Tax Office (Urząd Skarbowy), Italian Garante (in respect of Italian residents), competent courts | Independent controllers | Poland / Italy / EU |
We sign a written data-processing agreement under Art. 28 GDPR with every processor before any data are shared.
7. International transfers
Some recipients or their sub-processors are located outside the European Economic Area, principally in the United States, Israel, the United Kingdom, South Korea, Singapore, Malaysia and other provider locations. In every such case we rely on at least one of the following safeguards under Chapter V GDPR:
- a Commission adequacy decision: (a) the EU-US Data Privacy Framework adequacy decision, where the relevant U.S. entity maintains a current certification, currently relied upon for transfers to Cloudflare, Inc., Stripe, LLC, Zoom Communications, Inc., Google LLC, Meta Platforms, Inc. and WhatsApp LLC as described in the providers' DPF notices and the official list at dataprivacyframework.gov/list; (b) adequacy decisions for countries such as Israel, the United Kingdom and South Korea where relevant to Wix, WhatsApp, TikTok or other provider processing;
- the EU Standard Contractual Clauses (2021), supplemented by additional measures and a transfer impact assessment, for transfers to non-adequate jurisdictions or to recipients not certified to the DPF — including certain Wix, TikTok, Google, Zoom, WhatsApp/Meta or Stripe group companies, sub-processors or service providers where adequacy does not apply;
- derogations under Art. 49 GDPR only for occasional and exceptional transfers where no adequacy decision or Art. 46 GDPR safeguard is available and the GDPR conditions are met.
A copy of the safeguard in use for any specific transfer can be obtained on request at [email protected].
8. Social-media joint controllership
When you visit our Facebook, Instagram or TikTok page or interact with our content there, the operator of the platform and MA Method act as joint controllers under Art. 26 GDPR for the collection and aggregation of engagement data into platform analytics (Facebook / Instagram Page Insights for Meta and TikTok Analytics for TikTok), consistently with established CJEU case-law on joint controllership for social-media pages. The platform determines the technical means and acts as the primary contact point for platform-side data-subject rights; MA Method only accesses aggregated statistics and uses them to evaluate the performance of its presence on the platform (Art. 6 (1)(f), legitimate interest).
The essential terms of the two joint-controller arrangements are available at:
- Meta — facebook.com/legal/terms/page_controller_addendum (joint controller: Meta Platforms Ireland Limited);
- TikTok — tiktok.com/legal/page/global/tiktok-analytics-joint-controller-addendum/en (joint controllers: TikTok Information Technologies UK Limited and TikTok Technology Limited).
Meta Pixel and Business Tools. Where the Meta Pixel or similar Meta Business Tools are activated after cookie consent, MA Method and Meta Platforms Ireland Limited may be joint controllers for the collection and transmission of Event Data under Meta's Business Tools Terms; Meta remains an independent controller for subsequent processing described in its privacy policy.
Notwithstanding the joint controllership, you may exercise your data-subject rights against either party.
9. Cookies and similar technologies
Cookies, pixels, local-storage entries, SDKs and similar technologies are described in detail in our Cookie Policy. Non-essential cookies are installed only after you give consent through the cookie banner. You may at any time change your preferences by clicking "Cookie settings" in the footer of www.mamethod.com.
10. Automated decision-making and profiling
We do not use profiling or automated processing to make decisions producing legal effects concerning you or similarly significantly affecting you within the meaning of Art. 22 (1) GDPR, except for the limited subscription-payment automation described below if and to the extent it is considered to fall within Art. 22 GDPR. In particular:
- the matching of a Student with a teacher is reviewed by a member of our team before the assignment is confirmed;
- automatic recurring billing of your Subscription and automatic suspension after three failed payment attempts (see § 6.5 of our Terms and Conditions) are operational rules used to perform the subscription contract. Logic and consequences (Art. 13 (2)(f) GDPR): the suspension is triggered by a simple deterministic rule — three consecutive failed charges by Stripe over a maximum 7-day smart-retry window; its consequence is the temporary disabling of your access to the booking calendar until a successful charge is recorded. The rule is not used to evaluate your personal characteristics. To the extent it is considered automated decision-making under Art. 22 GDPR, it is necessary for performance of the contract under Art. 22 (2)(a), and you may contest the suspension and obtain human review by writing to [email protected];
- our payment provider Stripe processes transaction and device data for fraud and loss prevention, including through tools such as Stripe Radar, and may provide risk signals or block/decline payments depending on Stripe's and our payment settings. Stripe carries out this processing under the roles and legal bases described in its own privacy materials and Data Processing Agreement. If a payment is blocked or flagged, you may contact us for human review of the service consequence and, where relevant, exercise rights against Stripe under Stripe's privacy materials. Apart from the operations described above, MA Method does not carry out profiling of Students.
11. Live classes — camera, microphone, recordings and AI processing
The live tuition we provide takes place over Zoom or Google Meet. The following clarifications apply:
- Camera and microphone. Microphone access is normally necessary to participate in a live lesson. The choice to keep the camera on or off lies with you; we recommend keeping it on for pedagogical effectiveness but it is not mandatory. The microphone may be muted at any time.
