Privacy Policy

Last Updated: [December 15, 2025]

CGD Vibes – Create, Grow, Dream

TABLE OF CONTENTS

1. Introduction & Scope
2. Who We Are & Contact Information
3. Data Controller & Data Processor Roles
4. Information We Collect
5. How We Use Your Information
6. Legal Bases for Processing
7. Automated Decision-Making & Profiling
8. How We Share Your Information
9. Third-Party Services & Subprocessors
10. International Data Transfers
11. Data Retention
12. Data Security
13. Data Breach Notification
14. Cookies & Tracking Technologies
15. Your Privacy Rights
16. Children's Privacy
17. Marketing Communications & Your Choices
18. California-Specific Disclosures
19. Changes to This Privacy Policy
20. Contact Us & Complaints

1. INTRODUCTION & SCOPE

1.1 Our Commitment to Privacy

At CGD Vibes, we protect your privacy and handle your personal information responsibly, transparently, and in compliance with:

• Quebec Law 25 (Act respecting the protection of personal information in the private sector)
• Canada's PIPEDA (Personal Information Protection and Electronic Documents Act)
• GDPR (General Data Protection Regulation) - EU/UK
• CCPA/CPRA (California Consumer Privacy Act/Rights Act)
• Other applicable privacy laws worldwide

This Privacy Policy explains what personal information we collect, how we use and share it, your rights, and how to exercise them.

1.2 Who This Policy Applies To

This policy applies to all CGD Vibes users:

• Students/Buyers: Purchase courses, products, services
• Sellers/Creators: List and sell products, courses, services
• Community Members: Participate in platform communities
• Affiliates: Enrolled in affiliate programs
• Website Visitors: Browse cgdvibes.com

1.3 Acceptance

By accessing CGD Vibes, you acknowledge and agree to this Privacy Policy and our Terms of Service. If you disagree, you may not use our platform.

1.4 Language Rights (Quebec Residents)

English version is authoritative except for Quebec consumers.
French version available upon request: email [email protected] (provided within 30 days).
For Quebec consumers, French version governs where required by law (Bill 101).

2. WHO WE ARE & CONTACT INFORMATION

Company: CGD Vibes is operated by N.W. Marketing Inc. (Quebec, Canada).

Address: 204 rue du Saint-Sacrement, Espace 300, Montréal, Quebec, Canada, H2Y 1W8

Email: [email protected] | Privacy Officer: [email protected]

3. DATA CONTROLLER & PROCESSOR ROLES

3.1 CGD Vibes as Data Controller

CGD Vibes controls:

• Platform accounts and operations
• Payment processing (as Merchant of Record)
• Analytics and improvements
• Legal compliance
• Customer support
• CGD Vibes marketing

3.2 Sellers = Independent Controllers

Sellers operate independent businesses and control:

• External customer communications
• Data collected outside the platform
• Their own marketing
• Their business compliance

CGD Vibes is NOT responsible for sellers' independent data practices.

3.3 Data Boundaries

Platform Data (CGD Vibes controls):

• Account info, payments, transactions
• Platform usage, analytics
• Platform communities
• Support tickets

Seller Access (limited to orders):

• Buyer name, email
• Order details for fulfillment
• Platform messages

Seller Independent Data:

• External websites/forms
• Own email lists
• External customer relationships

4. INFORMATION WE COLLECT

4.1 You Provide Directly

All Users:

• Name, email, password, username
• Profile info (bio, photo, links)
• Country, language preferences

Sellers Additional:

• Business name, description
• Tax IDs (SSN/EIN for US, Business Number for Canada)
• Bank account (via Stripe Connect - secure)
• ID verification documents
• Product listings

Buyers:

• Billing name/address
• Payment info (via Stripe/PayPal - we don't store full card numbers)
• Purchase history

All Users:

• Course progress, community posts
• Support tickets, messages
• Survey responses

4.2 Collected Automatically

Technical:

• IP address, browser, device type
• OS, screen resolution, language
• Time zone

Usage:

• Pages visited, features used
• Clicks, navigation, session duration
• Content interactions
• Approximate location (IP-based for tax/compliance)

Logs:

• Server logs (security)
• Error reports
• Performance metrics

4.3 Cookies & Tracking

We use cookies, pixels, beacons for:

• Authentication (keep you logged in)
• Preferences
• Analytics (Google Analytics, Stripe server-side)
• Advertising (Facebook, Google, TikTok Ads)
• Affiliate tracking
• Bot protection (Cloudflare, hCaptcha)
• Embedded video content (YouTube)
• Error monitoring (Bugsnag)
• Alternative payment processing (Paystack)
• Consent management (Cookiebot).

See Section 14 for cookie details.

4.4 From Third Parties

• Payment confirmations (Stripe, PayPal)
• Fraud assessments
• Social media profile (if you use social login)
• Affiliate referral data

4.5 Sensitive Information (Limited)

Tax IDs (Sellers Only):

• Required by law for payments/tax reporting
• Stored securely via Stripe Connect
• Used only for legal compliance

Government ID (Sellers Only):

• Required for verification/fraud prevention
• Encrypted storage
• Retained per legal requirements

We Do NOT Collect:

• Health info
• Biometric data
• Precise GPS location
• SSNs from buyers

5. HOW WE USE YOUR INFORMATION

5.1 Platform Operations

• Create/manage accounts
• Process purchases, deliver products
• Buyer-seller communication
• Communities and forums
• Customer support
• Personalization

5.2 Payments & Financial (As Merchant of Record)

• Process all payments
• Calculate/collect taxes (GST/HST, VAT, sales tax)
• Issue receipts
• Process seller payouts
• Handle refunds, chargebacks
• Financial record-keeping

5.3 Improvement & Analytics

• Understand platform usage
• Identify trends, patterns
• Research & testing
• Develop new features
• Optimize performance

5.4 Communications

Transactional (cannot opt out):

• Order confirmations, receipts
• Security alerts, verification
• Policy updates
• Support responses
• Tax docs (1099-K, T4A)

Marketing (can opt out):

• Promotions, sales
• Newsletters
• Product recommendations
• Surveys

5.5 Security & Fraud Prevention

• Detect/prevent fraud, abuse
• Monitor suspicious activity
• Verify identity
• Enforce Terms of Service
• Protect IP rights
• Respond to security incidents
• Risk management for sellers
• Prevent chargebacks

5.6 Legal Compliance

• Respond to legal requests, court orders
• Tax reporting (IRS, CRA, authorities)
• Financial regulations (AML, KYC)
• Law enforcement cooperation
• Defend legal claims

5.7 Business Operations

• Mergers, acquisitions
• Due diligence
• Internal admin, audits
• Staff training

6. LEGAL BASES FOR PROCESSING (GDPR/UK GDPR)

Where GDPR applies, we process data only with valid legal basis:

Contract Performance:

• Account creation, purchases
• Seller payouts, services
• Platform features
• Support

Legal Obligation:

• Tax reporting/remittance
• Financial record-keeping (7 years)
• AML/KYC regulations
• Court orders, legal process
• Regulatory reporting

Legitimate Interests:

• Security, fraud prevention
• Platform improvement
• Business operations
• Marketing to existing customers
• Legal defense
• IP protection

You can object to legitimate interest processing (Section 15.4).

Consent:

• Non-essential cookies/tracking
• Marketing (where required)
• Sensitive data processing (where applicable)

You can withdraw consent anytime (doesn't affect prior processing).

Vital Interests:

• Rare: protecting life/physical safety

7. AUTOMATED DECISION-MAKING & PROFILING

7.1 Overview

We use automated systems for efficiency and security. You have rights regarding automated processing.

7.2 Automated Systems

Fraud Detection:

• Purpose: Prevent fraud, chargebacks
• How: Analyze transaction patterns, device info, IP, behavior (via Stripe)
• Decisions: Flag for review, decline high-risk, require verification
• Impact: May delay/decline transactions

Payment Verification:

• Purpose: Verify seller identity, comply with regulations
• How: Automated verification via Stripe Connect
• Decisions: Approve/reject seller verification, payout eligibility
• Impact: May delay seller activation/payouts

Account Security:

• Purpose: Detect compromised accounts, spam
• How: Monitor login patterns, posting behavior
• Decisions: Trigger security alerts, restrict accounts, flag content
• Impact: May restrict access pending verification

Content Moderation (Flagging Only):

• Purpose: Identify prohibited content
• How: Keyword/pattern detection
• Decisions: Flag for human review (not automatic removal)
• Impact: Flagged content reviewed by moderators

Personalization:

• Purpose: Recommend relevant products
• How: Analyze browsing, purchases, preferences
• Decisions: What to display/recommend
• Impact: Personalized experience (doesn't affect access)

7.3 NO Solely Automated Significant Decisions

Important: We do NOT make solely automated decisions with legal/significant effects without human involvement.

