Privacy Policy
1. Who we are and the scope of this notice
MA METHOD sp. z o.o. ("MA Method", "we", "us") operates the website www.mamethod.com and provides online Italian-language tuition under the brand MA Method Academy. This Privacy Policy describes how we collect, use, share and protect personal data of:
- visitors to www.mamethod.com (the "Website");
- registered users of MA Method Academy (the "Students");
- prospects who contact us by form, e-mail, WhatsApp or social media;
- recipients of our newsletter or other commercial communications.
We process personal data in accordance with:
- Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR" / Polish acronym "RODO");
- the Polish Personal Data Protection Act of 10 May 2018;
- Articles 398 (electronic direct marketing) and 399 (cookies and access to information stored in terminal equipment) of the Polish Electronic Communications Law (Prawo komunikacji elektronicznej, Act of 12 July 2024, in force since 10 November 2024, which replaced Article 173 of the former Telecommunications Act of 16 July 2004) and the ePrivacy Directive 2002/58/EC;
- the Italian Personal Data Protection Code (Legislative Decree 196/2003 as amended by D.lgs 101/2018) insofar as we offer services to natural persons located in Italy (Art. 3 (2)(a) GDPR);
- any other applicable national consumer-protection law of the country in which a Student habitually resides (Rome I Regulation, Art. 6).
2. Data Protection Officer
We have assessed our processing under Art. 37 GDPR and have determined that the appointment of a Data Protection Officer is not mandatory, because:
- our core activities do not consist of large-scale, regular and systematic monitoring of data subjects; and
- we do not process special-category data on a large scale.
For any privacy-related matter, please contact us at [email protected] (subject line: "Privacy"). We respond without undue delay and in any event within one month of receipt, extendable by a further two months taking into account the complexity and number of requests, as set out in Art. 12 (3) GDPR. We will inform you of any extension and the reasons for it within one month of receipt.
3. Categories of personal data we collect
| # | Category | Examples | Source |
|---|---|---|---|
| a) | Identification & contact | first and last name, e-mail, telephone, country, time-zone, preferred language | Provided by you |
| b) | Account credentials | username, password (hashed by Wix), profile photo (optional) | Provided by you |
| c) | Service-related | Italian level, learning goals, lesson history, attendance, homework, teacher notes | Generated during the service |
| d) | Audio / video during live class | image, voice, screen content, public chat messages | Captured by Zoom or Google Meet |
| e) | Billing & tax | billing name and address, VAT number, invoice history, last 4 digits of card, payment method, transaction ID | Provided by you + generated by Stripe |
| f) | Marketing | newsletter status, consent log, open/click events | Generated by your interactions |
| g) | Technical & navigation | IP, browser, OS, device IDs, pages visited, referrer, timestamps, language headers, cookie IDs | Automatic via cookies |
| h) | Communications | content of e-mails, WhatsApp chats, social DMs, support tickets | Provided by you |
| i) | Special categories | none collected intentionally. If voluntarily disclosed (e.g. disability for accommodation), processed only on the basis of your explicit consent (Art. 9 (2)(a) GDPR). | n/a |
The service is addressed to natural persons who have reached the digital-consent age applicable in their country of habitual residence under Art. 8 GDPR: 16 years in Poland (Art. 8 (1) GDPR; the Polish Personal Data Protection Act of 10 May 2018 did not lower the threshold) and 14 years in Italy (Art. 2-quinquies of the Italian Personal Data Protection Code, D.lgs 196/2003 as amended by D.lgs 101/2018). Where the user is below the applicable threshold, processing is lawful only if and to the extent that consent has been given or authorised by the holder of parental responsibility, and we will take reasonable steps to verify this in light of available technology. Note that full contractual capacity in both jurisdictions is reached at 18 years; see § 4 of our Terms and Conditions.
