X UNIVERSITY
Draft for review - not legal advice.

Legal

Privacy Policy

Last updated: [REVIEW: effective date, e.g. 24 May 2026]

1. Who is responsible for your data

The data controller for the X University Services is [REVIEW: Safa Studios legal entity name and company number], operating X University (full legal name Excellence University) in alliance with Excellence University, part of SGV. Our registered address is [REVIEW: full registered legal address]. For any privacy question, contact [REVIEW: privacy or data protection contact email]. [REVIEW: include Data Protection Officer name and contact if one is appointed.]

2. Information we collect

  • Account data: name, email, handle, headline, locale, and password (stored hashed).
  • Purchase data: programs and memberships you buy, billing records, and the last digits and type of your payment method. We do not store full card numbers.
  • Learning activity: course progress, journey data, bookmarks, event attendance, certificates, and leaderboard standing.
  • Community content: posts, messages, and other content you submit.
  • AI interactions: prompts and conversations with AI features such as the AI mentor.
  • Technical data: IP address, device and browser information, and usage data collected through cookies and similar technologies.

3. How we use your information

  • to provide, operate, and improve the Services;
  • to process payments, renewals, and refunds;
  • to deliver courses, community access, events, and AI features;
  • to communicate with you about your account, transactions, and support requests;
  • to send marketing communications where permitted, which you can opt out of at any time;
  • to maintain security, prevent fraud, and comply with legal obligations.

4. Legal bases

Where data protection law such as the GDPR applies, we rely on the following legal bases: performance of our contract with you to deliver the Services, your consent for optional communications and certain cookies, our legitimate interests in operating and securing the Services, and compliance with legal obligations. [REVIEW: confirm legal bases mapping with counsel for each processing activity.]

5. Service providers and processors

We share data with trusted providers who process it on our behalf, under contract, including:

  • Payments: [REVIEW: Stripe entity, e.g. Stripe Payments Europe, Ltd.], which processes your payment in local currency.
  • Hosting and database: [REVIEW: hosting and database provider(s), e.g. Vercel and database host].
  • Email: [REVIEW: email delivery provider].
  • AI providers: [REVIEW: AI model provider(s) powering AI features].
  • Analytics: [REVIEW: analytics provider, if any].

We do not sell your personal data.

6. International transfers

Because we operate internationally, your data may be transferred to and processed in countries other than your own. Where required, we use appropriate safeguards such as Standard Contractual Clauses. [REVIEW: confirm transfer mechanisms and destination countries with counsel.]

7. Data retention

We keep your data for as long as your account is active and as needed to provide the Services, then for the periods required to meet legal, accounting, and tax obligations. [REVIEW: specify retention periods, for example billing records kept for the statutory period in the relevant jurisdiction.]

8. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your data, to object to certain processing, and to withdraw consent. To exercise these rights, contact [REVIEW: privacy or data protection contact email]. You also have the right to lodge a complaint with your local data protection authority [REVIEW: name the lead supervisory authority if applicable].

9. Cookies

We use cookies and similar technologies for sign-in sessions, preferences, security, and, where applicable, analytics. You can control non-essential cookies through your browser or any cookie settings we provide. [REVIEW: confirm cookie categories and whether a consent banner is required in target markets.]

10. Children

The Services are not directed to children under [REVIEW: minimum age, e.g. 18], and we do not knowingly collect their data. If you believe a child has provided us data, contact us so we can delete it.

11. Security

We use technical and organizational measures designed to protect your data. No method of transmission or storage is fully secure, so we cannot guarantee absolute security.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version with a new effective date and, for material changes, provide additional notice.

13. Contact

For privacy questions, contact [REVIEW: privacy or data protection contact email], or write to [REVIEW: full registered legal address].

Terms of ServiceRefund Policy