Privacy policy
This Privacy Policy explains how Maivas collects, uses, discloses and protects personal information. Maivas is operated by Move Me Media Pty Ltd (ACN 699 626 385), a company based in Queensland, Australia ("Move Me Media", "we", "us", "our"). In this policy, "Maivas" or "the Service" means the Maivas application and the related work we do for your business.
We handle personal information in line with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the Spam Act 2003 (Cth), and the Notifiable Data Breaches scheme.
This policy covers the Maivas application and our work as your marketing service. It does not cover the third-party platforms you connect (your ad accounts, CRM and gym software), which are governed by your own agreements with those providers, and it does not cover any separate AI assistant you might use to talk to Maivas outside the app.
1. A plain-English summary
- Maivas is a marketing service for gyms, studios and clinics. You give it knowledge about your business, connect your own marketing accounts, and it plans and produces marketing work that a human approves before anything goes out.
- We store information about you and your business: your login, your business details, the knowledge you give us (your "Brain"), the marketing assets we produce, your chat history with Maivas, and the encrypted keys that let Maivas work inside your connected accounts.
- Your members' and leads' records are mastered in your own connected systems. Where Maivas syncs or processes them (for example lead details or booking events), it holds only what is needed to run your marketing, reporting and follow-up, acting on your instructions as your processor.
- We do not sell your data. We do not use your data to train general-purpose AI models.
- We keep the keys to your ad accounts encrypted so that even we cannot read them from the database.
- You can access, correct or delete your information, and disconnect any account, at any time.
2. Our two roles
We handle two kinds of data under two different responsibilities.
- Your account and business data. For your login, your business profile and your billing, we are the data controller. We decide how that information is handled, within this policy.
- Your operational and member data. For the data inside your own connected systems (your members, leads, bookings and the contents of your CRM and gym software), you are the controller and we act as your processor, on your instructions. You are responsible for having a lawful basis and any consent required to let us work with that data. Our Data Processing Addendum sets out these terms.
3. Information we collect
3.1 Account information
Your name, email address, avatar (if you add one), timezone and preferences. Authentication is handled by our provider, Supabase; we do not store your password.
3.2 Business information
Your business name and legal name, your sites (address, suburb, state, postcode, phone, service radius), and the knowledge you give us through onboarding and the Brain: your hours, programmes and pricing, your brand voice, your audience, your marketing goals, your competitors, and your guardrails. This is information about your business, not a roster of your members.
The onboarding survey collects business-level answers such as your membership size and growth target, audience demographics at an aggregate level, current marketing channels and spend, funnel metrics, brand tone, pricing and pain points.
3.3 Marketing work
The campaigns, briefs, plans, reports and creative assets Maivas produces or you upload, including the files (images, video, documents) stored against your workspace.
3.4 Chat history
When you talk to Maivas in the app, we store your messages and Maivas's replies so your conversation persists across sessions. Please do not paste into chat any sensitive personal information that is not needed for the work.
3.5 Connection credentials
When you connect a third-party account, we store the access tokens or keys needed to act inside it. These are encrypted before they are stored, the keys that could unlock them are held separately, and they are never shown in the app or returned to your browser. See the Security and Data Handling page.
3.6 Usage, activity and audit data
Records of what happened in your workspace: which actions were taken, by whom, and when, including an audit log that can capture the IP address and a before-and-after snapshot of a change, plus agent-run metadata such as which model answered and what it cost. We use this for security, support, billing and to show you a transparent history of what Maivas did.
3.7 Aggregated performance data
Aggregated metrics and trends about how your marketing performs (member counts, cohort trends, campaign attribution). Where producing these requires syncing operational records from your connected systems (for example lead and booking events), we hold and use those records only as your processor, as described in section 6; your systems remain the master record.
3.8 Billing information
Your subscription status and a reference to your Stripe customer record. Your card details are collected and held by Stripe, not by us.
3.9 Data from connected platforms
When you connect a platform, Maivas accesses only what it needs to do your marketing, and only on your behalf:
- Meta (Facebook and Instagram): your ad account data (campaigns and performance metrics), your Page information, and leads submitted through Meta lead forms. See section 6 for how lead data is handled.
- Google: your ad account and campaign data, your Business Profile, and analytics.
- Your CRM and gym software: contacts and aggregated membership data, as described above.
We use data from a connected platform solely to provide the Service to the business that connected it. We do not sell or transfer it, we do not use it for any other purpose, and we never share it across businesses.
4. Information we do not collect or do
- We do not store your members' and leads' individual records as a master copy. They stay in your connected systems; see section 6.
- We do not store your card or bank numbers. Stripe handles those.
- We do not sell or transfer your personal information, or the data we access from platforms you connect (such as Meta), and we do not share it for third-party marketing or across businesses.
- We do not use your data to train general-purpose AI models.
- We do not use one customer's raw data to serve another customer. Our cross-business learning is de-identified and aggregated only; see section 7.
5. How we use your information
We use your information to:
- provide the Service: plan campaigns, produce marketing assets, and, once a human approves, ship them to your connected accounts;
- operate and support your account, respond to your requests, and keep the Service secure;
- power semantic search over your own content (we create embeddings of your artifacts and Brain so Maivas can find relevant context; these stay within your workspace);
- process billing and manage your subscription; and
- send you service messages (for example, an approval is waiting, a connection needs attention). We may send occasional product updates; any promotional message includes an unsubscribe option and complies with the Spam Act 2003 (Cth).
We do not build advertising profiles of your members. Maivas answers questions and produces work for your business; that is the limit of its use of the data.