4. Purposes, legal bases and storage periods
| # | Purpose | Legal basis (Art. 6 / 9 GDPR) | Retention |
|---|---|---|---|
| 1 | Creating and managing your Student account; authentication | Art. 6 (1)(b): contract | Account life + 12 months after deletion |
| 2 | Delivering live and on-demand lessons (Zoom / Meet) | Art. 6 (1)(b) | Duration of contract; recordings deleted within 30 days unless Student requests otherwise |
| 3 | Processing payments and renewing subscriptions | Art. 6 (1)(b) (performance of the subscription contract) + Art. 6 (1)(c) (Polish VAT and accounting law) | Card last-4 digits and transaction ID at Stripe under Stripe's own retention schedule (typically 7+ years for AML/KYC purposes); accounting records and invoices: 5 years from the end of the relevant tax year, in accordance with Art. 86 §1 of the Polish Tax Ordinance and Art. 74 (2) of the Polish Accounting Act |
| 4 | Communications about the service | Art. 6 (1)(b) and (f) | Conversation + 12 months |
| 5 | Quality assurance, teacher feedback, internal reporting | Art. 6 (1)(f): legitimate interest | Aggregated/anonymised after 24 months |
| 6 | Direct marketing of similar own services to existing Students | Art. 6 (1)(f) GDPR + Art. 398 of the Polish Electronic Communications Law of 12 July 2024 (consolidating the former Art. 10 of the Act on the Provision of Services by Electronic Means and Art. 172 of the repealed Telecommunications Act): prior consent for unsolicited electronic communications | Until objection / unsubscribe + 6 months suppression list |
| 7 | Newsletter to prospects | Art. 6 (1)(a): consent | Until consent withdrawn |
| 8 | Non-essential cookies and similar technologies | Art. 6 (1)(a): consent | See Cookie Policy |
| 9 | Strictly necessary cookies | Art. 6 (1)(f) | Session or up to 12 months |
| 10 | Fraud prevention & security incidents | Art. 6 (1)(f) | Up to 24 months |
| 11 | Legal claims (establishment, exercise, defence) | Art. 6 (1)(f); Art. 9 (2)(f) for special data | Until the applicable limitation period expires (Poland, as amended on 9 July 2018: 6 years as the general limit and 3 years for claims connected with business activity or for periodic payments, ending on the last day of the relevant calendar year — Art. 118 of the Polish Civil Code) |
| 12 | Compliance with authority requests (UODO, tax office, courts) | Art. 6 (1)(c) | As required by law |
Once a retention period ends, data are either anonymised or securely deleted.
5. Source of the data
We obtain personal data mainly from you when you fill in a form, create an account, purchase a Plan, book a lesson, attend a class, contact us, subscribe to the newsletter or interact with us on social media.
We may also receive data from third parties:
- Stripe Payments Europe, Limited: payment confirmation, country, postal code, last 4 card digits, fraud-risk score;
- Wix.com Ltd: sign-up, login and account events;
- Google Ireland Ltd / Zoom Video Communications: attendance logs of class meetings;
- Meta Platforms Ireland Ltd / TikTok Technology Ltd: aggregated insights on our social content (joint controllership, see § 8);
- WhatsApp Ireland Ltd (Meta group): phone number and message metadata when you contact us through WhatsApp.
6. Disclosure of personal data
| Category | Examples | Role | Country |
|---|---|---|---|
| Hosting / platform (main site) | Wix.com Ltd (Israel) | Processor | Israel; Wix sub-processors located in the EEA, USA, South Korea and Taiwan |
| Hosting / platform (legal subdomain) | Cloudflare, Inc. + Cloudflare Germany GmbH | Processor | USA (EU-US DPF) + Germany |
| Payment processing | Stripe Payments Europe, Limited ("SPEL", Ireland); Stripe, Inc. as sub-processor | Processor on our instructions for payment transactions; independent controller for fraud-prevention, AML / KYC and network compliance | Ireland; USA (Stripe, Inc. self-certified to EU-US DPF; SCCs apply to the SPEL-to-Stripe Inc. leg) |
| Video conferencing | Zoom Video Communications, Inc.; Google Ireland Ltd / Google LLC | Processor | USA (EU-US DPF) / Ireland |
| E-mail & productivity | Google Workspace (Google Ireland Ltd) | Processor | Ireland; Google LLC sub-processor in the USA (EU-US DPF) |
| Newsletter / e-mail marketing | Wix.com Ltd (Wix Email Marketing); Klaviyo, Inc., 125 Summer Street, Boston, MA 02110, USA | Processors | EEA (Wix sub-processors as set out above); USA (Klaviyo: active participant in the EU-US Data Privacy Framework, the Swiss-US DPF and the UK Extension, with HR and non-HR data coverage) |
| Messaging | WhatsApp Ireland Ltd (Meta group) | Independent controller for its own communication service; Meta processes message metadata under its own privacy notice | Ireland; Meta Platforms, Inc. in the USA (EU-US DPF) |
| Social-media insights | Meta Platforms Ireland Ltd; TikTok Technology Ltd | Joint controllers with us for Facebook/Instagram Page Insights (Meta) and TikTok Analytics (TikTok). See § 8 | Ireland |
| Accounting | External certified accountant established in Poland (name available on request) | Processor | Poland |
| Public authorities | President of UODO, Polish Tax Office (Urząd Skarbowy), Italian Garante (in respect of Italian residents), competent courts | Independent controllers | Poland / Italy / EU |
We sign a written data-processing agreement under Art. 28 GDPR with every processor before any data are shared.