All significant decisions have human review:

• Account termination
• Permanent payout denial
• Content removal (final)
• Dispute resolutions
• Refund denials

7.4 Your Rights

Right to Human Review:

• Request human review of automated decisions
• Express your perspective
• Receive explanation of logic
• Understand significance/consequences

How to Request: Email [email protected]:

• Subject: "Request for Human Review"
• Describe automated decision
• Your perspective
• Request explanation

Response: Within 7 business days.

7.5 Marketing Profiling

We analyze platform activity for:

• Personalized recommendations
• Relevant feed content
• Tailored marketing (if opted in)

You can:

• Opt out of marketing (Section 17)
• Object to profiling (Section 15)
• Doesn't affect core functionality

8. HOW WE SHARE YOUR INFORMATION

8.1 General Principles

CGD Vibes does NOT sell your personal information.

We share only when necessary for operations, legal compliance, or with your consent, and only with parties contractually required to protect your data.

8.2 Sellers (Limited Info)

When you purchase from a seller:

Shared with Seller:

• Your name
• Email address
• Order details
• Shipping address (physical products only)

Purpose: Order fulfillment, support, delivery.

Seller Obligations: Protect your info per applicable law, use only for fulfillment, comply with privacy obligations.

CGD Vibes NOT responsible for sellers' external use or violations.

8.3 Service Providers (Subprocessors)

We engage third parties bound by confidentiality who process data on our behalf:

Platform & Hosting:

• EzyCourse (platform software)
• AWS, Azure, Cloudflare (hosting, CDN)
• BunnyCDN (content delivery)

Payments:

• Stripe (processing, payouts, tax)
• PayPal (alternative payment)

Communications:

• Mailchimp, SendGrid, Postmark (email)
• Crisp (customer support chat)

Analytics:

• Google Analytics (usage)
• Stripe (server-side transaction analytics)

Marketing:

• Facebook/Meta (ads, retargeting)
• Google Ads
• TikTok Ads
• SES (transitioning out)

8.4 Affiliates

When you use an affiliate link:

• Affiliate receives purchase confirmation (anonymized or commission-only)
• No personal contact info shared (unless you provide separately)

8.5 Business Transfers

If CGD Vibes is involved in merger, acquisition, sale, bankruptcy:

• Your info may transfer to acquiring entity
• Notice provided before transfer
• Acquiring entity bound to this policy (unless you consent to new one)
• You can delete account before transfer

8.6 Legal Requirements

We may disclose when necessary to:

Legal Process:

• Court orders, subpoenas
• Governmental/regulatory requests
• Tax reporting obligations
• Data protection authority inquiries

Protect Rights:

• Enforce Terms, policies
• Investigate fraud, abuse
• Protect rights, property, safety
• Defend legal claims
• Prevent illegal activity/harm

With Your Consent: When you explicitly consent or direct us.

9. THIRD-PARTY SERVICES & SUBPROCESSORS

9.1 Key Subprocessors

[Detailed table with Service Provider, Purpose, Data Processed, Location for each category]

Platform Infrastructure:

• EzyCourse: Platform software | Account data, content, usage | Germany (EU)
• AWS: Cloud hosting | All platform data | EU, US
• Azure: Additional cloud | Platform data, backups | EU, US
• Cloudflare: CDN, DDoS protection | IP, request data | Global
• BunnyCDN: Content delivery | IP, file access logs | Global
• Payment Processing: Paystack | Alternative payment checkout | Payment info, transaction data | US, Nigeria (Global)
• Video / Content: YouTube (Google) | Embedded video player for course content | Viewing behavior, device info, player preferences | US (Global)
• Security: hCaptcha | Bot detection and human verification | IP, interaction data | US (Global)
• Error Monitoring: Bugsnag (via EzyCourse) | Platform error detection and reporting | Anonymous error logs, device info | Germany (EU)
• Consent Management: Cookiebot (Usercentrics) | Cookie consent banner and preference management | Consent records | Denmark (EU)
• Social / Sharing: ShareThis | Social sharing functionality and cookie test | Minimal interaction data | US (Global)
• Chat Support: b.chatconnect.cloud | Live chat support widget | Name, email, messages, language preference | Global

