PRIVACY POLICY (GDPR NOTICE)

for www.guidelines.pl and www.guidelineshub.com

and for courses delivered via the SOMBA.io platform

Effective date: 20.01.2026

Last updated: 20.01.2026

This Privacy Policy explains how we process personal data when you visit our websites, sign up for our courses, purchase access, use the course platform, or subscribe to our newsletter. This notice is provided in particular to meet the information duties under Article 13 GDPR.

1) WHO IS RESPONSIBLE FOR YOUR DATA (DATA CONTROLLER)

The controller (the entity responsible for the processing of your personal data) is:

Guidelines Monika Kosiedowska

Address: Ignacego Paderewskiego 178, 04-438 Warsaw, Poland

Email (privacy contact): [email protected]

Websites: www.guidelines.pl, www.guidelineshub.com

If you have questions, requests, or complaints related to privacy, contact us at [email protected].

2) WHAT THIS POLICY COVERS

This policy applies to personal data processed:

- on our websites (www.guidelines.pl and www.guidelineshub.com),

- during course enrollment and delivery via the SOMBA.io platform (including any pages hosted on SOMBA.io or under a custom domain connected to SOMBA.io),

- when you contact us (email or forms),

- when you subscribe to our newsletter,

- when you purchase course access and payments are processed through a payment provider.

3) KEY DEFINITIONS

- “Personal data” means any information relating to an identified or identifiable natural person.

- “Processing” means any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).

- “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).

- “EEA” means the European Economic Area.

4) WHAT PERSONAL DATA WE COLLECT

Depending on how you interact with us, we may process the following categories of personal data:

A. Data you provide directly

- Identity and contact data: name, email address, (optionally) company/organization, country, billing address.

- Account data (course platform): login and access details needed to create and manage your course account (e.g., email/username and password or equivalent authentication data).

- Purchase and transaction data: what you purchased, purchase date, amount, currency, invoice/receipt data, transaction identifiers.

- Communication data: emails and messages you send to us, support requests, and our replies.

- Marketing preferences: newsletter subscription status and communication preferences.

B. Data generated when you use our websites/platform

- Technical and usage data: IP address, device and browser information, language settings, log data, pages viewed, approximate location derived from IP, timestamps, and cookie identifiers (where applicable).

- Course usage data: information about your access to and use of the course content (e.g., enrollment status, progress/completion data).

We do not ask for “special categories” of data (sensitive data, such as health data) and we request that you do not submit such data to us through the course platform or in messages to us.

5) WHY WE PROCESS YOUR DATA (PURPOSES) AND OUR LEGAL BASES

We process personal data only when we have a valid legal basis under GDPR. Below are the main purposes and typical legal bases we rely on:

A. Providing course access and delivering the service

Purpose: create your account, provide course access, manage enrollments, deliver digital content, provide support.

Legal basis: performance of a contract or steps taken at your request before entering into a contract (GDPR Art. 6(1)(b)).

B. Handling payments and accounting

Purpose: handle purchases, confirm payments, issue receipts/invoices, keep accounting records, handle refunds/chargebacks (if applicable).

Legal basis: contract (GDPR Art. 6(1)(b)) and compliance with legal obligations (GDPR Art. 6(1)(c)).

Important: payment details (e.g., card number) are handled by the payment provider. We do not intentionally store full payment card details.

C. Customer service and communications

Purpose: respond to your questions, provide assistance, handle complaints.

Legal basis: legitimate interests (GDPR Art. 6(1)(f)) and/or contract (GDPR Art. 6(1)(b)) depending on the situation.

D. Security and abuse prevention

Purpose: protect our websites and the course platform, prevent fraud/abuse, secure accounts, maintain logs for security.

Legal basis: legitimate interests (GDPR Art. 6(1)(f)).

E. Newsletter and marketing emails

Purpose: send newsletters and marketing updates (only if you sign up / opt in).

Legal basis: your consent (GDPR Art. 6(1)(a)).

You can withdraw consent at any time (see Section 10).

F. Cookies and similar technologies (where applicable)

Purpose: ensure the websites/platform work, maintain sessions and security, and (if enabled) support optional analytics or marketing features.

Legal basis:

- strictly necessary cookies: legitimate interests / necessity for service operation (and where required under ePrivacy rules, as permitted for strictly necessary storage),

- optional cookies (analytics/marketing): your consent.

