Privacy Policy
Last Updated: June 19, 2026
1. Introduction and Scope
This Privacy Policy explains how OrangeGuide Academy, S.L.U. ("we", "us", or "our") processes your personal data when you visit orangeguide-academy.com (the "Website") or use our Services as defined in our Terms and Conditions (the "Services").
This Policy implements Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"); Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights ("LOPDGDD"); Spanish Law 34/2002 on Information Society Services and Electronic Commerce ("LSSI-CE"); the German Federal Data Protection Act ("BDSG") where it supplements the GDPR for users in Germany; and Section 25 of the German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz ("TDDDG") regarding storage of and access to information on terminal devices.
This Privacy Policy is published in English, German, and Spanish. As an information notice under Articles 13 and 14 GDPR, each language version stands on its own for users who read it; no single language version is asserted to prevail over the others.
We process your data only on the legal bases set out in Section 6. Reading this Policy does not, in itself, constitute consent to any processing; specific consents (for example for marketing communications, non-essential cookies, or the recording of live sessions) are collected separately at the point of collection.
2. Data Controller
The controller for the processing described in this Policy is:
OrangeGuide Academy, S.L.U.
Rambla Catalunya 57-59, 4º 1ª
08007 Barcelona, Spain
CIF: B26946160 · EU VAT: ESB26946160
Economic activity codes: CNAE 8559 / IAE 933.9 (Other non-regulated education).
Privacy contact: privacy@orangeguide-academy.com
General contact: info@orangeguide-academy.com
Data Protection Officer
OrangeGuide Academy is not subject to mandatory appointment of a Data Protection Officer (DPO) under GDPR Art. 37, LOPDGDD Art. 34, or German BDSG § 38. We are a small-scale education business; none of the activity-based triggers in LOPDGDD Art. 34(1) applies (we are not a school subject to Ministry of Education authorization, a hospital, a telecom operator, a financial institution, or any of the other listed categories); we do not engage in regular and systematic monitoring of data subjects on a large scale; and we do not carry out large-scale processing of special categories of data. For any data protection question, please write to the privacy contact above.
3. Categories of Personal Data We Process
Depending on how you interact with the Website and the Services, we process the following categories of personal data:
- Identification and contact data: name, email address, telephone number, postal address (where required for invoicing), preferred language.
- Account credentials: username and login session. Where you create a user account on the Wix platform, passwords are stored by Wix in hashed form and are not accessible to us.
- Booking and session data: course chosen, session date and time, time zone, special requirements, questions submitted at registration, and any feedback you provide.
- Payment data: transaction reference, amount, currency, payment method type, and the last four digits of the card. Full card details are processed exclusively by Adyen N.V. or Stripe Payments Europe, Limited via Wix Payments, or — where you choose to pay with PayPal — by PayPal (Europe) S.à r.l. et Cie, S.C.A.; we never see or store full card details.
- Billing data: name and address on invoice, and tax identification number (where applicable for the EU reverse-charge mechanism).
- Correspondence and support data: emails, messages, and support requests you send us, including their content and metadata. Email is hosted by Google Workspace (Gmail).
- Session recording data: only if a live session is recorded with your prior express consent given at the start of the session - see Section 9. May include image, voice, and any chat content from within the meeting.
- Newsletter and subscriber data: email address, subscription confirmation (double opt-in record), language preference, pricing plan status, and engagement metadata (opens and clicks) provided by Wix Email Marketing and Wix Pricing Plans.
- Technical and usage data: IP address, browser type and version, device type, operating system, referrer URL, pages visited, session duration, language preference, approximate geographic location derived from IP, and cookie identifiers.
- Fraud-prevention data: IP address and country derived from IP, used by Blocky (Effective Apps) to enforce geo-blocking of US/Canada visitors and to detect bot or abusive traffic.
We do not knowingly collect or process special categories of personal data within the meaning of GDPR Art. 9 (such as data revealing racial or ethnic origin, religious beliefs, political opinions, trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation). Please do not submit such data; if you do, we may delete it without further use.
4. Sources of the Data
We collect personal data from the following sources, in accordance with Articles 13 and 14 GDPR:
- Directly from you when you register for an account, book a Service, subscribe to the newsletter, contact us, or otherwise provide information through the Website.
- Automatically when you visit the Website, through cookies, the consent management platform, server logs, and analytics tools - only to the extent consented to where consent is required.
Data collected through tools on our Website (Wix Bookings, Wix Members, Wix Pricing Plans, Wix Payments) is collected directly from you by these tools acting on our behalf as our processors; it is not received from independent third parties.
5. Statutory or Contractual Nature of Data Provision
Provision of identification, contact, and billing data is a contractual requirement: without it we cannot enter into and perform the contract for the Service you have requested. Provision of newsletter data, consent to non-essential cookies, and consent to record a live session is entirely voluntary; withholding consent has no effect on your access to the booked Service.
