Skip to main content

Founding-cohort pricing: 25% off for life when you join the first 12 academies. 58% filled.

MatCommunity

Legal

Privacy Policy

Effective date: 2026-05-27 · Last updated: 2026-05-27

We’re a small team building software for jiu-jitsu academies. We collect the data we need to run the product, we don’t sell it, we don’t use it for advertising, and we’ll get out of your way if you ever want to leave. This document explains the details — written in plain English. If anything here is unclear, email [email protected].

1. Who we are

MatCommunity, LLC (“MatCommunity,” “we,” or “us”) is a software company registered in the State of Arizona, headquartered in the greater Phoenix area. We operate matcommunity.com, the admin console at admin.matcommunity.com, and the member-facing mobile applications. For privacy inquiries, email [email protected]. For everything else, [email protected].

2. What we collect

We collect data in four buckets, and we try to keep each bucket as narrow as the feature requires.

Account data

Email address, name, gym name, phone number, and the password hash for your owner / coach / staff accounts. This is what makes the login work and lets us tell you apart from the gym down the street.

Gym operations data

The day-to-day stuff your academy runs on: member roster, attendance records, belt and stripe progress, payment records, in-app messages, uploaded waivers, class schedules, and class descriptions. You are the controller of this data; we are the processor. You decide what goes in; we hold it securely and give it back on demand.

Behavioral data

Anonymous and pseudonymous usage signals: page views, click events, IP address, user agent, referrer URL, screen size, and feature interaction counts. We use this to make the product better. It’s consent-gated on our public marketing site and aggregated where possible inside the product.

AI inputs (opt-in)

If a coach opts in to AI features (workout text generation, curriculum suggestions, class descriptions), the text submitted is sent to our AI sub-processors (Anthropic and OpenAI) for processing. We do not enable this by default. We do not train any third-party model on your inputs. You can turn it off at any time from settings.

Technique videos (coach-uploaded)

When a coach uploads a technique video to the curriculum library, the file is transmitted to Mux for transcoding and adaptive-bitrate streaming. Mux generates a poster frame and stores the video asset for playback. You (the gym) remain the controller of the video content; we are the processor. Videos can be deleted from the admin console at any time; deletion is propagated to Mux within 24 hours.

Drop-in payments (visiting practitioners)

When a practitioner from another gym checks in at your academy as a drop-in, we record the visit, the drop-in fee charged, the practitioner’s display name, and the home-gym affiliation. The drop-in fee is charged to the practitioner via Stripe Connect Express and routed to your gym’s Stripe account — MatCommunity takes no platform fee on drop-ins at the alpha tier. The practitioner’s home-gym roster sees the visit on their unified training timeline.

3. Why we collect it

  • Operating the service — authenticating you, syncing attendance, generating receipts, scheduling classes.
  • Billing — charging your MatCommunity subscription and (via Stripe Connect) routing your members’ payments to your gym’s own Stripe account.
  • Customer support — so when you email us we can find your account and help.
  • Security and fraud prevention — detecting account compromise, abusive use, payment fraud.
  • AI insights (opt-in only) — generating coach-mode suggestions and curriculum drafts when you ask for them.
  • Product improvement — understanding which features actually get used so we know where to invest engineering time.

What we do not do, and will not do: we do not sell your data, we do not rent your data, we do not show third-party advertising inside the product, and we do not use your members’ data to enrich marketing profiles or feed an ad network. If those things ever change, we will tell you in advance and give you the option to leave.

4. How we share it

We use a small set of vetted sub-processors to run the service. Each one gets only the data it needs for its job. We sign a Data Processing Addendum or equivalent contractual safeguards with every sub-processor.

Sub-processorPurposeRegion
SupabasePrimary Postgres database + authentication backbone for the admin console and member apps.United States (US-East)
StripePayments for both MatCommunity subscription billing and Stripe Connect routing of your members’ payments to your gym’s own Stripe account, including drop-in fees from visiting practitioners (Stripe Connect Express, your gym holds the funds). PCI-DSS Level 1 certified.United States (global processing)
RevenueCatMobile in-app purchase entitlement for the optional Practitioner Pro subscription (Apple App Store + Google Play). Stores anonymized subscription state keyed to your user id.United States
MuxUpload, transcoding, and adaptive-bitrate playback for coach-uploaded technique videos. Stores the video asset + a generated poster frame; receives a webhook callback when transcoding completes.United States
Expo Push (EAS Notifications)Delivery of mobile push notifications to iOS / Android devices (class reminders, billing notices, milestone celebrations). Receives an opaque device token plus the notification payload.United States
AnthropicAI-powered coaching insights and curriculum suggestions (opt-in only).United States
OpenAIAI-powered text generation for class descriptions and curriculum drafts (opt-in only).United States
TwilioTransactional SMS — attendance reminders, billing notices, two-factor codes.United States
ResendTransactional email — receipts, password resets, account notifications.United States
CloudflareCDN, DNS, DDoS protection, and static hosting for the public site.Global edge / United States primary
RailwayAPI service hosting for the admin and member-facing applications.United States (US-East)
SentryError tracking and crash diagnostics for the admin console and member apps.United States
PostHogProduct analytics, feature flags, and aggregate usage measurement (consent-gated).United States

We may also share data when required by law (subpoena, court order), when we believe it is necessary to prevent imminent harm, or in the event of a merger or acquisition (in which case we’ll notify you and give you the chance to delete your data first).

5. Where we store it

Your data is stored primarily in US-East (Supabase Postgres). It is encrypted at rest with AES-256 and encrypted in transit with TLS 1.2 or higher. Backups are encrypted and retained for 30 days. Cloudflare serves the public site from its global edge network; the only data on the edge is the static marketing site itself.

6. How long we keep it

We keep your gym’s active operational data for the life of your subscription. After cancellation, you have a 90-day grace period to export everything via the built-in CSV / JSON export. After 90 days, we permanently delete your data from production systems within 30 days, and from encrypted backups within 90 additional days as backups rotate. Exceptions: data subject to a legal hold, unpaid invoices, or pending disputes.

7. Your rights

You have the right to:

  • access the personal data we hold about you;
  • correct anything that’s wrong;
  • delete your account and the data tied to it;
  • port your data out in a structured machine-readable format;
  • restrict or object to certain processing.

These mirror the rights granted under GDPR Articles 15–22 (for users in the EU / EEA / UK) and the California Consumer Privacy Act (right to know, right to delete, right to opt out of sale). We do not sell personal data, so the right to opt out of sale is honored by default for everyone.

To exercise any of these rights, email [email protected] from the email on the account. We respond within 30 days (often within 48 hours — we’re a small team and we answer our own email).

8. Cookies

We use a minimal set of essential cookies (for the login session and your consent preference) plus consent-gated analytics and error tracking cookies. The full breakdown lives at our Cookie Policy.

9. Children

MatCommunity is built for adults running businesses. We do not knowingly collect data directly from children under 13. For an academy’s kids programs, the gym is the data controller and the child’s parent or guardian provides consent at enrollment. The data remains the gym’s responsibility; MatCommunity processes it on the gym’s behalf under this policy.

10. International transfers

If you’re in the EU / EEA / UK, your data is transferred to the United States for processing. We rely on the Standard Contractual Clauses (SCCs) approved by the European Commission for these transfers, supplemented by our security controls (encryption at rest and in transit, access logging, MFA on sub-processors).

11. Changes to this policy

We’ll update this page when our practices change. For material changes — new categories of data, new purposes of use, new types of sharing — we’ll email every account owner at least 30 days before the change takes effect, and we’ll post a banner at the top of the admin console for 30 days. Minor wording or clarifications won’t trigger a notification but the “effective date” above always reflects the most recent change.

12. Contact

Questions, requests, complaints, or just want to say hi?

Privacy inquiries: [email protected]
Legal: [email protected]
Security: [email protected]
Mail: MatCommunity, LLC — [Mailing address — add before GA], Tempe, Arizona.