Privacy & Data Protection Policy (GDPR-Compliant)

IMPORTANT — READ CAREFULLY:
This Privacy & Data Protection Policy (“Policy”) explains in depth how Timeless Galaxy LLC (“Timeless Galaxy,” “we,” “our,” or “us”) collects, uses, discloses, protects, stores, and otherwise processes your Personal Data when you access or use www.timelessgalaxy.com (the “Site”), purchase any of our mini-courses, join our mailing list, or interact with us in any manner—online or offline.
This Policy is drafted to fully comply with the EU General Data Protection Regulation (“GDPR” 2016/679), the UK GDPR, the ePrivacy Directive (“Cookie Directive”), and, where relevant, complementary privacy laws such as the California Consumer Privacy Act (“CCPA”), Virginia CDPA, and Quebec Law 25. Where those laws impose stricter requirements, we apply the stricter standard by default.
________________________________________
1. Definitions & Interpretation
For ease of reference, capitalised terms have the meanings set out below. Unless otherwise indicated, terms defined in Article 4 GDPR carry the same meaning in this Policy.

Term | Meaning (summary)
Personal Data | Any information that can identify, directly or indirectly, a natural person (the “Data Subject”).
Processing | Any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).
Controller | The entity that determines the purposes & means of Processing Personal Data.
Processor | A third party that Processes Personal Data on behalf of the Controller.
Supervisory Authority | An independent public authority established under GDPR Article 51.
EEA | European Economic Area (EU Member States + Iceland, Liechtenstein, Norway).
Standard Contractual Clauses (“SCCs”) | European Commission-approved data-transfer safeguards for transfers outside the EEA/UK.

2. Categories of Personal Data We Collect
We endeavour to collect only the minimum amount of data necessary (“data-minimisation principle”) for the purposes described in Section 4.

Category | Examples | Source
Identity & Contact Data | Full name, billing/shipping address, telephone, email. | Provided by you via forms, checkout, or customer-service interactions.
Account Credentials | Username, encrypted password, authentication tokens. | Provided by you when creating an account.
Payment & Transaction Data | Partial card PAN (last 4 digits), transaction ID, course(s) purchased, price, currency, refund history. We never store full card numbers. | Payments handled through our processors; we receive tokenised data & receipts.
Course Progress Data | Completion status, quiz scores, certificates earned, time spent on lessons. | Generated automatically by our learning-management system when you take a class.
Marketing & Communications Data | Newsletter opt-in status, marketing preferences, communication history. | Provided by you or recorded when you interact with marketing emails.
Technical & Usage Data | IP address, browser type/version, device identifiers, time-zone, page-views, clickstream, referring URL, session length, error logs. | Collected automatically via cookies, pixels, and similar tech (see Section 5).
Support & Correspondence Data | Customer-support tickets, chat logs, email threads, satisfaction ratings. | Provided by you during support requests.
Special Categories | We do not intentionally collect “special categories” of data (GDPR Art. 9) such as health, biometric, or political-opinion data. If you volunteer such info in a message, we will treat it with heightened security and may promptly erase it if not strictly required.
Children’s Data | Our Site & courses are not directed at children under 16 years (see Section 14).

3. How We Collect Personal Data
1. Direct Interactions:
• Creating an account, purchasing a mini-course, filling out “Contact Us,” joining our newsletter, or entering a giveaway.
2. Automated Technologies:
• Cookies and server logs capture Technical & Usage Data each time you visit the Site.
3. Third-Party Sources:
• Payment processors (e.g., Stripe, PayPal) send us tokenised transaction data;
• Advertising partners and social media platforms (when you engage with our ads).
4. Publicly Available Sources:
• Limited open-source lookup to verify VAT/Tax registrations for EU B2B invoicing.

