Privacy Policy — Upāyosis / Schirp BV

Last updated: 25 August 2025

1) Who we are

Upāyosis / Schirp BV (KvK: 67709710, VAT: NL857142598B01)
 Egboet 47, 1671 LH Medemblik, The Netherlands
Contact: [email protected]
Website: upayosis.com (Squarespace)
Learning portal: courses.upayosis.com (Thinkific)

We are the data controller for personal data collected via our websites, courses, events, office-hours bookings, and donations.

2) What this policy covers

This policy explains what we collect, why, how we use/share it, and your choices & rights. It applies to:

• Website at upayosis.com (Squarespace)

• Learning portal at courses.upayosis.com (Thinkific)

• Live sessions (Zoom) & replays (Vimeo)

• Bookings (Google Calendar Appointment Schedules)

• Donations & payments (Stripe / Thinkific Payments)

• Forms & surveys (Tally)

• Email (Squarespace Email Campaigns)

• Community (Discord — optional, when enabled)

• Analytics & cookies (Google Analytics 4)

• Affiliate attribution (a 1st-party 90-day cookie on upayosis.com + Thinkific’s own cookies)

3) Data we collect

3.1 Provided by you

• Account & enrollment (name, email, password hash) on courses.upayosis.com

• Billing & donations (handled by Stripe/Thinkific; we don’t store full card numbers)

• Forms & surveys (e.g., intake goals/baselines via Tally)

• Support emails (messages to [email protected])

• Community data (Discord profile & posts when/if you join — optional)

3.2 Collected automatically

• Usage & device data (pages viewed, clicks, approximate IP-based region, device/browser) via GA4/platform logs

• Cookies & similar tech (see Cookie section)

• Session recordings: some live sessions are recorded for enrolled participants; recordings may include audio/video and chat of those who speak

3.3 From third parties

• Payment status (success/failure/refund) from Stripe/Thinkific

• Affiliate attribution from Thinkific if you enrolled via an affiliate link

We do not knowingly collect data from children under 16.

4) Why we collect & legal bases (GDPR)

Purposes and legal bases

• Provide services
  Examples: Account creation, course access, office-hours scheduling, replays
  Legal basis: Contract (Art. 6(1)(b))

• Process payments/donations
  Examples: Subscriptions, one-time gifts
  Legal basis: Contract + Legal obligation (tax)

• Support & communications
  Examples: Service emails, updates, troubleshooting
  Legal basis: Legitimate interests; sometimes contract

• Improve & secure
  Examples: Analytics, error logs, fraud prevention
  Legal basis: Legitimate interests

• Marketing (light)
  Examples: Program announcements to subscribers/students
  Legal basis: Consent (where required) or legitimate interests with opt-out

• Use of recordings
  Examples: Provide replays to your cohort
  Legal basis: Legitimate interests + consent where required

• Comply with law
  Examples: Tax, accounting, regulatory requests
  Legal basis: Legal obligation

You can withdraw consent at any time where consent is our basis.

5) Sharing your data (processors & partners)

We share only what’s necessary with service providers:

• Squarespace (website hosting & Email Campaigns)

• Thinkific (learning platform; payments via Thinkific Payments)

• Stripe (donations / card processing)

• Vimeo (video hosting)

• Zoom (live video)

• Google (Calendar Appointment Schedules; Analytics)

• Tally (forms & surveys)

• Discord (community space, optional)

• Bookkeeping: Exact (invoicing/accounting records)

We may share data where required by law or to protect rights, safety, or security.

International transfers. Some providers are outside the EEA (e.g., US). We rely on Standard Contractual Clauses and comparable safeguards. Details available on request.

6) Retention

• Account & enrollment: life of your account + up to 6 years (tax/audit)

• Billing/donations: transactional records 7–10 years (local tax law)

• Support emails: 24 months

• Analytics: GA4 user/event data 14 months (configured)

• Intake surveys: program duration + 12 months, then anonymized or deleted

• Recordings: available to your cohort during the program + up to 6 months after, then removed or archived with restricted access

7) Your rights (GDPR & similar)

You can access, correct, delete, or export your data, and object to or restrict certain processing. You can also withdraw consent.
Contact: [email protected] (we aim to respond within 30 days).

 You may lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens) or your local authority.

 For California residents: you may have additional CPRA rights (access, deletion, correction, limit sensitive data, opt-out of “sharing”). We do not sell personal data.

8) Cookies & tracking

8.1 Essential (cannot be turned off)

• Thinkific session cookies – keep you logged in and secure

• Stripe/Thinkific Payments – fraud prevention & checkout

• Our affiliate memory on upayosis.com

  • up_aff_ref (affiliate code) — expires after 90 days

  • up_aff_ref_ts (timestamp) — expires after 90 days
    Purpose: first-touch attribution to credit the right partner (scope: upayosis.com only)

8.2 Analytics (optional)

• Google Analytics 4 across upayosis.com ↔ courses.upayosis.com to understand site usage and improve services. We use IP anonymization, no ad-personalization, and 14-month retention. You can opt-out via browser settings or by contacting us.

8.3 Media & embeds

• Vimeo may set cookies to deliver video (e.g., player preferences)

• Google Calendar embed may set cookies to show appointment slots

Managing cookies: You can adjust your browser to block non-essential cookies. Where required, we show a consent banner on first visit to upayosis.com.

9) Recordings & community norms

We may record live sessions for enrolled participants who can’t attend. We announce recording at the start. If you prefer not to appear, you may keep your camera off and use chat or follow-up questions. Please don’t share replays or materials outside your cohort.

10) Security

We use HTTPS, account authentication on the portal, least-privilege staff access, and vendor DPAs where available. No method is 100% secure; if a breach affects you, we’ll notify you and regulators where required.

11) Marketing choices

• Emails: Every message includes an unsubscribe link.

• Analytics: You can request opt-out of analytics tagging linked to your email/account.

• Affiliates: If you used an affiliate link and want that attribution cleared, email us; we’ll remove any stored ref associated with your account.

12) Changes

We’ll post updates here and adjust the “Last updated” date. Material changes may also be emailed to enrolled students.

13) Contact

Questions or requests about this policy: [email protected]

 We’re happy to help.