Privacy Policy

1. Introduction & Controller Identity

This Privacy Policy explains how rihvelnox (“we”, “us”, or “our”) collects, uses, and protects your personal data when you visit our website or contact us about our online education programme for clothing sales and fashion retail business skills.

Data Controller: Rihvelnox Retail Education Ltd, 11 Boundary Street, Shoreditch, London E2 7JE, United Kingdom. If you have any questions about this Privacy Policy or our data practices, you can contact us at [email protected].

Effective Date: March 14, 2026. This policy applies to visitors, prospective learners, and anyone who submits a form on our website.

We do not appoint a Data Protection Officer (DPO) for this website because we do not conduct large-scale systematic monitoring or large-scale processing of special-category data. If your situation requires additional assurance, contact us and we will explain the controls we use.

2. Personal Data We Collect

The data we collect depends on how you interact with the site. We aim to keep forms minimal and collect only what we need to respond and to operate the website safely.

• Identity and contact data: name, email address, and (if you choose to provide it in a message) other contact details.
• Form content: any information you include in contact or registration requests (for example: course questions, business context, topics you want to learn, preferred learning format, or operational constraints).
• Technical data: IP address, browser type and version, device identifiers, operating system, language settings, and approximate location derived from IP (country/city level).
• Usage data: pages you view, time spent on pages, referring pages, click paths, and interaction events (for example: button clicks or form starts).
• Cookies and identifiers: essential cookies needed for site operation and consent management, plus optional analytics and marketing identifiers if you consent (see Section 4).
• Conversion events: events that indicate a meaningful action on the site, such as a completed form submission or a visit to a confirmation page.

We do not intentionally collect special-category personal data (such as health data, religious beliefs, or political opinions) through our standard forms. We also do not request government IDs or financial account details. Please avoid including sensitive information in free-text message fields.

3. Why We Process Personal Data & Legal Basis

We process personal data to run our educational website, respond to enquiries, and improve how we explain the course. Where the UK GDPR and EU GDPR apply, we rely on the legal bases below.

Contact and registration enquiries

When you submit a registration or contact form, we use your details to respond, provide requested course information, and follow up about your enquiry. Legal basis: Article 6(1)(b) (steps prior to entering into a contract) and Article 6(1)(a) (consent) where you explicitly consent to be contacted.

Analytics and site improvement

If you consent to analytics cookies, we use them to understand what content is most useful (for example: which modules visitors read about, or where users drop off). Legal basis: Article 6(1)(a) consent.

Marketing measurement and remarketing

If you consent to marketing cookies, we may measure advertising performance and build audiences (for example: people who visited the course overview) to show more relevant ads. Legal basis: Article 6(1)(a) consent.

Security and fraud prevention

We use basic technical signals (such as IP address and request patterns) to keep the site secure, prevent abuse, and diagnose errors. Legal basis: Article 6(1)(f) legitimate interests (security and service integrity).

Legal obligations

Where required, we may process data to comply with legal obligations (for example: responding to lawful requests, enforcing our Terms, or keeping records required by law). Legal basis: Article 6(1)(c) legal obligation.

Automated Decision-Making (Article 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects for you.

4. Cookies & Tracking

Cookies are small text files stored on your device. We also use similar technologies such as pixel tags, and in some configurations we may use server-side event forwarding. Our use of cookies is grouped into three categories that match our Cookie Policy.

Essential cookies (always active)

Essential cookies are required for core site functions, such as session continuity and remembering your cookie preferences. These do not require consent.

• _site_session to maintain session continuity.
• cookie_consent to store your consent choices.

Retention: session to 12 months depending on the cookie. Exact retention details are in our Cookie Policy.

Analytics cookies (consent)

If you consent, we may use Google Analytics 4 (GA4) to understand traffic and improve content. Where supported, we configure analytics to reduce data risk (for example: IP anonymisation where applicable). Analytics cookies may include:

• _ga (typical retention: 2 years).
• _ga_XXXXXXXXXX (typical retention: 2 years).

We generally retain analytics event data for 14 months. This helps us compare seasonality (for example: pre-holiday planning interest vs. spring/summer intake planning).

Marketing cookies (consent)

If you consent, marketing cookies help us measure ads and show relevant content. These cookies can be used to build remarketing audiences and to attribute conversions. Examples include:

• _gcl_au (Google Ads conversion linker, typical retention: 90 days).
• _fbp (Meta Pixel browser identifier, typical retention: 90 days).
• _fbc (Meta click identifier, typical retention: 90 days when a click ID is present).

Beyond cookies, pixels and tags can transmit event signals such as page views and form completions. Some advertisers also support server-side event forwarding (for example: Meta Conversions API or Google server-side tag management). If used, identifiers may be hashed and used only for matching and measurement.

5. Consent (EEA/UK)

Users in the EEA and the UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (Article 6(1)(a)). Your choice is recorded in the cookie_consent browser cookie (typically 12 months).