4. Purposes & Legal Bases for Processing

Purpose | Categories Processed | Legal Basis (Art. 6 GDPR)
Account registration & management | Identity, Contact, Credentials | Contract (Art. 6 (1)(b)) – processing is necessary to create/manage your account.
Course delivery & progress tracking | Identity, Contact, Course Progress | Contract (Art. 6 (1)(b)).
Payment processing & fraud prevention | Payment & Transaction, Technical | Contract (Art. 6 (1)(b)) & Legitimate Interests (Art. 6 (1)(f)) in preventing fraud.
Customer support | Identity, Contact, Support | Contract (Art. 6 (1)(b)) & Legitimate Interests (Art. 6 (1)(f)) to resolve inquiries.
Marketing communications | Identity, Contact, Marketing | Consent (Art. 6 (1)(a)) – explicit opt-in; you may withdraw at any time.
Analytics & site optimisation | Technical & Usage | Legitimate Interests (Art. 6 (1)(f)) in improving Site performance & user experience.
Legal compliance (tax, accounting, consumer law) | Identity, Contact, Payment | Legal Obligation (Art. 6 (1)(c)).
Giveaway administration | Identity, Contact | Consent (Art. 6 (1)(a)) or Contract (Art. 6 (1)(b)) as applicable.
Security & incident response | Technical, Identity | Legitimate Interests (Art. 6 (1)(f)) & Legal Obligation (Art. 6 (1)(c)).

No automated decision-making with legal or similarly significant effect (Art. 22 GDPR) is performed. We may use minimal profiling for personalised course recommendations (see Section 7).

5. Cookies & Similar Technologies
5.1 What Are Cookies?
Cookies are small text files stored on your device by your browser at the request of a website.
5.2 Types We Use

Cookie Type | Function | Default Lifespan
Strictly Necessary | Session maintenance, checkout basket. | Session / up to 1 year.
Functional | Remembering preferences (language, currency). | 1 month – 1 year.
Analytics | Measuring traffic & behaviour (Google Analytics 4, Plausible, or Matomo self-hosted). | 1 day – 2 years.
Marketing/Advertising | Remarketing via Facebook Pixel or Google Ads (only if you consent). | Up to 2 years.

5.3 Cookie Consent Mechanism
Upon first visit from the EEA/UK, a granular cookie banner appears, allowing you to:

  • “Accept All,” “Reject All,” or “Customize.”
  • Toggle each category (except Strictly Necessary) individually.
  • Withdraw consent later via “Cookie Settings” in the footer.

5.4 Do-Not-Track & Global Privacy Control
We honour GPC signals and treat them as an opt-out of non-essential cookies.

6. Marketing Communications
• Double Opt-In: Newsletter signup requires verification via a confirmation email.
• Frequency: We send no more than two promotional emails per week.
• Unsubscribe: Every email contains a one-click unsubscribe link; alternatively email unsubscribe@timeless.wp-demo.co.in.
• Third-Party Email Providers: Currently Mailerlite [EU data-centre] / Sendinblue [France] (subject to change; see Section 8).
• Soft Opt-In (B2B): If we have obtained your email during a sale of a mini-course, we may send similar product offers under PECR (UK) or ePrivacy Directive Art. 13(2), unless you opt out.

7. Limited Profiling & Personalisation
We may analyse:
• Courses you browsed, purchased, or completed;
• Time spent on lessons, to recommend relevant next-step courses.
Profiling is non-intrusive and does not produce legal effects. You may opt out at any time by toggling “Personalised Recommendations” in Account → Privacy Settings.

8. Data Sharing & Categories of Recipients

Recipient Category | Purpose | Safeguard
Payment Processors (Stripe, PayPal, Apple Pay, Google Pay) | Process payments, prevent fraud. | PCI-DSS compliant; we transmit tokenised data only.
Cloud Hosting (AWS EU-Central 1 / US-East 1), Content Delivery Networks (Cloudflare) | Hosting & delivering the Site globally. | GDPR Data Processing Addenda; SCCs for US transfers.
Learning Management Platform (Thinkific / Teachable / custom LMS) | Course delivery, progress tracking. | EU-hosted servers where possible; SCCs.
Email Service Provider (Mailerlite, Sendinblue) | Sending newsletters & transactional emails. | EU data centres; DPA & SCCs.
Analytics Vendors (Google Analytics 4, Plausible, Matomo) | Site performance & usage stats. | IP anonymisation; consent-mode for GA4.
Advertising Partners (Meta, Google Ads) | (Optional) remarketing where you consent. | International transfers via SCCs & Additional Safeguards.
Professional Advisers (lawyers, accountants, auditors) | Compliance, accounting. | Confidentiality obligations.
Regulators & Law Enforcement | Where legally required (court order, subpoena). | Disclosure limited to that which is legally necessary.

