FREEDOM ENGINE ACADEMY
PARTICIPANT PRIVACY POLICY
Effective Date: 19 March 2026
Controller
Mathew Jonson, sole trader operating under the trade name Freedom Engine Academy
AV. Almirante Reis 258 e 258 B 4º E
1000-058 Lisbon, Portugal
NIF: 324834870
VAT number (if applicable): N/A
Email: [email protected]
1. Introduction
This Participant Privacy Policy explains how Mathew Jonson, sole trader operating under the trade name Freedom Engine Academy ("Freedom Engine Academy", the "Academy", "we", "us" or "our"), collects, uses, stores, shares and otherwise processes personal data in connection with:
(a) applications, enrolment and participant onboarding;
(b) delivery of the Freedom Engine Academy program and related services;
(c) live online workshops and related communications;
(d) workshop recordings, including voice contributions, where applicable;
(e) participant access to course materials, archives and the Resources Folder;
(f) billing, payment, withdrawal, cancellation and refund administration;
(g) code of conduct, security, anti-abuse and rights-protection measures;
(h) testimonials and marketing communications where separate consent or another lawful basis applies; and
(i) legal, tax, accounting and compliance administration.
For the purposes of Regulation (EU) 2016/679 ("GDPR"), Mathew Jonson operating as Freedom Engine Academy is the controller of the personal data described in this Privacy Policy.
2. Scope
This Privacy Policy applies to personal data processed in connection with the Academy's educational services and related participant administration.
This Privacy Policy does not replace or supersede the Enrollment Agreement. It should be read together with the Enrollment Agreement and any separate consent forms, including any testimonial or marketing consent form.
This Privacy Policy does not govern third-party platforms under their own independent terms and privacy documentation, except to the extent that such providers process personal data on our behalf as processors or sub-processors.
3. Personal Data We May Collect
Depending on the circumstances, we may collect and process the following categories of personal data:
3.1 Identity and Contact Data
(a) full name;
(b) email address;
(c) residential or billing address;
(d) date of birth;
(e) parent or legal guardian name, address and relationship to the participant where required;
(f) other contact details voluntarily provided by the participant.
3.2 Enrolment and Contract Data
(a) application and enrolment details;
(b) course selection and participation status;
(c) signed agreements, acknowledgements and consents;
(d) communications relating to enrolment, withdrawal, cancellation, refunds or support.
3.3 Payment and Transaction Data
(a) invoice records;
(b) payment status;
(c) transaction reference data supplied by payment providers;
(d) subscription status relating to the Resources Folder;
(e) tax or accounting data required by law.
We do not intentionally store full payment card details where payments are processed by third-party payment providers.
3.4 Participation and Educational Data
(a) workshop attendance and participation records;
(b) communications submitted in connection with the program;
(c) participant questions, comments and discussion contributions;
(d) notes reasonably necessary for educational delivery, administration or support.
3.5 Technical and Usage Data
(a) Zoom display name and session participation metadata;
(b) device, browser, IP address or access-log data made available through our platforms or providers;
(c) account access records for participant resources or subscription materials;
(d) security and authentication-related logs.
3.6 Audio and Recording Data
(a) workshop recordings;
(b) voice contributions made by participants during workshops;
(c) related contextual discussion content captured in workshop sessions.
3.7 Marketing and Testimonial Data
Only where voluntarily provided and where a valid lawful basis exists, including consent where required:
(a) written testimonial text;
(b) participant name, whether full or partial;
(c) professional title, city or similar identifying details;
(d) participant photograph supplied by the participant;
(e) correspondence relating to testimonial or marketing permissions.
4. Sources of Personal Data
We may collect personal data:
(a) directly from the participant;
(b) from a parent or legal guardian where applicable;
(c) from forms, contracts, correspondence or other communications submitted to us;
(d) from workshop participation itself;
(e) from payment providers, platform providers, and other service providers involved in delivery and administration;
(f) from internal records generated during the participant relationship.
5. Purposes of Processing and Legal Bases
We process personal data only where we have a valid legal basis under the GDPR.
5.1 Contract Performance
We process personal data where necessary to take steps at the participant's request prior to entering into a contract, and to perform the Enrollment Agreement, including for:
(a) enrolment and onboarding;
(b) participant identity and contact administration;
(c) workshop delivery and educational support;
(d) provision of course access, materials, archives and the Resources Folder;
(e) participant communications;
(f) processing withdrawals, cancellations and refunds;
(g) operational administration of the participant relationship.
Legal basis: Article 6(1)(b) GDPR.
5.2 Compliance with Legal Obligations
We process personal data where necessary to comply with legal obligations, including:
(a) tax and accounting compliance;
(b) invoicing and financial recordkeeping;
(c) responding to lawful requests by courts, regulators or public authorities;
(d) maintaining records required under applicable law.
Legal basis: Article 6(1)(c) GDPR.
5.3 Legitimate Interests
We may process personal data where necessary for our legitimate interests, provided such interests are not overridden by the participant's rights and freedoms, including for:
(a) service administration and internal organisation;
(b) quality control and operational management;
(c) technical support, troubleshooting and platform security;
(d) prevention, detection and investigation of misuse, fraud, unauthorised access, unauthorised sharing, piracy or other violations of our contractual or intellectual property rights;
(e) maintaining internal records relating to participation and service delivery;
(f) protecting the safety, integrity and proper functioning of workshops and participant spaces;
(g) investigating and addressing alleged breaches of the Code of Conduct;
(h) establishing, exercising or defending legal claims.
Legal basis: Article 6(1)(f) GDPR.
5.4 Consent
Where required or where we choose to rely on consent, we process personal data on the basis of consent, including in relation to:
(a) testimonials used for marketing or promotional purposes;
(b) participant photographs, likenesses, video images or similar materials used for marketing or promotional purposes;
(c) any other processing expressly identified to the participant as consent-based.
Legal basis: Article 6(1)(a) GDPR.
Where processing is based on consent, the participant may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
6. Workshop Recordings and Audio Use
Workshops may be recorded as described in the Enrollment Agreement.
Where workshops are recorded, participant voice contributions made during workshops may be processed for educational, reference, archival, administrative and service-delivery purposes, including use within the Resources Folder and related Academy content libraries where the Enrollment Agreement permits such use.
Unless a separate written permission has been provided where required, the Academy does not use a participant's photograph, likeness or Zoom video feed in marketing or promotional materials.
Where the Enrollment Agreement provides a process for participants to raise objections or request participation accommodations in relation to recorded sessions, participants should follow that process before enrolment or as otherwise specified by the Academy.
7. Testimonials and Marketing
Testimonials are voluntary and are not a condition of participation.
If a participant voluntarily provides a testimonial and signs or otherwise provides the required consent, the Academy may use the relevant personal data for marketing and promotional purposes, which may include publication on:
(a) Academy website(s);
(b) newsletters and email communications;
(c) social media channels;
(d) digital or print promotional materials.
Where required by applicable law, marketing communications will be sent only with the necessary consent or other lawful basis. Participants may unsubscribe from non-essential marketing communications at any time.
Withdrawal of consent will not affect processing carried out lawfully before withdrawal.
8. Recipients of Personal Data
We may share personal data, strictly where necessary, with the following categories of recipients:
(a) instructors, guest mentors, administrative personnel and contractors engaged in delivery or administration of the program;
(b) hosting, storage, cloud, communications and technical support providers;
(c) videoconferencing and collaboration platform providers, including providers used to host or deliver workshops;
(d) payment processors, billing providers and accounting service providers;
(e) legal, compliance, tax and professional advisers;
(f) regulators, public authorities, courts or law enforcement where disclosure is required by law or necessary for legal claims or rights protection;
(g) service providers engaged to support security, anti-abuse, access-control or rights-enforcement functions.
Where third parties process personal data on our behalf, we seek to put in place appropriate contractual arrangements as required by applicable data protection law.
9. International Transfers
Some service providers used by the Academy may process personal data outside the European Economic Area.
Where personal data is transferred outside the European Economic Area, we will seek to ensure that appropriate safeguards are implemented in accordance with the GDPR, which may include the European Commission's Standard Contractual Clauses or another lawful transfer mechanism, together with supplementary measures where appropriate.
10. Retention
We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, including for contractual, educational, administrative, legal, accounting, tax, evidential, security and rights-protection purposes.
Retention periods may vary depending on the type of data and the reason for processing. In general:
(a) enrolment, contract, invoicing and transaction records may be retained for the period necessary to administer the contractual relationship and comply with legal, tax and accounting obligations;
(b) participant correspondence and support records may be retained for operational, evidential and dispute-resolution purposes;
(c) workshop recordings and related educational archives may be retained for as long as reasonably necessary for the educational, archival, administrative and contractual purposes described in the Enrollment Agreement and this Privacy Policy;
(d) consent records may be retained for as long as necessary to demonstrate consent status and compliance;
(e) security logs and access records may be retained for as long as reasonably necessary to maintain system integrity, investigate misuse and protect rights.
When personal data is no longer required, we may delete it, anonymise it, or securely archive it where continued retention is lawful and appropriate.
11. Data Subject Rights
Subject to applicable law and any relevant conditions or exemptions, participants may have the following rights under the GDPR:
(a) right of access;
(b) right to rectification;
(c) right to erasure;
(d) right to restriction of processing;
(e) right to data portability;
(f) right to object to processing carried out on the basis of legitimate interests;
(g) right to withdraw consent at any time where processing is based on consent;
(h) right to lodge a complaint with a competent supervisory authority, including the Comissão Nacional de Proteção de Dados ("CNPD").
Where a participant exercises a data protection right, we will respond in accordance with applicable law.
Requests may be sent to: [email protected]
CNPD:
https://www.cnpd.pt
12. Security
We implement reasonable technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, or other unlawful forms of processing.
No internet-based system or third-party platform can be guaranteed to be completely secure. Participants are responsible for the security of their own devices, passwords, internet connections and personal working environment.
13. Children and Guardian Data
If a participant is under eighteen (18) years of age, a parent or legal guardian may need to provide personal data and execute relevant contractual documents on the participant's behalf, as required by the Enrollment Agreement and applicable law.
We process such parent or guardian data only insofar as reasonably necessary to verify authority, administer the participant relationship, communicate regarding the services, and comply with legal obligations.
14. Third-Party Platforms
The Academy may use third-party platforms and service providers to deliver workshops, communications, billing, storage, subscription access and other operational functions.
Such providers may process personal data under their own privacy notices and terms, or on our behalf under data processing arrangements, depending on the circumstances and legal role of the provider.
Participants are responsible for reviewing the terms and privacy notices of third-party services they use to access the Academy's services.
15. Automated Decision-Making
The Academy does not make decisions producing legal effects concerning participants solely by automated means, including profiling, in connection with the ordinary delivery of the program.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements, operational practices, service providers or Academy services.
The current version will be made available through the Academy's website, participant communications, or other appropriate channels. Material changes may be notified by email or other reasonable means.
17. Contact
For privacy-related questions or to exercise data protection rights, please contact:
Mathew Jonson
Freedom Engine Academy
AV. Almirante Reis 258 e 258 B 4º E
1000-058 Lisbon, Portugal
Email: [email protected]