Legal
Privacy Policy
Effective Date: 5 Nov 2025
Version: 2.1
1. Introduction
Mastery is a wellness and performance tool and is not a covered entity or | business associate under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). We do not provide medical care, diagnosis, or treatment; any wellness or performance content is for informational purposes only. If you are using the Services under a school, team, or organizational license, such organization may be able to view certain administrative or usage information as described in this Policy.
2. Information collected and how we use it
In connection with the Services, we process the categories of personal information set forth below for the purposes described herein, which may include personalization of mental and athletic performance content, tracking of training inputs, progress analytics, security, and compliance. We may combine personal information collected across our apps, websites, and integrations, and from our service providers and partners, consistent with this Policy.
As explained further in this section, you will have the opportunity to provide us with certain personal information. In addition, we may collect certain personal information automatically through your use of the Services. The rest of this section provides a more detailed explanation of the personal information we collect, how we use that personal information, and our lawful bases for processing that personal information.
2.1 Voluntarily Disclosed Information
The following table identifies the specific purposes for which you may voluntarily disclose personal information to us, along with our lawful bases for processing that personal information.
Purpose for Collection
Type of Personal Information
How we collect that information
Lawful Basis for Processing
Account creation & communication with you about your account
Name, Email address
Directly from you or Google/Apple (or other 3rd party SSOs) if you register through that account
Your consent; Performance of a contract with you
To enable email verification, security features (e.g., multi-factor authentication)
Name, Email address, Phone number
Directly from you
Your consent; App functionality; Ensuring the security of your account
Customization of your experience with the Services
Relevant demographics, preferences, etc.
Directly from you
Your consent; Our legitimate interest of customizing the Platform for you
Your use of the Platform; Analytics
Any personal information you may include in your communications with the Platform; Product interactions; Voice recording (if using speech interaction)
Directly from you
Your consent; Performance of a contract with you; Our legitimate interest of customizing the Platform for you
Payment processing
Your payment information
Collected directly from you by our payment processor(s), as explained further in Section 3.1.
Your consent; Performance of a contract with you; Our legitimate interest of collecting payments owed to us
First-party marketing communications (messages from Mastery directly to you)
Name, Email address
Directly from you
Your consent
Performance Inputs
Performance-related information such as goals, self-assessments, training logs, session notes, mood indicators, journaling entries, and uploaded media (including text, audio, or images).
Directly from you
Your consent
Sensitive Personal Information
You are not required to submit sensitive personal information (for example, data revealing health, mental state, precise geolocation, or biometric identifiers) to use the Services. If you choose to submit such data, you direct us to process it for the purposes described in this Policy. Please do not include sensitive data that is not necessary to your use of the Services.
Directly from you
Your consent
Team Features
You may authorize designated coaches or administrators to view certain performance inputs, usage metrics, and progress dashboards for coaching and program administration.
Directly from you
Your consent
2.2. Automatically Collected Information
Whenever you interact with the Services, we automatically receive and record information on our server logs from your browser or device, which may include your IP address, geolocation data, device identification, 'cookie' and pixel tag information, the type of device you're using to access the Services, the website you came from, and the actions you take on the website and the Platform. You can learn more about our use of cookies and related technologies in our Cookie Policy. We use the data we automatically collect from you to customize content for you that we think you might like, based on your usage patterns. We may also use it to improve the Services – for example, this data can tell us how often users access a particular feature of the Services, and we can use that knowledge to make the Services interesting to as many users as possible. In addition, this data helps us watch for and address issues encountered on the Platform. We collect this information with your consent, to perform our contract with you, and for our legitimate interest of providing a smooth user experience on the Services.
a.
Device and Sensor Data
When enabled by you, the Services may access device sensors (for example, accelerometer, gyroscope, step count, and screen interaction telemetry) to support performance analytics and diagnostics. We may also collect app instance identifiers, advertising identifiers, and coarse location derived from IP address for fraud prevention, diagnostics, and analytics.
b.
Optional Health Integrations
If you connect Apple HealthKit or Google Fit (or a wearable integration you choose), we will receive only the categories you authorize (for example, heart rate, mindfulness minutes, activity, or sleep duration) and use them solely to provide wellness and performance features to you. We do not use HealthKit/Google Fit data for marketing or advertising, we do not sell such data, and we do not share it with third parties for their independent purposes. You can revoke access at any time in your device settings.
c.
