Sylvanity

Privacy Policy

Data Controller: Sylvanity B.V.

Services: Sylvanity Academy Platform & Sylvanity.eu Website

Effective Date: November 12, 2025

Last Updated: November 12, 2025

1. Collection of Personal Data

Sylvanity B.V. collects personal data through the following methods:

1.1 Automatic Data Collection

When you access our Services (Sylvanity Academy Platform and Sylvanity.eu website), our servers automatically record the following information:

  • Internet Protocol (IP) addresses, browser type and version, and operating system information
  • Pages accessed, device identifiers, and search query terms entered
  • Device configuration data including operating system type, settings, and error reports
  • Usage analytics including content interaction patterns and session duration

1.2 Cookies and Tracking Technologies

Our Services utilize cookies and similar technologies in the following categories:

  • Strictly Necessary Cookies: Required for core platform functionality, authentication sessions (Supabase), and secure payment processing (Stripe)
  • Performance and Analytics Cookies: Used to analyze visitor behavior and platform performance
  • Marketing and CRM Cookies: HubSpot tracking cookies for visitor intelligence and marketing automation (Sylvanity.eu only)
  • Advertising Cookies: Enable the delivery of targeted advertisements and measurement of advertising campaign effectiveness through Google Ads conversion tracking

Google Consent Mode v2: For users in the European Economic Area, we implement Google Consent Mode v2 via our Google-certified consent management platform (CookieYes). This ensures that user consent choices are properly communicated to Google services (Google Ads, Google Analytics) in compliance with Google's requirements for EEA users. Tags are adjusted based on consent status to respect your privacy preferences.

1.3 Third-Party Data Sources

The following third parties may collect and process information about your interactions with our Services:

  • Google: Browsing activity for advertising campaign effectiveness measurement through Google Ads conversion tracking
  • HubSpot: Visitor intelligence, form submissions, and marketing engagement data (Sylvanity.eu only)
  • Stripe: Payment method information and transaction details for payment processing

1.4 Detailed Cookie Declaration

For a complete list of cookies used on our Services, including cookie names, providers, purposes, and expiration periods, please refer to our Cookie Declaration. This declaration is automatically maintained and updated by our consent management platform to reflect the current state of cookie deployment.

The Cookie Declaration can be accessed through the cookie settings interface on our Services or by contacting us at the address provided in Section 11.

2. Consequences of Not Providing Personal Data

Pursuant to Article 13(2)(e) of the GDPR, we inform you of the consequences of not providing certain categories of personal data:

  • Account and Authentication Data: Failure to provide name, email address, and password will prevent account creation and access to the Sylvanity Academy Platform, as this data is necessary for contract performance pursuant to Article 6(1)(b) GDPR.
  • Payment Information: If you do not provide payment details (processed by Stripe), we cannot process purchases of paid training courses or services, as payment processing is necessary for contract performance.
  • Contact Form Data: Failure to provide contact information in inquiry forms will prevent us from responding to your requests, though this does not affect access to other Services.
  • Cookies and Tracking: Rejection of non-essential cookies will not prevent access to the Services but may limit functionality such as personalized content, analytics-driven improvements, and advertising effectiveness measurement. Strictly necessary cookies are required for core functionality.

3. Purpose and Legal Basis for Processing

Sylvanity B.V. processes personal data exclusively for specified, explicit, and legitimate purposes in accordance with Article 5(1)(b) of the GDPR. The processing of personal data is conducted pursuant to the following legal bases set forth in Article 6 of the GDPR:

  • Performance of Contract (Article 6(1)(b) GDPR): Processing necessary for the performance of a contract to which the data subject is party, including but not limited to: (i) provision of educational services through the Sylvanity Academy Platform; (ii) processing of payments for services; (iii) account management and authentication; and (iv) delivery of purchased content or services
  • Legitimate Interests (Article 6(1)(f) GDPR): Processing necessary for the purposes of legitimate interests pursued by Sylvanity B.V. or third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, including: (i) improvement and optimization of Services; (ii) ensuring network and information security; (iii) fraud prevention; (iv) direct marketing to existing customers regarding similar services; and (v) responding to inquiries and communications
  • Consent (Article 6(1)(a) GDPR): Processing based on freely given, specific, informed, and unambiguous consent, including: (i) deployment of non-essential cookies and tracking technologies; (ii) Google Ads conversion tracking and remarketing; and (iii) HubSpot marketing automation and visitor intelligence (Sylvanity.eu)
  • Legal Obligations (Article 6(1)(c) GDPR): Processing necessary for compliance with legal obligations to which Sylvanity B.V. is subject under Union or Member State law, including: (i) retention of financial records pursuant to Dutch tax law; (ii) response to lawful requests from competent authorities; and (iii) compliance with applicable data protection legislation

Purpose Limitation: Personal data collected for the purposes specified above shall not be further processed in a manner incompatible with those purposes. Any processing for direct marketing purposes requires explicit opt-in consent which may be withdrawn at any time.

