Privacy Policy
Version 1.4 · Last updated: 6 May 2026
This Privacy Policy sets out the rules for the processing of personal data of Users of the website seminars.alex666cold.com (the "Service") in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR"), the Polish Act of 10 May 2018 on the Protection of Personal Data (Dz.U. 2018 poz. 1000), and the Polish Act of 12 July 2024 — Electronic Communications Law (Prawo komunikacji elektronicznej, Dz.U. 2024 poz. 1221, the "PKE").
§ 1. Controller
The Controller of personal data within the meaning of Article 4(7) GDPR is:
Alex Vasilevko, conducting sole-proprietorship business activity registered in the Polish Central Register and Information on Economic Activity (CEIDG), with the following identifiers:
- NIP (Tax Identification Number): 7972058054
- REGON (National Business Registry Number): 365012977
- Principal PKD activity code: 96.99.Z
- Place of business: Wrocław, Republic of Poland
- Registered address available in CEIDG under the NIP indicated above.
The Controller has not appointed a Data Protection Officer, as the conditions set out in Article 37 GDPR are not met (the core activities of the Controller do not consist of large-scale monitoring of data subjects nor of processing of special categories of data).
Contact with the Controller in matters relating to the processing of personal data is possible via:
- e-mail: [email protected]
- WhatsApp: +48 531 609 827
- Telegram: @alex666cold
§ 2. Source and categories of personal data processed
All personal data is collected directly from the User. In connection with the use of the Service and the lead-magnet form, the Controller processes the following categories of personal data:
- e-mail address provided by the User in the form;
- declaration (or absence thereof) of consent to receive marketing communication;
- technical data: IP address, user-agent string of the browser, locale (en/ru/pl);
- marketing identifiers: UTM parameters of the source link, identifiers of analytical and advertising cookies (_ga, _fbp, _fbc) — only after the User's consent;
- aggregated behavioural data collected via Google Analytics 4 (measurement identifier G-267DEDP3FZ) — only after the User's consent;
- server-to-server conversion events transmitted to Google Analytics (Measurement Protocol) and to Meta (Conversions API) using a hashed e-mail address (SHA-256) and a unique event_id for deduplication; for Users located in the European Economic Area or the United Kingdom, server-to-server transmission to Meta is performed only after the User's consent.
§ 3. Purposes and legal bases of processing
The Controller processes personal data for the following purposes and on the following legal bases:
- Delivery of the lead-magnet PDF and entry of the User onto the early-access list for upcoming online masterclasses — pursuant to Article 6(1)(b) GDPR (steps taken at the request of the data subject prior to entering into a contract).
- Performance of a contract for the sale of an online masterclass — pursuant to Article 6(1)(b) GDPR (processing necessary for the conclusion and performance of the purchase contract, including transmission of the order to our merchant of record for payment processing and invoice issuance).
- Sending marketing communication about the launch of the masterclasses and related materials — pursuant to Article 6(1)(a) GDPR (consent expressed by ticking the appropriate checkbox in the form). Consent may be withdrawn at any time, in the same manner in which it was given (Article 7(3) GDPR), without affecting the lawfulness of processing carried out before its withdrawal.
- Storage of and access to information on the User's terminal equipment (cookies, local storage, pixel tags) — pursuant to Article 6(1)(a) GDPR and Articles 398–399 PKE (in force from 10 November 2024, replacing Article 173 of the former Telecommunications Law).
- Maintenance of the security of the Service, prevention of abuse, rate-limiting and recording of operational logs — pursuant to Article 6(1)(f) GDPR (legitimate interests of the Controller consisting in ensuring the operational security of the Service).
§ 4. Recipients and joint controllership
The Controller entrusts the processing of personal data to the following entities (data processors within the meaning of Article 28 GDPR):
- Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA — hosting infrastructure (Cloudflare Pages, Workers, D1, R2), bot-protection (Turnstile). Transfers to the United States are based on the EU-US Data Privacy Framework adequacy decision of 10 July 2023 (Cloudflare, Inc. is DPF-certified) and, as an additional safeguard, Standard Contractual Clauses adopted by the European Commission.
- Third-party payment provider — merchant of record for the sale of online masterclasses (payment processing, VAT collection, invoice issuance). Legal basis: Article 6(1)(b) GDPR (performance of a contract). Where this provider processes data outside the EEA, onward transfers rely on Standard Contractual Clauses adopted by the European Commission and, where applicable, a recognised adequacy mechanism. The categories of data transmitted are: e-mail, billing name, billing address, country, payment-card token (handled by the payment provider, never seen by the Controller), and the purchased product identifier.
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland — analytical service Google Analytics 4 with IP-truncation enabled. Onward transfers to Google LLC (USA) are made on the basis of the EU-US Data Privacy Framework (Google LLC is DPF-certified) and Standard Contractual Clauses.
- Resend, Inc., San Francisco, CA, USA — transactional and marketing email delivery (sign-in magic links, purchase confirmations, lead-nurture and launch announcements). Categories of data transmitted: e-mail address, message subject and body. Legal basis: Article 6(1)(b) GDPR for transactional messages and Article 6(1)(a) GDPR for marketing messages. Onward transfers to the United States are based on the EU-US Data Privacy Framework (Resend, Inc. has been DPF-listed since 2023) and, as an additional safeguard, Standard Contractual Clauses adopted by the European Commission.
- Telegram FZ-LLC, Dubai, United Arab Emirates — receipt of administrative notifications generated when a User submits a masterclass-request or consultation-request form. Categories of data transmitted: name, e-mail address, optional Telegram handle, free-text message. Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Controller in promptly handling business-pipeline enquiries). Transfer to the United Arab Emirates is performed on the basis of Standard Contractual Clauses adopted by the European Commission.
