Privacy Policy
Last Updated: March 12, 2026
1. Introduction & Controller Identity
This Privacy Policy explains how Creative Sculpture Academy ("we", "us") collects, uses, and protects personal data when you visit this website and when you contact us through our registration form. Our site provides educational information and registration interest for learning decorative figurine crafting, stone artistry, basic sculpting techniques, finishing methods, and creative design principles.
For the purposes of applicable data protection laws, the data controller is Syblvatren Studio s.r.o., Lipová 41, 400 02 Chuderov, Czech Republic. You can contact us at [email protected] or by phone at +420 475 212 648.
Effective Date: March 12, 2026. We do not appoint a Data Protection Officer (DPO) because our activities do not involve large-scale processing of special-category data. If that changes, we will update this policy and publish a contact point for privacy matters.
2. Personal Data We Collect
We collect personal data in a few limited situations, primarily when you contact us. The categories below describe what we may collect and where it comes from.
- Identity and contact data: first name, last name, and email address that you provide in our registration form.
- Form content: the text you provide in "Learning Goals" (for example, materials you use, finishes you want to learn, and project details). Please do not include sensitive personal information in this field.
- Technical data: IP address, browser type and version, device type, operating system, and language settings. This information is typically collected automatically through standard server logs and, where consent is given, through analytics tools.
- Usage data: which pages you view, time spent on pages, referring URLs, and general click paths. This is collected only where you have opted into analytics cookies.
- Cookies and identifiers: essential cookies required for site function, and optional analytics/marketing cookies where you consent. See Section 4 and our Cookie Policy for details.
- Conversion events: if marketing cookies are enabled and an advertising pixel is later added by us, we may record conversions (such as a form submission) tied to cookie identifiers.
We do not intentionally collect special-category data (such as information about health, religion, political opinions), financial account details, or government identification numbers through this website. If you choose to include such information in a free-text message, we may process it only to the extent necessary to respond, and we encourage you to avoid sharing it.
3. Why We Process Personal Data & Legal Basis (GDPR Article 6)
We process personal data only when we have a legal basis. The list below explains the main reasons we process data and which legal basis we rely on under the EU General Data Protection Regulation (GDPR) and relevant local law.
- Responding to registration form messages: We use your name, email, and learning goals to respond and guide you toward appropriate modules. Legal basis: Article 6(1)(b) (steps prior to entering a contract) and Article 6(1)(a) (consent, where required by the form consent checkbox).
- Operating and securing the website: We process technical data to keep the site working, prevent abuse, and troubleshoot errors. Legal basis: Article 6(1)(f) (legitimate interests in maintaining the security and reliability of our services).
- Analytics (optional): If enabled by consent, analytics help us understand which pages are useful and where users get stuck. Legal basis: Article 6(1)(a) (consent).
- Marketing and remarketing (optional): If enabled by consent and if we implement advertising pixels, we may measure advertising performance and build audiences for remarketing or lookalike audiences. Legal basis: Article 6(1)(a) (consent).
- Legal obligations: We may retain certain correspondence where required for legal compliance. Legal basis: Article 6(1)(c) (legal obligation).
Automated decision-making and profiling (GDPR Article 22): we do not engage in automated decision-making or profiling that produces legal or similarly significant effects. If we ever use audience-building features from advertising platforms, they are used for measurement and ad delivery only and are not intended to make decisions about eligibility, employment, or credit.
4. Cookies & Tracking
Cookies are small text files stored on your device. Some are required for core site functions; others are optional and require your consent. We may also use pixel tags or similar technologies, and we may later implement server-side measurement (for example, through a conversion API) to improve the reliability of conversion attribution.
Our cookie categories are:
- Essential cookies (always active): required for site function and consent storage. Examples include _site_session and cookie_consent. Typical retention is session to 12 months, depending on the cookie.
- Analytics cookies (consent required): used to understand usage and improve content. If enabled, we expect to use Google Analytics 4 (GA4) with IP anonymization. Examples include _ga and _ga_XXXXXXXXXX. Data retention is typically 14 months within the analytics platform.
- Marketing cookies (consent required): used for advertising measurement and remarketing. Examples include _gcl_au, _fbp, and _fbc (when click identifiers are present). These support remarketing, conversion attribution, and audience creation where applicable.
In addition to cookies, advertising and analytics providers may infer device identifiers from signals such as IP address and User-Agent string. Where we implement server-side integrations, we may send limited event data (such as conversion events) and, in some cases, hashed identifiers (for example, a hashed email) for matching. Hashing is a protective measure; it does not turn personal data into anonymous data.
For a cookie-by-cookie overview and management instructions, read our Cookie Policy. You can also use the "Manage cookie preferences" link in the footer to open the consent tools.
5. Consent for Users in the EEA and UK
Users in the European Economic Area (EEA) and the United Kingdom receive a consent notice consistent with GDPR and UK GDPR requirements. Analytics and marketing cookies are disabled until you provide explicit, informed, freely given consent (GDPR Article 6(1)(a)).
Consent is recorded in the cookie_consent cookie, which is typically stored for 12 months. You can withdraw consent at any time by using the cookie preferences tools available from the footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
6. Sharing With Advertising & Service Partners
We share data only as needed to operate the website, respond to requests, and (where you consent) measure and improve marketing. We do not sell personal data.
- Google LLC: may provide analytics and advertising tools (for example, GA4, Google Ads measurement, tag management). Data may include cookie identifiers, usage data, and conversion events. Privacy policy: https://policies.google.com/privacy.