Special Categories of Personal Data (Article 9 GDPR): Sylvanity B.V. does not intentionally collect or process special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). If a data subject voluntarily provides such data (e.g., in a contact form or training inquiry), we will request explicit consent pursuant to Article 9(2)(a) GDPR and implement additional technical and organizational safeguards before processing such data.

3.1 Automated Decision-Making and Profiling

Pursuant to Article 13(2)(f) and Article 22 of the GDPR, we provide the following information regarding automated decision-making and profiling:

  • Limited Profiling for Advertising: When you consent to advertising cookies, we engage in limited profiling activities that associate your on-site browsing behavior with advertising audiences for remarketing purposes via Google Ads. This does not involve decisions that produce legal effects or similarly significantly affect you.
  • Logic and Consequences: User behavior (pages viewed, content accessed) is analyzed to determine relevant advertising categories. The consequence is that you may see targeted advertisements for Sylvanity services on third-party websites.
  • Your Rights: You may withdraw consent to profiling activities at any time by adjusting your cookie preferences via the consent banner or cookie settings. You may also opt out of personalized advertising through Google Ads Settings.

We do not engage in automated decision-making that produces legal effects or similarly significantly affects you without human intervention.

4. Disclosure to Third Parties

Sylvanity B.V. may disclose personal data to third parties under the following circumstances:

4.1 Service Providers and Processors

Personal data is shared with the following processors who provide essential services:

  • Supabase, Inc.: Database hosting, authentication, and real-time data services (Privacy Policy)
  • Stripe, Inc.: Payment processing and financial transaction services (Privacy Policy)
  • Netlify, Inc.: Platform hosting and content delivery services (Privacy Policy)
  • HubSpot, Inc.: Customer relationship management and marketing automation (Sylvanity.eu only) (Privacy Policy)
  • Google LLC: Advertising measurement services (Google Ads conversion tracking) (Privacy Policy)
  • CookieYes Limited: Cookie consent management and compliance services (Privacy Policy)
  • Resend, Inc.: Transactional email delivery services (Privacy Policy)

4.2 Legal and Regulatory Obligations

Personal data may be disclosed when required by applicable law, legal process, governmental request, or regulatory authority.

4.3 Corporate Transactions

In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the successor entity or acquiring party.

4.4 Consent-Based Disclosure

Personal data may be shared with third parties when you provide explicit consent for specific disclosure purposes.

Third-Party Privacy Policies: Data shared with Google through Google Ads conversion tracking is subject to Google's independent privacy policy and data processing practices.

5. Data Subject Rights Under GDPR

Pursuant to Chapter III of the GDPR, data subjects whose personal data is processed by Sylvanity B.V. are entitled to exercise the following rights:

5.1 Statutory Rights

  • Right of Access (Article 15 GDPR): The right to obtain confirmation as to whether personal data concerning you is being processed, and where applicable, access to such personal data and related information
  • Right to Rectification (Article 16 GDPR): The right to obtain rectification of inaccurate personal data and completion of incomplete personal data
  • Right to Erasure (Article 17 GDPR): The right to obtain erasure of personal data under certain circumstances ("right to be forgotten")
  • Right to Restriction (Article 18 GDPR): The right to obtain restriction of processing under specified conditions
  • Right to Data Portability (Article 20 GDPR): The right to receive personal data in a structured, commonly used, and machine-readable format
  • Right to Object (Article 21 GDPR): The right to object to processing based on legitimate interests or for direct marketing purposes
  • Right to Withdraw Consent (Article 7(3) GDPR): Where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of prior processing
  • Right to Lodge a Complaint (Article 77 GDPR): The right to lodge a complaint with a supervisory authority

To exercise any of these rights, please submit a request to academy@sylvanity.eu including proof of identity.