6. Purposes and Legal Bases of Processing
We process your personal data only for the purposes set out below and only on the corresponding legal bases:
Where processing is based on legitimate interests, we have carried out a balancing test under GDPR Art. 6(1)(f) (a Legitimate Interest Assessment) and concluded that our interests in the integrity, security, and lawful operation of the Services are not overridden by your rights and freedoms. You may obtain a summary of that assessment on request to the privacy contact in Section 2.
7. Recipients of Personal Data and International Transfers
We share your personal data with the recipients listed below. Except for PayPal (Europe) S.à r.l. et Cie, S.C.A., each recipient acts as a processor on our behalf under a written data processing agreement that meets the requirements of GDPR Art. 28. Where you pay using PayPal, PayPal acts as an independent controller (see the note below the table).
Where you pay using PayPal, PayPal processes your data as an independent data controller under its own privacy policy, available at https://www.paypal.com/uk/legalhub/privacy-full. We receive only the transaction confirmation and the data necessary to fulfil your order and meet our accounting obligations.
International Transfer Safeguards
Israel — The European Commission's adequacy decision for Israel (Decision 2011/61/EU) was confirmed valid by the Commission's first periodic review on 15 January 2024 and provides the legal basis for transfers to Wix.com Ltd. and EFFECTIFY LTD (Blocky). Both providers additionally use the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for any onward transfers from Israel to third countries.
United States - Transfers to Google LLC, Microsoft Corporation, Stripe, Inc., and PayPal, Inc. rely on (i) the recipient's certification under the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) where applicable and (ii) the EU Standard Contractual Clauses (Decision (EU) 2021/914) as a fallback safeguard. We have conducted Transfer Impact Assessments for these transfers in line with EDPB Recommendations 01/2020 v2.0.
We do not sell or rent your personal data, nor do we share it with third parties for their own marketing purposes. We may disclose personal data to public authorities or courts where we are legally required to do so (for example, a valid order from the Spanish Tax Agency or a competent court).
8. Retention Periods
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
At the end of the applicable retention period, data is deleted or anonymised. Some data may be retained beyond the periods above where this is strictly necessary to defend legal claims or to comply with an order from a competent authority.
9. Live Session Recordings
We may, on occasion, record a live session (online via Google Meet or Microsoft Teams) for educational follow-up purposes. We only record where:
- We have announced in advance, before the session begins, that the session will be recorded and what the recording will be used for;
- You have given your express consent within the meeting tool (or by a separate confirmation) at the start of the session, after this announcement;
- You have been informed that you may decline; declining has no effect on your right to attend or your access to other materials.
Recordings are stored on Google Drive (or, where Microsoft Teams is used, on Microsoft's storage) in folders accessible only to OrangeGuide Academy. Recordings are deleted within 90 days of the session, unless you have separately consented to a longer retention (for example, where you have purchased ongoing access to the recording as part of the Service). You can withdraw consent and request deletion of a recording at any time by writing to the privacy contact.
Recording without your consent would, in addition to GDPR, raise concerns under criminal law for the protection of confidential communications - for Spanish participants, Article 197 of the Spanish Criminal Code and Article 18.3 of the Spanish Constitution; for German participants, § 201 of the German Criminal Code (Verletzung der Vertraulichkeit des Wortes). We therefore do not record unless consent is captured.
10. Newsletter and Marketing Communications
We send marketing emails (newsletter, course announcements, educational content) only to subscribers who have given prior consent through a double opt-in process:
- You enter your email address in the subscription form;
- We send a confirmation email containing a confirmation link;
- Your subscription becomes active only after you click the confirmation link.
Until you click the confirmation link, we retain the email address only to send the confirmation email, and we delete it within 30 days if you do not confirm. Once active, we keep a record of your consent (timestamp, IP at the time of subscription, content of the form, and confirmation event) for as long as we send you communications, in order to demonstrate compliance with GDPR Art. 7.
You can withdraw your consent at any time, free of charge, by clicking the unsubscribe link at the bottom of any marketing email, by changing your preferences in your account, or by emailing privacy@orangeguide-academy.com. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
11. Geo-Blocking and Fraud Prevention
The Services are not directed at users in the United States or Canada (see our Terms and Conditions). To enforce this restriction and to protect the Services from bot traffic and abuse, we use the Blocky app developed by Effective Apps (EFFECTIFY LTD, Israel) on the Wix platform. Blocky processes the IP address of each Website visitor in order to:
- Determine the approximate country of origin from the IP address;
- Block access from the United States and Canada;
- Identify and block automated (bot) traffic patterns and known abusive IP ranges.
The legal basis for the geo-blocking is Article 6(1)(f) GDPR (legitimate interests), in conjunction with the territorial restriction set out in our Terms and Conditions; our legitimate interest is in operating only within the markets we have chosen and excluding jurisdictions we do not serve, in order to limit our regulatory exposure and avoid the unauthorised cross-border provision of educational services subject to other legal regimes. The legal basis for bot and abuse protection is likewise Article 6(1)(f) GDPR (our legitimate interest in the security and integrity of the Services). The IP address is processed transiently for the blocking decision and not stored beyond the brief period needed to enforce the rule, save for limited security logging.
12. Cookies and Similar Technologies
The Website uses cookies and similar technologies. We distinguish between:
- Strictly necessary cookies, which are required to operate the Website (for example, session and security cookies). These do not require consent under GDPR, LSSI-CE, or § 25(2) TDDDG;
- Functional, analytics, and marketing cookies, which are set only with your prior, specific, and informed consent.
Consent to non-essential cookies is collected through our Consent Management Platform, Cookiebot™ for Wix, provided by Usercentrics GmbH (Germany). The banner offers Accept, Reject, and granular preference controls, with no pre-ticked boxes and with equally prominent options for acceptance and rejection (in line with EDPB Guidelines 03/2022 v2.0 on deceptive design patterns). You can withdraw or change your cookie consent at any time by clicking the cookie icon in the bottom-left corner of the Website.
The legal bases are Article 6(1)(a) GDPR (consent), Article 22.2 LSSI-CE, and § 25(1) TDDDG. A complete list of cookies, their purposes, durations, and providers is set out in our separate Cookie Policy. Where we add analytics or marketing tools in the future (such as Wix Analytics or Google Analytics), they will only be activated after you have granted the corresponding consent through our cookie banner.
13. Your Rights
You have the following rights in relation to the personal data we process about you:
- Right of access (GDPR Art. 15): obtain confirmation of whether we process your data, and a copy of that data.
- Right to rectification (Art. 16): correction of inaccurate or incomplete data.
- Right to erasure / right to be forgotten (Art. 17), subject to legal retention obligations.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) for data processed on the basis of consent or contract performance.
- Right to object to processing based on legitimate interests, including a right at any time to object to direct marketing (Art. 21).
- Right to withdraw consent at any time where processing is based on consent (Art. 7(3)). Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right not to be subject to a decision based solely on automated processing, including profiling (Art. 22). See Section 14.
If you reside in Spain, you additionally benefit from the digital rights set out in Title X of the LOPDGDD (Articles 79-97), including the right to be forgotten in internet searches, the right to digital portability of social-media content, and the right to digital wills.
How to exercise your rights
To exercise any of these rights, write to privacy@orangeguide-academy.com from the email address associated with the data, or attach evidence linking you to the data in question. We will respond within one month of receipt (GDPR Art. 12(3)). This period may be extended by up to two further months where the request is complex or numerous, in which case we will inform you within the first month of the reasons for the extension. We will only request additional identification where we have reasonable doubts about your identity (Art. 12(6)).
Right to lodge a complaint
You may lodge a complaint at any time with a competent supervisory authority. The Spanish Data Protection Agency is the lead authority for OrangeGuide Academy: Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan, 6, 28001 Madrid, www.aepd.es. You may also lodge a complaint with the supervisory authority of your country of habitual residence, including: the German Federal Commissioner for Data Protection (BfDI) or the State Data Protection Authority of your Land; the Austrian Datenschutzbehörde (DSB).
14. Automated Decision-Making and Profiling
We do not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, within the meaning of GDPR Art. 22. The geo-blocking and bot-detection described in Section 11 do not constitute Article 22 decisions; they are technical access-control measures applied uniformly to all visitors and they do not evaluate the individual.
15. Security of Processing and Data Breach Notification
We implement appropriate technical and organisational measures to protect your personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, in accordance with GDPR Art. 32. These measures include:
- Transport encryption (TLS) for all data transmitted between your browser and the Website and between us and our processors;
- Encryption at rest on the storage layers used by Wix, Google, Microsoft, and Holded;
- Strong authentication, including two-factor authentication on all administrator accounts;
- Within OrangeGuide Academy, access is on a strict need-to-know basis; in practice the sole administrator is the only natural person with access to your data on our side. Our processors have technical access only to the extent necessary to deliver their services to us, governed by the data processing agreements in Section 7;
- Use exclusively of processors that have provided documented guarantees of GDPR compliance, supported by a written processing agreement and a published list of sub-processors;
- Periodic review of the processing activities, processor list, and retention schedule.
No system of electronic transmission or storage can be guaranteed to be 100% secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours of becoming aware of the breach in accordance with GDPR Art. 33, and we will notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Art. 34).
16. Minors
The Services are not directed at minors. Our Terms and Conditions require all users to be at least 18 years old. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a minor, we will delete that data without undue delay. The GDPR Art. 8 digital age of consent (16 in Germany; 14 in Spain and Austria) is therefore not relevant to access to the Services.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, the recipients we engage, or applicable law. The version number and date at the top of this Policy identify the current version. Material changes will be notified by email (where you have given us your email) and by a prominent notice on the Website before they take effect. Changes will not be applied retroactively to processing already carried out.
18. Contact
OrangeGuide Academy, S.L.U.
Rambla Catalunya 57-59, 4º 1ª, 08007 Barcelona, Spain
Privacy queries: privacy@orangeguide-academy.com
General queries: info@orangeguide-academy.com
Commercial Register
Registered with the Mercantile Registry of Barcelona (Registro Mercantil de Barcelona)
IRUS: 1000472505965
Folio: 1
Hoja: B656040
Inscripción: 1
Full corporate identification (Mercantile Registry data) is set out in our Legal Notice.



