Legal Document

Privacy Policy

Effective: 1 January 2026 · Last updated: 25 March 2026 · GDPR compliant

Contents

01Who We Are (Data Controller)
02Data We Collect
03Legal Basis for Processing
04How We Use Your Data
05Third-Party Services & Data Processors
06Cookies
07Data Retention
08Your Rights Under GDPR
09International Data Transfers
10Children's Privacy
11Changes to This Policy
12Contact & Complaints

Who We Are (Data Controller)

VIT Orion Academy ("we", "us", "our") is the data controller responsible for personal data collected through this platform. We are based in the Republic of Bulgaria and subject to Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR).

Data Controller contact: [email protected]

Data Protection Officer: We have not appointed a Data Protection Officer as our processing activities do not meet the thresholds set out in GDPR Article 37(1). For all data protection enquiries, contact [email protected].

Data We Collect

We collect only the data necessary to provide our services. The table below sets out what we collect, why, and how:

Data Category	Specific Data	How Collected
Account data	Email address, username, encrypted password hash	Registration form
Profile data	Avatar image (optional, base64-encoded), plan/subscription tier, account creation date	Profile settings
Content data	Forum posts, comments, direct messages, bot strategy applications	Platform interactions
Payment data	Payment status and subscription tier (no card details — processed by Whop/Stripe)	Payment processor webhook
Technical data	IP address, browser type, session tokens, access timestamps, error logs	Automatically on platform use
Consent records	Timestamp and confirmation of Terms/Privacy/Risk acceptance at registration	Registration form
Communication data	Emails you send to our support address	Direct communication

We do not collect: full payment card details, government ID numbers, biometric data, or health data.

Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

Contract performance (Art. 6(1)(b)): Processing necessary to create and manage your account, deliver course content, and provide subscription services you have purchased
Consent (Art. 6(1)(a)): Where you have actively opted in, for example uploading a profile avatar or communicating via live chat
Legitimate interests (Art. 6(1)(f)): Platform security, fraud prevention, abuse detection, and improving our services — where these interests are not overridden by your rights
Legal obligation (Art. 6(1)(c)): Where we are required by law to retain certain records

How We Use Your Data

Creating and managing your user account
Delivering purchased courses and subscription content
Granting access to the appropriate subscription tier
Operating forum, messaging, and community features
Sending transactional emails (account confirmation, password reset, subscription changes)
Responding to support requests and legal enquiries
Preventing fraud, abuse, and unauthorised access
Complying with legal obligations including tax records and data subject requests
Improving platform functionality based on aggregated, anonymised usage patterns

We do not sell your personal data to third parties. We do not use your data for advertising profiling or share it with advertisers.

Third-Party Services & Data Processors

We engage the following data processors. Each has been assessed for GDPR compliance and is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguards:

Supabase Inc.

Purpose: Database hosting, user authentication, file storage, and real-time platform functionality. Your account data, profile, forum posts, and messages are stored on Supabase-managed servers.
Location: EU (Frankfurt, Germany) region — no transfer outside EEA for platform data.
Privacy: supabase.com/privacy

Whop Marketplace Inc.

Purpose: Payment processing and subscription management for bot access subscriptions. When you purchase via Whop, your payment and personal data is processed under Whop's terms.
Location: United States (Standard Contractual Clauses apply for EU transfers).
Privacy: whop.com/privacy

Telegram Messenger Inc.

Purpose: Delivery of bot signals and community access to Bot Access subscribers. When you join the Telegram signal group, Telegram processes your Telegram account data under their own policies.
Group visibility note: When you are added to the VIT Orion private Telegram group, your Telegram username and Telegram user ID become visible to other members of that group. This is an inherent characteristic of the Telegram platform and applies to all group participants equally. We do not store, export, or process your Telegram data outside of Telegram itself.
Privacy: telegram.org/privacy

Bunny.net

Purpose: Secure video hosting and delivery for course content (HLS streaming, token-authenticated playback). Viewing activity such as IP address and video load events may be logged by Bunny.
Location: EU (Netherlands).
Privacy: bunny.net/privacy

Vercel Inc.

Purpose: Web hosting and edge network for the VIT Orion Academy platform. Vercel may process request logs including IP addresses.
Privacy: vercel.com/legal/privacy-policy

Discord Inc.

Purpose: Community access for Bot Access subscribers. Joining the VIT Orion Discord server involves sharing your Discord username and Discord user ID within the server environment. Other server members will be able to see your Discord username. We do not receive your Discord email address, password, or payment information — those remain solely with Discord.
Location: United States (Standard Contractual Clauses apply for EU data transfers).
Privacy: discord.com/privacy

Cookies

This platform uses a minimal set of cookies. We do not use advertising cookies or third-party tracking cookies.

Cookie	Type	Purpose	Duration
`sb-*` (Supabase)	Strictly necessary	Authentication session token — required to keep you logged in	Session / up to 1 year if "Keep me signed in" is selected
`vit_remember`	Strictly necessary	Stores your "Keep me signed in" preference	Session
`vit_risk_dismissed`	Functional	Remembers that you dismissed the risk warning bar (session only)	Browser session

All fonts are self-hosted on our own domain. We do not load Google Fonts or other external font services that would transfer your IP address to third parties.

Strictly necessary cookies cannot be disabled as the platform cannot function without them.

Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law:

Active accounts: Data is retained for the duration of your account and for 2 years after your last login or subscription cancellation
Deleted accounts: Personal data is deleted within 30 days of an account deletion request, except where retention is required by legal obligation
Forum and community content: Public forum posts may be retained in anonymised or pseudonymised form after account deletion, as part of the community record
Payment records: Financial transaction records are retained for 7 years as required by Bulgarian accounting and tax law
Consent records: Retained for the duration of the account plus 5 years, to demonstrate compliance
Server logs (IP, technical): Retained for 90 days for security and fraud prevention purposes, then deleted

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Right of Access

Request a copy of all personal data we hold about you (GDPR Art. 15)

Right to Rectification

Request correction of inaccurate or incomplete personal data (Art. 16)

Right to Erasure

Request deletion of your personal data ("right to be forgotten") (Art. 17)

Right to Restriction

Request that we limit processing of your data in certain circumstances (Art. 18)

Right to Portability

Receive your data in a structured, machine-readable format (Art. 20)

Right to Object

Object to processing based on legitimate interests (Art. 21)

Withdraw Consent

Withdraw any consent given, at any time, without affecting prior lawful processing

Lodge a Complaint

File a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) at cpdp.bg

International Data Transfers

Your primary account and platform data is stored within the EU (Supabase EU region, Vercel EU edge). Certain third-party processors (Whop, Discord) operate in the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

European Commission Standard Contractual Clauses (SCCs)
Adequacy decisions where applicable
Processor Data Processing Agreements requiring GDPR-equivalent protections

Children's Privacy

This platform is not directed at or intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a user is under 18, we will terminate that account and delete all associated data immediately.

If you believe a minor has created an account, please contact us at [email protected].

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and, where required by law, notify you by email or via a platform notice before the changes take effect.

Your continued use of the platform after the revised policy is posted constitutes your acceptance of the updated terms.

Contact & Complaints

For all privacy-related requests, data subject rights exercises, or concerns:

Email: [email protected]
Response time: Within 30 days of receipt of your request

You have the right to lodge a complaint with your national supervisory authority. In Bulgaria, this is the Commission for Personal Data Protection (CPDP):