Privacy Policy

1. Introduction & Controller Identity

This Privacy Policy explains how ordvienta ("we", "us") collects, uses, and protects your personal data when you visit our website or contact us about our educational training. Our website is intended to provide information about our online course in curtain and tulle design, sewing techniques, and interior textile craftsmanship.

The data controller responsible for processing your personal data is:

We do not appoint a Data Protection Officer (DPO) at this time because our processing does not involve large-scale monitoring or large-scale processing of special-category data. If this changes, we will update this policy and provide DPO contact details.

2. Personal Data We Collect

We collect only the data needed to operate our website, respond to enquiries, and improve our course information. Depending on how you use the site, we may collect the following categories of personal data:

• Identity and contact data: name, email address, and optionally telephone number if you choose to provide it in a message.
• Form content: any text you write in a contact message, such as questions about the learning program, preferred start timing, sewing experience level, or project context.
• Technical data: IP address, browser type and version, device type, operating system, language preferences, and approximate location derived from IP (city/region level).
• Usage data: pages visited, time spent, referrer URLs, click paths, and interaction events (for example, opening the cookie preferences panel or clicking a navigation item).
• Cookies and identifiers: cookie values and similar identifiers described in Section 4 and in our Cookie Policy.
• Conversion events: events that indicate the outcome of an interaction, such as sending a registration request or a contact enquiry (recorded as an event for attribution if marketing consent is enabled).

We do not intentionally collect special-category personal data (such as health information, political opinions, religious beliefs), financial account details, or government identification numbers through this website. Please do not include sensitive information in your message forms.

3. Why We Process Data & Legal Basis (GDPR Art. 6)

We process personal data only when we have a valid legal basis under the GDPR and applicable local law. The purposes and legal bases typically include:

• Responding to registration requests and enquiries: to reply to your message, send course details, and answer practical questions about the program. Legal basis: GDPR Art. 6(1)(b) (steps prior to entering into a contract) and Art. 6(1)(a) (consent) where you explicitly agree to be contacted.
• Website analytics (optional): to understand how visitors use the site so we can improve clarity, lesson descriptions, and navigation. Legal basis: GDPR Art. 6(1)(a) (consent).
• Marketing and remarketing (optional): to measure advertising performance and show relevant ads to people who have expressed interest in the course. Legal basis: GDPR Art. 6(1)(a) (consent).
• Security and fraud prevention: to protect the website, prevent abuse, and maintain system integrity. Legal basis: GDPR Art. 6(1)(f) (legitimate interests).
• Legal and compliance obligations: where required to comply with applicable law, respond to lawful requests, or maintain records. Legal basis: GDPR Art. 6(1)(c) (legal obligation).

Automated decision-making (GDPR Art. 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects. Any advertising audiences created through marketing platforms are used for measurement and broad targeting and do not determine eligibility for a service or outcome.

4. Cookies & Tracking

Our website uses cookies and similar technologies. Cookies are small text files stored on your device. Some cookies are required for the site to function, while others are used for analytics and marketing and require your consent. We also use pixel tags and may use server-side event forwarding depending on how the site is configured.

Examples of cookie names and typical retention periods are listed in our Cookie Policy. Cookie lifetimes may vary by browser settings and platform updates. When marketing consent is enabled, cookie identifiers may be combined with event data (such as page views or form submissions) to attribute conversions and build audience segments.

5. Consent (EEA/UK)

Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your consent choice is recorded in the cookie_consent cookie (typically for 12 months).

You can withdraw or change consent at any time by selecting “Manage cookie preferences” in the footer. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

6. Sharing With Advertising & Service Partners

We share personal data only where needed to run the website, deliver communications, and measure marketing performance (if you consent). We do not sell personal data. Depending on your consent settings, data may be shared with the following partners:

• Google LLC: Google Analytics 4, Google Ads, Google Tag Manager, remarketing and conversion measurement. Data shared may include cookie identifiers, usage data, and conversion events. See: https://policies.google.com/privacy
• Meta Platforms, Inc.: Meta Pixel and related advertising tools such as custom/lookalike audiences and conversion measurement. Data shared may include page views, conversions, audience membership, and hashed identifiers where applicable. See: https://www.facebook.com/privacy/policy
• Cloudflare: content delivery network (CDN) and security services, which may process IP addresses for threat detection and performance optimization. See: https://www.cloudflare.com/privacypolicy/

We do not permit these providers to use site data for their own independent commercial purposes. They act as processors or service providers under their contractual terms, and in some cases as separate controllers for their own platform operations.

7. International Transfers

Some of our service providers (including Google and Meta) may process data outside the EEA/UK, including in the United States. Where applicable, transfers are protected using one or more of the following mechanisms:

• EU-U.S. Data Privacy Framework (DPF) (primary, since July 2023), including the UK Extension and Swiss-U.S. DPF where applicable.
• Standard Contractual Clauses (EU 2021/914) as a fallback mechanism.
• UK International Data Transfer Agreement (IDTA) as a fallback mechanism.

You can request additional information about transfer safeguards by contacting us at [email protected].

8. Data Retention

We keep personal data only as long as necessary for the purposes described in this policy. Typical retention periods are:

• Contact and registration submissions: up to 2 years from the last interaction, so we can follow up on course enquiries and maintain a reasonable record of communications.
• Analytics data: typically 14 months (where configured in GA4), subject to cookie lifetimes and your consent.
• Marketing cookies: retained according to cookie lifetimes (commonly around 90 days) and your consent choices.
• Email correspondence: for the duration of the enquiry and up to 1 additional year for context, unless a longer period is required to resolve a dispute.
• Server and security logs: typically up to 90 days for security monitoring and troubleshooting.
• Cookie consent record: up to 3 years for audit and compliance evidence.
• Legal and tax records: retained as required by applicable law (often 6–10 years for invoicing and accounting records if applicable).

9. Your Rights (GDPR & UK GDPR)

If you are located in the EEA or the UK, you may have the following rights under GDPR/UK GDPR, subject to legal limitations:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent at any time (Art. 7(3))
• Right to lodge a complaint with a supervisory authority (Art. 77)

To exercise your rights, email us at [email protected]. We typically respond within 30 days. If a request is complex, we may extend the response time by up to 60 additional days, as permitted by law.

Supervisory authority resources:

• EU: https://edpb.europa.eu
• UK (ICO): https://ico.org.uk
• Czech Republic (UOOU): https://uoou.gov.cz

10. Children

This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a child under 16 without verifiable parental consent, we will delete that data promptly.

11. Do Not Track

This website does not respond to Do Not Track (DNT) browser signals. Third-party providers may have their own DNT handling and opt-out mechanisms.

12. Data Deletion Requests

You can request deletion of your personal data by emailing [email protected] with the subject line “Data Deletion Request”. We may need to verify your identity before acting. We aim to complete requests within 30 days, unless lawful exceptions apply (for example, where we must retain certain records for legal compliance).

13. Business Transfers

In the event of a merger, acquisition, asset sale, financing, or insolvency, personal data may be transferred to a successor entity. If such a transfer materially changes how personal data is used, we will provide notice on the website.

14. California Privacy Notice (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Over the past 12 months, we may have collected the following categories of personal information:

• Identifiers: name, email, IP address, device identifiers.
• Internet or network activity: pages viewed, interactions, and usage signals.
• Inferences: interests or preferences inferred from page interactions (used only for advertising audiences when marketing consent is enabled).

We do not sell personal information as defined by CCPA. We do share personal information for cross-context behavioral advertising when marketing cookies are enabled; California residents may opt out via our cookie preferences panel (footer link “Manage cookie preferences”).

California rights may include: right to know, right to delete, right to correct, right to opt out of sale/sharing, and right to non-discrimination. To submit a request, email [email protected] with the subject “California Privacy Request”. We will verify your identity before processing.

Authorized agents may submit requests on your behalf if they provide written proof of authorization.

15. Virginia (VCDPA)

Virginia residents may have rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects.

To submit a request, email [email protected] with the subject “Virginia Privacy Request”. If we decline your request, you may appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We will respond within 60 days.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing us with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will post a notice on the website at least 14 days before the change takes effect. The “Last Updated” date at the top will be revised whenever this policy is updated.

18. Contact

For questions about privacy, requests, or how your data is used, contact: