How we collect and protect your data
- Who we are
- Scope of this policy
- What personal data we collect
- Sources of personal data
- Why we use your data and legal bases
- Whether you must provide personal data
- Who we share data with
- International transfers
- Cookies and similar technologies
- How long we keep your data
- Your rights
- How to exercise your rights
- Age eligibility and children
- Security
- Personal-data breaches
- Changes to this policy
- Right to lodge a complaint
1. Who we are
The SafePremium Academy course platform (the “Course”, the “Platform”, or “we”) is operated by:
036 01 Martin
Slovak Republic
Company registration number (IČO): 57 436 541
Tax identification number (DIČ): 2122729224
VAT identification number (IČ DPH): SK2122729224, registered under §7a
Contact: info@safepremiumacademy.com
For the purposes of the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and the Slovak Personal Data Protection Act (Act No. 18/2018 Coll.), we are the data controller in respect of the personal data described in this policy — except for payment data, where Lemon Squeezy LLC acts as Merchant of Record and is an independent controller for its own checkout and payment-processing purposes (see §7).
Given the size and structure of our operations, we are not legally required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. Our internal assessment of this is documented and reviewed periodically. For all data-protection inquiries, please use the contact email above.
2. Scope of this policy
This Privacy Policy explains how we process personal data in connection with the SafePremium Academy website at safepremiumacademy.com, the member area, and the Course. It does not cover:
- The processing of payment, billing, and tax data by Lemon Squeezy LLC at checkout. Lemon Squeezy is the Merchant of Record and an independent controller for those purposes; its own privacy notice applies.
- Third-party services that you may access from links on our site, which are governed by their own privacy notices.
Separate Terms of Use, refund/withdrawal information, and risk disclaimers govern your purchase and use of the Course.
3. What personal data we collect
Account and course-access data
When you enrol in the Course and create an account, we hold:
- Your email address (used for account login and Course-related emails)
- An account password (stored only as a one-way salted hash through our authentication provider; we cannot read or recover your password)
- Your purchased entitlements (which Course components you have access to)
- The date you enrolled, used to compute your individual module-release schedule
Purchase-confirmation data
We do not collect, process, or store your payment-card details, billing address, or tax-residency information. Checkout is provided by Lemon Squeezy LLC as Merchant of Record. Lemon Squeezy is the legal seller for the checkout transaction and collects the information necessary to process the sale, issue invoices, collect and remit applicable taxes, perform fraud checks, handle refunds and chargebacks, and comply with its legal obligations. We receive only the purchase-confirmation data we need to provide Course access and maintain business records, such as your email address, product purchased, purchase status, order/transaction identifier, purchase date, and refund or cancellation status where applicable.
Communication data
If you contact us by email at info@safepremiumacademy.com, we receive your email address, the message content, and any attachments. We retain this correspondence for the period described in §10.
Technical data (server logs)
Our hosting provider, Vercel, automatically records standard server-access logs (your IP address, browser user-agent string, requested URL, and timestamp) to operate and secure the website. These logs are retained for a short period and are not linked to your account unless required for security investigation.
Visitor analytics data
On our public pages (homepage, course-information pages, login page, privacy policy, and terms) we use Vercel Web Analytics, a privacy-preserving analytics tool provided by our hosting provider, to understand aggregate traffic patterns. Vercel Web Analytics does not use cookies and does not store your IP address. Each page view is recorded as an anonymous data point containing the page URL, referrer, approximate geolocation (typically city level, derived from the incoming request and not stored alongside the IP address), browser and operating system version, and device type. Visitors are identified only by a temporary hash that is automatically discarded after 24 hours, which means we cannot reconstruct an individual’s browsing history across visits and we cannot link analytics data back to your account. Analytics is not used on authenticated member-area pages (dashboard, modules, bonus material).