- Real-time streaming, not routine recording. By default, lessons are streamed in real time and not recorded. Neither MA Method nor the teacher records the audio or video of a lesson unless (i) the Student has expressly requested the recording for personal-study review, or (ii) exceptionally, the teacher has obtained the Student's in-class consent for a one-off quality-assurance review.
- Recording storage and retention. Where a recording is made, it is stored in a restricted-access folder on Google Workspace or Zoom Cloud (depending on the platform of the lesson), accessible only to the Student, the assigned teacher and our administrators, and deleted within 30 days of the lesson date — unless the Student has expressly requested longer retention on the basis of consent under Art. 6 (1)(a) GDPR.
- No AI speech processing. At the date of this Policy we do not use automated speech recognition, AI conversation partners, microphone-activity analytics or any other automated processing of the voice or video content of live lessons for training, profiling or quality-scoring. If we introduce any such feature, we will update this Policy in advance, separately inform you and request renewed consent where the law requires it.
- Recording by Students. § 8 of our Terms and Conditions prohibits Students from recording the lesson without the prior written consent of the teacher and the Provider; this rule protects the privacy of the teacher and any other participant.
12. Use of your image, voice or testimonial in marketing
If you would like to be featured in our marketing materials with a written testimonial, a photo, a short video clip or a voice clip (for example as a success story published on the Website or on our social channels), we will ask you to sign a release form describing exactly what we may publish, on which platforms and for how long. This is a separate, specific consent under Art. 6 (1)(a) GDPR (and, where applicable, Art. 9 (2)(a) GDPR if the testimonial reveals special-category data); it is also a consent to dissemination of the image under Art. 81 of the Polish Copyright Act and Art. 96 of the Italian Copyright Act. You may withdraw your consent at any time by writing to [email protected]; we will remove the content from any channel we control within a reasonable time, save where the content has already been redistributed by third parties beyond our control.
13. Your rights as a data subject
| Right | Article | What it means |
|---|---|---|
| Access | Art. 15 | Receive a copy of the data we hold about you |
| Rectification | Art. 16 | Correct inaccurate or complete incomplete data |
| Erasure ("right to be forgotten") | Art. 17 | Have your data deleted in the cases listed by the article |
| Restriction | Art. 18 | Suspend our processing while a request is being assessed |
| Portability | Art. 20 | Receive structured, machine-readable data |
| Objection | Art. 21 | Object to processing based on legitimate interest or to direct marketing |
| Withdraw consent | Art. 7 (3) | Withdraw consent at any time without affecting prior processing |
| Lodge a complaint | Art. 77 | File a complaint with the President of UODO, ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl) — our lead supervisory authority — or with the supervisory authority of the Member State of your habitual residence, place of work or alleged infringement. If you reside in Italy, you may turn to the Garante per la Protezione dei Dati Personali, Piazza Venezia 11, 00187 Roma (garanteprivacy.it) |
To exercise any of these rights, write to [email protected] specifying the right invoked. We may request reasonable identity verification under Art. 12 (6) GDPR. We respond without undue delay and within one month of receipt of the request, extendable by a further two months taking into account the complexity and number of requests (Art. 12 (3) GDPR).
Rights of deceased persons (Italy). Under Article 2-terdecies of the Italian Personal Data Protection Code, the rights of a deceased Student may be exercised by any person who has a personal interest, or acts to protect the data subject in their capacity as their representative, or for family reasons deserving protection. Unless the law provides otherwise or the deceased had expressly prohibited it in writing, requests may be submitted to [email protected].
14. Security
We apply organisational and technical measures appropriate to the risk (Art. 32 GDPR), including TLS encryption in transit, provider-side encryption at rest where offered by our processors, role-based access control, multi-factor authentication for administrator accounts, confidentiality undertakings, and an incident-response procedure.
15. Personal data breaches
In the event of a personal data breach within the meaning of Art. 4 (12) GDPR, we will notify the President of UODO without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Art. 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will also inform you without undue delay in clear and plain language (Art. 34 GDPR), unless one of the exemptions in Art. 34 (3) applies. We keep an internal register of all breaches in accordance with Art. 33 (5) GDPR.
16. Is the provision of data mandatory?
The provision of data marked as mandatory in our forms is a contractual requirement: without it we cannot create your account or deliver the lessons. The provision of optional data is voluntary and has no negative consequences.
17. Changes to this policy and further processing
We may update this policy from time to time. When changes are material we will (i) post a prominent notice on the Website at least 15 days before the new version takes effect and (ii) send an e-mail to registered Students.
Further processing for a new purpose. If we intend to further process your personal data for a purpose other than that for which the data were originally collected, we will provide information on that new purpose and any relevant further information before such processing takes place (Art. 13 (3) and Art. 14 (4) GDPR), and we will obtain renewed consent or rely on another applicable legal basis where required.
18. Language of this policy
This Privacy Policy is published in English, which is the working language of our service and the language of the contract (see § 5.2 of our Terms and Conditions). If you need clarification or assistance understanding any part of this Policy, please write to us at [email protected] and we will assist you on a case-by-case basis.
19. Contact
MA METHOD sp. z o.o.
ul. Świętego Filipa 23/3, 31-150 Kraków, Polska
E-mail: [email protected]
Phone / WhatsApp: +39 351 400 4035