7. International transfers
Some recipients or their sub-processors are located outside the European Economic Area, principally in the United States and in Israel. In every such case we rely on at least one of the following safeguards under Chapter V GDPR:
- a Commission adequacy decision: (a) Decision (EU) 2023/1795 of 10 July 2023 on the EU-US Data Privacy Framework, currently relied upon for transfers to Cloudflare, Inc., Stripe, Inc., Zoom Video Communications, Inc., Google LLC, Meta Platforms, Inc. and Klaviyo, Inc. (each verified as an active participant on the official list at dataprivacyframework.gov/list); (b) Commission Decision 2011/61/EU of 31 January 2011 on the adequacy of the protection of personal data in Israel (reaffirmed by the Commission in its January 2024 review of pre-GDPR adequacy decisions), for the Israeli leg of processing by Wix.com Ltd;
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), supplemented by additional measures and a transfer impact assessment, for transfers to non-adequate jurisdictions or to recipients not certified to the DPF (for example certain Wix sub-processors, TikTok Inc. in the USA, and any other US processor that is not on the DPF list);
- derogations under Art. 49 GDPR, including the explicit consent of the data subject, where strictly applicable.
A copy of the safeguard in use for any specific transfer can be obtained on request at [email protected].
8. Social-media joint controllership
When you visit our Facebook, Instagram or TikTok page or interact with our content there, the operator of the platform and MA Method act as joint controllers under Art. 26 GDPR for the collection and aggregation of engagement data into platform analytics (Facebook/Instagram Page Insights for Meta and TikTok Analytics for TikTok), in line with CJEU case-law (Wirtschaftsakademie Schleswig-Holstein, C-210/16; Fashion ID, C-40/17). The platform determines the technical means and acts as primary contact point for data-subject rights; MA Method only accesses aggregated statistics and uses them to evaluate the performance of its presence on the platform (Art. 6 (1)(f), legitimate interest).
The essential terms of the two joint-controller arrangements are available at:
- Meta — facebook.com/legal/terms/page_controller_addendum;
- TikTok — tiktok.com/legal/page/global/tiktok-analytics-joint-controller-addendum/en.
Notwithstanding the joint controllership, you may exercise your data-subject rights against either party.
9. Cookies and similar technologies
Cookies, pixels, local-storage entries, SDKs and similar technologies are described in detail in our Cookie Policy. Non-essential cookies are installed only after you give consent through the cookie banner. You may at any time change your preferences by clicking "Cookie settings" in the footer of www.mamethod.com.
10. Automated decision-making and profiling
We do not take decisions producing legal effects concerning you or similarly significantly affecting you on the basis of automated processing alone within the meaning of Art. 22 (1) GDPR. In particular:
- the matching of a Student with a teacher is reviewed by a member of our team before the assignment is confirmed;
- automatic recurring billing of your Subscription and automatic suspension after three failed payment attempts (see § 6.5 of our Terms and Conditions) are necessary for the performance of the contract within the meaning of Art. 22 (2)(a) GDPR; you may always contest the suspension and obtain human review by writing to [email protected];
- our payment provider Stripe runs an independent fraud-prevention engine which may decline a transaction; in that case you retain the right to obtain human intervention from Stripe under Stripe's own privacy policy, and from us by contacting [email protected].
11. Your rights as a data subject
| Right | Article | What it means |
|---|---|---|
| Access | Art. 15 | Receive a copy of the data we hold about you |
| Rectification | Art. 16 | Correct inaccurate data or complete incomplete data |
| Erasure ("right to be forgotten") | Art. 17 | Have your data deleted in the cases listed by the article |
| Restriction | Art. 18 | Suspend our processing while a request is being assessed |
| Portability | Art. 20 | Receive structured, machine-readable data |
| Objection | Art. 21 | Object to processing based on legitimate interest or to direct marketing |
| Withdraw consent | Art. 7 (3) | Withdraw consent at any time without affecting prior processing |
| Lodge a complaint | Art. 77 | File a complaint with the President of UODO, ul. Stanisława Moniuszki 1A, 00-014 Warsaw (uodo.gov.pl). If you reside in Italy, with the Garante per la Protezione dei Dati Personali, Piazza Venezia 11, 00187 Roma (garanteprivacy.it) |
To exercise any of these rights, write to [email protected] specifying the right invoked. We may request reasonable identity verification under Art. 12 (6) GDPR. We respond without undue delay and within one month of receipt of the request, extendable by a further two months taking into account the complexity and number of requests (Art. 12 (3) GDPR).
12. Security
We apply organisational and technical measures appropriate to the risk (Art. 32 GDPR), including TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access control, multi-factor authentication for admins, EEA-located back-ups, confidentiality undertakings, and breach-notification procedures aligned with Art. 33–34 GDPR (72-hour notification to UODO).
13. Is the provision of data mandatory?
The provision of data marked as mandatory in our forms is a contractual requirement: without it we cannot create your account or deliver the lessons. The provision of optional data is voluntary and has no negative consequences.
14. Changes to this policy
We may update this policy from time to time. When changes are material we will (i) post a prominent notice on the Website at least 15 days before the new version takes effect and (ii) send an e-mail to registered Students.
15. Contact
MA METHOD sp. z o.o.
ul. Świętego Filipa 23, 31-150 Kraków, Polska
E-mail: [email protected]
Phone / WhatsApp: +39 351 400 4035