Non-Essential Cookies/SDKs
Where required by law, we obtain your consent before using non-essential cookies, SDKs, or similar technologies for analytics and personalization. You may withdraw consent at any time via available controls; withdrawal does not affect processing prior to withdrawal.
3. Disclosure of personal information
We disclose personal information to the categories of recipients below for the purposes described in this Policy and subject to appropriate contractual, technical, and organizational safeguards as detailed in this section.
3.1. Personnel and Third-Party Service Providers
We employ personnel and engage other companies and people to perform tasks on our behalf and need to share your personal information with them to provide products or services to you. Some examples include our use of third-party payment processors (Apple and/or Google) to process payments on our behalf, so the payment processor will have access to your payment information. Other examples include aspects of our Services that are processed through ElevenLabs’, OpenAI’s, and/or Deepgram’s application programming interface (API), wherein data you provide to our platform (e.g., your conversational messages, spoken input, etc.) are processed by these Third-Party Service Providers, though personally identifying information is not included unless you explicitly include such information (e.g., speaking about your team, teammates, or physical location during communication with our platform). See our Data Classification, Handling, and Retention Policy for additional information.
3.2. Analytics Services
We use Mixpanel, PostHog, Shakebugs, Sentry, Google Analytics, and Meta Pixel to understand how visitors engage with our Site and Services. Mixpanel, Posthog, and ShakeBugs will have access to certain activity that occurs through your use of the Services. Mixpanel primarily uses server-side logging and telemetry (i.e., not collecting data from your browser or | device), Posthog uses first-party cookies and Javascript-enabled tracking beacons (see our Cookie Policy below). Sentry and Shakebugs-for error reporting, performance logging, and troubleshooting—use a built-in software development kit (SDK) to help us improve the platform. By default, these services do not collect cookies or personally identifiable information (PII) such as IP address, user ID, or cookies. Where Session Replay is used, sensitive data is also masked by default. Google Analytics (GA4) and Meta Pixel use first-party cookies and unique visitor identifiers to analyze usage patterns, session behavior, and user demographics. IP addresses and app instances IDs are also processed for measurement and security. We enable IP anonymization, define data retention policies, enforce Consent Mode, and provide opt-out mechanisms to comply with applicable privacy laws. You can learn more about GA4 cookies and accessible information at the following website: https://policies.google.com/technologies/partner-sites.
3.3. Social Media Marketing
Through pixel tags and cookies placed on our website, we may measure, optimize, and build audiences for our advertising campaigns on certain social media platforms like Facebook, TikTok, Instagram, and Pinterest. Those social media platforms receive limited data about visitor interactions (e.g., site views, events) via our tagged signals—not full user session or behavioral data from our platform. Where required, we obtain your consent before placing or reading marketing pixels and you may withdraw consent through available cookie controls. You can learn more about how social media platforms use the information from our website in our Cookie Policy.
3.4. Anonymous Information
We may de-identify and/or aggregate personal information and use or disclose such data for research, product development, benchmarking, and promotional reporting, and we will maintain de-identified data in de-identified form. Anonymized data may also be shared and used for research purposes to document user experience over time and inform scientific understanding of topics such as performance psychology and conversational agent interaction.
3.5. Business Transfers
If we (or our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, personal information could be one of the assets transferred to or acquired by a third party.
3.6. Legal Compliance
We may access, preserve, and disclose information if we believe in good faith that it is reasonably necessary to comply with law, regulation, legal process, or governmental request; to enforce our [Terms of Service] or other agreements; to protect the safety, rights, or property of Mastery, users, or the public; or to detect, prevent, or address fraud, security, or technical issues.
3.7. Schools and Teams
Where your access is provisioned by a school, district, team, or similar organization, we may disclose administrative and usage data to the organization's authorized administrators to manage seats, compliance, and program outcomes, consistent with this Policy and your in-product settings.
4. International Transfers
5. Security
6. Your Rights
6.1. Who To Exercise Your Rights With
You may have rights under data protection laws in relation to your personal information. You can learn more about your rights further down in this section. If we have collected your personal information as a result of our contractual relationship with you, we are a “controller” of that personal information and you can exercise your rights with respect to your personal information by following the instructions below. However, if we have collected your personal information as a result of agreements we have in place with our clients, we are a “processor” of your personal information and those clients control our use of your personal information and determine how and for what purpose we process your personal information.
