Privacy
Policy

This Privacy Policy explains how Sully's Academy Ltd ("we", "us", "our") collects, uses, stores, and protects your personal data when you visit our website, purchase our products, or use any of our services.

Sully's Academy Ltd is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Registered address: Noble One Accountants, 114 Ripplewaters, St Marys Island, Chatham, Kent, ME4 3AY, England.

Company number: 15411421

Contact email: support@sullysacademy.com

We take your privacy seriously. We will only ever collect data we genuinely need, use it only for the purposes described in this policy, and never sell it to third parties.

Depending on how you interact with us, we may collect the following categories of personal data:

Identity data

• Full name
• Username or display name on Whop or Discord

Contact data

• Email address

Transaction data

• Details of products or services purchased
• Purchase date and amount
• Payment method type (we do not store full card details — these are handled by Whop and their payment processors)

Technical data

• IP address
• Browser type and version
• Device type and operating system
• Pages visited and time spent on our website
• Referring URLs

Marketing and communications data

• Your preferences regarding receiving marketing communications from us
• Records of any communications between you and us

Usage data

• Information about how you use our website and services
• Interactions within our Discord community (subject to Discord's own privacy policy)

We do not knowingly collect data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately.

We collect personal data through the following means:

• Direct interactions — when you purchase a product, create an account on Whop, contact us by email, or communicate with us on Discord
• Automated technologies — when you visit our website, we may automatically collect technical data through cookies, web beacons, and similar technologies
• Third parties — we may receive data about you from analytics providers such as Google, advertising platforms such as Meta (Facebook), and payment processors such as Whop and Stripe

The table below sets out how we use your personal data and the lawful basis we rely on under UK GDPR for each use.

Where we rely on legitimate interests as our lawful basis, we have considered whether our interests are overridden by your rights and interests and concluded they are not. You have the right to object to processing based on legitimate interests — see Section 10 for how to exercise this right.

We do not sell your personal data. We share it only with trusted third parties who help us deliver our services, and only to the extent necessary. These include:

Whop — our membership and payment platform. Whop processes your payment information, manages your subscription, and hosts our course content and community access. Whop acts as a data processor on our behalf. Their privacy policy is available at whop.com/privacy.

Discord — our primary community platform. When you join our Discord server, your data is also subject to Discord's privacy policy available at discord.com/privacy. We are not responsible for Discord's data practices.

Meta (Facebook and Instagram) — we use Meta's advertising platform to run paid campaigns. The Meta Pixel is installed on our website to measure ad performance and serve you relevant advertising. You can control or disable cookies through your browser settings, as described in the Cookies section below. Meta acts as an independent data controller for data collected through the Pixel. Their data policy is available at facebook.com/privacy/policy.

Google Analytics — we may use Google Analytics to understand how visitors use our website. This involves the collection of anonymised usage data. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on available at tools.google.com/dlpage/gaoptout.

Stripe — payment processing may be handled by Stripe as a sub-processor of Whop. Stripe's privacy policy is available at stripe.com/gb/privacy.

We require all third parties to respect the security of your personal data and to treat it in accordance with applicable data protection law. We do not allow them to use your data for their own purposes beyond what is described above.

Some of the third parties we work with, including Whop, Discord, Meta, and Google, are based outside the United Kingdom and the European Economic Area. As a result, your personal data may be transferred to and processed in countries that do not have the same level of data protection laws as the UK.

Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including reliance on adequacy decisions, standard contractual clauses approved by the Information Commissioner's Office (ICO), or other legally recognised transfer mechanisms.

By using our services you consent to these transfers taking place on the basis described above.

Our website uses cookies and similar tracking technologies to improve your experience and to help us understand how our website is used.

Cookies are small text files placed on your device when you visit a website. We use the following types:

• Essential cookies — necessary for the website to function. These cannot be disabled.
• Analytics cookies — help us understand how visitors interact with our website by collecting anonymised information such as pages visited and time spent on site.
• Marketing cookies — used to measure the effectiveness of our advertising campaigns, including through the Meta Pixel. You can control or disable these through your browser settings, as described below.

You can control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website. For more information about cookies and how to manage them, visit allaboutcookies.org.

We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our general retention periods are as follows:

• Customer and transaction records — retained for 7 years from the date of your last transaction, in line with HMRC requirements for financial records
• Email communications — retained for 3 years from the date of the communication, or for the duration of your membership relationship with us, whichever is longer
• Marketing preferences — retained until you withdraw consent or request deletion
• Website analytics data — retained in anonymised form for up to 26 months
• Support and complaint records — retained for 3 years from resolution

When data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or disclosure. These measures include:

• Use of reputable third-party platforms with industry-standard security certifications
• Encrypted connections (HTTPS) across our website
• Restricted access to personal data within our organisation on a need-to-know basis
• Not storing payment card details directly — all payment processing is handled by PCI-DSS compliant providers

While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords and to contact us immediately if you suspect any unauthorised access to your account.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) in accordance with our obligations under UK GDPR.

Under UK data protection law you have the following rights in relation to your personal data:

• Right of access — you have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR).
• Right to rectification — you have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
• Right to erasure — you have the right to request that we delete your personal data in certain circumstances, for example where it is no longer necessary for the purpose it was collected.
• Right to restrict processing — you have the right to request that we limit the way we use your personal data in certain circumstances.
• Right to data portability — where we process your data by automated means on the basis of your consent or a contract, you have the right to receive your data in a structured, commonly used, machine-readable format.
• Right to object — you have the right to object to our processing of your personal data where we rely on legitimate interests as our lawful basis. You also have the right to object to processing for direct marketing purposes at any time.
• Rights related to automated decision-making — you have the right not to be subject to decisions made solely by automated processing that produce legal or similarly significant effects. We do not currently carry out any such processing.

To exercise any of these rights, please contact us at support@sullysacademy.com. We will respond within one month of receiving your request. In some cases we may need to verify your identity before processing your request.

There is no charge for exercising your rights in most circumstances. However, we may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive.

We may send you marketing emails about our products, services, and updates where you have given us consent to do so, or where we have a legitimate interest in doing so as an existing customer.

You can opt out of marketing communications at any time by:

• Clicking the unsubscribe link in any marketing email we send you
• Contacting us directly at support@sullysacademy.com

Opting out of marketing communications will not affect transactional emails related to your membership or purchases, which we are required to send as part of our contract with you.

Our services are not directed at individuals under the age of 18 and we do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at support@sullysacademy.com and we will take steps to delete that information.

Our website and communications may contain links to third-party websites including Whop, Discord, YouTube, Instagram, and others. These websites have their own privacy policies and we are not responsible for their content or practices. We encourage you to read the privacy policy of any third-party website you visit.

We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. When we make material changes we will update the date at the top of this page and, where appropriate, notify you by email or through our Discord community.

We encourage you to review this policy periodically to stay informed about how we are protecting your data. Your continued use of our services after any changes constitutes your acceptance of the updated policy.

If you have any concerns about how we handle your personal data, please contact us in the first instance at support@sullysacademy.com. We will do our best to resolve any concern promptly and fairly.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority.

You can contact the ICO at:

• Website: ico.org.uk
• Helpline: 0303 123 1113
• Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF