Privacy Policy
Last Updated: March 12, 2026
1. Introduction & Controller Identity
This Privacy Policy explains how Literary Retail Academy ("we", "us", or "our") collects, uses, and protects personal data when you visit our website and when you submit information through our registration form. Our website provides educational information and training resources related to bookstore management, merchandising, inventory basics, customer engagement, and literary retail marketing.
The data controller responsible for your personal data is:
Legal entity: Xeljvoryn Academy s.r.o.
Registered address: Moravská Ostrava Office Park, 28. října 3346/91, 702 00 Ostrava, Czechia
Contact email: [email protected]
Phone: +420 596 112 844
Effective date of this Privacy Policy: March 12, 2026.
We do not appoint a Data Protection Officer (DPO) because our current processing activities do not require one under applicable data protection law. If this changes, we will update this policy with relevant contact information.
2. Personal Data We Collect
We collect personal data in a few clear contexts: when you browse the site, when you complete our registration form, and when you interact with our cookie preferences. The exact fields collected depend on how you use the site.
- Identity and contact details: first name, last name, email address, and (if you choose to share it elsewhere) any other contact information you include in your message.
- Form content: learning goals, context about your store or role, and any details you include in the message field.
- Technical data: IP address, browser type and version, device type, operating system, and language settings.
- Usage data: pages visited, time spent on pages, referrer/entry pages, and click paths. This helps us understand which lessons and guidance are most useful (only when analytics consent is provided where required).
- Cookies and identifiers: cookies that keep the site functional, store your cookie preferences, and (if you opt in) cookies for analytics and marketing measurement.
- Conversion events: events such as successful form submissions or page views used to measure whether the site is working properly (and, when consent is provided, to measure advertising performance).
We do not intentionally collect special-category personal data (such as health information, religious beliefs, political opinions), financial account details, or government-issued identification numbers through our standard registration form. Please do not include such information in your message.
3. Why We Process Personal Data & Legal Basis (GDPR Art. 6)
We process personal data only when there is a lawful basis to do so. Depending on the purpose, our lawful bases under GDPR (and equivalent UK GDPR principles, where applicable) include contract necessity, consent, legitimate interests, and legal obligations.
- Responding to your registration or enquiry: to contact you, answer questions, and provide course access information. Legal basis: Art. 6(1)(b) (steps prior to entering a contract) and Art. 6(1)(a) (consent) where you provide consent to be contacted.
- Operating and securing the website: to maintain availability, prevent abuse, and detect suspicious activity. Legal basis: Art. 6(1)(f) (legitimate interests in keeping our services secure and reliable).
- Analytics (optional): to understand aggregate usage and improve content structure, navigation, and clarity. Legal basis: Art. 6(1)(a) (consent) where required.
- Marketing/remarketing (optional): to measure advertising performance and show more relevant messages to people who have interacted with the site. Legal basis: Art. 6(1)(a) (consent) where required.
- Compliance: to meet legal obligations and respond to lawful requests. Legal basis: Art. 6(1)(c) (legal obligation).
Automated decision-making (Art. 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects for you.
4. Cookies & Tracking
Cookies are small text files stored on your device. We also use similar technologies such as pixel tags and server-side event signals. Our cookie categories are consistent across our Privacy Policy and our Cookie Policy.
Essential cookies (always active)
Essential cookies are required for core website functionality, such as keeping your session stable and remembering cookie preferences. These cookies do not require consent in many jurisdictions because they are necessary to provide the service you request.
- _site_session: used to maintain basic session continuity. Retention: session.
- cookie_consent: stores your cookie preference selections. Retention: up to 12 months.
Analytics cookies (optional, consent-based)
If you enable analytics cookies, we may use Google Analytics 4 (GA4) to measure aggregate usage such as page views, navigation paths, and engagement. Where supported by configuration, IP anonymization is applied. Default analytics data retention is 14 months.
- _ga (2 years) and _ga_XXXXXXXXXX (2 years) may be set by Google Analytics 4.
Marketing cookies (optional, consent-based)
If you enable marketing cookies, we may use tools such as Google Ads conversion measurement and Meta Pixel measurement. These tools help us understand which pages or content led to a registration and help us avoid showing irrelevant ads. They may create audiences for remarketing and lookalike modeling (where available), based on site activity.
- _gcl_au (90 days) may be set for Google Ads conversion linking.
- _fbp (90 days) and _fbc (90 days, when click ID is present) may be set for Meta measurement.
Beyond cookies, advertising measurement may use pixel tags (for example, gtag.js or Meta Pixel) or server-to-server event sharing (for example, Meta Conversion API or server-side tag management). When used, these systems can process identifiers derived from IP address and user agent. Where applicable, identifiers may be hashed before transmission.
5. Consent (EEA/UK)
Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent under Art. 6(1)(a). Your consent choice is recorded in the cookie_consent browser cookie and typically retained for up to 12 months.
You can withdraw consent at any time by selecting “Manage cookie preferences” in the footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing carried out before you withdrew consent.
6. Sharing With Advertising & Service Partners
We use a limited set of service providers to operate the site and (when you consent) to measure performance of content and advertising. We do not sell personal data.
- Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): may receive cookie identifiers, usage data, and conversion events. Privacy policy: https://policies.google.com/privacy
- Meta Platforms, Inc. (Meta Pixel, custom/lookalike audiences, Conversion API): may receive page view events, conversion events, audience membership signals, and identifiers (including hashed identifiers where applicable). Privacy policy: https://www.facebook.com/privacy/policy
- Cloudflare, Inc. (CDN and security): may process IP addresses and device information to provide performance and threat protection. Privacy policy: https://www.cloudflare.com/privacypolicy/
We do not permit these providers to use site data for their own independent commercial purposes. They process data as service providers under their terms and applicable data processing agreements.
7. International Transfers
Some of our service providers may be located outside the EEA/UK (including in the United States). When personal data is transferred internationally, we rely on appropriate safeguards such as:
- the EU-U.S. Data Privacy Framework (DPF) (where applicable), including the UK Extension and the Swiss-U.S. DPF where relevant;
- Standard Contractual Clauses (EU 2021/914) as a fallback safeguard; and
- UK International Data Transfer Agreement (IDTA) as a fallback safeguard for UK transfers.
8. Data Retention
We keep personal data only for as long as necessary for the purposes described in this policy, unless a longer retention period is required by law.
- Registration submissions: typically retained for up to 2 years from the last interaction, so we can respond, provide course details, and handle follow-up questions.
- Email correspondence: retained for the duration of our relationship plus 1 year for continuity and reference.
- Analytics data: retained for 14 months (where analytics cookies are enabled by consent).
- Marketing cookies: retained according to cookie lifetime (for example, 90 days for certain marketing cookies), unless deleted earlier by you.
- Server/security logs: typically retained for up to 90 days, unless needed for incident investigation.
- Cookie consent record: may be retained for up to 3 years for audit and compliance purposes.
- Legal/tax obligations: where applicable, certain records may be retained for statutory periods (commonly 6–10 years for invoice-related records).
9. Your Rights (GDPR & UK GDPR)
Depending on your location, you may have rights over your personal data. Under GDPR and UK GDPR, these typically include:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent at any time (Art. 7(3))
- Right to lodge a complaint with a supervisory authority (Art. 77)
To exercise these rights, email us at [email protected]. We aim to respond within 30 days. If requests are complex, the response period may be extended by up to 60 additional days, as permitted by law.
If you want to find your relevant authority, you can also consult the European Data Protection Board list: https://edpb.europa.eu/about-edpb/about-edpb/members_en, or the UK Information Commissioner’s Office (ICO): https://ico.org.uk/.
10. Children
This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If you believe a child under 16 has provided personal data without verifiable parental consent, contact us and we will delete the information promptly.
11. Do Not Track
This website does not respond to Do Not Track (DNT) browser signals. Third-party providers may have their own policies regarding DNT handling and similar signals.
12. Data Deletion Requests
You can request deletion of your personal data by emailing [email protected] with the subject line “Data Deletion Request”. To protect your privacy, we may request reasonable verification of identity before fulfilling the request. When deletion is possible, we aim to complete it within 30 days.
In limited cases, we may retain certain information if required by law or to establish, exercise, or defend legal claims.
13. Business Transfers
If we undergo a merger, acquisition, asset sale, financing, or insolvency process, personal data may be transferred to a successor entity as part of that transaction. If a transfer materially changes how your data is used, we will provide notice on the website.
14. California (CCPA / CPRA)
If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). In the past 12 months, we may have collected the following categories of personal information:
- Identifiers: such as name, email address, IP address, and cookie identifiers.
- Internet/network activity: such as pages viewed and interactions (when analytics or marketing cookies are enabled).
- Inferences: such as interests derived from browsing activity (only when marketing measurement is enabled).
We do not sell personal information as defined by CCPA. We may share information for cross-context behavioral advertising when marketing cookies are enabled. California residents may opt out by using our cookie preferences panel (via “Manage cookie preferences” in the footer).
Depending on your situation, you may have rights to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination. To submit a request, email us with the subject “California Privacy Request”. We may request verification of identity. Authorized agents may submit requests on your behalf with written proof of authorization.
15. Virginia (VCDPA)
If you are a Virginia resident, you may have rights under the Virginia Consumer Data Protection Act (VCDPA), including access, correction, deletion, portability, and opting out of targeted advertising.
To submit a request, email us with the subject “Virginia Privacy Request”. If we decline your request, you may appeal by emailing us with the subject “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days. We do not sell personal data and we do not engage in profiling that produces legal or similarly significant effects.
16. Nevada
Nevada residents may submit a verified opt-out request by emailing us with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will announce them on the website at least 14 days before they take effect. The “Last Updated” date at the top of this page will reflect the latest version.
18. Contact
If you have questions about privacy, data protection, or this Privacy Policy, contact:
Xeljvoryn Academy s.r.o.
Moravská Ostrava Office Park, 28. října 3346/91
702 00 Ostrava, Czechia
[email protected]
+420 596 112 844
Related policies
For cookie details, categories, and how to change your settings, read our Cookie Policy. For site usage rules, see our Terms of Service.