We do not sell Personal Data, nor do we share it with data brokers.

9. International Transfers
9.1 EEA to United States
Certain processors (Stripe, Google, Meta) are US-based. We rely on:
1. SCCs (Commission Implementing Decision EU 2021/914);
2. Supplementary Technical & Organisational Measures, including encryption in transit & at rest;
3. Vendor-specific Binding Corporate Rules (where applicable) or EU-US Data Privacy Framework participation (if/when approved).

9.2 UK to US
We use the UK International Data Transfer Addendum to SCCs.
9.3 Onward Transfers
Downstream third-party processors are contractually bound to GDPR-equivalent standards.

10. Data Retention

Data Category | Retention Period | Rationale
Purchase & Accounting Records | 7 years from transaction date. | Tax & bookkeeping laws (e.g., US 26 U.S.C. §6501, EU Directive 2006/112/EC).
User Accounts | Until account deletion + 90 days (backup window). | Provide access & restore accidentally deleted data.
Course Progress | Same as account retention. |
Marketing Preferences | Until withdrawal of consent or 2 years of inactivity. |
Cookie-Level Data | As listed in Section 5. |
Support Tickets | 3 years from last interaction. |
Server Logs | 12 months unless needed for security investigation. |

We routinely review retention schedules and anonymise or securely erase data when the retention period expires.

12. Data Security Measures
• Industry-standard encryption (TLS 1.3) for all data in transit;
• AES-256 encryption at rest for database storage;
• Least-privilege access controls;
• Multi-Factor Authentication for admin accounts;
• Routine vulnerability scanning & penetration testing;
• Incident Response Plan with 72-hour breach-notification commitment under GDPR Art. 33/34;
• Privacy by Design & Default in software development lifecycle;
• Regular staff training on information-security & data-protection best practices.

13. Your Rights Under GDPR
You may exercise the following rights free of charge (Art. 12 (5) GDPR allows a reasonable fee for unfounded or excessive requests):

Right | Summary | How to Exercise
Access (Art. 15) | Obtain confirmation whether we Process your Personal Data & receive a copy. | Email dpo@timeless.wp-demo.co.in with subject “DSAR – Access”.
Rectification (Art. 16) | Correct inaccurate or incomplete data. | Update in “Account → Profile” or contact us.
Erasure (Art. 17) | “Right to be forgotten” – have data deleted. | Use “Delete Account” tool or email.
Restriction (Art. 18) | Suspend Processing in specific circumstances. | Email request.
Data Portability (Art. 20) | Receive data in structured, machine-readable format; transmit to another controller. | Email request; we provide JSON/CSV within 30 days.
Object (Art. 21) | Object to processing based on Legitimate Interests or direct marketing. | Unsubscribe or email.
Automated Decision-Making (Art. 22) | Not subjected to decisions producing legal effects. | We do not engage in such processing.

13.1 Identity Verification
We may request additional proof (e.g., copy ID with redacted MRZ) to confirm your identity before fulfilling a DSAR.

13.2 Supervisory Authority Complaints
If you believe we have infringed your rights, you can lodge a complaint with your local Supervisory Authority. For example:
• EEA: Data Protection Commission (Ireland) – www.dataprotection.ie
• UK: Information Commissioner’s Office – www.ico.org.uk
We would appreciate the chance to resolve concerns directly before you approach an authority.

14. Children’s Privacy
Our Site, digital courses, and marketing are directed at individuals aged 16 and older. We do not knowingly collect Personal Data from children under 16. If you believe we have inadvertently collected such data, please contact privacy@timeless.wp-demo.co.in; we will promptly delete it.

15. Links to Third-Party Sites
Our courses or blog posts may link to external websites (e.g., Canva, Pinterest, Instagram). We are not responsible for their privacy practices. Please review the privacy statements of any external sites you visit.

16. Changes to This Policy
• Versioning: Each update is assigned a sequential version number & “Last Modified” date stamped at the top.
• Notification of Material Changes: We will (i) post a notice on the Site, (ii) send an email to registered users, and (iii) require renewed consent where required by law.
• Archival Copies: Prior versions are archived and available upon request.
