Skip to main content

Privacy Policy

Last Updated: March 12, 2026

1. Introduction & Controller Identity

This Privacy Policy explains how Creative Drawing Academy ("we", "us") collects, uses, and protects your personal data when you visit this website or when you submit the registration form for our drawing and illustration education. This Privacy Policy applies to interactions with our pages and to communications you send through our forms and email.

The data controller responsible for your personal data is:

  • Legal entity: Cozrvelis Ltd
  • Business name: Creative Drawing Academy
  • Registered address: Vlkova 532/8, Žižkov (Praha 3), 130 00 Praha, Czechia
  • Email: [email protected]
  • Telephone: +420 233 090 418

We do not appoint a Data Protection Officer (DPO) at this time because we do not carry out large-scale processing of special-category data. If that changes, we will update this policy and provide a dedicated privacy contact.

2. Personal Data We Collect

We collect personal data in a few straightforward ways: when you send us a message through a form, when you email us, and when your browser requests pages (which creates basic technical logs). The specific categories of data we may collect include:

  • Identity and contact data: first name, last name, email address. If you choose to call us, we will see your caller ID according to your phone settings and telecom provider.
  • Form content: messages you type into our registration form, such as your learning goals, the topics you want to study (for example: perspective, value grouping, gesture), and any project context you decide to share.
  • Communication data: emails you send to us and our replies, including timestamps and delivery metadata.
  • Technical data: IP address, approximate location derived from IP (city/region), browser type, device information, operating system, language settings, and the pages requested.
  • Usage data: pages viewed, time spent on pages, referrer URLs, and interaction events (for example, whether a page section was viewed or whether a form submission completed).
  • Cookies and identifiers: cookie identifiers and consent settings stored in your browser as described in Section 4.
  • Conversion events: signals that indicate a registration form was submitted or that a visit originated from an advertisement campaign, when those features are enabled with consent.

We do not intentionally collect special-category data (such as health information, religious beliefs, political opinions), financial account details, or government identification numbers through our forms. Please do not include such information in your messages.

3. Why We Process Personal Data & Legal Basis (GDPR Article 6)

We process personal data only for purposes that are connected to running and improving Creative Drawing Academy, responding to registration requests, maintaining site security, and measuring the effectiveness of our marketing when you allow it. The legal bases under the GDPR (and UK GDPR where applicable) are:

  • Registration and contact requests: we use your name, email address, and learning goals to respond and provide next steps. Legal basis: Article 6(1)(b) (steps prior to entering a contract) and, where you provide consent to be contacted, Article 6(1)(a).
  • Analytics (optional): we measure aggregated usage to understand which lessons and pages are most useful. Legal basis: Article 6(1)(a) consent.
  • Marketing / remarketing (optional): we may measure advertising performance and show relevant ads to people who have visited our site. Legal basis: Article 6(1)(a) consent.
  • Security and fraud prevention: we protect the site from abusive traffic, spam submissions, and suspicious activity. Legal basis: Article 6(1)(f) legitimate interests (site security and abuse prevention).
  • Legal obligations: if required by law, we may retain certain records or respond to lawful requests from authorities. Legal basis: Article 6(1)(c).

Automated decision-making (Article 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects. Any recommendations we send (for example, a suggested sequence like gesture → construction → value grouping) are educational guidance based on your stated goals, not automated decisions with legal impact.

4. Cookies & Tracking

Cookies are small text files stored on your device. We also use similar technologies (pixel tags and server-side event signals) that can help measure traffic and conversions. Our site uses three categories of cookies and tracking:

Essential (always active)

These are required for basic site functionality and to remember your cookie choices. They do not require consent in most jurisdictions. Examples include:

  • _site_session (first-party): session continuity and basic security. Retention: session to 12 months depending on implementation.
  • cookie_consent (first-party): stores your cookie preference choices. Retention: 12 months.

Analytics (optional, consent-based)

If you opt in, we may enable Google Analytics 4 (GA4) to understand how visitors use the site and which content is most helpful. We configure analytics in a privacy-minded way, including IP anonymization where supported. Example cookies include:

  • _ga (third-party): GA4 user identifier. Retention: 2 years.
  • _ga_XXXXXXXXXX (third-party): GA4 session state. Retention: 2 years.

Analytics data retention is typically 14 months for event-level data (as configured in GA4), but cookie lifetimes may differ.

Marketing (optional, consent-based)

If you opt in, we may enable marketing tags for advertising measurement and remarketing. These may set cookies that help attribute ad clicks and measure conversions. Example cookies include:

  • _gcl_au (third-party): Google Ads conversion linker. Retention: 90 days.
  • _fbp (third-party): Meta Pixel browser identifier. Retention: 90 days.
  • _fbc (third-party): Meta Pixel click identifier when a click ID exists. Retention: 90 days.

Beyond cookies, these tools may use pixel tags or server-side event transmission (for example, conversion APIs). Where implemented, server-side events may include hashed identifiers to improve matching (for example, a hashed email), along with technical signals like IP address and User-Agent. We use these signals for conversion attribution and to build remarketing and lookalike audiences only when you consent.

5. Consent for Users in the EEA and UK

Users in the EEA and the UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (Article 6(1)(a)). Your consent choice is recorded in the cookie_consent browser cookie and is stored for 12 months.