How we use AI. Maivas produces marketing work using AI systems. Where we send your business content to an AI provider to generate an asset, it is sent through that provider's commercial API and, under our terms with them, is not used to train their general-purpose models. A human (you or your team) approves every output before anything is published or sent.
6. Your members and leads
Your members' and leads' personal records (names, emails, phones, bookings, payments) live in your own connected systems: your gym-management software, your CRM (GoHighLevel), and the ad platforms. Maivas connects to these with your authorisation to do the marketing work you ask for.
Your systems remain the master record. Maivas ingests the metrics and events it needs to do the work (counts, trends, stage changes, attribution), and where that includes identifiable records (for example a lead's contact details or booking events), it holds and uses them only to run your marketing, reporting and follow-up. When Maivas runs a follow-up sequence or an audience action, it operates on the contacts inside your own systems.
For any identifiable member or lead data we process on your behalf, you are the controller and we are your processor under the Data Processing Addendum. You are responsible for the consents and notices your members are entitled to, including consent to send marketing messages under the Spam Act.
Leads from Meta lead ads. When you run lead ads on Meta, the lead details a person submits (such as their name, email, phone and their answers) are received by Maivas on your behalf and passed to your CRM (for example GoHighLevel) for your follow-up. We use these leads only to provide the Service to your business. They are never sold, never shared with another business, and never used for any other purpose.
7. Cross-business learning
Maivas improves by learning what works across the businesses it serves. This learning is de-identified and aggregated. We keep only general patterns about what performs well, never your raw data, your creative, or anything that identifies a business or a person. Your data is never pooled with another customer's, one customer can never see another's data, and this learning is never used to train general-purpose AI models.
8. When we disclose information
We disclose personal information only:
- to the sub-processors that help us run the Service, listed at Sub-processors, under contracts that require them to protect it;
- to the third-party platforms you have connected, when you or Maivas (after your approval) acts inside them;
- to our internal team ("operators") who access your workspace to set it up, run and support it. This access is managed by our administrators, recorded, and visible to you (see section 11);
- where you ask us to, or direct us to share it; and
- where the law requires it, or to protect our rights, safety or property.
We do not otherwise disclose your personal information.
9. Sub-processors and where your data is held
We use the sub-processors listed at Sub-processors to run the Service. Some of them are located overseas, including in the United States. Where personal information is handled overseas, we take reasonable steps to ensure it is handled consistently with the Australian Privacy Principles, including through data-processing terms in our contracts with those providers. We aim to keep Australian customers' primary data in Australia; the sub-processor page notes the region for each provider.
10. How long we keep your information
- Account and business data: kept while your account is active, and exported then deleted within 30 days of account closure, except where the law requires us to keep certain records.
- Chat threads and marketing assets: kept while your account is active. You can ask us to delete chat history at any time. Archived content is purged on account closure.
- Aggregated performance data: kept for the life of your account to inform your Brain.
- Connection credentials: deleted within 24 hours of you removing a connection.
- Audit log: kept for 24 months to support security investigations.
- Billing and tax records: kept for 7 years to meet Australian tax record-keeping requirements.
11. Our team's access to your workspace (operators)
Members of the Move Me Media team ("operators") may access your workspace to set it up, run the Build Phase, and provide support. This access is:
- managed and levelled: access is issued and controlled by our administrators. Most operators are granted access to a specific workspace for a specific purpose; a small number of senior administrators hold standing access so that any account can be supported and fixed at any time;
- recorded and visible: we log who has access and every meaningful action our team takes in your workspace, and you can see that history; and
- bounded: operators work under confidentiality obligations, and they never make your approval decisions for you. Anything that spends money still requires your approval.
If you have a concern about our team's access to your workspace, contact us and we will work with you to address it, including limiting access where appropriate.
12. Security
We protect your information with measures including:
- encryption of your connection credentials before they are stored, so the database never holds them in readable form and the keys are held separately;
- isolation between businesses, so one business can never read another's data;
- least-privilege access and an audit trail of meaningful actions;
- encryption in transit and at rest;
- revocable connections that take effect promptly; and
- a human approval gate on outbound actions, with a hard rule that spending money always requires a person to approve it.
A plain-language overview is on the Security and Data Handling page, and a detailed security overview is available to customers and reviewers on request. No system is perfectly secure, but we work to industry-standard practices and improve them over time.
13. Data breaches
If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme, and we will act to contain and remediate the incident.
14. Your rights
You can:
- access the personal information we hold about you;
- correct it if it is wrong;
- delete your information or close your account (subject to records we must keep by law);
- export your workspace data; and
- object to or ask us to restrict certain uses.
To make a request, email info@movememedia.com.au. We will respond within a reasonable time, usually within 30 days. Access is generally free; we will tell you in advance if a request is complex enough to attract a reasonable cost.
If you are a member or lead of a business that uses Maivas, and you want to access, correct or delete your information, please contact that business directly. They are the controller of your data; we will assist them as their processor.
15. Complaints
If you have a privacy concern, email info@movememedia.com.au. We will acknowledge your complaint within 5 business days and work to resolve it. If you are not satisfied, you can escalate to the Office of the Australian Information Commissioner at oaic.gov.au.
16. Children
Maivas is a business tool. It is not directed at children and we do not knowingly collect personal information from children.
17. Changes to this policy
We may update this policy from time to time. We will post the updated version here with a new date, and where a change is material we will let account owners know.
18. Contact us
- Privacy: info@movememedia.com.au
- Security: info@movememedia.com.au
- Support: info@movememedia.com.au
- Operator: Move Me Media Pty Ltd, ACN 699 626 385, 63/30 Sportsman Avenue, Mermaid Beach, Queensland 4218, Australia.