- Meta Platforms, Inc.: may provide advertising measurement and audience tools (for example, Meta Pixel, custom audiences, lookalike audiences, conversion APIs). Data may include page views, conversions, audience membership, and hashed identifiers where implemented. Privacy policy: https://www.facebook.com/privacy/policy.
- Cloudflare: may provide content delivery network (CDN) and security services, including IP-based threat detection. Privacy policy: https://www.cloudflare.com/privacypolicy/.
Where we use these providers, we aim to configure them to act as service providers/processors for our purposes. These providers may process data on our instructions and may not use site data for their own independent commercial purposes in the context of our service configuration, subject to their contractual terms and platform settings.
7. International Data Transfers
Some service providers are located outside the EEA/UK (including in the United States). When personal data is transferred internationally, we rely on appropriate safeguards. These may include:
- EU-US Data Privacy Framework (DPF) where applicable (and the UK Extension and Swiss-US DPF, where relevant).
- Standard Contractual Clauses (SCCs) (EU 2021/914) as a fallback safeguard.
- UK International Data Transfer Agreement (IDTA) as a fallback safeguard for UK transfers.
We also apply practical measures such as data minimization, restricted access, and event-level controls (for example, enabling marketing only when consent is provided).
8. Data Retention
We keep personal data only as long as needed for the purpose it was collected, unless a longer retention period is required or permitted by law. Typical retention periods are:
- Registration form submissions: up to 2 years from the last interaction, unless you request deletion sooner.
- Email correspondence: for the duration of the relationship plus 1 year, depending on context and legal needs.
- Analytics data: typically 14 months within GA4 (if enabled by consent).
- Server logs: typically up to 90 days for security and troubleshooting.
- Cookie consent record: up to 3 years for audit purposes where appropriate.
- Legal and compliance records: retained as required by law (often 6 to 10 years for certain records, depending on the obligation).
9. Your Rights (GDPR & UK GDPR)
If you are in the EEA or UK (and in some cases elsewhere), you may have rights over your personal data. These rights may include:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restrict processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Right to withdraw consent at any time (Article 7(3))
- Right to lodge a complaint with a supervisory authority (Article 77)
To exercise your rights, email [email protected]. We normally respond within 30 days. For complex requests, the response period may be extended by up to 60 additional days as permitted by law, and we will tell you if an extension is needed.
If you wish to contact a supervisory authority, you can start with these resources: EDPB: https://edpb.europa.eu; UK ICO: https://ico.org.uk; France CNIL: https://www.cnil.fr; Germany BfDI: https://www.bfdi.bund.de; Spain AEPD: https://www.aepd.es; Poland UODO: https://uodo.gov.pl.
10. Children
This website is not directed at individuals under 16. We do not knowingly collect personal data from minors. If you believe a child under 16 has provided us with personal data without verifiable parental consent, contact us and we will delete the information promptly.
11. Do Not Track
This website does not respond to "Do Not Track" (DNT) browser signals. Some third-party providers may offer their own controls or opt-outs, which are described in our Cookie Policy and in their privacy policies.
12. Data Deletion Requests
You may request deletion of your personal data by emailing [email protected] with the subject line "Data Deletion Request". We may ask for reasonable information to verify your identity before completing the request. We aim to complete verified deletion requests within 30 days.
In some cases we may retain limited data where required to comply with a legal obligation, to resolve disputes, or to enforce agreements. Where retention is required, we will restrict access and keep it only for the mandated period.
13. Business Transfers
In a merger, acquisition, asset sale, financing, insolvency, or similar transaction, personal data may be transferred to a successor entity as part of the transaction. If the successor materially changes how data is used, we will provide notice on the website.
14. California Privacy Notice (CCPA/CPRA)
If you are a California resident, California privacy laws may provide additional rights. In the past 12 months, we may have collected the following categories of personal information:
- Identifiers: name, email address (if provided), IP address, cookie identifiers.
- Internet or network activity: pages viewed and interactions (when analytics/marketing is enabled by consent).
- Inferences: interests or preferences inferred from site interactions (only where marketing/analytics tools are active).
We do not sell personal information as defined by CCPA. We may share data for cross-context behavioral advertising when marketing cookies are enabled. California residents may opt out of sharing for targeted advertising by disabling marketing cookies in our cookie preferences panel.
Depending on your circumstances, you may have the right to know, delete, and correct personal information, and the right to opt out of the sale or sharing of personal information. To submit a request, email [email protected] with the subject line "California Privacy Request". We will verify your identity before responding. You may also use an authorized agent with written proof of authorization.
15. Virginia Privacy Notice (VCDPA)
If you are a Virginia resident, you may have rights to access, correct, delete, and obtain a copy of your personal data, and to opt out of targeted advertising. We do not sell personal data, and we do not engage in profiling that produces legal or similarly significant effects.
To submit a request, email [email protected] with the subject line "Virginia Privacy Request". If we decline a request, you may appeal by emailing with the subject "Appeal of Refusal — Privacy Request". We will respond to appeals within 60 days. If the appeal is denied, you may contact the Virginia Attorney General.
16. Nevada
Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject line "Nevada Do Not Sell Request". We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.
17. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service providers. For material changes, we will post a prominent notice on the website at least 14 days before the changes take effect. The "Last Updated" date at the top of this page indicates when this policy was last revised.
18. Contact
For questions or requests related to privacy and personal data, contact:
- Creative Sculpture Academy (Syblvatren Studio s.r.o.)
- Lipová 41, 400 02 Chuderov, Czech Republic
- Email: [email protected]
- Phone: +420 475 212 648
Contact us about privacy
If you want to update, access, or delete your data, email us with a clear description of your request. Include the email address you used on the registration form so we can locate the correct record.