Privacy Policy – Veya Club

Last updated: 2 December 2025

This Privacy Policy explains how Mysticvolt – Lda (“Veya Club”, “we”, “us”, or “our”) collects and uses personal data when you visit our website or use the Veya Club platform to find, book or host wellness sessions.

We are committed to protecting your privacy and treating your personal data with care. We do not sell your personal data.

1. Who we are (Controller)

The controller responsible for your personal data under the GDPR is:

Mysticvolt – Lda
Rua São João, 16, 1 Dto
Ribamar 2640-036 Santo Isidoro Mfr
Portugal
VAT / Company number: 519039025

Privacy contact email: privacy@veya.club

We have not yet appointed a formal Data Protection Officer (DPO). For any questions about this Privacy Policy or about how we process your data, please contact us at the email above.

2. Scope of this Privacy Policy

This Privacy Policy applies when:

• you browse our website (e.g. the Veya Club landing page),
• you create and use an account on the Veya Club platform, whether as:
  • a member / end consumer who discovers and books wellness experiences, or
  • a professional (such as a studio owner or solo teacher) who offers and hosts sessions and receives payouts via the platform.

This Policy does not apply to websites, apps or services that we do not control, including third-party providers we use (such as Stripe or Brevo) or external websites you may access through links on our platform. Those services are governed by their own privacy policies.

3. Who uses Veya Club (data subjects)

We mainly process data about:

• Website visitors – people who browse our landing pages and platform.
• Members / end consumers (“Members”) – individuals who create an account to discover and book wellness classes.
• Professionals (“Professionals”) – studios, wellness businesses or solo teachers who use Veya Club to list, manage and host sessions and receive payouts (subject to our commission).
• Other contacts – individuals who contact us directly (e.g. via email) with questions or requests.

We do not target children and Veya Club is intended for adults and professionals (16+). If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete it.

4. Personal data we collect

4.1 Account data

When you create a Veya Club account (as a Member or Professional), we collect:

Required:

• first name
• last name
• email address
• password

Optional:

• company name (for Professionals)
• social links
• short bio
• profile picture

We use this to create and manage your account, identify you within the service, and communicate with you about your account and bookings.

4.2 Usage and interaction data

When you use Veya Club, we process:

• actions taken in the app (e.g. creating a profile, searching, viewing or booking classes, listing sessions as a Professional),
• basic device and browser information,
• pages/screens visited and features used,
• date and time of interactions.

We also process IP addresses as part of delivering the service and protecting security (for example, as part of standard server and network communications). We do not keep IP addresses longer than necessary for these purposes.

4.3 Payment and payout data

Payments for bookings and payouts to Professionals are handled by our payment provider Stripe.

• When you pay for a session, the payment details (e.g. card information) are provided directly to Stripe.
• We do not store your full payment card details on our own servers.
• We may receive and keep limited information from Stripe such as:
  • last 4 digits of your card or card type,
  • expiry month/year,
  • transaction identifiers,
  • amount, currency and status,
  • basic billing details (e.g. name, country), if necessary.

Stripe acts as our payment processor and also as an independent controller for compliance with financial, anti-fraud and regulatory obligations.

4.4 Communications and support

If you contact us by email or through any future support channels, we collect:

• your contact details (e.g. email address),
• the content of your message and any information you choose to provide,
• metadata such as date and time of the communication.

4.5 Cookies and similar technologies

We use cookies and similar technologies on our website and platform. These may be:

• Strictly necessary cookies – required for the website/platform to function (e.g. to keep you logged in, provide basic security).
• Analytics cookies – used to understand how our product is used so we can improve it. These are used only with your consent, where required.

We explain more in the Cookies and analytics section below.

4.6 No special category data

We do not intentionally collect or process any special categories of data under Article 9 GDPR (such as health data, political opinions, religious beliefs, biometric data or sexual orientation).

Veya Club focuses on wellness experiences but does not need to record detailed health information about you to provide the service. Please avoid sharing any sensitive information in free text fields or communications unless strictly necessary.

5. Purposes and legal bases

We process personal data only when we have a valid legal basis under Article 6 GDPR. For Veya Club, this is mainly:

5.1 Operating your account and the platform

Purposes

• Creating and managing your user account (Members and Professionals).
• Allowing Members to discover and book wellness classes.
• Allowing Professionals to list and manage classes and receive payouts.
• Providing core platform features (profiles, bookings, cancellations, etc.).

Data used

Account data, usage data, limited payment metadata, profile information.

Legal basis

• Performance of a contract – processing is necessary to provide the service you requested (Article 6(1)(b) GDPR).

5.2 Communicating with you about the service

Purposes

• Sending transactional communications such as:
  • account creation confirmations,
  • booking confirmations and updates,
  • important service or security notices.

Data used

Name, email address, account identifiers, booking details.

Legal basis

• Performance of a contract (Article 6(1)(b) GDPR) where messages are necessary to provide the service you use;
• Legitimate interests (Article 6(1)(f) GDPR) in some cases, for example to keep you informed about important changes to the service, while respecting your rights.

We currently do not send regular marketing newsletters or promotional campaigns. If this changes, we will ask for your consent where required and update this Policy.

5.3 Security, fraud prevention and service integrity

Purposes

• Protecting accounts and the platform against fraud, abuse and misuse.
• Monitoring for suspicious activity and ensuring service reliability.

Data used

Usage and log data, IP address (processed but not stored more than necessary), basic device/browser information, account identifiers.

Legal basis

• Legitimate interests – our legitimate interest in keeping the platform secure, preventing fraud and ensuring the stability of our services (Article 6(1)(f) GDPR).

5.4 Analytics and product improvement

Purposes

• Understanding how the platform is used (which features are popular or confusing).
• Measuring engagement (e.g. session counts, screens visited).
• Improving UX, performance and reliability based on aggregated usage patterns.

Data used

Pseudonymous analytics data such as page views, events, basic device/browser information, features used and similar. We configure our analytics to avoid collecting more personal data than necessary and to respect your choices.

Legal basis

• Consent – we use analytics cookies and similar technologies only if you give consent via our banner or in-app settings (Article 6(1)(a) GDPR and applicable e-privacy rules).

You can withdraw consent at any time using the cookie/analytics settings available on our site or app.

5.5 Legal obligations and compliance

Purposes

• Complying with applicable legal and tax obligations (e.g. accounting rules, record-keeping).
• Responding to lawful requests from public authorities where required.

Data used

Depending on context, this may include identity details, booking and transaction details and other records necessary to demonstrate compliance.

Legal basis

• Legal obligation (Article 6(1)(c) GDPR), where we are required by law (for example, to keep certain financial records for a prescribed period under Portuguese law).

6. Cookies and analytics

We use a home-made consent management solution to manage your preferences regarding cookies and analytics.

6.1 Types of cookies we use

1. Strictly necessary cookies
   Required for the basic operation of the site and platform (e.g. to keep you logged in, store security tokens, maintain your session).
   These are set based on our legitimate interests and/or because they are strictly necessary for providing the service you requested.
   You cannot disable these from our banner, but you can still control cookies via your browser settings.
2. Analytics cookies (consent-based)
   We use analytics tools such as PostHog and possibly Amplitude to understand how users interact with Veya Club and improve our product.
   These tools may set cookies or use similar identifiers to collect pseudonymous events and usage data.
   These are activated only if you give consent via our banner or settings.

We do not use advertising or remarketing pixels (e.g. Facebook Pixel, Google Ads remarketing) at this time.

6.2 Managing your cookie and analytics preferences

When you first visit our site or app, you will see a notice allowing you to:

• accept all non-essential cookies,
• reject them, or
• manage your preferences.

You can change your choices at any time via the cookie settings link or menu item made available on our site/app, or by adjusting your browser settings.

7. Who we share data with (recipients)

We do not sell your personal data. We share personal data only with:

7.1 Service providers (processors)

We use trusted service providers to help us operate Veya Club, such as:

• Infrastructure & database provider –
  Veya Club is hosted on Supabase, using AWS infrastructure in the Central EU (Frankfurt) region.
• Analytics provider –
  We use PostHog (and may use Amplitude) for product analytics and insights. Where possible, we configure these tools to use EU data residency options so that event and user data is stored in the EU.
• Email provider –
  We use Brevo (formerly Sendinblue) to send transactional emails (e.g. verification, booking confirmations). Brevo hosts its data in the EU (France, Germany and Google Cloud in Belgium).
• Payment processor –
  We use Stripe to process payments from Members and payouts to Professionals. Stripe may process personal data in the EU and other countries (such as the US) and relies on mechanisms such as Standard Contractual Clauses and the EU–US Data Privacy Framework to protect transfers.

These providers act as our processors when they process personal data on our behalf and under our instructions. We enter into data processing agreements (DPAs) with them, as required by Article 28 GDPR.

We may update this list as our service evolves. An up-to-date list of key processors can be provided on request.

7.2 Other recipients

We may also share your data when:

• required by law, regulation, court order or competent authority,
• necessary to protect the rights, property or safety of Veya Club, our users or others,
• part of a corporate transaction (e.g. merger, acquisition or sale of assets), in which case we will take appropriate steps to ensure your rights are protected.

8. International data transfers

Our aim is to keep data within the European Economic Area (EEA) where possible.

However, some of our providers (such as Stripe, and potentially other tools with global operations) may process data in countries outside the EEA, including the United States.

When such transfers occur, we will ensure that appropriate safeguards are in place under Chapter V GDPR, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
• reliance on the EU–US Data Privacy Framework where applicable, and/or
• configuration of EU data residency options where the provider offers them.

You can contact us at privacy@veya.club if you want more details about international transfers relevant to your use of Veya Club.

9. How long we keep your data (retention)

We keep personal data only for as long as necessary for the purposes described in this Policy, and then delete or anonymise it.

In particular:

• Account data (profile details, account identifiers):
  – kept for as long as your account is active;
  – after you close your account, we aim to delete or irreversibly anonymise most associated personal data within 3 months, unless we must keep it longer for legal, accounting or security reasons.
• Analytics data:
  – kept for around 3 months in identifiable/pseudonymous form for product improvement;
  – after that, we may aggregate or anonymise data for statistical purposes.
• Support communications:
  – emails or other communications with you are typically kept for up to 1 year after resolution, unless needed longer for legal reasons.
• Payment and transaction data:
  – full payment card details are never stored by us (only by Stripe);
  – we may retain transaction information (e.g. booking records, amounts, dates) for the period required under applicable tax and accounting laws (this is typically several years after the end of the relevant financial year).

If we need to keep data longer than the periods above (for example, because of a legal dispute), we will restrict access and keep it only for that purpose.

We are still working on automating deletion and anonymisation for certain data types. Until then, these processes may be partly manual but we will apply the retention rules stated here.

10. How we protect your data (security)

We take appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

10.1 Technical measures

These include, among others:

• encryption of data in transit (HTTPS/TLS),
• encryption of data at rest in our databases and storage,
• role-based access control (RBAC) and least-privilege access to production systems,
• logging and monitoring of key system activities,
• multi-factor authentication (MFA) for admin accounts.

10.2 Organisational measures

These include:

• internal access control and security policies,
• privacy and security awareness for team members,
• restricted access to personal data to only those who need it for their job.

No system is perfectly secure, but we work to keep your data as safe as reasonably possible for a startup at our stage. If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with Articles 33 and 34 GDPR.

11. Your rights under GDPR

Depending on your situation, you have the following rights under GDPR:

• Right of access – to know whether we process your personal data and, if so, to obtain a copy and information about it.
• Right to rectification – to have inaccurate or incomplete personal data corrected.
• Right to erasure (“right to be forgotten”) – to request deletion of your personal data in certain circumstances (for example, when it is no longer necessary for the purposes for which we collected it).
• Right to restriction of processing – to restrict our processing in certain cases (e.g. while we are verifying accuracy or handling an objection).
• Right to data portability – to receive personal data you provided to us in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
• Right to object – to object, on grounds relating to your particular situation, to processing based on our legitimate interests.
• Right to withdraw consent – where we rely on consent (e.g. for analytics), you can withdraw your consent at any time. This will not affect the lawfulness of processing carried out before withdrawal.

You also have the right to lodge a complaint with a supervisory authority (see below).

11.1 How to exercise your rights

You can contact us at:

Email: privacy@veya.club

To protect your privacy and security, we may ask you to verify your identity (for example, by responding from your registered email address or logging into your account) before we act on your request.

We aim to respond within one month of receiving your request, as required by GDPR. In certain complex cases, this period can be extended by up to two further months, in which case we will inform you.

Where possible, we will also offer self-service options (such as editing your profile or deleting your account) directly in the app.

12. Supervisory authority and complaints

If you are located in the EU, you have the right to lodge a complaint with your local data protection authority or with the Portuguese Data Protection Authority (CNPD), our lead supervisory authority, in particular if you feel that your rights have been infringed.

Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134, 1º
1200-651 Lisboa
Portugal

You can find more information about how to contact CNPD on their website.

We would, however, appreciate the chance to address your concerns first, so we encourage you to contact us at privacy@veya.club before contacting a supervisory authority.

13. No automated decision-making

We do not use your personal data to make decisions that are based solely on automated processing and that produce legal effects concerning you or similarly significantly affect you (as described in Article 22 GDPR).

We also do not use AI or machine learning models that materially affect your rights or obligations in an automated way at this time.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in:

• our services,
• our processing of personal data, or
• applicable laws and regulatory guidance.

When we make material changes, we will:

• update the “Last updated” date at the top, and
• take appropriate steps to inform you (for example, by showing a notice in the app or sending an email, where appropriate).

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

15. Contact

If you have any questions, comments or requests regarding this Privacy Policy or our processing of your personal data, please contact us at:

Mysticvolt – Lda / Veya Club
Email: privacy@veya.club