Video-playback data
Course videos are hosted by Vimeo Inc. and played through Vimeo’s embedded player. When you watch a lesson, Vimeo may collect data about your interaction with the player according to its own privacy policy. We do not access individual viewer-identifying data from Vimeo; we receive only aggregated playback statistics.
Third-party assets requested by your browser
Our website currently loads typeface (font) files from Google’s Google Fonts service and icon stylesheet/font files from the cdnjs content-delivery network (operated by Cloudflare). When your browser requests these assets, the respective third-party servers receive your IP address, the requested asset URL, and standard request headers (such as your browser user-agent and referrer). These third parties act as recipients in the sense of GDPR Article 13/14 even though we do not deliberately send them personal data. See §7 for details and §8 for transfer information.
4. Sources of personal data
Most personal data we hold is provided by you directly — for example when you create an account, contact us, or watch a Course video.
In addition, we receive purchase-confirmation data from Lemon Squeezy LLC after you complete a checkout. This data includes your email address, the product purchased, the order/transaction identifier, the purchase status, the purchase date, and any refund or cancellation status. Lemon Squeezy is the source of this purchase-confirmation data. We use it only to provide Course access, maintain entitlement records, respond to purchase or support issues, and keep necessary business records.
5. Why we use your data and legal bases
We use your personal data for the following purposes, on the legal bases shown:
| Purpose | Legal basis under GDPR |
|---|---|
| Providing you with access to the Course and the materials you purchased | Performance of a contract with you (Article 6(1)(b)) |
| Sending you transactional emails about your account, purchases, and module unlocks | Performance of a contract (Article 6(1)(b)) |
| Operating, securing, and maintaining the website and member area | Legitimate interests (Article 6(1)(f)) — see specific interests below |
| Complying with our legal obligations (tax, accounting, regulatory record-keeping) | Legal obligation (Article 6(1)(c)) |
| Detecting and preventing fraud, credential abuse, scraping, and unauthorised sharing of Course content | Legitimate interests (Article 6(1)(f)) |
| Responding to support inquiries from existing customers | Performance of a contract (Article 6(1)(b)) |
| Responding to pre-sale or general inquiries from non-customers | Legitimate interests (Article 6(1)(f)) |
| Defending or pursuing legal claims, and preserving evidence in disputes | Legitimate interests (Article 6(1)(f)) |
Specific legitimate interests pursued
Where we rely on Article 6(1)(f), our legitimate interests are: securing the website and member area; preventing fraud, credential abuse, scraping, and unauthorised sharing of Course materials; maintaining service reliability; responding to non-customer inquiries; preserving evidence in disputes; and protecting our rights, property, users, and business operations.
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.
6. Whether you must provide personal data
To create an account and access the Course, you must provide an email address and create login credentials. Without this information, we cannot create your account, authenticate you, or provide access to the Course. There is no statutory obligation to provide this data — the obligation is contractual, arising from your decision to enrol.
The information requested at checkout (such as billing details and tax-related information) is required by Lemon Squeezy LLC as Merchant of Record to process your purchase, issue invoices, collect and remit applicable taxes, perform fraud checks, handle refunds and chargebacks, and comply with its legal obligations. If you do not provide the checkout information requested by Lemon Squeezy, your purchase cannot be completed.
Support inquiries are optional. If you contact us by email, we need your email address and the message content to respond.
7. Who we share data with
We share data only with the service providers we need to operate the Course. We do not sell your personal data. The table below describes each recipient, its role, and the categories of data involved.
| Provider | Role | Data shared / received |
|---|---|---|
| Lemon Squeezy LLC (USA) | Merchant of Record — legal seller for the checkout transaction; processes payments, issues invoices, collects and remits applicable taxes, handles refunds and chargebacks. Independent controller for checkout/payment data. | Information you enter at checkout (name, email, billing data) goes directly to Lemon Squeezy. We receive only purchase-confirmation data: email address, product purchased, order/transaction identifier, purchase status, purchase date, and refund or cancellation status where applicable. |
| Supabase Inc. (USA, with EU regional infrastructure) | Authentication and database for account and entitlement data (data processor on our instructions) | Email address, hashed password, entitlements, enrolment date |
| Vercel Inc. (USA) | Website and application hosting; serves the website pages and runs back-end functions; provides privacy-preserving aggregate visitor analytics on public pages (data processor) | Standard server-access logs; pages and data routed through hosting infrastructure; anonymous aggregate page-view events (no cookies, no IP storage) |
| Vimeo Inc. (USA) | Hosts and serves Course videos (independent controller for player telemetry; processor where it acts on our instructions for private video hosting) | Video-playback interactions when you watch a lesson |
| Google Ireland Ltd. / Google LLC (Google Workspace) | Email hosting and support correspondence (data processor on our instructions). Our Google Workspace account is configured for EU data regions where supported. | Email address, message headers, message content, attachments, timestamps |
| Google LLC / Google Ireland Ltd. (Google Fonts, USA / Ireland) | Font-delivery service; recipient of font-asset requests made by your browser when loading our pages | IP address, requested font/CSS URL, browser user-agent and referrer headers |
| Cloudflare Inc. (cdnjs, USA / global) | Content-delivery network for icon stylesheet and font assets; recipient of asset requests made by your browser | IP address, requested asset URL, browser user-agent and referrer headers |
We may also disclose data when required to do so by law or by a binding order from a competent authority, or where necessary to protect our rights, property, or safety, or that of others.
We are evaluating self-hosting fonts and icon assets to remove the need to disclose data to Google and Cloudflare for these purposes. This Policy will be updated when that work is complete.
8. International transfers of your data
Several of the recipients listed in §7 are located in the United States. When personal data is transferred outside the European Economic Area (EEA), we rely on one of the safeguards permitted by GDPR Chapter V. The table below identifies the transfer mechanism we rely on for each recipient.
| Provider | Country | Transfer mechanism |
|---|---|---|
| Lemon Squeezy LLC | USA | EU–U.S. Data Privacy Framework (DPF) where active certification covers the data, and/or Standard Contractual Clauses (SCCs) under the provider’s legal terms. Verification documented internally. |
| Supabase Inc. | USA, with EU regional infrastructure | Data Processing Addendum incorporating Standard Contractual Clauses; DPF where applicable. |
| Vercel Inc. | USA / global | Data Processing Addendum and SCCs as published by Vercel; DPF where applicable. |
| Vimeo Inc. | USA | DPF certification where active and within scope; SCCs where applicable. |
| Google Ireland Ltd. / Google LLC (Google Workspace) | EU regions configured where supported; Google LLC processing in the USA may occur | Data Processing Addendum incorporating Standard Contractual Clauses; EU–U.S. Data Privacy Framework certification where applicable. |
| Google LLC (Google Fonts) | USA / global | DPF certification where active and within scope; SCCs where applicable. (Self-hosting under evaluation, see §7.) |
| Cloudflare Inc. (cdnjs) | USA / global | DPF certification where active and within scope; SCCs where applicable. (Self-hosting under evaluation, see §7.) |
We maintain an internal vendor register recording the legal name, role, data categories, processing location, sub-processors, DPA status, transfer mechanism, and DPF certification verification dates for each recipient. You can request further information about a specific transfer by contacting us at the email address in §1.
10. How long we keep your data
We retain personal data only as long as we need it for the purposes described in §5, and then for any additional period required to comply with our legal obligations (such as tax-record retention). The Merchant of Record — Lemon Squeezy — maintains its own records of the checkout transaction under its own retention policies; the periods below apply only to the data we hold.