You can withdraw or change consent at any time by using the cookie controls available via the footer link (Manage cookie preferences) or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing based on consent before it was withdrawn.

6. Sharing With Advertising & Service Partners

We use reputable service providers to operate the website, keep it secure, and (when you consent) measure marketing and site usage. We share only what is necessary for the specific purpose, and we do not sell personal data.

  • Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): may receive cookie IDs, usage data, and conversion events. Privacy policy: https://policies.google.com/privacy
  • Meta Platforms, Inc. (Meta Pixel, Custom/Lookalike Audiences, Conversion API): may receive page view and conversion events, audience membership signals, and hashed identifiers. Privacy policy: https://www.facebook.com/privacy/policy
  • Cloudflare (CDN and security): may process IP addresses and request metadata to protect against abusive traffic and improve performance. Privacy policy: https://www.cloudflare.com/privacypolicy/

We do not permit these providers to use site data for their own independent commercial purposes. They act as processors or service providers and are subject to contractual safeguards.

7. International Transfers

Some providers (such as Google and Meta) may process data in countries outside the EEA/UK, including the United States. Where required, transfers are safeguarded using:

  • EU-US Data Privacy Framework (DPF) (primary, where applicable since July 2023)
  • UK Extension to the EU-US DPF
  • Swiss-US DPF (where relevant)
  • Standard Contractual Clauses (EU 2021/914) as a fallback
  • UK International Data Transfer Addendum (IDTA) as a fallback

We also apply practical safeguards such as consent controls for marketing and analytics, and we limit the data shared to what is necessary for the chosen features.

8. Data Retention

We retain personal data only as long as needed for the purpose it was collected for, and then we delete or anonymize it unless law requires longer retention. Typical retention periods are:

  • Registration form submissions: up to 2 years from the last interaction, to allow follow-up and maintain continuity if you return later.
  • Email correspondence: for the duration of the relationship plus 1 year, unless a longer period is required for dispute handling.
  • Server logs: typically up to 90 days for security and troubleshooting.
  • Analytics data: typically 14 months (as configured), plus the cookie lifetimes described in Section 4.
  • Marketing cookies: retained per their cookie lifetimes (for example, 90 days) unless you withdraw consent earlier.
  • Cookie consent record: up to 3 years for audit and compliance purposes.
  • Legal/tax records: as required by applicable law (often 6 to 10 years for invoices and accounting documents).

9. Your Rights (GDPR and UK GDPR)

Depending on your location, you may have the following rights regarding your personal data:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Right to withdraw consent at any time (Article 7(3))
  • Right to lodge a complaint with a supervisory authority (Article 77)

To exercise your rights, email [email protected]. We aim to respond within 30 days. For complex requests, this period may be extended by up to 60 days, as permitted by law. We may ask for information to verify your identity before we act on your request.

Supervisory authority resources:

10. Children

This website is not directed at individuals under 16. We do not knowingly collect personal data from minors. If you believe a child under 16 has submitted personal data without verifiable parental consent, contact us at [email protected] and we will delete the data promptly.

11. Do Not Track Signals

This website does not respond to "Do Not Track" (DNT) browser signals. Third-party providers may have their own mechanisms for honoring such signals. You can control cookies through our cookie preferences panel and through your browser settings.

12. Data Deletion Requests

You may request deletion of personal data by emailing us with the subject line Data Deletion Request. We will complete the request within 30 days after verifying your identity, unless we must retain specific information to comply with legal obligations or to establish, exercise, or defend legal claims.

13. Business Transfers

If we are involved in a merger, acquisition, asset sale, financing, reorganization, insolvency, or similar event, personal data may be transferred to a successor or affiliated entity as part of that transaction. If such a transfer materially changes how personal data is used, we will provide notice on the website.

14. California Privacy Notice (CCPA/CPRA)

This section applies to California residents where the California Consumer Privacy Act (as amended by the CPRA) applies. Over the past 12 months, we may have collected the following categories of personal information:

  • Identifiers: name, email address, IP address, cookie identifiers.
  • Internet or other network activity: browsing activity on our website, interaction data, and basic device information.
  • Inferences: preferences or interests inferred from site usage (for example, which topics were viewed), used to improve content or for advertising where enabled with consent.

We do not sell personal information as defined by the CCPA. We may share personal information for cross-context behavioral advertising when marketing cookies are enabled; California residents may opt out using our cookie preferences panel.

California residents may have the right to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination for exercising privacy rights. To submit a request, email [email protected] with the subject line California Privacy Request. We will verify your identity before fulfilling the request. Authorized agents may submit requests with written proof of authorization.

15. Virginia Privacy Notice (VCDPA)

Virginia residents may have rights to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising. We do not sell personal data. We do not engage in profiling that produces legal or similarly significant effects.

To submit a request, email [email protected] with the subject line Virginia Privacy Request. If we decline a request, you may appeal by emailing with the subject line Appeal of Refusal — Privacy Request. We will respond within 60 days. If the appeal is denied, you may contact the Virginia Attorney General.

16. Nevada Privacy Notice

Nevada residents may submit a verified request to opt out of the sale of certain personal information by emailing [email protected] with the subject line Nevada Do Not Sell Request. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the tools we use. Material changes will be announced via a prominent notice on the website at least 14 days before taking effect. The "Last Updated" date at the top of this page indicates when the latest version became effective.

18. Contact

For privacy questions or requests, contact: