Privacy Policy
Last Updated: 22.10.2025
1. Introduction
This Privacy Policy explains how Individual Entrepreneur “Borinskiy A.A.”, address: Nauryz St. 119, Kyrgauyldy village, Almaty Region, Republic of Kazakhstan, B42M2F1 (“we”, “us”, “our”), collects, uses, and protects your personal data when you visit https://yoptacademy.com/ (“Website”).
Depending on your location:
- If you are located in the European Union (EU) or European Economic Area (EEA), your data are processed under the General Data Protection Regulation (EU) 2016/679 (GDPR).
- If you are located in the United States, your data are processed under federal law "(FTC Act, COPPA) and Delaware state law (Delaware Online Privacy and Protection Act).
This Policy applies only to users from the EU and the US.
We process personal data to provide our services, maintain accounts, and improve your experience. Providing your personal data is necessary to access our courses and features. Failure to provide such data may limit service functionality.
2. Data Controller and Contact
Controller:
Individual Entrepreneur “Borinskiy A.A.”, address: Nauryz St. 119, Kyrgauyldy village, Almaty Region, Republic of Kazakhstan, B42M2F1. Email: yoptacademy@gmail.com
EU Representative (Art. 27 GDPR): will be appointed later. The name and contact details will be published at https://yoptacademy.com/.
Data Protection Officer (DPO): to be appointed; interim contact yoptacademy@gmail.com.
We adhere to the FTC’s Fair Information Practice Principles, ensuring transparency, user choice, access, and accountability.
3. Categories and Sources of Personal Data
We process only what is necessary:
- Identification data: name, email address, user ID, messaging handles (e.g., Telegram nickname).
- Technical data: IP address, device type, browser, OS version, region, and log information.
- Usage data: page views, clicks, time spent, participation in courses, support requests.
- Cookie data: session identifiers, language settings, analytics metrics.
We do not intentionally process sensitive (special category) data.
Sources of Personal Data: we collect data directly from you (through forms and account creation), automatically via cookies and analytics tools, and occasionally from third-party authentication or communication providers.
4. Purposes and Legal Bases
| Purpose | Legal basis | Retention |
|---|---|---|
| Contract performance (access to materials, account management) | Art. 6(1)(b) GDPR | Term of contract + 5 years |
| Legal obligation (e.g., requests from authorities) | Art. 6(1)(c) GDPR | As required by law |
| Legitimate interest (security, fraud prevention) | Art. 6(1)(f) GDPR | 12 months from event |
| Analytics & improvement of services | Art. 6(1)(a) GDPR / consent | 13 months |
| Marketing communication (optional emails) | Art. 6(1)(a) GDPR / consent | Until withdrawal |
You may withdraw consent at any time via email or browser settings.
When relying on legitimate interest, we ensure that such interests are not overridden by users’ rights and freedoms by performing a balancing test.
When relying on legitimate interests (e.g., preventing fraud, maintaining security), we have assessed and documented that such processing is proportionate and does not override users’ rights and freedoms.
5. Cookies and Consent Management
We use necessary, functional, analytical, and marketing cookies. At first visit, a banner allows you to select categories. You may update preferences at any time.
We honor “Global Privacy Control (GPC)” and “Do Not Track” signals.
You can withdraw or modify your consent anytime through the Cookie Settings link available at the bottom of each page. Refusal of non-essential cookies will not affect core functionality.
6. Disclosure to Third Parties
Data may be shared only with:
- Hosting and infrastructure providers;
- Communication tools (e.g., email, chat, form handling);
- Analytics and security providers;
- Legal and regulatory authorities (where required by law).
All processors act under data processing agreements (DPAs) with confidentiality obligations.
| Category of Third Party | Purpose of Disclosure | Opt-Out Available |
|---|---|---|
| Hosting Provider (e.g., AWS) | Infrastructure and storage | No |
| Analytics Provider (e.g., Google Analytics) | Usage analytics | Yes |
| Communication Platform (e.g., Telegram) | Messaging and authentication | Limited |
We do not sell or share personal data as defined under applicable U.S. privacy laws (e.g., Delaware, California).
We do not sell or share personal information for cross-context behavioral advertising as defined by U.S. privacy laws.
7. International Data Transfers
Transfers outside the EEA may occur to the USA or other jurisdictions.
In such cases we apply:
- Standard Contractual Clauses (SCCs);
- Transfer Impact Assessment (TIA);
- Additional technical and organizational safeguards (encryption, pseudonymization, limited access).
A copy of the Standard Contractual Clauses used for international transfers can be obtained by contacting yoptacademy@gmail.com.
8. Data Retention and Deletion
We retain personal data only for as long as necessary for the stated purposes or legal requirements.
After expiration, data are securely deleted or anonymized.
Retention periods are determined based on statutory limitation periods, business needs, and legal obligations.
9. Security Measures
We maintain appropriate technical and organizational measures, including:
- TLS/HTTPS encryption;
- Multi-factor authentication for administrators;
- Firewalls and endpoint protection;
- Regular backups and logging;
- Staff training and confidentiality obligations.
We adhere to “Privacy by Design” and “Privacy by Default”.
We regularly test, assess, and evaluate the effectiveness of our security measures through internal audits.
10. Data Breach Response
In the event of a personal data breach, we will:
- Assess the impact and risk to users;
- Notify the competent EU authority within 72 hours (if required by GDPR);
- Inform affected users without undue delay when a high risk exists;
- Document all incidents and corrective actions.
We adhere to Privacy by Design and Privacy by Default principles and perform
Data Protection Impact Assessments (DPIAs) for high-risk processing activities such as behavioral analytics.
11. Exercising Your Rights
Requests related to your personal data can be submitted to yoptacademy@gmail.com.
To verify your identity, we may ask for basic information (e.g., email used for registration). We respond within one month, extendable by two months for complex cases.
Your Rights under GDPR
- Right of access (Art. 15): obtain a copy of your data.
- Right to rectification (Art. 16): correct inaccurate data.
- Right to erasure (Art. 17): request deletion (“right to be forgotten”).
- Right to restriction (Art. 18): limit processing.
- Right to portability (Art. 20): receive data in a structured format.
- Right to object (Art. 21): oppose legitimate interest or marketing processing.
- Right not to be subject to automated decisions (Art. 22).
We do not engage in automated decision-making that produces legal or similarly significant effects on users.
If you disagree with our response, you may contact the supervisory authority in your EU member state or the FTC/Delaware DOJ for U.S. residents.
12. Children’s Privacy
We do not knowingly collect personal data from children under 13 (US) or below the age defined by national law (EU).
Parental consent is required under COPPA and GDPR Art. 8.
Data collected without such consent are promptly deleted. Parents may contact us at yoptacademy@gmail.com to review or delete their child’s data.
If we learn that a child under 13 has provided personal data without verifiable parental consent, we will delete such data within 10 business days.
13. Accessibility Statement
We strive to ensure this Policy is accessible to individuals with disabilities. If you need this document in an alternative format, please contact us at yoptacademy@gmail.com.
14. Governing Law and Dispute Resolution
For U.S. residents, this Policy is governed by the laws of the State of Delaware.
EU users retain their rights under GDPR regardless of this choice of law.
15. Changes to This Policy
We will update this Policy as necessary to reflect changes in law or operations.
Significant updates will be notified via a banner on the Website and/or email notice.
Previous versions will be archived for accountability.
We will provide advance notice (at least 7 days) before any material changes take effect. Archived versions of this Policy are available upon request.