5.2 Cookie Consent Management

In accordance with Article 7 of the GDPR, the EU ePrivacy Directive 2002/58/EC, and guidance from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), the Services implement a consent management platform with the following characteristics:

  • Equally prominent "Accept all" and "Reject all" options without nudging or dark patterns
  • Granular control over cookie categories (strictly necessary, performance, marketing)
  • Access to Services is possible without consenting to non-essential cookies
  • Consent choices may be withdrawn or modified at any time via the cookie settings interface

Cookie consent is managed through CookieYes Limited's Google-certified consent management platform (CMP) in compliance with applicable data protection regulations.

5.3 Browser-Level Cookie Controls

You may also configure your browser settings to manage or reject cookies:

Note: Disabling strictly necessary cookies may affect platform functionality.

5.4 Advertising Preferences

Data subjects may exercise control over personalized advertising through the Google Ads Settings interface accessible at https://adssettings.google.com. Such controls are subject to Google's terms of service and privacy policy.

5.5 Industry Self-Regulatory Programs

Data subjects may opt out of interest-based advertising from participating companies through industry self-regulatory programs including the Digital Advertising Alliance (www.aboutads.info) and the European Interactive Digital Advertising Alliance (www.youronlinechoices.eu).

Do Not Track Disclosure: The Services do not currently respond to web browser "Do Not Track" (DNT) signals or similar mechanisms. No uniform technology standard for recognizing and implementing DNT signals has been finalized. Should a standard be adopted that Sylvanity B.V. is required to follow, this Policy will be updated accordingly.

6. Data Security

Sylvanity B.V. has implemented and maintains appropriate technical and organizational measures pursuant to Article 32 of the GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

Such measures include, but are not limited to:

  • Encryption of personal data in transit using Transport Layer Security (TLS) protocols
  • Implementation of access controls and authentication mechanisms
  • Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures
  • Procedures for regularly reviewing and updating security measures
  • Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems

Limitation of Liability: While Sylvanity B.V. implements security measures in accordance with industry standards and applicable law, the inherent risks of Internet-based data transmission cannot be eliminated entirely. No method of electronic transmission or storage is one hundred percent (100%) secure. Therefore, while we strive to protect personal data, Sylvanity B.V. cannot guarantee or warrant the absolute security of any information transmitted to or through the Services, and any transmission of personal data is at your own risk.

7. Minors and Children

The Sylvanity Academy Platform is not directed to individuals under the age of 16. Sylvanity B.V. does not knowingly collect personal data from children under 16 years of age. If we become aware that personal data has been collected from a child under 16 without parental consent, we will take prompt measures to delete such information from our systems.

8. Cross-Border Data Transfers

Personal data processed through the Platform may be transferred to and stored in jurisdictions outside your country of residence, where data protection laws may differ from those applicable in your jurisdiction.

8.1 Primary Infrastructure Providers

The Services utilize the following infrastructure providers, each of which may process personal data in multiple jurisdictions:

  • Netlify, Inc.: Provides platform hosting services utilizing content delivery network (CDN) infrastructure with points of presence globally distributed across multiple continents
  • Supabase, Inc.: Provides database hosting and authentication services through Amazon Web Services (AWS) infrastructure, with data residency determined by region selection during service configuration
  • Stripe, Inc.: Provides payment processing services through a globally distributed infrastructure designed to comply with regional financial regulations and data localization requirements

8.2 Third-Party Processing Locations

To the extent disclosed by our service providers in their respective privacy policies and data processing agreements, personal data is processed in the following jurisdictions:

  • Supabase, Inc.: Utilizes Amazon Web Services (AWS) infrastructure with data centers available in multiple regions including but not limited to United States (US-East-1, US-West-1), European Union (EU-Central-1 Frankfurt, EU-West-1 Ireland, EU-West-2 London), and Asia-Pacific regions, as selected during service configuration
  • Stripe, Inc.: Maintains primary data processing facilities in the United States with additional regional data centers in the European Union, Asia-Pacific, and other jurisdictions for localized payment processing in accordance with applicable financial regulations
  • Google LLC: Operates a global infrastructure with data centers in multiple jurisdictions worldwide; specific processing locations are determined dynamically based on operational requirements and may include any Google facility
  • HubSpot, Inc.: Primary data storage in United States data centers (AWS US-East-1) with optional data residency in Frankfurt, Germany (AWS EU-Central-1) for accounts configured with EU data hosting
  • Netlify, Inc.: Utilizes global content delivery network (CDN) infrastructure with primary processing in the United States and edge locations distributed across multiple continents
  • CookieYes Limited: A UK-based company providing cookie consent management services hosted on Amazon Web Services (AWS) infrastructure; according to CookieYes' privacy and hosting documentation, personal data may be processed in multiple AWS regions
  • Resend, Inc.: Maintains primary infrastructure in the United States utilizing AWS services with email delivery through globally distributed networks

