Privacy Policy
Last updated: 17 May 2026
1. Who we are
Mayura Arts (KvK 98987151) is the data controller for all personal data processed through this platform (mayuraarts.nl). If you have questions about this policy or wish to exercise your rights, contact us at info@mayuraarts.nl.
2. Personal data we collect
We collect the following categories of personal data when you use our platform:
| Category | Data | Purpose |
|---|---|---|
| Account | Email address, first and last name, password (hashed) | Authentication and account management |
| Profile (optional) | Title, date of birth, mobile phone number, profile photo, billing and shipping address | Invoicing, communication, and service personalisation. These fields are optional and processed on the basis of your consent. |
| Student record | First and last name, date of birth. Optionally: a profile photo. | Enrollment administration, age-appropriate course placement, and course delivery. Provided by the parent or guardian who holds the account. |
| Enrollment & attendance | Course and cohort details, enrollment status, attendance per session, leave periods, teacher comments. Optionally: photos of student artwork. | Delivering the contracted course service and documenting student progress |
| Financial | Invoice details, billing amounts, payment records | Billing, accounting, and legal tax obligations |
| Security & audit | IP address, login attempts, record change history | Fraud prevention, account security, audit trail |
3. Legal basis for processing
We rely on the following legal bases under GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)): Processing your account, student, enrollment, and attendance data is necessary to provide the courses you have signed up for.
- Legal obligation (Art. 6(1)(c)): Invoice and payment records are retained for seven years to comply with Dutch bookkeeping obligations (Boekhouding).
- Legitimate interests (Art. 6(1)(f)): IP addresses and login attempts are logged to protect accounts from unauthorised access and brute-force attacks. Audit logs are retained to enable dispute resolution and detect errors.
- Consent (Art. 6(1)(a)): Optional profile fields (profile photo, date of birth, phone number) and optional student profile photos are processed only when you voluntarily provide them. You may withdraw consent at any time by deleting the relevant data in your account settings.
3a. Students and minors
When you enroll a student who is under 16 years of age, we process that student's personal data on the basis of the contract formed at account registration (Art. 6(1)(b)). By creating an account, the parent or guardian confirms they are authorised to provide the student's data and to agree to the processing described in this policy. We do not use student data for any purpose beyond enrollment administration and course delivery.
3b. Media consent (photography and video)
We may photograph or film students during classes and events. We only use these images for promotional purposes when you have given explicit consent. Two separate consents are available:
- Website consent: Photos and videos published on mayuraarts.nl.
- Instagram consent: Photos and videos shared on our Instagram account (@mayuraarts), operated via Meta Platforms Ireland Ltd.
Legal basis: consent (Art. 6(1)(a) AVG). Both consents are entirely optional. Declining will not affect your child's participation in classes.
Retention: Consent records are kept for the duration of the student's enrollment and one year thereafter for audit purposes.
Withdrawal: You may withdraw either consent at any time by emailing info@mayuraarts.nl. We will process the withdrawal within 30 days. After withdrawal, we will not use new photos or videos of the student. Content already published before withdrawal is not retroactively removed, as permitted under AVG Art. 7(3).
4. How long we keep your data
- Account and profile data: For the duration of your account and a reasonable period thereafter for dispute resolution purposes.
- Financial records (invoices, payments): Seven years, as required by Dutch fiscal law.
- Audit logs (record change history): 12 months, after which they are automatically deleted.
- Session cookie: 24 hours (deleted when you log out or when the session expires).
- Failed login records: 1 hour, used only for brute-force protection.
5. Who we share your data with
We do not sell, rent, or trade your personal data. We share data only with the sub-processors listed below, each under a Data Processing Agreement:
| Sub-processor | Data shared | Purpose |
|---|---|---|
| Hetzner Cloud GmbH | All data stored in the platform database | Infrastructure and database hosting (Germany, EU) |
| Cloudflare, Inc. | Encrypted backup data | Secure off-site backup storage (EU region) |
| Resend, Inc. | Email address, name, email content | Transactional email delivery (account activation, invoices, password reset). Resend is based in the USA; transfers are protected by Standard Contractual Clauses. |
| Meta Platforms Ireland Ltd | Student name, photos, videos (only where Instagram media consent was given) | Promotional content on Instagram (@mayuraarts). Only applies to students for whom Instagram consent has been given. |
| Upstash, Inc. | IP address, login identifier, short-lived rate-limit and brute-force protection counters; cached application data | Account-security rate limiting and application caching. Data is stored in the EU (Frankfurt). Upstash is based in the USA; transfers are protected by Standard Contractual Clauses. |
| Functional Software, Inc. (Sentry) | Error and performance diagnostic data, which may incidentally include personal data (e.g. in stack traces) | Application error monitoring and performance tracing. Sentry is based in the USA; transfers are protected by Standard Contractual Clauses. |
| e-Boekhouden.nl B.V. | Name, address, invoice details and billing amounts | Bookkeeping and Dutch fiscal record-keeping (seven-year retention). Based in the Netherlands (EU); no third-country transfer. |
When you settle a payment request via Tikkie, ABN AMRO Bank N.V. processes your payment data (name, amount and payment reference) as an independent controller under its own privacy statement and applicable banking law — not as a processor acting on our instructions. ABN AMRO is based in the Netherlands (EU); there is no third-country transfer.
Where personal data is transferred outside the European Economic Area (e.g. to Resend in the USA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer safeguard.
6. Cookies
This platform uses only strictly necessary cookies. No tracking, advertising, or analytics cookies are set.
| Cookie name | Purpose | Expiry |
|---|---|---|
| sid | Keeps you logged in across page requests | 24 hours |
Because we use only strictly necessary cookies, no prior consent is required under the Dutch Telecommunicatiewet (ePrivacy Directive).
7. Your rights
Under the GDPR you have the following rights regarding your personal data. To exercise any of them, email us at info@mayuraarts.nl. We will respond within 30 days.
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Correct inaccurate data via your account profile, or contact us for data you cannot edit yourself.
- Right to erasure (Art. 17): Email us to request deletion of your account and associated personal data. We process erasure requests manually within 30 days. Financial records subject to the seven-year Dutch fiscal retention obligation cannot be deleted early.
- Right to data portability (Art. 20): Email us to request a machine-readable export of personal data you have provided to us. We will prepare and send the export within 30 days.
- Right to restriction (Art. 18): Ask us to restrict processing while a dispute is being resolved.
- Right to object (Art. 21): Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
8. Right to lodge a complaint
If you believe we are not handling your personal data lawfully, you have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP)
Hoge Nieuwstraat 8, 2514 EL Den Haag
9. Changes to this policy
We may update this policy when our processing activities change. The date at the top of this page reflects the most recent revision. For material changes, we will notify registered users by email.