Version 2.0 — Draft · Effective Date: 31 July 2026
This is a draft privacy policy pending review by qualified legal counsel. It must be reviewed and approved before the platform accepts any subscribers. Items marked [TO CONFIRM] require finalisation once the company is incorporated. The legal text below is provided in English; translated versions will follow after legal review.
Materna by Ibiza ("Materna", "we", "us", or "our") is the data controller for personal data collected through the Materna platform at maternabyibiza.com ("the Platform"). Contact for data protection matters: hello@maternabyibiza.com.
[TO CONFIRM] A Data Protection Officer (Encarregado) for Brazilian data subjects will be designated if required at the Platform's scale; until then, data protection enquiries should be directed to the email above.
The following constitutes sensitive personal data under GDPR Article 9, Brazil's Lei Geral de Proteção de Dados (LGPD) Article 11, and UAE Federal Decree Law 45 of 2021. We apply heightened protections to this category of data.
You are never required to share health information to use the Platform. If you do, you do so voluntarily and consent to its processing as described in this Policy.
When you use the AI Concierge, the questions you send and the answers you receive are stored in our database (hosted by Supabase). To generate a response, your question is sent to OpenAI to create a text embedding (used to retrieve relevant guidance from our knowledge base) and to Anthropic, which generates the reply. These providers process the conversation content solely to deliver the service. Because messages may contain health information, please share only what you are comfortable storing. You can request deletion of your conversation history at any time by emailing hello@maternabyibiza.com.
When you submit an enquiry through our 'Work with Ibiza directly' form, we collect the details you provide — which may include your name, email address, phone number, estimated due date, location, and your message — so that we can respond to your enquiry. This information is processed through our email platform, Klaviyo.
Lawful basis: Contract (GDPR Art. 6(1)(b); LGPD Art. 7(V); UAE DPL). We use your data to create and maintain your account, provide access to the AI Concierge and Platform content, and send account-related emails. Note: paid subscriptions and payment processing are not yet active and will commence once the company is incorporated.
Lawful basis: Explicit consent (GDPR Art. 9(2)(a); LGPD Art. 11(I); UAE DPL). We process your health data — including AI conversation content — to personalise educational content and AI responses to your stage of pregnancy or parenthood. You may withdraw this consent at any time by contacting hello@maternabyibiza.com, though this may limit personalisation.
Lawful basis: Legitimate interests (GDPR Art. 6(1)(f); LGPD Art. 7(IX); UAE DPL). We may analyse anonymised, aggregated data — including anonymised AI conversation feedback — to improve the Platform. No individual user is identifiable from this analysis.
Lawful basis: Consent (GDPR Art. 6(1)(a); LGPD Art. 7(I); UAE DPL). With your consent, we may send educational content, Platform updates, and promotional communications via Klaviyo. You may unsubscribe at any time via the link in any email or by contacting hello@maternabyibiza.com.
We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law. Automated time-based deletion is not yet in place. Data we currently hold is retained until it is no longer needed and is deleted on request — email hello@maternabyibiza.com. The periods below describe our target retention policy, which will be enforced automatically as the relevant features (accounts, payments, scheduled deletion) go live.
| Data Category | Retention Period | Reason |
|---|---|---|
| AI conversation logs | Until no longer needed; deleted on request (target: 90 days once automated deletion is built) | Quality review and service delivery |
| Account email and name | Account lifetime + 2 years | Contract and dispute resolution |
| Payment records | 7 years | UAE commercial law requirement |
| Health/onboarding data | Account lifetime + 90 days | Service delivery; then deleted |
| Email marketing consent | Until withdrawn + 1 year | Evidence of consent |
| Analytics data (GA4) | 14 months (GA4 default) | Platform improvement |
We use the following third-party services which may process your personal data on our behalf. Each is subject to appropriate data protection obligations.
| Processor | Purpose | DPA Status |
|---|---|---|
| Anthropic PBC | AI language model — processes AI conversation content | DPA to be executed |
| OpenAI, L.L.C. | Text embeddings for the AI knowledge base (text-embedding-3-small) — processes AI question content | DPA to be executed |
| Supabase Inc. | Database storage — conversation logs, user data | DPA to be executed |
| Klaviyo Inc. | Email marketing and automation | Klaviyo DPA at klaviyo.com/legal |
| Google LLC (GA4) | Platform analytics — anonymised usage data (consent-gated) | Google DPA via Analytics settings |
| Vercel Inc. | Platform hosting and serverless functions | Vercel DPA at vercel.com/legal/dpa |
| Payment provider | Payment processing — card data never seen by Materna (not yet active) | To execute before subscriptions open |
We use cookies and similar technologies on the Platform. Analytics cookies require your prior consent, which is collected via the cookie consent banner when you first visit the Platform. You can change your choice at any time using the "Cookie Preferences" link in the footer.
| Cookie | Set by | Duration | Purpose / Consent |
|---|---|---|---|
| _ga | Google (GA4) | 2 years | Analytics — unique visitors. Consent required. |
| _ga_[ID] | Google (GA4) | 2 years | Analytics — session tracking. Consent required. |
| materna_cookie_consent | Materna | Persistent | Remembers your cookie choice. Functional — no consent required. |
| materna-lang | Materna | 1 year | Remembers language preference. Functional — no consent required. |
| materna_q_count | Materna | Session | Tracks free question count. Functional — no consent required. |
| materna_vid | Materna (server-set) | 1 year | Anti-abuse visitor ID for AI free-question limits. Functional — no consent required. |
| materna_tester_id | Materna | Persistent | Remembers beta-tester sign-in. Functional — no consent required. |
| materna_ai_ack | Materna | Persistent | Remembers you acknowledged the AI Concierge disclaimer. Functional — no consent required. |
| Klaviyo onsite (e.g. __kla_id) | Klaviyo | 2 years | Behavioural tracking on the waitlist page. Analytics — only active with your consent ("Accept Analytics"). |
Depending on your location, you have the following rights regarding your personal data. To exercise any right, contact hello@maternabyibiza.com. We will respond within 30 days.
We implement appropriate technical and organisational measures to protect your personal data, including row-level security on our database, encrypted transfer via HTTPS, access controls limiting who can access production data, and regular review of processor security standards. In the event of a data breach likely to result in risk to your rights, we will notify affected users and relevant authorities within the timeframes required by applicable law.
We may update this Policy from time to time. For material changes — particularly changes affecting how we process health data — we will notify you by email at least 30 days before the change takes effect and require your active re-acceptance before continuing to process your health data under the new terms. Non-material changes take effect upon posting.
For any privacy-related questions or to exercise your rights, contact us at hello@maternabyibiza.com. If you are dissatisfied with our response, you may complain to your local data protection authority: UAE — UAE Data Office (uaedataoffice.ae); Brazil — ANPD (gov.br/anpd); EU/UK — your national data protection authority.