Notice: The specific data processing locations of third-party service providers are subject to change. For the most current information regarding data processing locations, please refer to the respective privacy policies of each service provider linked in Section 3.1.

8.3 International Transfer Safeguards

Where personal data is transferred to countries that have not received an adequacy decision from the European Commission pursuant to Article 45 of the General Data Protection Regulation (GDPR), Sylvanity B.V. ensures that appropriate safeguards are implemented in accordance with Chapter V of the GDPR:

  • Standard Contractual Clauses (SCCs): Sylvanity B.V. has executed or ensures the execution of the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with processors including but not limited to Supabase, Inc., Stripe, Inc., HubSpot, Inc., CookieYes Limited, and Resend, Inc. for transfers of personal data outside the European Economic Area
  • EU-US Data Privacy Framework: Where applicable, transfers to United States-based processors may be conducted pursuant to their certification under the EU-US Data Privacy Framework as recognized by the European Commission's adequacy decision of July 10, 2023
  • UK Adequacy Decision: Transfers to processors based in the United Kingdom (such as CookieYes Limited) benefit from the European Commission's adequacy decision for the UK pursuant to Article 45 GDPR, with additional safeguards via Standard Contractual Clauses where data is subsequently transferred to non-EEA jurisdictions
  • Data Processing Agreements (DPAs): All processors acting on behalf of Sylvanity B.V. have executed Data Processing Agreements containing the mandatory provisions set forth in Article 28 of the GDPR, including obligations regarding data security, confidentiality, and sub-processor engagement

Right to Information: Data subjects may request copies of the appropriate safeguards implemented for international data transfers by submitting a written request to the contact information provided in Section 11 of this Policy. Such copies may be redacted to protect commercial confidentiality.

9. Data Retention

Sylvanity B.V. retains personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations:

  • Account Data: Retained for the duration of your account and 30 days after deletion request
  • Transaction Records: Retained for 7 years in compliance with Dutch tax regulations (Article 2:10 Dutch Civil Code and Article 52 General Tax Act)
  • Marketing Data: Retained until consent is withdrawn or 2 years of inactivity
  • Technical Logs: Retained for up to 90 days for security and performance monitoring
  • Cookie Data: Varies by cookie type (session cookies expire when browser closes, persistent cookies as per their defined expiration periods)
  • Consent Records: Cookie consent logs and records of data subject consent (including timestamp, IP address, and consent choices) are retained for 24 months to evidence compliance with GDPR Article 7(1) requirements and to respond to supervisory authority inquiries

Upon expiration of the applicable retention period, personal data will be securely deleted or anonymized in accordance with our data retention schedule and applicable legal requirements.

10. Amendments to This Policy

Sylvanity B.V. reserves the right to modify this Privacy Policy at any time. Material changes will be reflected by updating the "Last Updated" date at the beginning of this document. Your continued use of the Platform following the posting of changes constitutes acceptance of such modifications.

We recommend that you periodically review this Privacy Policy to remain informed of how Sylvanity B.V. collects, uses, and protects your personal data.

11. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact:

Data Controller: Sylvanity B.V.

Email: academy@sylvanity.eu

Registered Address: Unit 59, FLEX Treubstraat 21, 2288EH Rijswijk, The Netherlands

Telephone: +31 84 83 32 120

Chamber of Commerce Registration: 96488646

Data Protection Officer: Sylvanity B.V. has not appointed a Data Protection Officer (DPO) as we are not required to do so under Article 37 of the GDPR. Our processing activities do not require regular and systematic monitoring of data subjects on a large scale, nor do we process special categories of data or data relating to criminal convictions on a large scale as a core activity. All data protection inquiries should be directed to the contact information above.

Supervisory Authority: If your concerns regarding the processing of personal data have not been adequately addressed, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

© 2025 Sylvanity B.V. • All rights reserved • Effective November 12, 2025