1. Definitions

1.1. For the purposes of this Privacy Policy, the following terms shall have the meanings indicated below:

a) Controller – means Kamil Krupski, operating as Master of Cigars Kamil Krupski, registered in Polish CEIDG System, with address: al. 29 Listopada 85, 31-406 Kraków, Poland, NIP: PL5842851669, REGON: 528578552.

b) Website – the online platform available at https://masterofcigars.com, operated by the Controller, which includes the online store, the e-learning platform, blog, and other functionalities.

c) User – any natural person visiting the Website, creating an Account, purchasing goods or services, participating in courses, subscribing to the newsletter, or otherwise using the Website.

d) Customer – a User who places an order or purchases digital or physical goods or services via the Website.

e) Student – a User who enrolls in and participates in online courses, modules, quizzes, or certification programs through the Website.

f) Account – an individual profile created by a User on the Website, used to manage purchases, courses, certificates, and communication.

g) Services – all functionalities of the Website, including e-commerce transactions, access to e-learning content, certification, newsletter, and customer support.

h) Personal Data – any information relating to an identified or identifiable natural person as defined by Regulation (EU) 2016/679 (GDPR).

i) Processing – any operation or set of operations performed on Personal Data, such as collection, recording, storage, adaptation, use, disclosure, or erasure.

j) Third-Party Service Providers – entities cooperating with the Controller in providing the Website and Services, including:

• kru.pl (hosting provider),
• WooCommerce (e-commerce plugin),
• WooPayments and Stripe, Inc. (payment processing),
• LearnDash (learning management system),
• MailPoet / Automattic Inc. (newsletter distribution),
• Complianz (cookie consent management),
• Google LLC (Google Analytics, Google Tag),
• Meta Platforms, Inc. (Meta Pixel),
• Vimeo, Inc. (video streaming),
• Astra Theme, Spectra Builder (website framework).

k) Certificate – a digital document generated by the Website confirming successful completion of a course or exam, containing the Student’s personal details, the course title, completion date, and unique verification ID.

l) Cookies – small text files stored on a User’s device that support functionality, analytics, personalization, and marketing. The following categories are distinguished:

• Essential Cookies – necessary for the functioning of the Website (e.g., shopping cart, login).
• Functional Cookies – support additional features such as preferences.
• Analytical Cookies – enable measurement of Website usage and traffic (e.g., Google Analytics).
• Marketing Cookies – used for advertising and remarketing (e.g., Meta Pixel, Google Ads).

m) User Content – materials voluntarily submitted by Users (such as video links or other files required for exams, assignments, or course participation). These may contain personal data (e.g., image, voice, likeness).

2. Contact

2.1. For any questions regarding this Privacy Policy or your rights, you may contact Controller by email at: contact@masterofcigars.com.

3. Introduction

3.1. This Privacy Policy explains how the Controller collects, processes, shares, and protects Personal Data of Users when they use the Website and Services.

3.2. This Privacy Policy is drafted in accordance with:
a) Regulation (EU) 2016/679 (GDPR) and the Polish Act of 10 May 2018 on Personal Data Protection,
b) The ePrivacy Directive (2002/58/EC),
c) The EU Digital Services Act,
d) Applicable United States laws, including the California Consumer Privacy Act (as amended by CPRA), CAN-SPAM Act, Telephone Consumer Protection Act, and Children’s Online Privacy Protection Act.
e) The Digital Services Act (EU 2022/2065) requirements regarding transparency, reporting mechanisms, and user rights.

3.3. The Policy applies to all Users of the Website, whether acting as Customers, Students, newsletter subscribers, or visitors.

3.4. Details regarding the use of cookies and similar technologies are governed by the Cookie Policy, which forms an integral part of this Privacy Policy.

4. Scope of Processing

4.1. We process Personal Data when User:
a) browses the Website,
b) creates and manages an Account,
c) makes purchases in Website,
d) subscribes to newsletter,
e) contacts Controller for support or submits complaints,
f) consents to marketing or analytics,
g) publishes review, testimonal or comment.

4.2. We process Personal Data when Student:
a) enrolls in courses, completes lessons, quizzes, and exams,
b) receives Certificates.

4.3. Webiste process technical and analytical data through Cookies, plugins, and Third-Party Service Providers integrations, subject to User’s consent where required.

4.4. Processing of User Content (e.g., exam video submissions), which may include the User’s likeness, voice, or other Personal Data, stored only as long as necessary to evaluate and verify course completion.

5. Categories of Data Collected

5.1. Identity and contact data (name, email, phone, address, VAT/Tax ID if applicable).

5.2. Account and platform data (username, password, course progress, quiz results, exam submissions, Certificates).

5.3. Purchase and payment data (order details, transaction IDs, Stripe fraud prevention data; no storage of full card numbers).

5.4. Communication data (messages, inquiries, complaints).

5.5. Technical data (IP address, browser type, device information, error logs).

5.6. Marketing and analytics data (cookie identifiers, engagement statistics, advertising pixel data).

5.7. We process Personal Data voluntarily published by Users in reviews, testimonials, and comments.

6. Legal Basis for Processing

6.1. The Controller processes Personal Data under the following legal bases:
a) Contractual necessity (Art. 6(1)(b) GDPR) – e.g., order fulfillment, Account creation, course access, certificate issuance.
b) Legal obligations (Art. 6(1)(c) GDPR) – e.g., tax and accounting compliance.
c) Legitimate interest (Art. 6(1)(f) GDPR) – e.g., Website security, fraud prevention, essential Cookies strictly necessary for the operation of the Website.
d) Consent (Art. 6(1)(a) GDPR) – e.g., newsletter subscription, marketing communications, analytical and marketing cookies (Google Analytics, Meta Pixel). Consent is obtained via the Complianz cookie banner and may be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.

7. Cookies and Similar Technologies

7.1. The Controller uses Cookies and similar technologies (such as pixels, tags, local storage) to provide Services, ensure Website functionality, measure traffic, and conduct marketing activities.

7.2. Essential Cookies are processed on the basis of legitimate interest. Analytical and marketing Cookies are processed only on the basis of the User’s consent expressed via the Complianz banner.

7.3. Users may withdraw or modify their Cookie consent at any time via the Complianz banner available on the Website, or by changing browser settings. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

7.4. Cookies may be stored for varying durations depending on type: session Cookies (deleted when browser is closed) and persistent Cookies (stored for a defined period). Specific retention periods are described in the Cookie Policy.

7.5. Certain Third-Party Service Providers (e.g., Google LLC, Meta Platforms, Vimeo) may use their own Cookies when integrated into the Website, which may involve the transfer of data outside the EEA, particularly to the United States. Appropriate safeguards (such as Standard Contractual Clauses) are applied.

8. Children’s Data

8.1. Our services are intended only for Users aged 18 or older.

8.2. We do not knowingly collect personal data from children under the age of 13. If we learn that we have collected such data, we will delete it in compliance with COPPA.

8.3. If a parent or guardian believes that their child under 18 has provided personal data on the Website, they may contact us at contact@masterofcigars.com to request deletion.

9. Data Security

9.1. We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure.

9.2. Access to personal data is restricted to authorized persons bound by confidentiality obligations.

10. Recipients of Data

10.1. We may share data with trusted Third-Party Service Providers.

10.2. Service providers process data on our behalf under data processing agreements or as independent controllers where applicable.

11. International Transfers

11.1. Some of our Third-Party Service Providers are based outside the European Economic Area, in particular in the United States.

11.2. Transfers are safeguarded by adequacy decisions (e.g., EU–US Data Privacy Framework) or Standard Contractual Clauses approved by the European Commission.

11.3. Third-Party Service Providers participating in the Data Privacy Framework include Stripe, Automattic (MailPoet), Google, Meta, and Vimeo.

12. Retention of Data

12.1. Data is stored for the following periods:
a) User Accounts – for the duration of activity and up to 6 years after closure,
b) Certificates – retained for verification purposes unless invalidated,
c) purchase and invoice data – 5 years from the end of the tax year,
d) complaints and correspondence – 3 years,
e) marketing data – until consent is withdrawn,
f) analytics – in accordance with provider retention settings,
g) exam video submissions – until evaluation is completed and for a maximum of 90 days, after which they are deleted.

13. Automated Decision-Making

13.1. The Website uses automated fraud detection systems provided by Stripe (Radar).

13.2. With User’s consent, the Website may use profiling technologies (Google Analytics, Meta Pixel) for marketing purposes.

14. Your Rights under GDPR

14.1. You have the following rights:
a) access to data,
b) rectification,
c) erasure,
d) restriction of processing,
e) portability,
f) objection to processing, including profiling,
g) withdrawal of consent at any time,
h) lodging a complaint with the President of the Personal Data Protection Office (UODO).

14.2. You may also lodge a complaint with the supervisory authority in your country of residence within the EU, or with the lead authority in Poland:
President of the Personal Data Protection Office (UODO) – https://uodo.gov.pl

15. Rights of US Residents

15.1. California residents have the right to know what Personal Data we collect, request deletion, request correction, opt-out of data sharing for targeted advertising, and limit the use of sensitive information.
a) Webiste does not collect sensitive personal information (e.g., biometrics, health data, SSN) except limited identity/payment data needed for transactions.

15.2. Under the CCPA/CPRA we do not “sale” Personal Data. We “share” Personal Data for targeted advertising purposes when using Meta Pixel and Google Analytics. You have the right to opt out of this sharing.
a) To exercise this right, please use the “Do Not Sell or Share My Personal Information” link available in the Website footer or contact Controller directly.

15.3. We comply with the CAN-SPAM Act: all marketing emails include a clear opt-out option effective within 10 business days.

15.4. We comply with the TCPA: SMS messages are sent only with prior express consent.

15.5. We comply with COPPA: we do not knowingly collect data from children under 13.

16. Certificates

16.1. Certificates issued by the Website contain the Student’s first and last name, course title, date of issue, final exam score, and a unique verification ID.

16.2. Certificates are publicly verifiable at https://masterofcigars.com/verify-certificate/. Publication of limited Certificate data is necessary to provide verifiable certification services and is part of contract fulfillment.

16.3. Certificates remain valid and verifiable as long as the User’s Account is active, unless revoked due to non-compliance with the Terms of Service.

17. Digital Services Act (DSA) Notice

17.1. For DSA compliance, the point of contact for authorities and users regarding illegal content is contact@masterofcigars.com.

17.2. Reports will be handled without undue delay in accordance with applicable law.

18. Changes to this Policy

18.1. This Policy can be updated to reflect legal, technical, or business developments.

18.2. Updated versions will be published on this website with a revision date.

19. Final Provisions

19.1. This Privacy Policy and the Cookie Policy are complementary documents. In the event of inconsistencies, this Privacy Policy shall prevail in matters concerning the Processing of Personal Data, and the Cookie Policy shall prevail in matters concerning the use of Cookies and similar technologies.

19.2. Users are encouraged to regularly review both the Privacy Policy and the Cookie Policy to remain informed of their rights and obligations.