If we are a processor of your personal information, and you have any questions or concerns about how your personal information is handled or would like to exercise your rights as a data subject, you should contact the client who has contracted with us to use the Services to process your personal information. That client's privacy policy governs their use (and our processing) of your personal information. We will provide assistance to the client to address any concerns you may have, in accordance with the terms of our contract with them and applicable law. Where we act as a processor on behalf of a client organization (for example, a school or team), we will forward your request to that organization and will assist them in responding, consistent with our contract and applicable law.
6.2. Rights of Users in the EEA and UK
If you reside in the EEA or the UK and we are a controller of your personal information, you have the following rights:
6.2.1. Request access to your personal information
You may request a copy of the personal information we hold about you and to check that we are lawfully processing it. We may request information necessary to verify your identity and the scope of your request. Where we have good reason, and where applicable law permits, we can refuse your request for a copy of your personal information, or certain elements of the request. If we refuse your request or any element of it, we will provide you with our reason(s) for doing so. We may refuse or charge a reasonable fee for manifestly unfounded, repetitive, or excessive requests, as permitted by law.
6.2.2. Request correction of your personal information
You may request that we correct any incomplete or inaccurate data we hold about you.
6.2.3. Request erasure of your personal information
You may request that we delete or remove personal information where there is no good reason for us continuing to process it. You may also ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your personal information unlawfully, or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. You may not request the removal of de-identified, anonymous, or aggregate data from our databases.
6.2.4. Right to Object to or Restrict Processing
In certain circumstances, you have the right to object to our processing of your personal information (for example, if we are processing your personal information on the basis of our legitimate interests but there are no longer any compelling legitimate grounds to justify our processing overriding your rights and interests). You may also restrict our processing of your personal information, for example during a period in which we are verifying the accuracy of your personal information in circumstances where you have challenged the accuracy of that personal information.
6.2.5. Request the transfer of your personal information to you or to a third party
In certain instances, you have a right to receive the personal information that we hold about you (or a portion thereof) in a structured, commonly used, and machine-readable format. In such circumstances, you can ask us to transmit your personal information to you or directly to a third-party organization on your behalf. While we are happy for such requests to be made, we are not able to guarantee technical compatibility with a third-party organization's systems. We are also unable to comply with requests that relate to personal information of others without their consent.
6.2.6. Withdraw consent
You may withdraw your consent for our processing of your personal information where we are relying on consent to process that personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
6.3. Rights of All Other Users
Regardless of where you reside, you may access, edit, and delete the personal information associated with your account by emailing us. Please understand, however, that it may be impossible to delete this information completely, due to backups and records of deletions. We may retain certain information as permitted by law, including for security, fraud prevention, dispute resolution, and compliance. In addition, we may deny a deletion request if the denial is necessary for us to comply with applicable law. You may not request the removal of de-identified, anonymous, or aggregate data from our databases.
6.4. How to Exercise Your Rights
If you wish to exercise any of the rights set out above and we are the controller of your personal information, please contact our data protection officer at privacy@masteryhq.io. If you have authorized an agent to exercise your rights on your behalf, the agent may also contact us at privacy@masteryhq.io. To protect personal information, we will take reasonable steps to verify your identity (and, if applicable, your agent's authority) before acting on a request and may deny requests where we cannot verify identity or where an exemption applies. If you are not satisfied with any decision we make with respect to your request, you can let us know the reasons for your concern, and we will review your appeal. If we are the processor of your personal information, please contact the organization through which you have access to our Services in order to exercise rights you may have with respect to your information. You may appeal our decision by replying to our response and stating Appeal. We will review and respond within a reasonable period consistent with applicable law.
6.5. Supervisory Authorities
We welcome and appreciate the chance to address any concerns you may have about the Policy and our collection and use of your personal information. To the extent you feel like we have not addressed your concerns, and depending on your jurisdiction, you may have the right to make a complaint at any time to your data protection supervisory authority. For end users in the EEA, you can find contact information for each country’s supervisory authority here. For end users in the UK, you can find contact information for the Information Commissioner’s Office (ICO) on the ICO’s website here.
7. Retention of Information
8. How We Respond To Do Not Track Signals
9. Age of Users
10. Changes to Policy
11. Contact Us
Copyright © 2025 Mastery Holdings Company.
All Rights Reserved.