Privacy Policy

MAHA Evolution Studio

Last updated: 14 May 2026

NOTICE

This Privacy Policy explains how MAHA Evolution Studio collects, uses, shares, and protects the personal data you provide when you visit the website at majamaha.com, complete the Growth Clarity Assessment, subscribe to the newsletter, book an introductory call, or pay for a service. It also explains your rights under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Croatian data-protection law (Zakon o provedbi Opće uredbe o zaštiti podataka).

This policy applies together with the Terms and Conditions of Use above. Please read both before sharing any personal data with MAHA.

We may update this Policy. The version in force is the one shown above with the most recent "last updated" date. We will notify subscribers of material changes by email. Your continued use of the website or the services after an update means you have read and accepted the revised Policy.

1. WHO WE ARE (DATA CONTROLLER)

The data controller for the personal data collected through the website and the services is:

Maja Jurišić, vlasnica obrta MAHA Evolution Studio Osječka 26, 21000 Split, Croatia OIB: 64542093989 Email: maja@majamaha.com

For any questions about this Policy or about how your personal data is processed, write to maja@majamaha.com.

2. PERSONAL DATA WE COLLECT

We collect the following categories of personal data.

2.1 Data you provide directly.

  • Identification and contact data: your name, email address, and any other information you choose to share when you contact us, complete the Growth Clarity Assessment, book an introductory call, subscribe to the newsletter, or book a paid service.

  • Assessment responses: the answers you submit through the Growth Clarity Assessment.

  • Booking data: the date and time of your booking, the service booked, and any context you provide when booking.

  • Session content: information you share with Maja during 1:1 Guidance sessions or during a Leaders and Organizations engagement.

  • Billing data for paid services: the name and contact details required for invoicing in line with Croatian law.

2.2 Data collected automatically when you visit the website.

  • Standard server log data: IP address, browser type, device type, the pages you view, and the date and time of access. This is collected by Squarespace, the platform that hosts the website.

  • Squarespace built-in analytics: aggregate usage information about which pages are visited and how visitors arrive at the site. This is used to understand site usage in aggregate and is not linked back to identifiable individuals by MAHA.

We do not run Google Analytics, Meta Pixel, LinkedIn Insight Tag, or any other third-party advertising or retargeting tracker on the website.

2.3 Payment data.

When you pay for a service, your card or payment details are collected and processed directly by Stripe. MAHA does not see, store, or process your full card number. MAHA receives confirmation of payment, the amount, and the data needed for invoicing.

3. HOW WE USE YOUR DATA AND THE LEGAL BASIS

We process your personal data for the following purposes and on the following legal bases under Article 6 of the GDPR.

3.1 To deliver the services you have requested. Booking and delivering 1:1 Guidance sessions, Leaders and Organizations engagements, the introductory call, and the personal reflection that follows the Growth Clarity Assessment. Legal basis: performance of a contract with you (Art. 6(1)(b)).

3.2 To send the newsletter. Adding your email to the newsletter list and sending you the emails you have subscribed to. Legal basis: your consent (Art. 6(1)(a)). You can withdraw consent at any time using the unsubscribe link in any email or by writing to maja@majamaha.com.

3.3 To process payments and meet accounting obligations. Processing your payment through Stripe, issuing invoices, and keeping the accounting records required by Croatian law. Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with a legal obligation (Art. 6(1)(c)).

3.4 To respond to your messages. Replying to questions sent through the contact form, by email, or through the booking flow. Legal basis: your consent for general inquiries (Art. 6(1)(a)) or, where you are a client or prospective client, our legitimate interest in responding to your message (Art. 6(1)(f)).

3.5 To improve the website and the services. Reviewing aggregate usage data from Squarespace's built-in analytics to understand which content is useful. Legal basis: our legitimate interest in maintaining and improving our services (Art. 6(1)(f)).

3.6 To protect our rights and comply with legal obligations. Keeping records to defend against legal claims, complying with tax law, and responding to lawful requests from public authorities. Legal basis: compliance with a legal obligation (Art. 6(1)(c)) and our legitimate interest in protecting our rights (Art. 6(1)(f)).

We do not sell your personal data. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

4. WHO WE SHARE YOUR DATA WITH

We share your personal data only with the third-party processors that are needed to run the website and the services. These processors act on documented instructions from MAHA.

4.1 Squarespace. Hosts the website and provides built-in site analytics. Operated by Squarespace, Inc., based in the United States.

4.2 Substack. Manages the newsletter list and delivers newsletter emails. Operated by Substack Inc., based in the United States.

4.3 Stripe. Processes payments for paid services. Operated by Stripe Payments Europe Limited (Ireland) for EU-based clients, with onward involvement of Stripe entities outside the EEA where required to complete a payment.

4.4 Public authorities. We disclose personal data to public authorities only when we are required to do so by law (for example, in response to a lawful request from a tax authority or a court).

