Privacy & Legal

Privacy Policy

Last updated: 23 April 2026

MyMua Ltd (“MyMua”, “we”, “us”, or “our”) is committed to protecting your personal data. This policy explains how we collect, use, store, and protect information about you when you use our platform, and sets out your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

MyMua Ltd is the data controller responsible for your personal data collected via the MyMua platform (mymua.net). We are registered in England and Wales.

As data controller, MyMua determines the purposes and means of processing your personal data. If you have any questions about how we handle your information, please contact us at privacy@mymua.net.

2. Data We Collect

We collect the following categories of personal data depending on how you use MyMua:

Account & identity data

  • Full name — used to identify you on the platform and in booking records.
  • Email address — used for account authentication and transactional communications.
  • Password — stored as a secure cryptographic hash; we never store your password in plain text.
  • Profile photo — uploaded voluntarily; displayed on your public profile.
  • Account role — whether you are a client or a makeup artist.

Location data

  • City or region — provided by artists so clients can find local MUAs. We collect general location only; we do not collect precise GPS coordinates.

Artist profile data

  • Professional biography, specialisms (e.g. bridal, editorial, SFX), years of experience, and listed services including pricing and duration.
  • Portfolio photographs uploaded to your gallery.
  • Availability calendar data.

Booking & transaction data

  • Booking requests, confirmed bookings, service selections, dates, and booking status.
  • Reviews and star ratings submitted after a completed booking.

Payment data

  • Payment card details and bank account information are processed entirely by Stripe. MyMua does not store, process, or have access to full card numbers, CVV codes, or bank account details. We retain only Stripe-issued identifiers (e.g. customer ID, payment intent ID) to reconcile bookings.
  • Artists connect a Stripe account for payouts; we store the Stripe Connect account ID.

Communications data

  • Messages exchanged between clients and artists through the MyMua messaging system.

Technical & usage data

  • IP address, browser type and version, device type, operating system, referring URLs, and pages visited on MyMua.
  • This data is collected automatically via server logs and is used for security, fraud prevention, and platform improvement.

3. How We Use Your Data

We use your personal data only for the purposes set out below:

  • To provide the platform — creating accounts, displaying profiles, processing bookings, facilitating payments, and enabling messaging between clients and artists.
  • To verify identity and prevent fraud — confirming you are who you say you are and protecting both clients and artists from fraudulent activity.
  • To send transactional communications — booking confirmations, payment receipts, booking reminders, and account notifications. These are necessary for the service and are not marketing.
  • To enable reviews — displaying verified reviews on artist profiles to maintain trust on the platform.
  • To improve MyMua — analysing usage patterns (in aggregate and anonymised where possible) to improve features and fix bugs.
  • To comply with legal obligations — retaining financial records as required by HMRC and responding to lawful requests from authorities.
  • Marketing communications — only where you have given explicit consent. You may withdraw consent at any time via your account settings or by emailing privacy@mymua.net.

5. How We Store Your Data

Your data is stored using Supabase, a managed PostgreSQL database platform. Supabase infrastructure used by MyMua is hosted in the European Union (EU West — Ireland), which means your data does not leave the UK/EU by default.

We apply the following security measures:

  • Encryption in transit — all data is transmitted over HTTPS/TLS.
  • Encryption at rest — Supabase encrypts data at rest using AES-256.
  • Row Level Security (RLS) — database-level policies ensure users can only access their own data. For example, a client cannot read another client's booking records.
  • Password hashing — passwords are hashed using bcrypt via Supabase Auth; plain-text passwords are never stored.
  • Access controls — production database credentials are restricted and rotated regularly.

Despite these measures, no system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and will inform affected users without undue delay.

6. Third-Party Services

We use a small number of carefully selected third-party services to operate MyMua. Each acts as a data processor on our behalf and is bound by a Data Processing Agreement (DPA).

Stripe

Payment processing & artist payouts

All client payments and artist payouts are handled by Stripe, Inc. and Stripe Payments Europe Ltd. Stripe processes cardholder data under its own PCI-DSS Level 1 certification. We never receive or store full card numbers. Stripe may transfer data internationally under Standard Contractual Clauses.

Supabase

Database hosting & authentication

Supabase stores all MyMua application data including user profiles, bookings, messages, and reviews. Data is hosted in the EU (Ireland). Supabase is SOC 2 Type II certified.

Vercel

Web hosting & CDN

MyMua's web application is hosted and served via Vercel, Inc. Vercel processes server request logs (including IP addresses) to serve pages and handle API routes. Logs are retained for a short period for debugging purposes.

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

7. Data Retention

We retain personal data only for as long as necessary for the purpose it was collected, or as required by law.

Data type                    Retention period
Account & profile data       Until account deletion, then 30 days for recovery
Booking records              7 years (UK financial records requirement)
Payment records              7 years (HMRC compliance)
Messages                     2 years after the related booking, then deleted
Portfolio photos             Until removed by the artist or account deletion
Server & access logs         Up to 90 days
Marketing consent records    Until consent withdrawn, plus 1 year

When data is deleted, it is removed from active databases. Backups are purged on a rolling basis within 30 days.

8. Your Rights Under UK GDPR

Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@mymua.net. We will respond within one calendar month.

Right of access

You can request a copy of all personal data we hold about you (a Subject Access Request). We will provide this in a structured, commonly used, machine-readable format.

Right to rectification

If any of your personal data is inaccurate or incomplete, you have the right to have it corrected. You can update most information directly in your account settings.

Right to erasure ("right to be forgotten")

You can request deletion of your personal data where there is no compelling reason for us to continue processing it. Note that we may need to retain certain data for legal compliance (e.g. financial records).

Right to restriction of processing

You can ask us to pause processing of your data in certain circumstances — for example, while you contest its accuracy.

Right to data portability

Where processing is based on your consent or a contract, you can request your data in a portable format so you can transfer it to another service.

Right to object

You can object to processing based on legitimate interests at any time. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.

Right to withdraw consent

Where processing is based on consent (e.g. marketing emails), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Rights related to automated decision-making

MyMua does not make solely automated decisions that produce legal or similarly significant effects about you.

Right to complain to the ICO

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's independent data protection authority. We would, however, appreciate the chance to address your concerns first, so please contact us at privacy@mymua.net before raising a complaint.

ICO complaint portal

9. Cookies

MyMua uses cookies and similar technologies to operate the platform. A cookie is a small text file stored on your device by your browser.

Cookies we use

Strictly necessary cookies

Required for the platform to function. These include session authentication cookies set by Supabase Auth that keep you logged in. These cannot be disabled without breaking core functionality.

Functional cookies

Remember your preferences (e.g. search filters, account settings) to improve your experience. These are first-party cookies set by MyMua.

Analytics cookies

We may use anonymised analytics to understand how visitors use MyMua (e.g. which pages are most visited). Where we do, no personally identifiable information is included and data is aggregated.

Managing cookies

You can control and delete cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in to MyMua. For more information on managing cookies, visit allaboutcookies.org.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the features of MyMua. When we make material changes, we will notify you by email (to the address on your account) and/or by posting a notice on the platform at least 14 days before the change takes effect.

The “Last updated” date at the top of this page indicates when the policy was last revised. Continued use of MyMua after the effective date constitutes acceptance of the updated policy.

11. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our privacy team:

MyMua Privacy Team

privacy@mymua.net

We aim to respond to all privacy requests within one calendar month. For complex requests we may extend this by a further two months, in which case we will let you know within the first month.