6) WHO WE SHARE DATA WITH (RECIPIENTS)

We share personal data only when necessary for the purposes described above. Depending on your use of our services, recipients may include:

A. Course platform provider (processor)

We use SOMBA.io as our course platform provider. Personal data you enter into the course platform is processed within that platform.

B. Platform sub-processor / underlying technology provider

SOMBA.io uses an underlying platform provider for data storage and processing (HighLevel). This may involve processing in the United States (see Section 7).

C. Payment providers

Payments are processed by the payment provider presented to you at checkout. Depending on the checkout flow, this may include:

- PayU (PayU S.A.) if you choose PayU as the payment method; and/or

- Stripe if payments are processed through Stripe within the platform’s payment integration.

Each payment provider processes personal data under its own privacy documentation and may act as an independent controller for some processing activities.

D. Professional advisers and legal requirements

If necessary, we may share data with:

- accountants, legal advisers, auditors (only as needed),

- competent public authorities, courts, or law enforcement where required by law.

We do not sell your personal data.

7) INTERNATIONAL TRANSFERS (OUTSIDE THE EEA)

Because we use the SOMBA.io course platform, your personal data processed within the platform may be stored and processed in the United States.

When personal data is transferred outside the EEA, we rely on appropriate safeguards required under GDPR. For the SOMBA.io platform, this includes safeguards described by the platform provider, including mechanisms such as:

- EU-U.S. Data Privacy Framework certification (where applicable), and

- Standard Contractual Clauses (SCCs) and other legally required safeguards (where applicable).

You can request additional information about the safeguards we rely on by contacting us at [email protected].

8) HOW LONG WE KEEP YOUR DATA (RETENTION)

We keep personal data only as long as needed for the purposes described in this policy, taking into account legal requirements. Typical retention criteria:

- Course account data: for as long as you maintain an account and/or have access to the course, and until deletion is requested and legally possible.

- Purchase and accounting records: for the period required by applicable tax/accounting laws and to handle disputes/claims.

- Newsletter data: until you unsubscribe or withdraw consent.

- Communications and support: as long as needed to resolve the matter, and then for a reasonable period for record-keeping and legal defense.

- Technical logs: for a limited period appropriate for security and troubleshooting.

9) YOUR RIGHTS (EEA/UK/CH USERS AND GDPR RIGHTS)

If GDPR applies to you, you have the right to:

- request access to your personal data,

- request rectification (correction),

- request erasure (deletion) in certain cases,

- request restriction of processing,

- request data portability (for data processed based on consent or contract and by automated means),

- object to processing based on legitimate interests,

- object to direct marketing at any time,

- withdraw consent at any time (where processing is based on consent) without affecting the lawfulness of processing before withdrawal,

- lodge a complaint with a supervisory authority.

To exercise your rights, contact us at: [email protected]

10) NEWSLETTER / DIRECT MARKETING

If you subscribe to our newsletter, we will send you marketing emails based on your consent.

- You can unsubscribe at any time using the unsubscribe link in the email or by emailing [email protected].

- If you object to direct marketing, we will stop sending marketing messages.

Service emails (transactional emails) related to your purchase, account, or course access are not marketing and may still be sent when necessary to perform the contract.

11) COOKIES AND SIMILAR TECHNOLOGIES

Our websites and the course platform may use cookies or similar technologies.

- Some cookies are strictly necessary to make the websites/platform function (e.g., security, login sessions).

- Optional cookies (e.g., analytics/marketing) will be used only if you provide consent where required.

You can manage cookies via your browser settings and (where implemented) through the cookie consent tool on the site/platform.

12) SECURITY

We apply reasonable technical and organizational measures to protect personal data, including access controls and measures aimed at preventing unauthorized access, disclosure, alteration, or destruction.

Please also protect your login credentials and do not share them with others.

13) CHILDREN AND PROHIBITED DATA

Our services are not intended for individuals under 18 years old. We do not knowingly collect or process personal data of individuals under 18.

We also request that you do not submit sensitive personal data (special categories) through our websites, course platform, or communications. If such data is provided, we may remove it where feasible and necessary.

14) CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time (e.g., if we change the platform, add features, or due to legal changes). The newest version will be published on our websites. The “Last updated” date will show when changes were made.

15) COMPLAINTS

If you believe your data protection rights have been violated, you can contact us first at [email protected].

You also have the right to lodge a complaint with the relevant supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office (UODO).