Last Updated: 05.01.2026

1. Controller (Data Controller)
   Responsible for processing your personal data:

Zoriana-Sofiia Hulka
Wasagasse 23, 1090 Wien, Austria
Phone: +43 676 410 5406
Email: hello@candlemakingcourse.com

2. What this Privacy Policy covers
   This Privacy Policy explains how we process personal data when you:

• visit candlemakingcourse.com and related subdomains (including course.candlemakingcourse.com) (the “Website”),

• create an account, purchase, and access our online course via our own backend,

• receive transactional or marketing emails from us,

• interact with our marketing and analytics technologies (only after consent where required).

  
  

3. Categories of personal data we may process
   Depending on how you use the Website and course, we may process:

   
   a) Website / device data (log data)

• IP address, date/time, accessed pages, referrer URL, browser type/version, device information, and similar technical data.

b) Newsletter data

• Email address (and if provided: name), consent timestamp, subscription status, and email interaction data (e.g., opens/clicks).

c) Course purchase & access data (own platform)

• Account data (e.g., email address, login identifiers),

• purchase and transaction data (e.g., product purchased, payment status, country, timestamps, order IDs),

• course access data (e.g., enrollment status, access rights).

• Payment card and payment method data are processed exclusively by our payment provider (Paddle). We do not store full payment card details.

d) Order/account data stored in our backend database
We store “accounts” and “orders” in our database. This may include identifiers (e.g., email address or user ID), purchase status, order IDs, product, timestamps, and related metadata necessary for providing access and administration.

4. Purposes and legal bases (GDPR Art. 6)
   We process personal data for the following purposes and legal bases:

a) Providing the Website securely and reliably
Purpose: website delivery, IT security, abuse prevention, troubleshooting.
Legal basis: legitimate interests (Art. 6(1)(f)).

b) Providing the course, access, and customer administration
Purpose: purchase processing via Paddle, course access, account administration, technical operations.

Legal basis: contract performance (Art. 6(1)(b)).

c) Accounting and legal obligations
Purpose: bookkeeping, tax, compliance, handling legal claims.
Legal basis: legal obligation (Art. 6(1)(c)) and/or legitimate interests (Art. 6(1)(f)).

d) Newsletter marketing
Purpose: sending newsletters and marketing emails.
Legal basis: consent (Art. 6(1)(a)).
You can withdraw consent at any time (see Section 10).

e) Analytics and advertising (Google Analytics, Google Ads, Meta Pixel/CAPI)
Purpose: measuring website performance, conversion attribution, improving campaigns, remarketing/audience building.
Legal basis: consent (Art. 6(1)(a)) where required for cookies/tracking technologies.
We load these tools only after consent via our cookie consent settings.

5. Cookies, consent management, and your choices
   We use a cookie consent tool (Framer consent) that lets you accept or reject optional cookies and tracking.

• Essential cookies may be set without consent because they are necessary for the Website to function.

• Analytics and marketing cookies/tags (Google Analytics, Google Ads, Meta Pixel, Conversions API, Google Tag Manager used for these tags) are activated only after your consent.
  You can change or withdraw your consent at any time via “Cookie Settings” on the Website.

  
  

6. Services and recipients (processors / third parties)
   We use the following categories of service providers to operate the Website and deliver the course:

a) Website frontend (Framer)

We use Framer to build and host the public Website. Framer processes technical data (e.g., IP address, access logs) for hosting and security purposes.

b) Backend hosting (Vercel)

We host our backend infrastructure (course logic, APIs, access control) on Vercel. Vercel processes technical data such as server logs and request metadata to provide hosting, security, and reliability.

c) Database (Supabase – region us-east-2)

We store account and order-related data in Supabase. Supabase acts as a processor and provides database hosting and security services.

d) Payments & checkout (Paddle)

We use Paddle as our payment provider and merchant of record. Paddle processes payment, billing, tax, and transaction data. We do not receive or store full payment card details. Paddle acts as an independent controller for payment processing under its own privacy policy.

e) Transactional emails (Resend)

We use Resend to send transactional emails such as account confirmations, purchase confirmations, and access-related messages. Resend processes email addresses and message metadata on our behalf.

f) Video hosting (Cloudflare Stream)

We use Cloudflare Stream to host and deliver course videos. Cloudflare may process IP addresses and technical playback data to provide secure and performant video delivery.

g) Newsletter (Kit.com)

We use Kit.com to manage newsletter subscriptions and send marketing emails based on your consent.

h) Analytics and advertising partners (only after consent)

• Google Analytics (GA4) for website analytics.

• Google Ads for conversion tracking and campaign measurement/remarketing.

• Meta Pixel and Meta Conversions API for conversion measurement and campaign optimization.

  
  

7. International data transfers (outside the EEA)
   Some providers listed above (including Supabase, Vercel, Paddle, Resend, and Cloudflare) may process data in the United States.
   Where required, we rely on appropriate safeguards such as:

• Standard Contractual Clauses (SCCs) and/or

• adequacy mechanisms available for specific providers (where applicable),
  plus additional technical/organizational measures as appropriate.

Important note: Our database is hosted in the United States (Supabase region us-east-2), meaning account/order data is stored and processed there.

8. How long we keep your data (retention)
   We keep personal data only as long as necessary for the purposes described:

• Website/server logs: typically for a short period for security and troubleshooting (unless needed longer for incident investigation).

• Newsletter data: until you unsubscribe or we no longer need it for the newsletter purpose.

• Course access/account/order data: for as long as needed to provide the course and manage the customer relationship.

• Accounting/legal records: for the retention periods required under applicable law.

  
  

9. Security
   We apply technical and organizational measures to protect personal data (e.g., access controls, principle of least privilege, encryption where available, and vendor DPAs where applicable). No method of transmission or storage is 100% secure, but we work to protect your data to the best of our ability.

   
   

10. Your rights (GDPR)
    If you are in the EU/EEA, you have the following rights, subject to legal requirements:

• Right of access (Art. 15)

• Right to rectification (Art. 16)

• Right to erasure (Art. 17)

• Right to restriction of processing (Art. 18)

• Right to data portability (Art. 20)

• Right to object (Art. 21)

• Right to withdraw consent at any time (Art. 7(3)) — this does not affect processing done before withdrawal.

To exercise your rights, contact us at: hello@candlemakingcourse.com

11. Right to lodge a complaint
    You have the right to lodge a complaint with a supervisory authority. In Austria, this is:

Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Wien, Austria

12. Changes to this Privacy Policy
    We may update this Privacy Policy from time to time to reflect changes in our processing, tools, or legal requirements. The “Last updated” date at the top shows the latest version.