Effective Date: 2025-10-13
Last Updated: 2025-10-13
This Privacy Policy outlines the commitment of (“the Company,” “we,” “us”) to the protection of personal data for all users of the learn.finopsweekly.com website and its associated services (collectively, “the Services”). The purpose of this document is to provide clear, comprehensive, and transparent information regarding the collection, use, storage, sharing, and protection of personal data.
This policy is designed and implemented in strict compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Spain’s Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD). As a business based in Spain, the Company is fully subject to the jurisdiction and guidance of the Spanish Data Protection Authority (Agencia Española de Protección de Datos – AEPD).
The principles of fairness, transparency, and accountability are central to our data processing operations. This policy is not merely a legal document but a declaration of our dedication to safeguarding user privacy. It explains what personal data is collected, the specific purposes for which it is used, the legal justification for each processing activity, the rights available to individuals regarding their data, and the measures taken to ensure its security. Providing this information in an accessible and intelligible format is a core tenet of data protection law, intended to empower users to make informed decisions about their personal information.
1. Who We Are: The Data Controller
1.1. Identity of the Controller
The entity responsible for the processing of your personal data (the “Data Controller”) is:
- Legal Name: Cloud Cost Control SL
- NIF (Número de Identificación Fiscal): B19340702
- Registered Address: Passeig d’Angel Guimera 67, 08230 Matadepera, Spain
This identification is a fundamental requirement under data protection law, ensuring that individuals know which entity is accountable for their data. The clear and prominent placement of this information is the first step in enabling users to exercise their rights effectively.
1.2. How to Contact Us for Privacy Matters
For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact us through our dedicated privacy channel:
- Email: [email protected]
Providing a specific and monitored contact point for privacy inquiries is essential for facilitating communication and ensuring timely responses to data subject requests, as mandated by the GDPR.
1.3. Data Protection Officer (DPO)
Under the GDPR and LOPDGDD, the appointment of a Data Protection Officer (DPO) is mandatory only under specific circumstances, such as when an organization’s core activities involve large-scale, regular, and systematic monitoring of individuals or large-scale processing of special categories of data.
Based on our current data processing activities, the Company is not legally required to appoint a formal DPO. However, we have designated an internal team responsible for overseeing data protection compliance. This team can be reached via the contact email provided in Section 1.2. Should our processing activities change in a way that necessitates the appointment of a DPO, this policy will be updated accordingly, and their contact details will be made publicly available.
2. The Personal Data We Collect and How We Collect It
The Company collects personal data through various means to provide and improve the Services. The structure of this section—separating data provided directly by the user from data collected automatically or received from third parties—is intentional. This categorization helps to clarify the context of collection, which directly relates to the legal basis for processing that is detailed in Section 3. It provides transparency not just on what data is collected, but how and when it enters our systems.
2.1. Data You Provide Directly
This category includes information you knowingly and actively provide when you interact with our Services.
- Account Registration Data: When you create an account on learn.finopsweekly.com, we collect essential information to establish and manage your user profile. This includes your full name, email address, and a password (which is stored in a hashed, non-readable format). You may also voluntarily provide additional professional information, such as your job title or company name, to enhance your profile. This data collection is a standard and necessary function of Learning Management Systems (LMS) like the one we use.
- Course Purchase & Billing Data: To process payments for on-demand courses, live cohorts, or enterprise subscriptions, we collect billing information. This includes your name, billing address, and, for business clients, a NIF or VAT number for invoicing purposes. It is important to note that sensitive payment details, such as full credit card numbers, are not stored on our servers. This information is sent directly to and processed by our secure third-party payment gateways.
- Course Participation Data: Your engagement with our educational content generates data. This includes your progress through courses, answers to quizzes, submissions for assignments, and any comments, questions, or discussions you post in course-related forums or Q&A sections. This data is fundamental to the learning experience, allowing both you and the instructors to track progress and facilitate interaction.
- Communications Data: When you contact us for customer support, provide feedback, or participate in surveys, we collect the information you include in those communications. This typically includes your name, email address, and the content of your message or responses. This allows us to address your inquiries and improve our Services.
