Privacy Policy

Effective May 16, 2026

The short version. We collect the email and name you give us when you take a quiz, plus standard analytics. We use it to send the personalized plan you asked for and the educational emails you opted into. We do not sell your data. You can unsubscribe or delete your data anytime by emailing [email protected].

1. Who we are

Eczema Academy ("we", "us", "our") provides educational content about eczema, including videos, quizzes, written guides, and online courses. Carolyn Akinyemi is the host and founder. We are the data controller for the information described in this policy.

2. What we collect and why

We collect the minimum information needed to deliver what you asked for and to keep the service running. Specifically:

Email address — to send your personalized eczema plan, transactional confirmations, and educational follow-up emails (only when you opt in).
First name — to personalize your plan and email greetings.
Quiz answers — to compute your matched pattern and write your personalized plan PDF. Stored for 24 months then anonymized.
Analytics signals — standard server logs (IP, user-agent, referrer, page URL) used to understand which content helps people and to detect abuse. Retained 90 days.
Purchase records — if you buy a course, our payment processor stores the transaction. We see the email, course, and amount but not your card details.

3. Lawful bases (GDPR)

We rely on the following lawful bases under the UK GDPR / EU GDPR:

Consent — for marketing emails and non-essential cookies. You can withdraw consent at any time.
Contract — to deliver the quiz result and any course you purchase.
Legitimate interest — to keep the service secure, prevent fraud, and improve content.

4. Who we share with

We share data only with the processors that run the service:

Email delivery — Amazon Web Services (SES) and/or Postmark for transactional and marketing email.
Payment processing — the course platform's payment processor (Stripe / PayPal). We never store card details.
Hosting — Hetzner (EU servers).
Analytics — first-party only; we do not use Google Analytics, Facebook Pixel, or TikTok Pixel by default. If we add any, this policy is updated and consent is re-collected for EU/UK visitors.

We do not sell your personal information in the meaning of the California Consumer Privacy Act (CCPA/CPRA) or any equivalent state law.

5. International transfers

Our primary servers are in the EU. Some processors (email delivery, payment) may transfer data to the United States. Where they do, transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework where applicable.

6. Cookies

We use only essential and functional cookies by default (session, preference). We do not load analytics or advertising cookies until you give consent via the cookie banner. See our Cookie Notice for details and controls.

7. Your rights

Wherever you are, you have the right to:

Access the data we hold about you
Correct it if it is wrong
Delete it (we will retain only what we are legally required to keep, e.g. transactional records for tax purposes)
Export it in a portable format
Object to processing for marketing
Withdraw consent at any time

If you are in California, Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Montana, or any other US state with a privacy law, you have substantially the same rights including the right to opt out of any sale or sharing of personal data (we do neither).

To exercise any of these rights, email [email protected]. We respond within 30 days.

8. Children

This service is for adults. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us information, contact us and we will delete it.

9. Security

We use industry-standard measures including TLS encryption in transit, encrypted backups, restricted server access, and least-privilege staff access. No system is completely secure; if a breach happens that affects your data, we will notify you within 72 hours where required by law.

10. Updates

We will post material changes here and, if they meaningfully affect you, email you. The Effective Date at the top of this page shows when this policy was last revised.

11. Contact

Email: [email protected]

Response time: within 30 days, usually much sooner.

If you are in the UK or EU and you are not satisfied with our response, you have the right to complain to your local supervisory authority: in the UK, the Information Commissioner's Office (ico.org.uk); in the EU, your national Data Protection Authority (edpb.europa.eu).