In addition, with respect to the Meta Pixel and the Conversions API, the Controller and Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) act as joint controllers within the meaning of Article 26 GDPR for the collection of Pixel event data and its transmission to Meta Ireland, as confirmed by the judgments of the Court of Justice of the European Union in cases Wirtschaftsakademie Schleswig-Holstein (C-210/16) and Fashion ID (C-40/17). The essence of the joint-controller arrangement is set out in Meta's Controller Addendum. Subsequent processing of the data by Meta Ireland for its own purposes falls outside the joint processing and is governed by Meta's own Privacy Policy. Onward transfers to Meta Platforms, Inc. (USA) are made on the basis of the EU-US Data Privacy Framework (Meta Platforms, Inc. is DPF-certified) and Standard Contractual Clauses. The User may exercise GDPR rights against either joint controller; for matters falling within Meta's exclusive responsibility please contact Meta directly via facebook.com/help/contact/540977946302970.
§ 5. Cookies and similar technologies
The Service uses three categories of cookies and equivalent technologies. The full canonical inventory is also published at /legal/cookies.
| Category | Name | Purpose | Storage period |
|---|---|---|---|
| Essential | a666_sess | HttpOnly JWT — keeps you logged in | 7 days |
| Essential | a666_refresh | HttpOnly refresh token — silent session renewal | 30 days |
| Essential | lead_dl, lead_event | One-shot PDF download token, conversion event ID | 60 seconds |
| Essential | preview_bypass | Coming-soon preview gate (signed token; only set for staff/agency previews) | 7 days |
| Essential | cf_clearance, __cf_bm, Turnstile | Cloudflare bot-protection and edge security | up to 30 minutes / session |
| Essential (localStorage) | a666_cookie_consent | Stores your cookie preferences in your browser only — never sent to any server | Until you clear it |
| Analytics (opt-in) | _ga, _ga_267DEDP3FZ | Google Analytics 4 — anonymized session and user identification | up to 2 years |
| Marketing (opt-in) | _fbp | Meta Pixel — browser identifier for ad attribution | 90 days |
| Marketing (opt-in) | _fbc | Meta Pixel — click identifier from ad URL | 90 days |
Analytical and marketing cookies are activated only after the User's consent expressed
via the cookie banner. The Service implements the Google Consent Mode v2 mechanism
with default consent state denied for Users located in the European
Economic Area and the United Kingdom. The User may withdraw consent at any time by
re-opening the cookie banner via the link in the footer or by clearing cookies in the
browser; withdrawal is performed in the same manner as consent was granted.
§ 6. Retention period
- E-mail address with marketing consent — until the consent is withdrawn or until a request for erasure is made;
- E-mail address without marketing consent — deleted within 30 days from the delivery of the lead-magnet PDF;
- IP address and user-agent — 90 days from the date of collection, after which the data is automatically irreversibly anonymised by a weekly job;
- Aggregated analytical data in Google Analytics 4 — 14 months (system default);
- Encrypted backup copies of the database — 30 days, stored locally with end-to-end age encryption, not transferred to third parties.
§ 7. Rights of the data subject
In connection with the processing of personal data, the User has the following rights:
- right of access to data — Article 15 GDPR;
- right to rectification — Article 16 GDPR;
- right to erasure ("right to be forgotten") — Article 17 GDPR;
- right to restriction of processing — Article 18 GDPR;
- right to data portability — Article 20 GDPR;
- right to object — Article 21 GDPR;
- right to withdraw consent at any time, as easily as it was given — Article 7(3) GDPR.
Each marketing message sent by the Controller contains an individual unsubscribe link with an HMAC token; activating the link results in the immediate erasure of the User's e-mail address and associated identifiers from the marketing database. Technical logs (IP, user-agent) are anonymised in accordance with § 6.
Requests for the exercise of any of the above rights should be addressed to the Controller via the channels indicated in § 1. The Controller responds within 30 days from the date of receipt of the request, in accordance with Article 12(3) GDPR.
§ 8. Right to lodge a complaint
The User has the right to lodge a complaint with the Polish supervisory authority for personal data protection or with the supervisory authority of the User's habitual residence, place of work or place of the alleged infringement (Article 77 GDPR):
Prezes Urzędu Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warszawa
uodo.gov.pl
§ 9. Voluntary nature of providing data
Provision of personal data is voluntary; however, non-provision of an e-mail address makes it impossible to deliver the requested lead-magnet PDF and to receive notification of the launch of the masterclasses.
§ 10. Age
The Service is intended for persons aged 18 years or older, as it relates to the profession of tattoo artistry. The Controller does not knowingly collect personal data of persons under the age of 16 (the threshold for valid consent under Article 8(1) GDPR as transposed in Poland). If you believe that a person under that age has provided personal data via the Service, please contact the Controller for immediate erasure.
§ 11. Automated decision-making
The Controller does not engage in automated decision-making with legal or similarly significant effects on the User within the meaning of Article 22 GDPR. Aggregated profiling for analytical and advertising purposes performed by Google Analytics 4 and the Meta Pixel does not produce such effects.
§ 12. Security of processing
In accordance with Article 32 GDPR, the Controller implements appropriate technical and organisational measures to ensure a level of security adequate to the risk, including: TLS encryption of all transmissions, end-to-end age encryption of database backups, prepared-statement parameterisation against SQL-injection, server-side bot-protection (Cloudflare Turnstile), per-IP and per-e-mail rate-limiting, hashed transmission of identifiers (SHA-256) to advertising platforms, and access restricted to the Controller alone.
§ 13. Amendments to the Privacy Policy
The Controller reserves the right to amend this Privacy Policy. The current version
is always available at the URL seminars.alex666cold.com/legal/privacy.
The version number and date of the last amendment are indicated at the top of the
document.