| Category | Retention period |
|---|---|
| Account and authentication data (email, password hash) | For as long as your account remains active, plus up to 30 days after a deletion request, unless retention is required for legal claims, security, or accounting records. |
| Course entitlement records | For as long as we need them to provide the access you purchased and as evidence of entitlement, then retained only as necessary for legal-claims or accounting limitation periods. |
| Purchase-reference and accounting records held by us | 10 years from the end of the calendar year of the transaction, as required by Slovak tax and accounting legislation. |
| Email correspondence with our support address | Up to 24 months after the last interaction, unless retained longer for an unresolved dispute, legal claim, abuse investigation, or specific legal obligation. |
| Server-access and security logs (held by Vercel) | Up to 90 days, as configured by our hosting provider, unless extended for security investigation. |
| Visitor analytics data points (held by Vercel) | The temporary visitor hash that links page views within a single session is discarded after 24 hours. The resulting aggregate, anonymous statistics (page-view counts, referrers, top pages, geographic and device breakdowns) are retained on the Vercel Web Analytics dashboard for the period applicable to our plan tier. |
11. Your rights
Under GDPR and the Slovak Personal Data Protection Act, you have the following rights in relation to your personal data:
- Right of access — you can ask us what data we hold about you and receive a copy.
- Right to rectification — you can ask us to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — you can ask us to delete your data, subject to legal retention obligations described in §10.
- Right to restriction of processing — you can ask us to limit our use of your data in certain circumstances.
- Right to data portability — you can ask us to provide your data in a structured, machine-readable format, or to transmit it to another controller.
- Right to object — you can object to our processing of your data on the basis of our legitimate interests (Article 6(1)(f)).
- Right to withdraw consent — where we rely on your consent, you can withdraw it at any time. We do not currently rely on consent as the legal basis for any processing of customer data described in this Policy.
Exercising these rights is free of charge. We aim to respond within one calendar month of receiving a verifiable request, as required by Article 12(3) GDPR.
For payment, billing, and tax data held by Lemon Squeezy as Merchant of Record, you may also need to contact Lemon Squeezy directly to exercise rights against them as an independent controller. Please refer to Lemon Squeezy’s own privacy notice for the relevant contact path.
12. How to exercise your rights
To exercise any of the rights in §11, please write to us at the email address below. For security, we may need to verify your identity before acting on a request.
Postal: SafePremium Academy s. r. o., Podhorská 11577/8, 036 01 Martin, Slovak Republic
Please include “Data Protection Request” in your email subject line so we can route it appropriately.
13. Age eligibility and children
The Course is intended for adults aged 18 or older. We do not knowingly sell the Course to minors, and we do not knowingly collect personal data from children under 16 (the GDPR digital-consent age in Slovakia and several other EU Member States). If you believe a child has provided personal data to us, please contact us at the email address in §12 and we will take appropriate steps to delete the data.
14. Security
We take reasonable technical and organisational measures to protect personal data against unauthorised access, disclosure, or loss. These measures include:
- Encryption of all data in transit (HTTPS/TLS)
- Encrypted storage of authentication data and database records by our hosting providers, configured according to those providers’ documented standards
- One-way salted hashing of passwords through our authentication provider; we cannot read or recover your password
- Restricted administrative access, with strong authentication on administrator accounts
- No storage of payment-card details on our infrastructure (handled by Lemon Squeezy as Merchant of Record)
We maintain an internal security checklist that we review periodically. No system is completely secure; the measures we take aim to manage risk to a reasonable level proportionate to our processing activities.
15. Personal-data breaches
If a personal-data breach occurs, we will assess it under GDPR. Where required, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay.
16. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our service providers, or applicable law. The “Last updated” date at the top of this page indicates when the most recent revision was made. If we make material changes, we will notify you by email and/or by a prominent notice on the Platform before the changes take effect.
17. Right to lodge a complaint
If you believe that our processing of your personal data infringes GDPR or Slovak data-protection law, you have the right to lodge a complaint with the Slovak supervisory authority:
Budova Park One
Námestie 1. mája 18
811 06 Bratislava
Slovak Republic
Web: www.dataprotection.gov.sk
Public inquiries: statny.dozor@pdp.gov.sk
You may also contact the supervisory authority of the EU Member State where you live or work, if different from Slovakia.