Privacy Policy

1. Introduction & Controller Identity

owlloom.buzz is an online learning platform focused on production-oriented sewing methods: stitch formation and troubleshooting, seam allowance discipline, reinforcement planning (including bartacks where appropriate), edge finishing (binding, topstitching, seam grading), and inspection routines that support repeatable quality.

The data controller for the processing described in this Privacy Policy is:

• Legal entity: Minox Czech Ltd
• Registered address: Lhotská 920, 686 22 Ostrožská Nová Ves, Czechia
• Contact email: [email protected]

Effective Date: March 12, 2026.

2. Personal Data We Collect

We collect personal data to operate the site, maintain security, and provide registration and course access. The specific data depends on how you interact with the site.

2.1 Data you provide directly

• Identity and contact information: full name and email address submitted during registration.
• Account security information: your password created during registration. Your password should be unique and strong. We recommend using a password manager.
• Form content: if you contact us by email, we will receive the content of your message and any details you choose to include.

2.2 Data collected automatically

• Technical data: IP address, browser type and version, device type, operating system, and language settings.
• Usage data: pages viewed, time spent on pages, referrer/entry page, approximate click paths, and interaction events used for site improvement.
• Cookies and identifiers: first-party cookies used for essential functions and consent storage, and optional third-party cookies for analytics and marketing (only when you consent).
• Conversion events: events that indicate a registration flow was started or completed. These can be measured through cookies or pixels if you consent to analytics/marketing.

2.3 Data we do not intentionally collect

We do not intentionally collect special-category data (such as health data, religious or political opinions), financial account details, or government-issued identification numbers through this site. Please do not send such information to us by email.

3. Why We Process Personal Data & Legal Basis (GDPR Art. 6)

If you are in the EEA or the UK, we rely on the following legal bases under the GDPR/UK GDPR. If you are outside those regions, we process your personal data on similar principles of necessity, transparency, and reasonable expectations.

3.1 Registration and course access

• Purpose: create and maintain a learner profile, provide access to educational content, and send essential service messages (for example, access instructions or important platform updates).
• Legal basis: Art. 6(1)(b) (contract) and, where applicable, Art. 6(1)(a) (consent) for specific communication choices.

3.2 Optional analytics

• Purpose: understand how the site is used, identify which pages are helpful, and reduce friction in the registration flow.
• Legal basis: Art. 6(1)(a) (consent).

3.3 Optional marketing and advertising measurement

• Purpose: measure advertising performance, build remarketing audiences, and understand which campaigns lead to registrations.
• Legal basis: Art. 6(1)(a) (consent).

3.4 Security, abuse prevention, and operational integrity

• Purpose: protect the site, prevent fraud and malicious activity, and maintain service reliability.
• Legal basis: Art. 6(1)(f) (legitimate interest).

3.5 Legal obligations

• Purpose: comply with applicable laws, respond to lawful requests, and maintain required records.
• Legal basis: Art. 6(1)(c) (legal obligation).

3.6 Automated decision-making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects for you (GDPR Art. 22).

4. Cookies & Tracking

Cookies are small text files stored on your device. We also use similar technologies such as pixel tags and server-side logs. We group these technologies into three categories: Essential, Analytics, and Marketing. The Cookie Policy provides additional details.

4.1 Essential cookies (always active)

Essential cookies are required for the site to function properly. They help maintain session continuity, remember your cookie choices, and support security controls. These cookies do not require consent.

• Examples: _site_session, cookie_consent.
• Retention: session to 12 months, depending on the cookie.

4.2 Analytics cookies (consent required)

If you opt in, analytics cookies help us understand what content is useful and where the site is confusing. We may use Google Analytics 4 (GA4) with IP anonymization where applicable. Analytics data retention is typically 14 months in our settings.

• Examples: _ga, _ga_XXXXXXXXXX.
• Retention: typically up to 2 years for GA identifiers; analytics event retention configured to 14 months.

4.3 Marketing cookies (consent required)

If you opt in, marketing cookies allow us to measure ad performance and build audiences for relevant offers. These technologies may include Google Ads and Meta (Facebook/Instagram) measurement tools. They can record events such as page views and registrations and associate them with a browser identifier.

• Examples: _gcl_au, _fbp, _fbc.
• Retention: commonly around 90 days for marketing identifiers.

4.4 Pixels and server-side signals

In addition to cookies, measurement can occur through pixel tags and server-side requests (for example, a conversion event sent from a server environment). Where used, these signals are controlled by the same cookie preferences and should only activate after you opt in to the relevant category.

5. Consent (EEA/UK)

Users in the EEA and the UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (Art. 6(1)(a)). Your consent choice is recorded in the cookie_consent cookie and stored for up to 12 months, unless you change it earlier.

You can withdraw consent at any time by using the “Manage cookie preferences” link in the footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

6. Sharing With Advertising & Service Partners

We use service providers to operate, secure, and measure the website. We do not sell personal data. When you opt in to analytics or marketing cookies, certain data may be shared with providers to perform services on our behalf.

• Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): cookie identifiers, usage data, conversions. https://policies.google.com/privacy
• Meta Platforms (Pixel, custom/lookalike audiences, conversion measurement): page views, conversions, audience membership, and hashed identifiers where applicable. https://www.facebook.com/privacy/policy
• Cloudflare (CDN and security): IP-based threat detection and performance optimization. https://www.cloudflare.com/privacypolicy/

We do not permit these providers to use site data for their own independent commercial purposes beyond providing services to us, subject to their platform terms and settings.

7. International Transfers

Some of our service providers may process data outside the EEA/UK, including in the United States. Where applicable, transfers may rely on:

• EU–US Data Privacy Framework (and the UK Extension or Swiss–US framework, where applicable), and
• Standard Contractual Clauses (EU 2021/914) as a fallback, or the UK IDTA as a fallback for UK transfers.

We use these mechanisms to help protect personal data when it is processed internationally.

8. Retention

We keep personal data only as long as necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.

• Registration data: retained for the life of the account and up to 2 years after the last interaction, unless you request deletion earlier (subject to legal retention requirements).
• Email correspondence: retained for the duration of the relationship plus 1 year, unless we need longer to handle a dispute or comply with legal obligations.
• Analytics: event data retention set to 14 months (where enabled); cookies may persist up to their stated lifetime.
• Marketing cookies: retained according to cookie lifetime (commonly around 90 days) and your consent choice.
• Server logs: typically retained for up to 90 days for security and troubleshooting.
• Cookie consent record: retained up to 3 years for audit and compliance needs.
• Legal/tax records: retained as required by applicable law (often 6–10 years for certain records).

9. Your Rights (GDPR & UK GDPR)

If you are in the EEA or the UK, you may have the following rights, subject to conditions and exceptions under applicable law:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent at any time (Art. 7(3))
• Right to lodge a complaint with a supervisory authority (Art. 77)

To exercise these rights, email [email protected]. We typically respond within 30 days. For complex requests, we may extend the period by up to 60 additional days where permitted, and we will tell you if that happens.

Supervisory authority resources:

• EU information: https://edpb.europa.eu
• UK ICO: https://ico.org.uk
• Czech Republic authority: https://uoou.gov.cz

10. Children

This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own DNT handling policies.

12. Account & Data Deletion

To request deletion of personal data, email [email protected] with the subject line “Data Deletion Request.” We may need to verify identity before completing a request. We aim to complete deletion within 30 days, except where we must retain limited data for legal compliance, security, or dispute resolution.

13. Business Transfers

In a merger, acquisition, asset sale, financing, reorganization, bankruptcy, or similar event, personal data may be transferred to a successor or affiliated entity as part of that transaction. If the transfer materially changes how your personal data is used, we will provide notice via the site.

14. California (CCPA / CPRA)

This section applies to California residents where the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) is applicable.

In the past 12 months, we may have collected the following categories of personal information:

• Identifiers: name, email address, IP address, online identifiers.
• Internet or network activity: browsing and interaction data on our site.
• Inferences: preferences or interests derived from site usage for marketing purposes (only if you consent to marketing cookies).

We do not sell personal information as defined by the CCPA. We may share personal information for cross-context behavioral advertising when you opt in to marketing cookies. California residents may opt out via our cookie preferences panel (Manage cookie preferences in the footer).

California residents may have rights to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination. Requests can be submitted by emailing [email protected] with the subject “California Privacy Request.” We will verify your identity before fulfilling requests.

15. Virginia (VCDPA)

Virginia residents may have rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects.

To submit a request, email [email protected] with the subject “Virginia Privacy Request.” If we deny a request, you may appeal by emailing with the subject “Appeal of Refusal — Privacy Request.” We will respond to appeals within 60 days where applicable.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request.” We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post a notice on the website at least 14 days before the change takes effect, where feasible. The “Last Updated” date at the top will always reflect the latest version.

18. Contact

If you have questions about this Privacy Policy or our data practices, contact:

• Minox Czech Ltd
• Lhotská 920, 686 22 Ostrožská Nová Ves, Czechia
• [email protected]