Data Protection Policy

Last updated: [Insert Date]

1. Data Controller Information

The data controller responsible for your personal data is:

2. Categories of Personal Data We Process

2.1 Website Visitors

Data collected automatically:

• IP address (anonymized after processing)
• Browser type, version, and language settings
• Operating system and device information
• Date, time, and duration of visit
• Pages visited and referrer URL
• Screen resolution and viewport size
• Geographic location (country/region level)

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for website functionality, security, and performance optimization.

2.2 Contact and Communication

Contact forms:

• Name and email address
• Company name and position (if provided)
• Phone number (if provided)
• Message content and attachments
• IP address and timestamp

WhatsApp Business:

• Mobile phone number
• Display name and profile picture
• Message content and media files
• Message delivery and read status
• Business inquiry details

Email correspondence:

• Email address and display name
• Email content and attachments
• Email metadata (timestamps, headers)
• Response history and conversation threads

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) to respond to inquiries and provide customer support.

2.3 Newsletter and Marketing

Mailchimp subscriptions:

• Email address
• First name (optional)
• Subscription date and source
• Email engagement metrics (opens, clicks, bounces)
• Geographic location and timezone
• Unsubscribe history

Legal basis: Consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time by unsubscribing.

2.4 Course Purchases and Payments

Customer data:

• Full name and email address
• Billing address
• Purchase history and course access
• Payment method information (stored by Stripe)
• Invoice and receipt data
• Course progress and completion status

Legal basis: Contract performance (Art. 6(1)(b) GDPR) for processing purchases and providing course access.

2.5 Analytics and Performance Data

Google Analytics:

• User interactions and behavior patterns
• Page performance metrics
• Conversion tracking data
• Demographic and interest data (if opted in)
• Custom events and goals

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for website optimization and business analytics.

3. Third-Party Data Processors

3.1 Website Infrastructure

Webflow, Inc. (USA)

• Website hosting and content management
• Form submissions and user interactions
• SSL certificate management
• CDN and performance optimization

Amazon Web Services - CloudFront (USA)

• Content delivery network services
• Static asset hosting and optimization
• Geographic content distribution

3.2 Analytics and Tracking

Google Analytics (Google Ireland Limited)

• Website traffic analysis
• User behavior tracking
• Performance monitoring
• Conversion measurement

3.3 Communication Services

Mailchimp (Intuit Inc., USA)

• Email marketing campaigns
• Subscriber management
• Email performance analytics
• Automated email sequences

WhatsApp Business (Meta Platforms Ireland Limited)

• Business messaging services
• Customer support communications
• Message delivery and status updates

3.4 Payment Processing

Stripe, Inc. (USA/Ireland)

• Payment processing and verification
• Fraud detection and prevention
• Subscription management
• Financial reporting and reconciliation

Note: We do not store payment card data on our servers. All payment information is processed and stored by Stripe according to PCI DSS standards.

3.5 Social Media Integration

Meta Platforms Ireland Limited (Facebook/Instagram)

• Social media plugins and widgets
• Content sharing functionality
• Cross-platform analytics

4. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). We ensure adequate protection through:

4.1 Adequacy Decisions

• Transfers to countries with EU adequacy decisions
• Ongoing compliance monitoring

4.2 EU-US Data Privacy Framework

• Google (Analytics): Certified under DPF
• Ongoing compliance verification

4.3 Standard Contractual Clauses (SCCs)

• Legally binding data protection agreements
• Regular compliance assessments
• Additional safeguards for sensitive transfers

5. Data Retention Periods

We retain personal data only as long as necessary for the purposes collected:

6. Your Data Protection Rights

Under the GDPR, you have comprehensive rights regarding your personal data:

6.1 Right of Access (Art. 15 GDPR)

• Request confirmation of data processing
• Obtain copies of your personal data
• Information about processing purposes and recipients
• Details about data retention periods

6.2 Right to Rectification (Art. 16 GDPR)

• Correct inaccurate personal data
• Complete incomplete data
• Update outdated information

6.3 Right to Erasure (Art. 17 GDPR)

• Request deletion when data is no longer necessary
• Withdraw consent for consent-based processing
• Object to unlawful processing

6.4 Right to Restriction (Art. 18 GDPR)

• Limit processing while verifying accuracy
• Restrict unlawful processing
• Preserve data for legal claims

6.5 Right to Data Portability (Art. 20 GDPR)

• Receive data in structured, machine-readable format
• Transfer data to another controller
• Available for consent-based or contract-based processing

6.6 Right to Object (Art. 21 GDPR)

• Object to legitimate interest-based processing
• Opt-out of direct marketing
• Stop profiling for marketing purposes

6.7 Rights Related to Automated Decision-Making

• Right not to be subject to automated decisions
• Request human intervention
• Contest automated decisions

How to exercise your rights: Contact us at hello@felipesayao.studio with your request. We will respond within one month and may request identity verification for security purposes.

7. Data Security Measures

We implement comprehensive technical and organizational measures:

7.1 Technical Safeguards

• SSL/TLS encryption for all data transmission
• Encrypted data storage and backups
• Regular security updates and patches
• Multi-factor authentication for admin access
• Firewall protection and intrusion detection
• Regular vulnerability assessments

7.2 Organizational Measures

• Data access controls and role-based permissions
• Regular staff training on data protection
• Data processing agreements with all processors
• Incident response and breach notification procedures
• Regular compliance audits and reviews

8. Cookies and Tracking Technologies

Our website uses various types of cookies and tracking technologies:

8.1 Strictly Necessary Cookies

• Session management and security
• Shopping cart functionality
• Form submission handling
• SSL session management

8.2 Analytics Cookies

• Google Analytics tracking
• Website performance monitoring
• User behavior analysis
• Conversion tracking

8.3 Marketing Cookies

• Email campaign tracking
• Social media integration
• Retargeting and remarketing

Cookie Management: You can control cookies through your browser settings or by contacting us to opt-out of non-essential cookies.

9. Data Breach Procedures

In the event of a personal data breach:

• We will assess the risk to your rights and freedoms
• High-risk breaches will be reported to supervisory authorities within 72 hours
• Affected individuals will be notified without undue delay
• We will document all breaches and remedial actions taken

10. Children's Privacy

Our services are not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover such data has been collected, we will delete it promptly.

11. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. Significant changes will be communicated through:

• Email notification to newsletter subscribers
• Website banner notifications
• Social media announcements

12. Contact Information

12.1 Data Protection Inquiries

12.2 Supervisory Authority

You have the right to lodge a complaint with the competent supervisory authority:

13. Legal Framework

This privacy policy complies with:

• EU General Data Protection Regulation (GDPR) 2016/679
• German Federal Data Protection Act (BDSG)
• German Telemedia Act (TMG)
• ePrivacy Directive 2002/58/EC

This policy ensures comprehensive protection of your personal data and transparent communication about our data processing practices. For any questions or concerns, please don't hesitate to contact us using the information provided above.