2.2. Data We Collect Automatically
This category includes information that is automatically logged by our servers and third-party services when you access and navigate our website.
- Usage & Log Data: Like most websites, our servers automatically record information that your browser sends. This log data may include your Internet Protocol (IP) address, browser type and settings, operating system, device information, the date and time of your request, the pages you visited, the time spent on those pages, and the website you visited before coming to our site (referring URL). This information is crucial for monitoring the performance of our Services, diagnosing technical issues, and ensuring security.
- Cookie Data: We use cookies and similar tracking technologies to operate and personalize our Services. Cookies help us understand user preferences, secure user sessions, and analyze traffic patterns. This data collection is subject to your explicit consent, which is managed via our cookie consent banner. For a complete and detailed explanation of the types of cookies we use, their purpose, and how you can manage your preferences, please refer to our dedicated Cookie Policy.
2.3. Data We Receive from Third Parties
In some instances, we receive personal data about you from third-party services, always in connection with the Services we provide.
- Social Logins: If you choose to register or log in to our Services using a third-party social media account (such as Google or LinkedIn), we will receive certain profile information about you from that provider. This functionality is enabled through plugins integrated with our platform. The information we receive depends on the provider and your privacy settings with them but typically includes your name, email address, and profile picture. We receive this data only after you have authorized the connection.
- Payment Processors: When you make a purchase, our payment processors (e.g., Stripe, PayPal) provide us with information confirming the transaction. This includes a transaction ID, confirmation of payment success, and sometimes high-level fraud risk signals. We do not receive your full financial account information from them.
3. How We Use Your Personal Data (Purposes and Legal Bases)
Under the GDPR, every processing activity involving personal data must be justified by a valid legal basis. This section is the cornerstone of our privacy commitment, as it explicitly maps each purpose for which we use your data to one of the legal bases defined in Article 6 of the GDPR. Presenting this information in a structured table format is a deliberate choice to enhance clarity and transparency, allowing you to quickly understand why your data is being processed and the legal grounds for that activity. This approach moves beyond vague statements and provides the granular detail required by data protection authorities like the AEPD.
| Purpose of Processing | Types of Personal Data Used | Legal Basis under GDPR (Art. 6) |
| --- | --- | --- |
| To Provide Our Services (e.g., create and manage your account, provide access to courses, track your progress, issue certificates) | Account Registration Data, Course Participation Data, Communications Data | Performance of a Contract (Art. 6(1)(b)): Processing is necessary for the performance of the contract (our Terms of Service) to which you are a party. |
| To Process Transactions (e.g., process payments for one-time course purchases or recurring subscriptions) | Account Registration Data, Course Purchase & Billing Data, Data from Payment Processors | Performance of a Contract (Art. 6(1)(b)): Processing is necessary to fulfill your purchase orders and manage subscriptions as part of our contractual agreement. |
| To Comply with Legal Obligations (e.g., generating invoices, maintaining financial records for tax purposes as required by Spanish law) | Account Registration Data, Course Purchase & Billing Data | Legal Obligation (Art. 6(1)(c)): We are legally required to retain financial records for specific periods under Spanish commercial and tax laws. |
| To Communicate with You (e.g., send service-related emails like purchase confirmations, password resets, and course updates) | Account Registration Data, Communications Data | Performance of a Contract (Art. 6(1)(b)): These transactional communications are an essential part of delivering the service you have contracted. |
| To Send Marketing Communications (e.g., newsletters about new courses, special offers) | Account Registration Data (Name, Email), Cookie Data | Consent (Art. 6(1)(a)): We will only send you direct marketing communications if you have given us your explicit, freely given consent to do so. You may withdraw this consent at any time. |
| To Analyze and Improve Our Services (e.g., understand how users interact with our site, identify popular courses, troubleshoot issues) | Usage & Log Data, Cookie Data (Anonymized/Aggregated where possible) | Legitimate Interest (Art. 6(1)(f)): We have a legitimate interest in understanding how our Services are used to improve them, provided this does not override your rights and interests. |
| To Ensure Security and Prevent Fraud (e.g., monitor for suspicious login activity, verify payments) | Usage & Log Data, Data from Payment Processors | Legitimate Interest (Art. 6(1)(f)): We have a legitimate interest in protecting our Services, our business, and our users from fraudulent and unauthorized activity. |
4. Who We Share Your Personal Data With (Recipients and Sub-processors)
We do not sell your personal data. However, to provide our Services, we share your data with certain third parties who act on our behalf. In the language of the GDPR, these third parties are known as “processors” or “sub-processors.” We, as the “controller,” remain ultimately responsible for the protection of your data. We have entered into Data Processing Agreements (DPAs) with these service providers, which contractually obligate them to protect your data and only use it for the specific purposes we instruct. This section provides transparency about who these parties are and why we share data with them.
