Legal
Privacy policy
This notice explains who controls the site, what categories of personal data are processed, why they are processed, who receives them, how long they are kept, and how visitors and users can exercise their rights.
Last updated 2026-04-18
Scope of this notice
This privacy notice covers personal-data processing that happens through the Dark Blue Cave Academy website, account system, admissions workflows, learning operations, transactional email delivery, public publishing surfaces, optional media playback, and any direct-purchase flow that is active on the site.
It is written to meet the transparency duties described by Law No. 06/L-082 on Personal Data Protection and the recent AIP focus on website transparency, privacy notices, and cookie disclosures.
Categories of personal data processed on the site
Depending on the page and workflow, the platform may process IP addresses, online identifiers, device and browser details, account identity, admissions details, course and certificate records, transactional email delivery metadata, publicly approved content, payment metadata, and optional-media interaction data.
Not every visitor uses every feature. The processing activities below explain which categories are relevant to which part of the site.
Your rights
You may exercise the rights granted by the applicable personal-data law, subject to the scope and limits set by law.
- Access: Ask for confirmation about whether your personal data is being processed and request a copy where the law gives that right.
- Rectification: Ask for incorrect or incomplete personal data to be corrected.
- Erasure: Request deletion where the legal grounds for continued processing no longer apply.
- Restriction: Ask for processing to be limited while accuracy, lawfulness, or objections are being reviewed.
- Objection: Object to processing that relies on legitimate interests, subject to the controller showing overriding grounds where the law allows it.
- Data portability: Receive data you provided in a structured form where the law gives that right.
- Withdraw consent: Change or withdraw optional-cookie consent at any time from the site-wide cookie settings control.
- Complain to AIP: If you believe your personal data rights were infringed, you may complain to the Agency for Information and Privacy.
Complaints and transparency
If you have a concern about how your personal data is processed, contact the site controller first using the contact details published below. You may also complain directly to the Agency for Information and Privacy.
Whenever the site adds new processors, cookie categories, or personal-data fields, this notice and the related cookie notice should be updated before release.
Controller and legal contact
Publish a monitored email, phone number, and location here so the privacy and cookie notices identify the site controller clearly.
- Controller
- Dark Blue Cave Academy
- Controller email
- Controller location
- Prishtina, Kosovo
- Data protection contact
- No separate contact has been published. Use the controller email above.
Processing activities on this site
The entries below describe the main operational processing activities currently active on the platform.
Site access, security, and server diagnostics
Deliver pages, keep the service available, prevent abuse, diagnose operational failures, and maintain evidence of security-relevant events.
Data categories
- IP address
- browser and device details
- requested URLs and timestamps
- referrer and response diagnostics
- cookie-consent state
Legal basis
Legitimate interests in operating a secure public website and documenting security-relevant events.
Recipients and retention
- Dark Blue Cave Academy admins and operators
- hosting, database, and infrastructure processors
Operational logs stay only as long as reasonably needed for security, uptime, debugging, backups, and recovery.
Account creation, Google sign-in, and session management
Create accounts, let users sign in, protect sessions, manage approval status, and route users through the requested auth flow safely.
Data categories
- name
- email address
- profile image
- role and approval status
- account identifiers
- authentication and anti-forgery cookies
Legal basis
Steps requested by the user to access the service, performance of the account service, and legitimate interests in account security.
Recipients and retention
- Google as authentication provider
- Dark Blue Cave Academy admins
- hosting, database, and session processors
Account records stay while the account is active and afterward only for legitimate operational, security, dispute, backup, or audit needs.
Applications, admissions, and direct contact follow-up
Review applications, evaluate fit, contact applicants, moderate admissions, and manage follow-up for courses, workshops, and related academy workflows.
Data categories
- name
- email address
- phone number
- application answers
- selected program details
- review notes and timestamps
Legal basis
Steps taken at the user's request before entering a training relationship, plus legitimate interests in reviewing admissions and managing academy operations.
Recipients and retention
- Dark Blue Cave Academy admins and reviewers
- hosting and database processors
Admissions records stay while the review, follow-up, support, dispute, and reasonable archive windows remain necessary.
Learning operations, certificates, and user-visible progress
Run courses and workshops, track participation and completion, issue certificates, and keep account dashboards and related admin records accurate.
Data categories
- enrollment records
- lesson and progress data
- certificate metadata
- event and session participation
- role and access status
Legal basis
Performance of the learning service and legitimate interests in operating the academy, documenting completions, and resolving support issues.
Recipients and retention
- Dark Blue Cave Academy admins and mentors where needed
- hosting and database processors
Learning records stay as long as needed to operate programs, document completions, support alumni requests, and maintain reasonable archive and backup copies.
Transactional email delivery from the notification outbox
Send queued operational email about access decisions, application outcomes, certificates, and schedule changes, and keep delivery-attempt records for support and launch operations.
Data categories
- name
- email address
- notification subject and transactional message content
- delivery state, timestamps, and failure diagnostics
Legal basis
Performance of the requested service where the email is part of account or learning operations, plus legitimate interests in reliable operational communication, support, and auditability.
Recipients and retention
- configured SMTP or email-delivery processor
- Dark Blue Cave Academy admins
- hosting and database processors
Queued notification records and delivery metadata stay as long as reasonably needed for support, operational troubleshooting, audits, and backup or recovery needs.
Public publishing of approved content
Publish approved courses, tutorials, portfolio items, associates, podcast pages, and selected public proof that the academy intentionally makes visible.
Data categories
- public titles and summaries
- approved profile or portfolio content
- public image and media assets
- publication timestamps and slugs
- visitor IP address and browser details when externally hosted media assets are loaded
Legal basis
Legitimate interests in publishing the academy's public content and, where applicable, fulfilling public-profile or portfolio visibility requested by the user.
Recipients and retention
- site visitors
- search engines and public web crawlers
- hosting and CDN or asset processors where used
- external asset hosts when admins intentionally configure remote media URLs
Public content stays live until removed, archived, or replaced, with backups and operational archives retained as reasonably necessary.
Optional YouTube embedded playback
Play podcast video inside the site only after the visitor accepts optional media cookies.
Data categories
- IP address
- browser and device details
- player interaction data
- cookies or online identifiers set by YouTube or Google
Legal basis
Consent.
Recipients and retention
- YouTube / Google
- Dark Blue Cave Academy only for the local consent record
Consent preference is stored for 180 days. Any third-party retention applied by YouTube or Google is governed by their own policies.
Course checkout and payment reconciliation when direct purchase is enabled
Initiate checkout, reconcile callbacks, confirm payment status, and connect verified purchases to course-access operations.
Data categories
- account identity and email
- order reference
- course identifier
- amount and currency
- payment callback metadata
- purchase status and timestamps
Legal basis
Steps requested by the user to buy a course, performance of the purchase flow, and legitimate interests in fraud prevention, support, accounting, and reconciliation.
Recipients and retention
- Paysera as payment processor
- Dark Blue Cave Academy admins
- hosting and database processors
Payment and reconciliation records stay as long as reasonably required for accounting, support, fraud prevention, and audit obligations.
Legal references and complaints
The privacy and transparency standard on this site tracks the Kosovo personal-data law and AIP complaint path.