Privacy policy
Last updated: 3 May 2026
⚠️ Draft. Before production launch the content must be verified by legal counsel.
The Polish version is legally binding — the English version below is provided for information only.
1. Data Controller
The controller of your personal data is AVERN STUDIO Sp. z o.o., with its registered office in Warsaw, ul. Marszałkowska 1, 00-001, VAT ID PL000000000. GDPR contact: rodo@skillup.gg.
2. What data we process
- Account data: first name, last name, email, password hash, email verification date, interface language.
- Invoice data: full name / company name, address, postal code, VAT ID (optional).
- Payment data: Stripe customer ID (we do not store card numbers).
- Technical data: IP address, browser user-agent, session identifiers, cookie identifiers.
- Behavioural data: lesson progress, purchased courses, cart, marketing consents, ratings.
- Communications: messages submitted through the contact form and email correspondence.
3. Purposes and legal bases
- Contract performance (Art. 6(1)(b) GDPR): Account servicing, delivering purchased Courses, issuing invoices.
- Tax obligations (Art. 6(1)(c) GDPR + Polish Tax Ordinance): retention of invoices for 5 years.
- First-party marketing (Art. 6(1)(a) GDPR — your consent): newsletter, new-course notifications. Revocable at any time.
- Security and abuse detection (Art. 6(1)(f) GDPR — legitimate interest): IP logs, rate limiting.
- Customer support (Art. 6(1)(f) GDPR): responding to questions submitted through the contact form.
4. Recipients of your data
- Stripe Payments Europe Ltd. (Ireland) — payment processing.
- Resend Inc. (USA, EU-US Data Privacy Framework) — transactional email delivery.
- Cloudflare Inc. (USA, DPF) — CDN, DDoS protection, R2 storage.
- VdoCipher Media Solutions Pvt Ltd (India, SCC) — DRM video hosting.
- Railway Corp. (USA, DPF) — application and Postgres hosting.
- Discord Inc. (USA, DPF) — optional Discord account integration (if you sign in with Discord).
We have a data processing agreement (DPA) or appropriate transfer mechanism (SCC / DPF) in place with each of the above.
5. Retention
- Account data: until the User deletes the account.
- Invoices and proofs of purchase: 5 years from the end of the tax year (Polish Tax Ordinance, Art. 70 §1).
- Technical logs: max. 90 days (except where abuse is being investigated).
- Marketing / cookie consents: until consent is withdrawn.
- Customer support tickets: 2 years from closure.
6. Your rights
You have the right to:
- Access your data — download the full JSON file with your data via Account → Data export.
- Rectify incorrect data — Account → Profile.
- Erase your Account — Account → Delete account. Invoices are retained in anonymised form for 5 years (statutory obligation).
- Restrict processing and object to marketing.
- Portability in a machine-readable format (JSON).
- Lodge a complaint with the President of the Personal Data Protection Office (UODO, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl).
7. Cookies and similar technologies
We use cookies in accordance with our Cookies policy. On your first visit to the Service, a banner lets you choose which cookie categories to accept.
8. Security
- All communication is encrypted with TLS 1.3.
- Passwords are hashed with bcrypt.
- Administrative access is role-restricted and recorded in an audit log.
- Backups are made regularly (see the OPS-BACKUP runbook).
9. Policy changes
We will notify you about material changes to this Privacy policy by email and an in-Service banner 14 days in advance.