Privacy Policy
Last updated: 26 February 2026
1. Who we are
Mayura Arts (KvK 98987151) is the data controller for all personal data processed through this platform (mayuraarts.nl). If you have questions about this policy or wish to exercise your rights, contact us at info@mayuraarts.nl.
2. Personal data we collect
We collect the following categories of personal data when you use our platform:
| Category | Data | Purpose |
|---|---|---|
| Account | Email address, first and last name, password (hashed) | Authentication and account management |
| Profile | Title, date of birth, phone number, profile photo, postal address(es) | Invoicing, communication, and service delivery |
| Student record | First and last name, date of birth, phone number, photo | Enrollment administration and course delivery |
| Enrollment & attendance | Course session, enrollment status, attendance records, leave periods | Delivering the contracted course service |
| Financial | Invoice details, billing amounts, payment records | Billing, accounting, and legal tax obligations |
| Security & audit | IP address, login attempts, record change history | Fraud prevention, account security, audit trail |
3. Legal basis for processing
We rely on the following legal bases under GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)): Processing your account, student, enrollment, and attendance data is necessary to provide the courses you have signed up for.
- Legal obligation (Art. 6(1)(c)): Invoice and payment records are retained for seven years to comply with Dutch bookkeeping obligations (Boekhouding).
- Legitimate interests (Art. 6(1)(f)): IP addresses and login attempts are logged to protect accounts from unauthorised access and brute-force attacks. Audit logs are retained to enable dispute resolution and detect errors.
4. How long we keep your data
- Account and profile data: For the duration of your account and a reasonable period thereafter for dispute resolution purposes.
- Financial records (invoices, payments): Seven years, as required by Dutch fiscal law.
- Audit logs (record change history): 12 months, after which they are automatically deleted.
- Session cookie: 24 hours (deleted when you log out or when the session expires).
- Failed login records: 1 hour, used only for brute-force protection.
5. Who we share your data with
We do not sell, rent, or trade your personal data. We share data only with the sub-processors listed below, each under a Data Processing Agreement:
| Sub-processor | Data shared | Purpose |
|---|---|---|
| Resend | Email address, email content | Transactional email delivery (account activation, invoices, password reset) |
| Hosting provider | All data stored in the platform database | Infrastructure and database hosting |
No personal data is transferred outside the European Economic Area (EEA) without appropriate safeguards in place.
6. Cookies
This platform uses only strictly necessary cookies. No tracking, advertising, or analytics cookies are set.
| Cookie name | Purpose | Expiry |
|---|---|---|
| sid | Keeps you logged in across page requests | 24 hours |
Because we use only strictly necessary cookies, no prior consent is required under the Dutch Telecommunicatiewet (ePrivacy Directive).
7. Your rights
Under the GDPR you have the following rights regarding your personal data. To exercise any of them, email us at info@mayuraarts.nl. We will respond within 30 days.
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Correct inaccurate data via your account profile, or contact us for data you cannot edit yourself.
- Right to erasure (Art. 17): Request deletion of your account and associated personal data. Note that financial records subject to a statutory retention obligation cannot be deleted early.
- Right to data portability (Art. 20): Request a machine-readable export of personal data you have provided to us.
- Right to restriction (Art. 18): Ask us to restrict processing while a dispute is being resolved.
- Right to object (Art. 21): Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
8. Right to lodge a complaint
If you believe we are not handling your personal data lawfully, you have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP)
Hoge Nieuwstraat 8, 2514 EL Den Haag
9. Changes to this policy
We may update this policy when our processing activities change. The date at the top of this page reflects the most recent revision. For material changes, we will notify registered users by email.