You may withdraw or change consent at any time using the “Manage cookie preferences” link in the footer or by clearing cookies in your browser settings. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

6. Sharing With Advertising & Service Partners

We share personal data only where necessary to operate the website, respond to your requests, and measure the performance of our marketing when you consent. We do not sell personal data.

• Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing). Data shared may include cookie identifiers, device and browser signals, usage data, and conversion events. Privacy information: https://policies.google.com/privacy.
• Meta Platforms, Inc. (Meta Pixel, custom/lookalike audiences, Conversions API if implemented). Data shared may include page views, conversions, audience membership, and hashed identifiers. Privacy information: https://www.facebook.com/privacy/policy.
• Cloudflare (CDN and security services). Data processed may include IP address and request metadata for security and performance. Privacy information: https://www.cloudflare.com/privacypolicy/.

We do not permit these providers to use site data for their own independent commercial purposes. Some providers may process data as independent controllers for certain functions; their policies explain how they handle that.

7. International Transfers

Our service providers may process data outside the EEA/UK, including in the United States. Where applicable, we rely on appropriate transfer mechanisms such as the EU–US Data Privacy Framework (DPF) and the UK Extension to the DPF (where a provider participates), and Standard Contractual Clauses (EU 2021/914) or the UK International Data Transfer Addendum/IDTA as a fallback.

We also apply practical safeguards: minimising data shared, limiting cookie activation to consented users, and restricting access to internal systems.

8. Data Retention

We keep personal data only as long as necessary for the purposes described in this policy, unless a longer period is required by law.

• Contact and registration submissions: typically up to 2 years from the last interaction, so we can respond, maintain a record of consent, and handle follow-up.
• Email correspondence: for the duration of the relationship plus 1 year, unless a longer period is needed to address a dispute.
• Server logs and security records: typically up to 90 days, unless needed to investigate abuse.
• Analytics data: typically 14 months in the analytics system, plus aggregate reports that do not identify individuals.
• Marketing cookies: retained according to cookie lifetimes (for example: 90 days for some marketing identifiers).
• Cookie consent record: up to 3 years for audit purposes, where applicable.
• Legal and tax records: retained as required by law (often 6–10 years for certain records).

9. Your Rights (GDPR & UK GDPR)

Depending on your location, you may have rights under GDPR/UK GDPR, including:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Right to withdraw consent at any time (Article 7(3))
• Right to lodge a complaint with a supervisory authority (Article 77)

To exercise your rights, email [email protected]. We aim to respond within 30 days. For complex requests we may extend by up to 60 additional days, and we will tell you if that happens.

Supervisory authority resources: https://edpb.europa.eu (EU) and https://ico.org.uk (UK).

10. Children

This website is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have collected data from a child under 16 without verifiable parental consent, we will delete it promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own DNT handling, which you can review in their privacy policies.

12. Data Deletion Requests

You can request deletion of your personal data by emailing [email protected] with the subject line “Data Deletion Request”. We may need to verify your identity before completing the request. We will complete deletion within 30 days where we can, and we will explain any limited retention required by law.

13. Business Transfers

If we are involved in a merger, acquisition, asset sale, financing, reorganisation, or insolvency, personal data may be transferred to a successor entity. If such a transfer materially changes how your data is used, we will provide notice on the website.

14. California Privacy Notice (CCPA/CPRA)

This section applies to California residents where the CCPA/CPRA is applicable. In the past 12 months, we may have collected the categories of personal information listed below:

• Identifiers: name, email address, IP address, cookie IDs.
• Internet or network activity: browsing and interaction data on our site.
• Inferences: preferences inferred from site interactions (for example: interest in modules like inventory planning or online store operations).

We do not sell personal information as defined by the CCPA. We may share information for cross-context behavioural advertising when you consent to marketing cookies. California residents may opt out of sharing for targeted advertising by using our cookie preferences panel (Manage cookie preferences in the footer) and disabling marketing cookies.

California rights may include the right to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination. To submit a request, email [email protected] with the subject line “California Privacy Request”. We will verify your request before completing it. Authorised agents must provide proof of authorisation.

15. Virginia Privacy Notice (VCDPA)

This section applies to Virginia residents where the VCDPA is applicable. Virginia residents may have the right to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising.

We do not sell personal data. We do not engage in profiling that produces legal or similarly significant effects. To submit a request, email [email protected] with the subject line “Virginia Privacy Request”.

If we decline to take action on your request, you may appeal by emailing with the subject line “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days. If the appeal is denied, you may contact the Virginia Attorney General.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be announced via a notice on the website at least 14 days before the change takes effect. The “Last Updated” date at the top of this page is refreshed whenever we revise the policy.

18. Contact

If you have questions about privacy, your personal data, or this policy, contact:

• Legal entity: Rihvelnox Retail Education Ltd
• Address: 11 Boundary Street, Shoreditch, London E2 7JE, United Kingdom
• Email: [email protected]