We do not share your personal data with any third party for their own marketing purposes.

5. INTERNATIONAL DATA TRANSFERS

Some of our processors are based in the United States (Squarespace, Substack) or may transfer data outside the European Economic Area to support a service (Stripe). When data is transferred outside the EEA, we rely on the safeguards required by Chapter V of the GDPR. In practice this means one or more of:

  • The recipient is certified under the EU-US Data Privacy Framework (or an equivalent successor framework adopted by the European Commission).

  • The transfer is covered by Standard Contractual Clauses adopted by the European Commission.

  • Additional technical and organisational measures are in place to protect the data in transit and at rest.

You can request more information about the specific safeguards applied to a transfer by writing to maja@majamaha.com.

6. HOW LONG WE KEEP YOUR DATA

We keep personal data only as long as we need it for the purpose it was collected for, unless a longer retention period is required by law.

  • Newsletter subscribers: for as long as you remain subscribed. After you unsubscribe, we keep a minimal record (your email address and the fact that you unsubscribed) so that we do not contact you again by mistake.

  • Growth Clarity Assessment respondents: your responses and email are kept for as long as you remain a newsletter subscriber. If you unsubscribe and have not become a paid client, your assessment responses are deleted within twelve months.

  • Paid clients: session notes and engagement records are kept for the duration of the engagement and for up to two years after the engagement ends, so that we can provide continuity if you return.

  • Invoicing and accounting records: kept for eleven years from the end of the financial year, as required by Croatian tax and accounting law.

  • Server logs and analytics: retained by Squarespace in line with their own retention practices.

  • Email correspondence: kept for as long as it is needed to handle your matter and then archived or deleted in line with the retention periods above.

When data is no longer needed, we delete it or anonymise it.

7. YOUR RIGHTS UNDER THE GDPR

As a data subject in the EU, you have the following rights.

  • Right of access (Art. 15): to confirm whether we process your data and to receive a copy of it.

  • Right to rectification (Art. 16): to correct inaccurate or incomplete data.

  • Right to erasure (Art. 17): to ask us to delete your data, subject to the limits set by law.

  • Right to restriction (Art. 18): to ask us to limit how we use your data in specific circumstances.

  • Right to data portability (Art. 20): to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.

  • Right to object (Art. 21): to object to processing based on our legitimate interests.

  • Right to withdraw consent (Art. 7(3)): to withdraw any consent you have given, at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, write to maja@majamaha.com. We will respond within one month, or sooner where required by law. We may ask you to confirm your identity before we act on your request.

You also have the right to lodge a complaint with the Croatian supervisory authority:

Agencija za zaštitu osobnih podataka (AZOP) Selska cesta 136, 10000 Zagreb, Croatia Web: azop.hr

You may also complain to the supervisory authority in the EU country where you live or work.

8. COOKIES AND SIMILAR TECHNOLOGIES

The website uses a small number of cookies and similar technologies to function and to measure aggregate usage.

  • Strictly necessary cookies: set by Squarespace to keep the website running, to remember security settings, and to support essential functionality. These do not require consent under EU law.

  • Analytics cookies: set by Squarespace's built-in analytics to count visits and to measure aggregate usage. Where required, we ask for your consent through the cookie banner before these are set.

We do not use advertising cookies, retargeting pixels, or social-media tracking pixels.

You can manage cookies through your browser settings. Blocking essential cookies may stop parts of the website from working.

A separate Cookie Policy provides the technical details of each cookie used and how to control it.

9. SECURITY

We take reasonable technical and organisational measures to protect your personal data against loss, misuse, unauthorised access, disclosure, or alteration. This includes using reputable hosting and processing providers, restricting access to data on a need-to-know basis, and using secure connections (HTTPS) for the website.

No system is fully secure. You acknowledge that any transmission of data over the internet carries inherent risk. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority and, where required, the affected data subjects, in line with Articles 33 and 34 of the GDPR.

10. CHILDREN

The website and the services are intended for adults. We do not knowingly collect personal data from anyone under 18. If you become aware that a minor has provided personal data through the website, please write to maja@majamaha.com so that we can delete the data.

11. SENSITIVE DATA

We ask that you do not send sensitive personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation) through public channels such as the contact form, blog comments, or unsolicited emails. If you choose to share sensitive data with Maja during a paid session, that data is treated as confidential under section 7 of the Terms of Use and is not shared with any third party except where required by law.

12. CHANGES TO THIS POLICY

We may update this Policy from time to time to reflect changes in our practices, in the services we offer, or in applicable law. The current version is always the one shown above with the most recent "last updated" date. Material changes will be communicated to subscribers by email.

13. CONTACT

For any question, request, or complaint regarding this Privacy Policy or your personal data, write to:

Maja Jurišić, vlasnica obrta MAHA Evolution Studio Osječka 26, 21000 Split, Croatia OIB: 64542093989
Email: maja@majamaha.com