Last Updated: 04.10.2025

1. Controller (Data Controller)
   Responsible for processing your personal data:

Zoriana-Sofiia Hulka (Ronaja.Home)
Wasagasse 23, 1090 Wien, Austria
Phone: +43 676 410 5406
Email: ronaja.home@gmail.com

2. What this Privacy Policy covers
   This Privacy Policy explains how we process personal data when you:

• visit candlemakingcourse.com (the “Website”),

• subscribe to our newsletter,

• purchase and access our course via Teachable,

• interact with our marketing/analytics technologies (only after consent where required).

  
  

3. Categories of personal data we may process
   Depending on how you use the Website and course, we may process:

   
   a) Website / device data (log data)

• IP address, date/time, accessed pages, referrer URL, browser type/version, device information, and similar technical data.

b) Newsletter data

• Email address (and if provided: name), consent timestamp, subscription status, and email interaction data (e.g., opens/clicks).

c) Course purchase & access data (via Teachable)

• Account data (typically email address and login-related data),

• purchase/transaction information (e.g., product purchased, payment status, country, timestamps),

• course access information (e.g., enrollment status).
  Payment card data is processed by Teachable and/or its payment partners; we do not store full payment card details.

d) Order/account data stored in our backend database
We store “accounts” and “orders” in our database. This may include identifiers (e.g., email address or user ID), purchase status, order IDs, product, timestamps, and related metadata necessary for providing access and administration.

4. Purposes and legal bases (GDPR Art. 6)
   We process personal data for the following purposes and legal bases:

a) Providing the Website securely and reliably
Purpose: website delivery, IT security, abuse prevention, troubleshooting.
Legal basis: legitimate interests (Art. 6(1)(f)).

b) Providing the course, access, and customer administration
Purpose: purchase processing via Teachable, course access, account administration, technical operations.
Legal basis: contract performance (Art. 6(1)(b)).

c) Accounting and legal obligations
Purpose: bookkeeping, tax, compliance, handling legal claims.
Legal basis: legal obligation (Art. 6(1)(c)) and/or legitimate interests (Art. 6(1)(f)).

d) Newsletter marketing
Purpose: sending newsletters and marketing emails.
Legal basis: consent (Art. 6(1)(a)).
You can withdraw consent at any time (see Section 10).

e) Analytics and advertising (Google Analytics, Google Ads, Meta Pixel/CAPI)
Purpose: measuring website performance, conversion attribution, improving campaigns, remarketing/audience building.
Legal basis: consent (Art. 6(1)(a)) where required for cookies/tracking technologies.
We load these tools only after consent via our cookie consent settings.

5. Cookies, consent management, and your choices
   We use a cookie consent tool (Framer consent) that lets you accept or reject optional cookies and tracking.

• Essential cookies may be set without consent because they are necessary for the Website to function.

• Analytics and marketing cookies/tags (Google Analytics, Google Ads, Meta Pixel, Conversions API, Google Tag Manager used for these tags) are activated only after your consent.
  You can change or withdraw your consent at any time via “Cookie Settings” on the Website.

  
  

6. Services and recipients (processors / third parties)
   We use the following categories of service providers to operate the Website and deliver the course:

a) Website platform (Framer)
We use Framer to build and deliver the Website. Framer may process technical data (e.g., IP address and access logs) to provide hosting and security.

b) Backend hosting (Vercel)
We host backend components on Vercel. Vercel may process technical data needed to provide hosting and security (e.g., server logs).

c) Database (Supabase – region us-east-2)
We store account and order data in Supabase. Supabase processes personal data on our behalf as a hosting/database provider.

d) Course platform and payments (Teachable)
We use Teachable to sell, deliver, and host parts of our course, and to process payments. When you purchase or access the course, Teachable processes account, purchase, and usage data according to their role and agreements.

e) Newsletter (Kit.com)
We use Kit.com to manage newsletter subscriptions and send emails. Kit processes your email address and related subscription data on our behalf.

f) Analytics and advertising partners (only after consent)

• Google Analytics (GA4) for website analytics.

• Google Ads for conversion tracking and campaign measurement/remarketing.

• Meta Pixel and Meta Conversions API for conversion measurement and campaign optimization.

  
  

7. International data transfers (outside the EEA)
   Some of our service providers (or their sub-processors) may process data outside the European Economic Area (EEA), including in the United States.
   Where required, we rely on appropriate safeguards such as:

• Standard Contractual Clauses (SCCs) and/or

• adequacy mechanisms available for specific providers (where applicable),
  plus additional technical/organizational measures as appropriate.

Important note: Our database is hosted in the United States (Supabase region us-east-2), meaning account/order data is stored and processed there.

8. How long we keep your data (retention)
   We keep personal data only as long as necessary for the purposes described:

• Website/server logs: typically for a short period for security and troubleshooting (unless needed longer for incident investigation).

• Newsletter data: until you unsubscribe or we no longer need it for the newsletter purpose.

• Course access/account/order data: for as long as needed to provide the course and manage the customer relationship.

• Accounting/legal records: for the retention periods required under applicable law.

  
  

9. Security
   We apply technical and organizational measures to protect personal data (e.g., access controls, principle of least privilege, encryption where available, and vendor DPAs where applicable). No method of transmission or storage is 100% secure, but we work to protect your data to the best of our ability.

   
   

10. Your rights (GDPR)
    If you are in the EU/EEA, you have the following rights, subject to legal requirements:

• Right of access (Art. 15)

• Right to rectification (Art. 16)

• Right to erasure (Art. 17)

• Right to restriction of processing (Art. 18)

• Right to data portability (Art. 20)

• Right to object (Art. 21)

• Right to withdraw consent at any time (Art. 7(3)) — this does not affect processing done before withdrawal.

To exercise your rights, contact us at: ronaja.home@gmail.com

11. Right to lodge a complaint
    You have the right to lodge a complaint with a supervisory authority. In Austria, this is:

Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Wien, Austria

12. Changes to this Privacy Policy
    We may update this Privacy Policy from time to time to reflect changes in our processing, tools, or legal requirements. The “Last updated” date at the top shows the latest version.