Skip to main content

Privacy Policy

Last updated: July 14, 2026

Matzop ("we", "us", "our") operates Matzop at matzop.com. This policy explains how we collect, use, and share personal information when you use our marketing site, create a gym account, or use the platform as staff or as a member of a customer gym. Our mailing address is 251 Little Falls Drive, Wilmington, DE 19808.

1. Information we collect

  • Account details: name, email, password hashes, and role within a gym
  • Member data: phone, date of birth, gender, address, belt rank, profile photos, emergency contacts
  • Gym and business data: academy profile, schedules, waivers, CRM records you enter
  • Billing data: subscription status and payment identifiers processed by Stripe
  • Communications: AI chat conversations, SMS messages, email campaign interactions
  • Lead and contact form submissions: name, email, phone, message content, UTM tracking parameters
  • Digital waiver signatures: typed name and timestamp
  • Usage and device data: logs, IP address, approximate location from IP, and diagnostics
  • Cookies and similar technologies as described in our Cookie Policy

2. How we use information

We use information to provide and improve the Service, authenticate users, process platform subscriptions, send transactional email and SMS, power AI-assisted front desk features, prevent abuse, and communicate product updates. We do not sell personal information.

3. Gym customers as controllers

When a gym uses Matzopto manage members, leads, and waivers, that gym is typically the controller of member data (or the "business" under CCPA). We process that data as a service provider / data processor to operate the platform. Members should contact their academy for access or deletion requests related to gym-held records; we will assist gyms as required. Gym owners who need a Data Processing Agreement (DPA) may request one by contacting privacy@matzop.com.

4. Third-party service providers

We share data with the following categories of service providers solely to operate the Service. Each processes data under contractual confidentiality and security obligations:

  • Infrastructure & hosting: Supabase (database and authentication), Vercel (hosting, US-East region), Upstash (rate limiting)
  • Payments: Stripe (subscription billing and payment processing via Stripe Connect)
  • Email: Resend (transactional and marketing email delivery)
  • SMS & messaging: Twilio (SMS), Meta WhatsApp Business API (WhatsApp messaging)
  • AI features: OpenAI (AI front desk chat — conversation content is sent to OpenAI for processing)
  • Analytics & advertising: Google Analytics (GA4), Google Ads, Meta Pixel — loaded only with visitor consent
  • Business listings: Google Business Profile, Yext (directory listings)
  • Merchandise: Printful (merchandise fulfillment — shipping address shared when orders are placed)
  • Error monitoring: Sentry (error tracking and diagnostics)

We also share data when required by law, to protect rights and safety, or in connection with a merger or acquisition.

5. Data storage and international transfers

Your data is stored on servers in the United States (Vercel US-East / iad1 region, Supabase). If you are located outside the United States, your information is transferred to and processed in the US. For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or other lawful transfer mechanisms.

6. Retention and security

We retain account and gym data while your account is active and for a reasonable period afterward for backups, dispute resolution, and legal compliance. Deleted member records are soft-deleted and purged after 90 days. We use industry-standard safeguards including encryption in transit (TLS/HSTS), row-level security, rate limiting, and access controls.

7. Your rights and choices

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate personal information
  • Deletion: Request deletion of your personal information
  • Portability: Request your data in a structured, machine-readable format
  • Restrict processing: Request that we limit how we use your data
  • Object: Object to processing of your data for certain purposes
  • Withdraw consent: Where processing is based on consent, withdraw at any time
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights

You may update account details in-app, manage marketing preferences in the member portal, and manage cookie preferences via the cookie banner or our Cookie Policy. To exercise any of the above rights, contact privacy@matzop.com. We will respond within 30 days (or 45 days for complex requests, with notice).

8. California residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

  • Right to know: You may request the categories and specific pieces of personal information we have collected, the sources, the purposes, and the third parties with whom we share it
  • Right to delete: You may request deletion of personal information we collected from you
  • Right to correct: You may request correction of inaccurate personal information
  • Right to opt out of sale/sharing: We do not sell or share (for cross-context behavioral advertising) your personal information. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link
  • Right to limit use of sensitive personal information: We only use sensitive personal information for purposes permitted under the CCPA

To submit a request, email privacy@matzop.com or visit our Do Not Sell or Share My Personal Information page. We will verify your identity before processing requests. You may also designate an authorized agent to make requests on your behalf.

9. Children's privacy (COPPA)

Matzop is not directed at children under 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent. Gym owners who register members under 13 act as the data controller and are responsible for obtaining parental consent (e.g., through signed waivers) before entering minor data into the platform. If we learn that we have collected personal information from a child under 13 without parental consent, we will delete it promptly. Parents may contact privacy@matzop.comto review, delete, or restrict processing of their child's information.

10. New York residents

We maintain reasonable safeguards to protect private information as required by the New York SHIELD Act (NY GBL §899-aa). In the event of a data breach involving private information of New York residents, we will provide notice as required by law, including to the New York Attorney General, the Department of State, and the Division of State Police if the breach affects more than 500 residents.

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or through the Service before the changes take effect. The "Last updated" date at the top indicates when this policy was last revised.

12. Contact

Privacy questions or data subject requests:
privacy@matzop.com
Matzop
251 Little Falls Drive, Wilmington, DE 19808