Privacy Policy
Last Updated: March 14, 2026
This website is intended for educational purposes only. Individual results and outcomes may vary.
1. Introduction & Controller Identity
This Privacy Policy explains how xavdrilo (“we”, “us”, “our”) collects, uses, and protects your personal data when you visit this website and when you submit a registration or contact request. Our website supports an online course that teaches practical retail sales skills for clothing and furniture teams, including customer service, product presentation, sales psychology, merchandising, inventory management, online sales methods, and retail operations.
Data Controller: Xavdrilo Education Ltd (the “Controller”). Registered address: Vyšehradská 1280, 687 25 Hluk, Czech Republic. Contact email: [email protected].
Effective Date: March 14, 2026. This policy applies to personal data processed through this website. If you contact us by email or phone, we will also handle that correspondence under the principles described here.
We do not appoint a Data Protection Officer (DPO) because we do not carry out large-scale systematic monitoring or large-scale processing of special-category data as our core activity. If you have privacy questions, contact us using the email above.
2. Personal Data We Collect
We collect only the data we need to operate the website, respond to enquiries, and improve the course information we publish. Depending on how you interact with the site, we may collect the following categories of personal data:
- Identity and contact data: name (if provided), email address, and any company or store name you add in a form.
- Form content: the messages you type into registration and contact forms, including details such as team size, store format, operational routines, and training goals.
- Technical data: IP address, browser type, device and operating system information, language, and basic diagnostic data.
- Usage data: pages viewed, approximate time on pages, referrer information, and interaction paths that help us understand what content is most useful.
- Cookies and identifiers: small files stored in your browser, including your cookie consent choice and identifiers used by analytics and marketing tools (where enabled by you).
- Conversion events: events related to form submission and page navigation that help us measure whether the site content is clear and functional.
We do not intentionally collect special-category data (such as health data, religious beliefs, political opinions), financial account details, or government-issued identification numbers through this website. Please do not include such information in form messages.
3. Why We Process Personal Data & Legal Basis
We process personal data for clear, limited purposes. Where the GDPR (and UK GDPR) applies, we rely on the legal bases below (GDPR Article 6):
- Registration and contact forms: to respond to your request, provide course details, and discuss a potential training plan. Legal basis: Article 6(1)(b) (steps prior to entering a contract) and Article 6(1)(a) (consent, where you provide it via the required checkbox).
- Website analytics (optional): to understand which pages are useful and improve the clarity of curriculum and course information. Legal basis: Article 6(1)(a) (consent) when analytics cookies are enabled.
- Marketing and remarketing (optional): to measure advertising performance and show relevant messages to visitors who opted in. Legal basis: Article 6(1)(a) (consent) when marketing cookies are enabled.
- Security and fraud prevention: to protect the website, prevent abuse, and investigate suspicious traffic. Legal basis: Article 6(1)(f) (legitimate interests) in maintaining a secure service.
- Legal compliance: to meet lawful obligations where applicable. Legal basis: Article 6(1)(c) (legal obligation).
Automated decision-making (GDPR Article 22): we do not engage in automated decision-making or profiling that produces legal or similarly significant effects for you. Any communication we send in response to a form is handled by a human, based on the information you provide.
4. Cookies & Tracking Technologies
Cookies are small text files stored in your browser. We also use similar technologies (such as pixel tags) and may use server-side events to measure site usage and advertising performance. This website uses three cookie categories that match our Cookie Policy:
Essential
Required for basic site operation, including remembering your cookie preferences and maintaining session continuity. These cookies do not require consent.
Typical retention: session to 12 months.
Analytics (consent required)
Helps us understand how visitors use the site so we can improve the curriculum pages, registration flow, and content clarity. Example provider: Google Analytics 4 with IP anonymization. Data retention: 14 months.
Marketing (consent required)
Used to measure advertising performance and show relevant messages to people who previously visited the site. Example providers: Google Ads and Meta Platforms. Marketing identifiers may be used to build remarketing audiences and attribute conversions to campaigns.
Beyond cookies, marketing measurement may also involve pixel tags and limited server-side event sharing. Where used, identifiers may be hashed before transmission.
You can control non-essential cookies using the “Manage cookie preferences” link in the footer. You can also delete cookies via your browser settings. Note that if you disable essential cookies, parts of the website may not function as intended.
5. Consent (EEA/UK)
Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Marketing and analytics cookies activate only after explicit, informed, freely given consent (Article 6(1)(a)). Consent is recorded in the cookie_consent browser cookie (12 months).
You may withdraw consent at any time by updating preferences in the cookie panel or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
6. Sharing With Advertising & Service Partners
We share limited data with service providers to operate the website and, where you consent, to measure and improve marketing performance. We do not sell personal data. Providers act as processors or independent controllers depending on the tool and configuration.
- Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): cookie identifiers, usage data, and conversion events. Policy: https://policies.google.com/privacy
- Meta Platforms, Inc. (Meta Pixel, Custom/Lookalike Audiences, Conversion API): page views, conversions, audience membership signals, and (where applicable) hashed identifiers. Policy: https://www.facebook.com/privacy/policy
- Cloudflare (CDN and security): IP-based threat detection and performance delivery. Policy: https://www.cloudflare.com/privacypolicy/
We do not permit these providers to use site data for their own independent commercial purposes beyond what is described in their policies for the services they provide (for example, security, measurement, and ad delivery). Where tools provide configurable settings (such as data retention), we apply settings intended for education websites and minimal collection.
7. International Transfers
Some service providers operate outside the EEA/UK, including in the United States. When personal data is transferred internationally, we rely on appropriate safeguards. These may include the EU–US Data Privacy Framework (and the UK Extension where applicable) and, where needed, Standard Contractual Clauses (EU 2021/914) as a fallback. We also use comparable mechanisms for other jurisdictions, such as the UK International Data Transfer Addendum/IDTA where relevant.
We aim to share only what is necessary for the purposes described in this policy and to use reputable providers that implement security controls appropriate for their role.
8. Data Retention
We keep personal data only as long as needed for the purposes described above, unless a longer retention period is required by law. Typical retention periods include:
- Contact and registration submissions: up to 2 years from the last interaction, to maintain continuity of communication and provide follow-up details.
- Analytics data: 14 months (where enabled by consent), subject to the settings of the analytics provider.
- Marketing cookies: per cookie lifetime (for example, 90 days), where enabled by consent.
- Email correspondence: duration of the relationship plus 1 year, unless a longer period is needed for legal reasons.
- Server logs: typically up to 90 days for security and troubleshooting.
- Cookie consent record: up to 3 years for audit and compliance, stored as a browser cookie and/or associated logs where applicable.
- Legal and tax retention: where required, typically 6–10 years for invoicing or statutory records (if applicable).
If you request deletion, we will delete or anonymize data unless we have a lawful reason to retain it (for example, to comply with legal obligations or defend claims).
9. Your Rights (GDPR & UK GDPR)
If GDPR/UK GDPR applies, you may have the following rights, subject to conditions and exceptions:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Right to withdraw consent (Article 7(3))
- Right to lodge a complaint with a supervisory authority (Article 77)
To exercise rights, email [email protected]. We aim to respond within 30 days. For complex requests, we may extend the response time by up to 60 additional days as permitted by law. We may request reasonable information to verify identity before acting on a request.
Supervisory authority references: EU (general) https://edpb.europa.eu; UK https://ico.org.uk; Germany https://www.bfdi.bund.de; France https://www.cnil.fr; Poland https://uodo.gov.pl; Spain https://www.aepd.es.
10. Children
This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have received personal data from a child under 16 without verifiable parental consent, we will delete that information promptly.
11. Do Not Track
This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own handling for similar signals, depending on your browser and settings.
12. Data Deletion Requests
If you want us to delete personal data we hold about you, email [email protected] with the subject line “Data Deletion Request”. We will confirm receipt, verify identity where appropriate, and complete deletion within 30 days unless we must retain certain records for legal reasons.
If deletion is not possible for a specific record, we will explain why (for example, statutory retention requirements) and what limited processing will continue.
13. Business Transfers
If we undergo a merger, acquisition, asset sale, financing, reorganization, or insolvency, personal data may be transferred to a successor entity. If a transfer materially changes how personal data is used, we will provide notice on the website.
14. California (CCPA / CPRA)
This section provides additional disclosures for California residents where applicable. In the last 12 months, we may have disclosed the following categories of personal information to service providers and advertising partners for business purposes:
- Identifiers (such as name, email address, IP address, device identifiers).
- Internet or network activity (such as browsing and interaction data).
- Inferences (such as interests or preferences derived from browsing behavior, where marketing cookies are enabled).
We do not sell personal information as defined by the CCPA. We do share information for cross-context behavioral advertising where marketing cookies are enabled. California residents may opt out by using the cookie preferences panel accessible from the footer.
California rights may include: the right to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination. To submit a request, email [email protected] with the subject “California Privacy Request”. We will verify your request before responding. Authorized agents may submit requests with written permission.
15. Virginia (VCDPA)
Where applicable, Virginia residents may have rights to access, correct, delete, obtain a copy of personal data, and opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects.
To submit a request, email [email protected] with the subject “Virginia Privacy Request”. If we decline a request, you may appeal by emailing us with the subject “Appeal of Refusal — Privacy Request”. We will respond to an appeal within 60 days.
16. Nevada
Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.
17. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or the tools used on the website. If changes are material, we will announce them on the website at least 14 days before they take effect. The “Last Updated” date at the top of this page will be revised whenever the policy changes.
18. Contact
If you have questions about this Privacy Policy or want to exercise your rights, contact:
- Controller: Xavdrilo Education Ltd
- Address: Vyšehradská 1280, 687 25 Hluk, Czech Republic
- Email: [email protected]
- Phone: +420 226 258 741