GDPR Privacy Notice

This notice is for users in the European Union, European Economic Area, and United Kingdom. It explains how Proscris LLC processes your personal data in compliance with the General Data Protection Regulation (GDPR) and UK GDPR.

Effective: April 1, 2026
Last Updated: April 1, 2026
Applies to: EU, EEA & UK users
Framework: GDPR (EU) 2016/679 · UK GDPR
This notice applies to all EU member states, EEA countries (Norway, Iceland, Liechtenstein), and the United Kingdom.
GDPR Art. 13 & 14 Notice
โ„น๏ธ Supplementary Notice This GDPR Notice supplements our main Privacy Policy and provides the additional disclosures required under EU and UK data protection law. Read both documents together for a complete picture of how we handle your data. In the event of any conflict between this notice and our Privacy Policy for EU/UK users, this notice takes precedence.

1 Data Controller Identity

The data controller responsible for your personal data is:

Legal Entity: Proscris LLC
Registration: State of Florida, United States of America
Platform: OpenMat — openmat.ai
Privacy Contact / DPO: privacy@openmat.ai
Legal Contact: legal@openmat.ai
EU Representative: To be appointed — contact privacy@openmat.ai
UK Representative: To be appointed — contact privacy@openmat.ai

EU/UK Representative: Under GDPR Article 27 and UK GDPR, non-EU/UK controllers that process EU/UK personal data are required to appoint a local representative. We are in the process of appointing an EU and UK representative. Until appointed, all data protection inquiries should be directed to privacy@openmat.ai — we respond within 30 days.

2 What This Notice Covers

This GDPR Notice applies to all processing of personal data of individuals located in:

  • All 27 European Union member states.
  • European Economic Area (EEA) countries: Norway, Iceland, and Liechtenstein.
  • The United Kingdom (under UK GDPR and the Data Protection Act 2018).

It covers personal data collected when you:

  • Create an OpenMat account or register via Google Sign-In.
  • Use the OpenMat app or website at openmat.ai.
  • Interact with community features, training tools, or coaching features.
  • Subscribe to a paid plan or make a purchase.
  • Contact our support team or respond to communications from us.
  • Visit openmat.ai even without creating an account (analytics only).

This notice does not apply to users located outside the EU, EEA, and UK. All other users are covered by our main Privacy Policy.

3 Personal Data We Process

We process the following categories of personal data about EU/EEA/UK users. For full detail on each category, see Section 2 of our Privacy Policy.

| Category | Examples | Source | Special Category? |
| --- | --- | --- | --- |
| Identity Data | First name, @handle, full name (optional) | Provided by you | No |
| Contact Data | Email address | Provided by you / Google | No |
| Profile Data | Bio, avatar, belt rank, disciplines, academy, lineage | Provided by you | No |
| Training Data | Session logs, XP, streaks, game plan, drill history | Provided by you | No |
| Health & Body Data | Weight logs, training intensity, injury notes (if entered) | Provided by you (optional) | Art. 9 — Special |
| Financial Data | Subscription plan, payment status (card details held by Stripe) | Stripe / provided by you | No |
| Technical Data | IP address (approximate), device type, browser, OS | Collected automatically | No |
| Usage Data | Pages visited, features used, session length, clicks | Collected automatically | No |
| Community Content | Posts, photos, messages, comments, reactions | Provided by you | No |
| Location Data | City/country level approximation from IP (Beacon feature) | Derived / consent-based | No |
| Google OAuth Data | Name, email, profile picture, optional: age range, location, birthday | Google (with your consent) | No / Optional special |

4 Legal Bases for Processing

Under GDPR Article 6, every processing activity must have a valid legal basis. Here are ours:

Art. 6(1)(b)

Performance of Contract

Processing necessary to provide the OpenMat service you requested — account creation, training tracking, subscription management, and core app features.

Art. 6(1)(a)

Consent

Processing based on your freely given, specific, and informed consent — marketing emails, optional Google profile data (age, location, birthday), Beacon location feature, and analytics cookies.

Art. 6(1)(f)

Legitimate Interests

Processing for our legitimate interests where not overridden by your rights — platform improvement, fraud prevention, security, and internal analytics. We conduct balancing tests for each use.

Art. 6(1)(c)

Legal Obligation

Processing required to comply with applicable law — retaining financial records for tax purposes, responding to lawful requests from authorities, and maintaining safety records.

Withdrawing Consent: Where we rely on consent as the legal basis, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. To withdraw consent for marketing emails, use the unsubscribe link in any email or go to Settings → Notifications. To withdraw consent for Beacon or Google data, contact privacy@openmat.ai.

5 Special Category Data

GDPR Article 9 imposes stricter requirements on "special category" personal data, which includes data concerning health. OpenMat may process special category data in two scenarios:

5.1 — Health & Body Data (Weight Logs, Injury Notes)

If you voluntarily enter weight logs, body composition data, or injury notes into the OpenMat app, this constitutes health data under Article 9. We process this data exclusively on the basis of your explicit consent (Art. 9(2)(a)). This data is:

  • Stored only on your device in localStorage unless you choose to sync.
  • Never shared with other users without your explicit action.
  • Never used for advertising, profiling, or shared with third parties.
  • Deleted with your account or on request at any time.
  • Entirely optional — the core app works fully without entering any health data.

5.2 — Optional Google Data (Age Range, Birthday)

If you sign in with Google and grant the optional birthday/age scope, the approximate age range received may constitute data about a natural person's age — treated with equivalent care to health data. This is processed only with your explicit consent given on the Google consent screen, and is used solely to display an age note in your bio.

โš ๏ธ Withdraw Special Category Consent You can remove health data at any time from the app (Settings โ†’ Delete Weight Data / Delete Health Notes). You can remove Google age/birthday data from your profile at Settings โ†’ Edit Profile. Withdrawal of consent for special category data does not affect prior lawful processing.

6 Purposes of Processing

| Purpose | Data Categories Used | Legal Basis | GDPR Article |
| --- | --- | --- | --- |
| Account creation and authentication | Identity, Contact | Contract | 6(1)(b) |
| Delivering training tracking features | Training, Profile | Contract | 6(1)(b) |
| Processing subscription payments | Contact, Financial | Contract | 6(1)(b) |
| AI coaching recommendations (Sensei AI) | Training, Profile | Contract / Legitimate Interest | 6(1)(b)(f) |
| Beacon partner-finding feature | Location (approximate) | Consent | 6(1)(a) |
| Sending training reminders and streak alerts | Contact, Training | Consent | 6(1)(a) |
| Community features (posts, messages) | Community Content, Identity | Contract | 6(1)(b) |
| Platform analytics and improvement | Usage, Technical (anonymized) | Legitimate Interest | 6(1)(f) |
| Fraud prevention and security | Technical, Usage | Legitimate Interest | 6(1)(f) |
| Responding to support requests | Contact, Account | Contract / Legitimate Interest | 6(1)(b)(f) |
| Tax and financial record-keeping | Financial, Contact | Legal Obligation | 6(1)(c) |
| Responding to lawful authority requests | As required | Legal Obligation | 6(1)(c) |
| Weight / health data tracking | Health Data | Explicit Consent | 9(2)(a) |
| Google age / birthday display in profile | Age Range / Birthday | Explicit Consent | 9(2)(a) |

Legitimate Interests Assessment: Where we rely on legitimate interests (Art. 6(1)(f)), we have conducted a Legitimate Interests Assessment (LIA) balancing our interests against yours. The LIAs are available on request by emailing privacy@openmat.ai with subject "LIA Request."

7 International Data Transfers

OpenMat is operated from the United States, which is a third country for the purposes of GDPR Chapter V. When you use OpenMat as an EU/EEA/UK user, your personal data is transferred to and processed in the United States.

EU / EEA / UK (your device & data) → SCCs → United States (Proscris LLC servers)

Transfer mechanism: We rely on the European Commission Standard Contractual Clauses (SCCs) — specifically the 2021 Module 1 (Controller to Controller) SCCs — as the legal mechanism for transferring personal data from the EU/EEA to the United States under GDPR Article 46(2)(c).

UK transfers: For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the Addendum to the EU SCCs approved by the UK ICO under UK GDPR Article 46.

You may request a copy of the SCCs and IDTA we use by emailing legal@openmat.ai with subject "SCC Request."

โš ๏ธ Transfer Impact Assessment In accordance with the CJEU Schrems II judgment and EDPB guidance, we have conducted a Transfer Impact Assessment (TIA) evaluating the legal framework in the United States and the safeguards in place. The TIA concluded that SCCs with supplementary measures (encryption in transit and at rest, access controls, and data minimisation) provide an essentially equivalent level of protection. The TIA is available on request.

8 Sub-Processors & Third-Party Transfers

We engage the following sub-processors who may process EU/EEA/UK personal data on our behalf. All are bound by Data Processing Agreements (DPAs) under GDPR Article 28:

| Sub-Processor | Country | Purpose | Transfer Safeguard | Privacy Policy |
| --- | --- | --- | --- | --- |
| Stripe, Inc. | USA | Payment processing and subscription management | SCCs + DPA | stripe.com/privacy |
| n8n GmbH | Germany | Workflow automation (webhooks for analytics, registration, AI routing) | EU-based · GDPR native | n8n.io/privacy |
| ipapi.co | UK | IP geolocation for analytics (city/country approximation) | UK GDPR compliant | ipapi.co/privacy |
| Cloudflare CDN | USA (EU PoPs) | CDN delivery of static assets (icons, fonts) | SCCs + DPA | cloudflare.com/privacypolicy |
| Google LLC | USA | Google Fonts (typography), Google OAuth (authentication) | SCCs + DPA | policies.google.com/privacy |

We will notify you of any new sub-processor additions that materially affect the processing of your personal data. You have the right to object to new sub-processors — if you object and we cannot accommodate your objection, you may terminate your account and receive a data export.

9 Data Retention

Under GDPR Article 5(1)(e) (storage limitation principle), we retain personal data only for as long as necessary for the purposes for which it was collected. Our full retention schedule is in Section 12 of our Privacy Policy. Key periods for EU/UK users:

| Data Category | Retention Period | Legal Basis for Retention |
| --- | --- | --- |
| Account and profile data | Duration of account + 30 days after deletion | Contract performance |
| Training logs and session data | Duration of account + 30 days after deletion | Contract performance |
| Community content | Until deleted by user or account deletion + 30 days | Contract performance |
| Financial and payment records | 7 years from transaction | Legal obligation (tax law) |
| Support communications | 3 years from last contact | Legitimate interest (dispute resolution) |
| IP addresses | Maximum 90 days | Legitimate interest (security) |
| Session analytics (identified) | 24 months, then permanently anonymised | Legitimate interest (platform improvement) |
| Session analytics (anonymised) | Indefinite (no longer personal data) | N/A — not personal data |
| Health data (weight logs) | Until deleted by user or account deletion | Explicit consent |
| Google OAuth profile data | Until account deletion or profile update | Consent / Contract |

At the end of each retention period, data is permanently and irreversibly deleted. For backup systems, deletion occurs within 90 days of the primary deletion as backups are rotated.

10 Your Eight GDPR Rights

Under GDPR Chapter III, EU/EEA/UK users have the following rights regarding their personal data:

Art. 15

Right of Access

Obtain confirmation of whether we process your data and receive a copy of your personal data along with supplementary information about the processing.

Settings → Export Data or email privacy@openmat.ai
Art. 16

Right to Rectification

Have inaccurate personal data corrected and incomplete data completed without undue delay.

Update directly in app Settings → Edit Profile
Art. 17

Right to Erasure

Have your personal data deleted ("right to be forgotten") in certain circumstances — where data is no longer necessary, consent is withdrawn, or processing is unlawful.

Settings → Delete Account or email privacy@openmat.ai
Art. 18

Right to Restriction

Have processing restricted in certain circumstances — while accuracy is contested, processing is unlawful but you prefer restriction over erasure, or you have objected pending verification.

Email privacy@openmat.ai with "Restriction Request"
Art. 20

Right to Data Portability

Receive your personal data in a structured, commonly used, machine-readable format (JSON) and transmit it to another controller. Applies to consent-based and contract-based processing.

Settings → Export Data (JSON download)
Art. 21

Right to Object

Object to processing based on legitimate interests (Art. 6(1)(f)) or for direct marketing purposes. We must stop processing unless we demonstrate compelling legitimate grounds.

Email privacy@openmat.ai with "Objection Request"
Art. 22

Right re: Automated Decisions

Not be subject to solely automated decisions that produce legal or similarly significant effects, including profiling. See Section 12 for our automated processing disclosures.

Email privacy@openmat.ai — see Section 12
Art. 7(3)

Right to Withdraw Consent

Withdraw any consent at any time, without affecting the lawfulness of processing before withdrawal. Applies to marketing, Beacon, Google data, and analytics.

Settings → Notifications or email privacy@openmat.ai

11 How to Exercise Your Rights

To exercise any of your GDPR rights, follow these steps:

  1. Identify your request type

    Refer to Section 10 above to identify which right you wish to exercise. You may exercise multiple rights in a single request.

  2. Use the in-app options where available

    Many rights can be exercised directly: access and portability via Settings → Export Data; rectification via Settings → Edit Profile; erasure via Settings → Delete Account; notification opt-out via Settings → Notifications.

  3. Email privacy@openmat.ai for all other requests

    Use the subject line "GDPR [Right Type] Request — @yourhandle". For example: "GDPR Erasure Request — @jakethompson" or "GDPR Access Request — @mariasantos". Include your registered email address.

  4. Identity verification

    We will send a verification email to your registered address. You must click the verification link within 48 hours. For sensitive requests, we may ask for one additional piece of identification. We will not ask for passwords, full payment card details, or government ID numbers.

  5. Receive our response

    We will respond to all GDPR rights requests within 30 days of receiving a verified request. For complex or multiple requests, we may extend this by a further two months and will notify you within the initial 30-day period. We do not charge a fee for reasonable requests.

โ„น๏ธ Excessive or Manifestly Unfounded Requests Under GDPR Article 12(5), we reserve the right to charge a reasonable administrative fee or refuse to act on requests that are manifestly unfounded or excessive. We will inform you if this applies to your request and provide reasons.

12 Automated Decision-Making & Profiling

GDPR Article 22 grants you the right not to be subject to solely automated decisions that produce legal or similarly significant effects on you.

Current automated processing on OpenMat:

| Processing | Description | Legal / Significant Effect? | Art. 22 Applies? |
| --- | --- | --- | --- |
| XP Calculation | Automatic calculation of XP points earned based on sessions logged | No — gamification only | No |
| Belt Estimator | Statistical estimate of promotion timeline based on training data | No — informational only, no official effect | No |
| Streak Calculation | Automatic tracking of consecutive training days | No — gamification only | No |
| Sensei AI Responses | AI-generated coaching suggestions based on your training data and questions | No — advisory only, no binding decisions | No |
| Beacon Matching | Algorithmic filtering of nearby users based on your preferences | No — you choose whether to contact matched users | No |
| Fraud Detection | Automated flags on unusual login patterns or payment anomalies | Potentially — may trigger account review | Human review follows |

For fraud detection flags, a human member of our team always reviews automated flags before any action (such as account suspension) is taken. You will be notified of any such review and given the opportunity to contest the decision.

We do not use your personal data to make automated decisions about subscription pricing, access to features, or any other decision that produces legal or similarly significant effects without human oversight.

13 Cookies & ePrivacy

Our use of cookies and browser storage is governed by both GDPR and the EU ePrivacy Directive (implemented as PECR in the UK). For full details, see our Cookie Policy.

Summary for EU/UK users:

  • Essential storage (localStorage for app function): No consent required — strictly necessary for the service you requested.
  • Analytics storage (session tracking): Requires your consent under ePrivacy rules. Off by default. You are asked for consent on first visit via our cookie banner.
  • Third-party advertising cookies: We do not use these. None are set on openmat.ai.

Your consent to analytics storage can be withdrawn at any time via Settings → Privacy → Cookie Preferences or by emailing privacy@openmat.ai.

14 Children (Under 16)

The GDPR sets the digital consent age at 16 years for most EU member states (some member states have set it as low as 13 — see below). Children below the applicable age in their country require parental or guardian consent before we can process their personal data.

| Country | Digital Consent Age | Legal Reference |
| --- | --- | --- |
| Germany, Netherlands, Hungary, Slovakia, Czech Republic | 16 years | GDPR Art. 8 default |
| Austria, Bulgaria, Cyprus, Italy, Latvia, Lithuania, Luxembourg, Portugal, Romania | 14 years | National derogation |
| Belgium, Denmark, Estonia, Finland, France, Greece, Ireland, Malta, Poland, Slovenia, Sweden, Spain | 13 years | National derogation |
| Croatia | 16 years | National law |
| United Kingdom | 13 years | UK GDPR / Data Protection Act 2018 |

Where a child below the applicable age creates an account, we require verifiable parental consent. If we become aware that a child below the applicable age has registered without parental consent, we will delete the account and associated data promptly.

Parents or guardians wishing to review, correct, or request deletion of a child's data should email privacy@openmat.ai with subject "Minor Data Request — [Country]".

15 Supervisory Authorities

Under GDPR Article 77, you have the right to lodge a complaint with your national supervisory authority (Data Protection Authority — DPA) if you believe we have not complied with GDPR in handling your personal data.

We encourage you to contact us first at privacy@openmat.ai — we want to resolve all concerns directly. However, you are entitled to contact your DPA at any time without first contacting us.

  • Ireland (Lead DPA for EU): Data Protection Commission, dataprotection.ie
  • United Kingdom: Information Commissioner's Office (ICO), ico.org.uk
  • Germany: Federal / Länder DPA (varies by state), bfdi.bund.de
  • France: Commission nationale de l'informatique et des libertés (CNIL), cnil.fr
  • Netherlands: Autoriteit Persoonsgegevens (AP), autoriteitpersoonsgegevens.nl
  • Spain: Agencia Española de Protección de Datos (AEPD), aepd.es
  • Italy: Garante per la protezione dei dati personali, garanteprivacy.it
  • All Other EU/EEA Countries: Find your national DPA via the EDPB website, edpb.europa.eu

16 Changes to This Notice

We may update this GDPR Notice to reflect changes in our processing activities, legal requirements, or regulatory guidance. When we make material changes that affect EU/UK users' rights or our legal bases for processing, we will:

  • Post the updated notice with a new "Last Updated" date.
  • Display a prominent in-app notification describing the key changes.
  • Send an email to all registered EU/UK users at least 14 days before the changes take effect.
  • Where changes affect consent-based processing, seek fresh consent before the new processing begins.

Minor changes (such as clarifications, formatting, or contact detail updates) may be made without prior notice. The "Last Updated" date at the top of this notice will always reflect the most recent revision.

Continued use of OpenMat after material changes take effect constitutes acceptance of the updated notice, except where fresh consent is required.

17 Contact & Data Protection Officer

For any GDPR-related questions, rights requests, or concerns:

Privacy / DPO Contact: privacy@openmat.ai
GDPR Rights Requests: Subject: "GDPR [Right Type] Request — @handle"
Legal / DPA Correspondence: legal@openmat.ai
SCC / IDTA Copies: Subject: "SCC Request" to legal@openmat.ai
LIA Copies: Subject: "LIA Request" to privacy@openmat.ai
Response Time: Within 30 days (extendable to 3 months for complex requests)
Company: Proscris LLC, State of Florida, USA
Platform: openmat.ai

Complaint Resolution Commitment: We take all GDPR complaints seriously. We aim to acknowledge all privacy communications within 5 business days and fully resolve them within 30 days. If you are not satisfied with our response, you have the right to escalate to your national supervisory authority (see Section 15).

This GDPR Notice was last reviewed and updated on April 1, 2026. It is reviewed at least annually and whenever significant processing changes occur. For the latest version, visit openmat.ai/gdpr. This notice is provided in accordance with GDPR Articles 13 and 14.

GDPR questions or rights requests?

Our privacy team handles all EU and UK data protection matters. We respond within 30 days — often much sooner.