4.1. Instructors and Course Collaborators
To facilitate the educational experience, certain personal data is shared with the instructors of the courses you enroll in. This includes your name, email address, and data related to your course participation, such as your progress, quiz scores, and assignment submissions. This sharing is essential for instructors to provide feedback, answer questions, and support your learning journey. Our platform’s multi-instructor capabilities are designed to manage this access securely.
4.2. Service Providers (Sub-processors)
We rely on a select number of third-party service providers to perform key functions. Below is a list of our main sub-processors, the service they provide, their location, and a link to their privacy policy.
- Payment Processing: To securely process payments for our courses and subscriptions, we use:
  - Stripe, Inc. (USA): Processes credit card and other payment methods. Stripe Privacy Policy: https://stripe.com/privacy.
  - PayPal S.à r.l. et Cie, S.C.A. (Luxembourg): Provides an alternative payment gateway. PayPal Privacy Policy: https://www.paypal.com/us/legalhub/paypal/privacy-full.
- Marketing & Email Communications: For sending newsletters and other marketing communications (based on your consent), we use:
  - Beehiiv (USA): Manages our email lists and campaigns. Beehiiv Global Privacy Statement: https://www.beehiiv.com/privacy.
- Website Analytics: To understand how our users interact with the Services and to improve user experience, we use:
  - Google LLC (USA): Provides website analytics through its Google Analytics service. Google Privacy Policy: https://policies.google.com/privacy.
- Live Sessions & Cohort-Based Courses: For hosting interactive live classes and workshops, we use:
  - Zoom Video Communications, Inc. (USA): Provides the video conferencing platform for our live courses. Zoom Privacy Statement: https://www.zoom.com/en/trust/zoom-events-privacy/.
- Video Hosting: To deliver our on-demand video course content reliably and securely, we use:
  - Vimeo, Inc. (USA): Hosts the video files embedded in our courses. Vimeo Privacy Policy: https://vimeo.com/privacy.
4.3. Enterprise Clients
If your access to the Services is provided by your employer or another organization (an “Enterprise Client”), we will share information about your course progress and completion with the designated administrator(s) of that organization’s account. This sharing is necessary to fulfill our contractual obligations with the Enterprise Client.
4.4. Legal and Law Enforcement
We may be required to disclose your personal data if compelled to do so by law, regulation, or a valid and binding legal process, such as a court order or subpoena. We will only disclose data to the extent necessary to comply with such a request.
5. International Data Transfers
As a business operating within the European Union, we are subject to the strict rules of the GDPR regarding the transfer of personal data to countries outside the European Economic Area (EEA). Some of the service providers we use, as listed in Section 4.2, are based in the United States. This means that in the course of providing our Services, your personal data may be transferred to and processed in the U.S.
We only perform such transfers when a valid legal mechanism is in place to ensure that your data receives a level of protection that is essentially equivalent to that provided within the EU. The legal landscape for EU-U.S. data transfers has been subject to significant change, with previous frameworks being invalidated by the Court of Justice of the European Union. Our approach is therefore designed to be resilient and compliant with the latest legal standards.
5.1. Adequacy Decision: The EU-U.S. Data Privacy Framework
The primary legal mechanism we rely on for transfers to eligible U.S.-based companies is the EU-U.S. Data Privacy Framework (DPF). On July 10, 2023, the European Commission adopted an adequacy decision for the DPF, deeming that it provides an adequate level of protection for personal data transferred from the EU to U.S. companies that have self-certified their compliance with the DPF Principles.
We have verified that our key U.S.-based sub-processors, including Google LLC, Intuit Inc. (Mailchimp), Stripe, Inc., and Zoom Video Communications, Inc., are certified and listed on the official Data Privacy Framework List administered by the U.S. Department of Commerce. We rely on their certification as the legal basis for transferring your personal data to them.
5.2. Standard Contractual Clauses (SCCs)
In situations where a U.S.-based service provider is not certified under the DPF, or for transfers to providers in other countries that have not been granted an adequacy decision by the European Commission, we use Standard Contractual Clauses (SCCs) as the transfer mechanism. SCCs are pre-approved model data protection clauses adopted by the European Commission that contractually oblige the data importer to implement appropriate data protection safeguards.
By employing a multi-layered strategy that utilizes both the DPF and SCCs, we demonstrate a proactive and risk-aware approach to international data transfers, ensuring that your data remains protected regardless of potential future legal challenges to any single transfer mechanism.
6. How Long We Keep Your Data (Data Retention)
The GDPR principle of “storage limitation” requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Our data retention policies are designed to comply with this principle while also fulfilling our legal and operational requirements. A generic statement that data is kept “as long as necessary” is insufficient; therefore, we specify the retention periods for different categories of data.
6.1. Account Data
We retain the personal data associated with your user account—such as your name, email address, and profile information—for as long as your account remains active. This is necessary to provide you with continuous access to your purchased courses, learning history, and certificates. If you choose to delete your account, we will permanently delete or anonymize your account data within a period of 90 days, unless a specific legal obligation requires us to retain it for longer (as detailed below).
6.2. Financial and Transaction Data
This category of data is subject to specific legal retention obligations in Spain that override a user’s right to erasure in the short term. According to Article 30 of the Spanish Commercial Code (Código de Comercio), businesses are required to conserve books, correspondence, documentation, and supporting documents concerning their business for a period of 6 years from the last accounting entry.
Therefore, all invoices, payment records, and related transaction data will be retained for a minimum of 6 years from the end of the fiscal year in which the transaction occurred. This legal obligation takes precedence over requests for erasure concerning this specific data set. This retention period is longer than the 4-year period generally required for tax purposes, and we adhere to the stricter requirement to ensure full legal compliance.
6.3. Course Participation Data
Data generated through your participation in courses, such as your progress, quiz results, and assignment submissions, is considered part of your account data. It will be retained as long as your account is active to ensure you can review your learning history and access any earned certificates. Upon account deletion, this data will be either deleted or anonymized along with your main account data.
6.4. Marketing Consents and Communications
If you have consented to receive marketing communications, we will retain a record of your consent and your contact details for this purpose as long as you remain subscribed. If you choose to unsubscribe, we will cease sending you marketing materials but may retain a record of your request on a suppression list to ensure we honor your preference in the future.
7. Your Data Protection Rights
Under the GDPR and LOPDGDD, you, as a data subject, are granted a comprehensive set of rights to control your personal data. We are committed to upholding these rights and have established clear procedures to facilitate their exercise.
You have the following rights:
- The Right of Access: You have the right to request a copy of the personal data we hold about you and information about how we process it.
- The Right to Rectification: If you believe any personal data we hold about you is inaccurate or incomplete, you have the right to request its correction.
- The Right to Erasure (‘Right to be Forgotten’): You have the right to request the deletion of your personal data. This right is not absolute and may be subject to certain exceptions, such as our legal obligation to retain financial data for a specific period, as detailed in Section 6.2.
- The Right to Restrict Processing: You have the right to request that we temporarily or permanently stop processing all or some of your personal data under certain conditions.
- The Right to Data Portability: You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format, and the right to transmit that data to another controller.
- The Right to Object: You have the right to object, on grounds relating to your particular situation, to the processing of your personal data when that processing is based on our legitimate interests. In such cases, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- The Right to Withdraw Consent: Where we process your data based on your consent (for example, for marketing communications), you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Rights Related to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
To exercise any of these rights, please contact us at the email address provided in Section 1.2: [email protected]. To protect your privacy and security, we may need to take reasonable steps to verify your identity before processing your request.
8. Data Security
The Company takes the security of your personal data very seriously. We implement and maintain appropriate technical and organizational measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. This is a core requirement under Article 32 of the GDPR.
Our security measures include, but are not limited to:
- Data Encryption: All data transmitted between your browser and our website is encrypted using Transport Layer Security (TLS/SSL). Data at rest is also stored in an encrypted format where appropriate.
- Password Security: User account passwords are not stored in plain text. They are protected using strong, one-way hashing algorithms.
- Access Controls: Access to personal data within our organization is restricted on a “need-to-know” basis. Employees and contractors who have access to user data undergo background checks where appropriate and are bound by strict confidentiality obligations.
- Secure Infrastructure: Our servers are located in secure data centers with 24/7 physical security monitoring. We also employ measures such as firewalls and Distributed Denial of Service (DDoS) mitigation to protect our infrastructure.
- Regular Security Assessments: We conduct regular security reviews and penetration tests to identify and remediate potential vulnerabilities in our systems.
- Vendor Security: We carefully vet the security and privacy practices of our third-party service providers and require them to adhere to strict data protection standards through contractual agreements.
While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.
9. Cookie Policy
Our website, learn.finopsweekly.com, uses cookies and similar tracking technologies. These technologies are small data files placed on your device that help us to operate the website, enhance its functionality, analyze user behavior, and deliver personalized content and advertising.
The use of cookies in Spain is regulated by both the GDPR and Article 22.2 of the Law 34/2002 on Information Society Services and Electronic Commerce (LSSI). In line with the guidance from the Spanish Data Protection Authority (AEPD), we distinguish between essential (technical) cookies, which do not require consent, and non-essential cookies (such as those for analytics, performance, and advertising), for which we must obtain your explicit and informed consent.
Due to the detailed information required, we maintain a separate Cookie Policy that provides comprehensive details on:
- What cookies are and how they work.
- The specific types of cookies we use (e.g., technical, analytics, marketing).
- Whether cookies are first-party or third-party.
- The purpose and duration of each cookie.
- How you can manage your cookie preferences and withdraw your consent at any time.
We provide a direct and prominent link to our full Cookie Policy within our cookie consent banner and in the footer of our website. You can access our detailed Cookie Policy here:
10. Children’s Privacy
Our Services are intended for a professional audience and are not directed at children. In accordance with Spanish law, which sets the age for valid consent to data processing at 14, we do not knowingly collect or solicit personal data from anyone under the age of 14.
If we become aware that we have inadvertently collected personal data from a child under the age of 14 without verification of parental consent, we will take steps to delete that information from our servers as quickly as possible. If you are a parent or guardian and you believe that your child under 14 has provided us with personal data, please contact us immediately at [email protected].
11. Changes to This Privacy Policy
The legal and operational landscape for data privacy is constantly evolving. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make changes, we will update the “Last Updated” date at the top of this policy. If we make material changes—that is, changes that significantly alter your rights or our data processing practices—we will provide more prominent notice. This may include sending a notification to the email address associated with your account or posting a visible notice on our website prior to the change becoming effective. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
12. How to Lodge a Complaint
We are committed to resolving any concerns you may have about our collection or use of your personal data. If you have a complaint, we encourage you to first contact us at [email protected] so that we can address your concerns directly.
However, under the GDPR, you have the right to lodge a complaint with a data protection supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of your personal data violates the regulation.
As our company is established in Spain, our lead supervisory authority is the Spanish Data Protection Authority (Agencia Española de Protección de Datos – AEPD). You can contact them at:
- Name: Agencia Española de Protección de Datos (AEPD)
- Address: C/ Jorge Juan, 6, 28001-Madrid, Spain
- Website: https://www.aepd.es/
- Telephone: +34 901 100 099 / +34 912 663 517
Providing this information is a mandatory requirement to ensure you are fully aware of your right to seek redress through the appropriate regulatory channels.