Payment Processing:

• Stripe: Payments, payouts, tax, KYC | Payment info, transactions, tax IDs, bank accounts | US, Global
• PayPal: Alternative payment | Payment info, email | US, Global

Communications:

• Mailchimp: Marketing emails | Email, name, preferences | US
• SendGrid: Transactional email | Email, content | US
• Postmark: Transactional email | Email, content | US
• Crisp: Customer support chat | Name, email, messages | EU
• AnyChat: Customer support chat | Name, email, messages | EU

Analytics:

• Google Analytics: Usage analytics | IP (anonymized), behavior | US, Global
• Stripe Analytics: Server-side transaction | Purchase data, behavior | US

Marketing:

• Facebook Pixel/Meta: Ads, retargeting | IP, behavior, device info | US, Global
• Google Ads: Advertising | IP, behavior, device info | US, Global
• TikTok Ads: Advertising | IP, behavior, device info | US, Global

9.2 Data Processing Agreements

All subprocessors bound by:

• DPAs meeting GDPR Article 28
• Contractual protection obligations
• Security requirements (encryption, access controls)
• Confidentiality obligations

9.3 Subprocessor Changes

Notification:

• We update Subprocessor List when adding/changing
• 30 days' advance notice for material changes (if you request notifications)
• You can object (see 9.4)

To Receive Notifications: Email [email protected]: Subject "Subprocessor Notification Request"

9.4 Objecting to Subprocessors (GDPR)

If you object to new subprocessor:

1. Submit objection to [email protected] within 30 days
2. Provide reasons
3. We'll either implement alternatives OR allow termination without penalty + pro-rated refund

Limitation: If subprocessor essential and no alternative exists, may be unable to accommodate; you may terminate account.

10. INTERNATIONAL DATA TRANSFERS

10.1 Data Storage Locations

Primary storage:

• EU (Germany - Frankfurt) via EzyCourse
• Canada for corporate operations
• US for certain providers (Stripe, analytics, communications)

10.2 Cross-Border Transfers

When transferring from EEA/UK/Switzerland to countries without adequate protection (US, Canada), we implement appropriate safeguards.

10.3 Transfer Safeguards

Standard Contractual Clauses (SCCs):

• European Commission-approved SCCs for EEA transfers
• UK International Data Transfer Addendum for UK transfers
• SCCs in contracts with all subprocessors receiving EEA/UK data

Adequacy Decisions:

• Rely on EC adequacy decisions where applicable (e.g., Canada for certain commercial transfers)

Additional Safeguards:

• Encryption (transit + rest)
• Strict access controls
• Regular security audits
• Contractual data protection commitments

10.4 EzyCourse GDPR Compliance

EzyCourse operates GDPR-compliant infrastructure:

• Primary location: EU (Germany - Frankfurt)
• Implements appropriate technical/organizational measures
• Uses SCCs for transfers outside EU

10.5 Your Rights

Right to Information: Request info about:

• Which data is transferred internationally
• Countries where processed
• Safeguards in place

Right to Object: In certain circumstances, may object to international transfers. If transfer necessary for services, may be unable to accommodate; you may terminate account.

How to Request: Email [email protected]: Subject "International Data Transfer Inquiry"

10.6 Copies of Safeguards

Request copies of SCCs, UK Addendum, etc. by emailing [email protected]. Provided within 30 days (confidential commercial info redacted).

11. DATA RETENTION

11.1 General Principle

We retain personal information only as long as necessary for collection purposes, legal obligations, dispute resolution, and legitimate interests.

11.2 Retention Periods

[Comprehensive retention table by data category]

Account & Profile:

• Active accounts: Duration + 2 years | Platform ops, security, disputes
• Closed accounts: 2 years, then anonymized | Fraud prevention, disputes
• Seller listings (unpurchased): 90 days after deletion
• Seller listings (purchased): As long as buyers have access

Transaction & Financial:

• Transaction records: 7 years | Tax, audits, legal
• Payment info (Stripe): Per Stripe policies (typically 7 years)
• Refund/chargeback records: 7 years
• Tax documents: 7 years minimum (permanent for authorities)
• Seller payout records: 7 years

Communications:

• Support tickets: 3 years after resolution
• Platform messages: 1 year after send
• Transactional emails: 2 years
• Marketing emails: Until opt-out + 30 days
• Community posts: May remain unless removal requested

Security & Compliance:

• Fraud records: 10 years
• Abuse/violation reports: 7 years after account closure
• Legal hold data: Duration of matter + 3 years
• Audit logs: 3 years
• ID verification (sellers): 7 years after closure

Analytics & Usage:

• Aggregated/anonymized: Indefinitely
• Individual usage logs: 1 year
• IP address logs: 90 days (unless flagged)

11.3 Extended Retention

May retain beyond standard periods for:

• Legal holds/litigation
• Regulatory investigations
• Active disputes
• Specific legal obligations
• Fraud prevention (confirmed patterns)

Notification: Where permissible, we notify affected users.

11.4 Data Minimization

We regularly:

• Delete unnecessary data
• Anonymize/pseudonymize where possible
• Aggregate for statistics when individual records unneeded

11.5 Post-Deletion

After retention expires:

• Permanent deletion from active systems + backups, OR
• Anonymization (stripped of identifiers, can't be re-linked)

Anonymized data:

• Retained indefinitely for analytics
• Cannot identify individuals
• Not "personal information" under law

11.6 Backups

Backup Retention:

• Up to 90 days for disaster recovery
• Encrypted, accessible only to authorized personnel
• After 90 days, overwritten/deleted

If You Delete:

• Data marked for deletion immediately in active systems
• Backup copies overwritten within 90 days
• Cannot selectively remove from backups (but backups temporary/isolated)

11.7 User-Initiated Deletion

You Control Your Data:

• Marketplace sellers: Delete account anytime via account settings
• Regular members: Request deletion via [email protected]

Data Download Before Deletion:

• Sellers: Download data (products, sales, content) in CSV
• Members: Request data export

What Happens When You Delete:

• Profile/PII deleted within 30 days
• Purchased content may remain accessible (you lose access)
• Created/sold content remains for buyers who purchased it
• Transaction records retained 7 years (anonymized where possible)
• Community posts may remain (request removal before deleting)

12. DATA SECURITY

12.1 Our Commitment

CGD Vibes implements reasonable administrative, technical, and organizational measures to protect your information from unauthorized access, disclosure, alteration, destruction.

12.2 Technical Measures

Encryption:

• Data in transit: TLS 1.2+ (HTTPS)
• Data at rest: Sensitive data encrypted (passwords, payment info, tax IDs)
• Backups: Encrypted in transit + at rest

Authentication & Access:

• Passwords: Hashed (bcrypt or similar - we can't access your actual password)
• 2FA: Available for all (required for high-volume sellers)
• Role-Based Access (RBAC): Limited internal access by job function
• Least Privilege: Access only to necessary data

Network Security:

• Firewalls, intrusion detection
• DDoS protection (Cloudflare)
• Regular vulnerability scanning, penetration testing
• Secure hosting (AWS, Azure, EzyCourse)

Payment Security:

• PCI-DSS compliance (via Stripe, PayPal)
• Tokenization (we never store full card numbers)
• Secure payment forms (isolated iframes)

12.3 Organizational Measures

CGD Vibes implements reasonable organizational practices to protect your data:

Access Controls:

• Limited access to personal data based on business need
• Confidentiality obligations for anyone with data access
• Account access logged and monitored

Vendor Management:

• Third-party providers (Stripe, hosting, email) contractually required to protect data
• We use reputable, security-conscious service providers
• Data Processing Agreements in place where required by law

Incident Response:

• Documented procedures for responding to security incidents
• Immediate containment and investigation of suspected breaches
• Notification to affected users and authorities as required by law (see Section 13)

12.4 Limitations & User Responsibility

No System is 100% Secure: Despite measures, no system guarantees absolute security. Internet transmission and electronic storage have inherent risks.

Your Responsibilities:

• Protect your password: Strong, unique, don't share
• Enable 2FA: Strongly recommended (especially sellers)
• Secure your devices: Up-to-date antivirus, OS
• Beware phishing: We never ask for passwords via email/phone
• Report suspicious activity: Notify us immediately if unauthorized access suspected

CGD Vibes Not Liable For:

• Unauthorized access from your failure to secure credentials
• Breaches from your own actions (sharing passwords, phishing)
• Vulnerabilities in your devices/connection

Subject to applicable law and Terms of Service Section 15.

12.5 Third-Party Security

Payment Processors: Stripe, PayPal maintain:

• PCI-DSS Level 1 certification
• Advanced fraud detection
• Secure storage/transmission
• Regular third-party audits

Platform Provider: EzyCourse maintains:

• EU data centers with physical security
• Regular security audits/certifications
• Incident response, breach notification
• Contractual security commitments to CGD Vibes

13. DATA BREACH NOTIFICATION

13.1 Our Commitment

In the event of a data breach affecting your personal information, CGD Vibes commits to prompt and transparent notification.

13.2 Discovery & Initial Response (0-72 Hours)

Upon discovering a breach, we will immediately:

• Contain the breach and prevent further unauthorized access
• Assess what data was affected and how many users impacted
• Engage security experts if needed
• Document the incident for regulatory reporting

13.3 User Notification (Within 72 Hours)

We will notify affected users within 72 hours via email, including:

✓ Clear description of what happened

✓ Types of data affected (see categories below)

✓ When the breach occurred and when we discovered it

✓ Steps we're taking to secure the platform

✓ Recommended actions you should take

✓ Contact information: [email protected] 

✓ Your privacy rights under applicable laws

13.4 Data We Control (Breach Risk Categories)

CGD Vibes directly controls and could be affected by a breach:

Account & Profile Data:

• Usernames, emails, phone numbers
• Names, addresses, profile information
• Account preferences and settings

Transaction History:

• Purchase records and order history
• Sales records (for sellers)
• Transaction amounts and dates
• Product/course enrollment data

Platform Activity:

• IP addresses and device information
• Login history and session data
• Course progress and activity logs
• Messages and support tickets

User Content:

• Uploaded courses, products, and files
• Community posts and comments
• Profile photos and media

Data NOT at Risk (Managed by Stripe):

• ❌ Credit card numbers (Stripe stores these, not us)
• ❌ Bank account details (Stripe Connect manages these)
• ❌ Tax IDs/SSNs (Stripe collects these for sellers)
• ❌ Government ID documents (Stripe verifies these)

If Stripe experiences a breach of payment data, Stripe will handle notification directly as required by PCI-DSS and applicable law.

13.5 Immediate Protective Actions

If a breach occurs, we will automatically:

✓ Force password resets for all affected accounts

✓ Enable two-factor authentication (2FA) if not already active

✓ Increase monitoring for suspicious activity (90 days)

✓ Notify law enforcement if criminal activity suspected

✓ Notify regulators as required by law (PIPEDA, GDPR, state laws)

13.6 Recommended User Actions

We will advise affected users to:

✓ Change your password immediately (we'll force reset)

✓ Enable two-factor authentication

✓ Review your account for any unauthorized changes

✓ Be alert for phishing emails using your information

✓ Monitor your CGD Vibes account activity

If payment data potentially affected (via Stripe breach): 

✓ Monitor bank/card statements for unauthorized transactions

✓ Consider placing fraud alerts with credit bureaus

✓ Contact your bank if you see suspicious activity

13.7 Ongoing Communication

• Updates every 7 days until incident resolved
• Final incident report within 30 days of resolution including:
• • Root cause explanation
  • Steps taken to prevent recurrence
  • Timeline of events

13.8 Breach Support

Contact for Questions:

• Email: [email protected] 
• Response time: Within 4 hours for urgent security inquiries

No Penalties: Users affected by a breach will NOT face penalties for:

• Requesting immediate account closure
• Terminating subscriptions early without fees
• Withdrawing available funds immediately (sellers)

13.9 Regulatory Compliance

We will notify authorities as required:

• PIPEDA (Canada): 72-hour notification to Privacy Commissioner for breaches posing real risk of significant harm
• Quebec Law 25: Notification to CAI within 72 hours
• GDPR (EU/UK): 72-hour notification to supervisory authority for breaches likely resulting in risk to rights
• CCPA/CPRA (California): Notification to Attorney General if 500+ CA residents affected
• State breach laws (US): Per requirements of each affected state

13.10 What We DON'T Offer

As a small platform, we do NOT provide:

• ❌ Credit monitoring services (not applicable - we don't store SSNs or financial data)
• ❌ Identity theft insurance (Stripe manages sensitive financial data)
• ❌ 24/7 phone support hotline (email support provided)

However, if Stripe experiences a breach affecting payment data they manage on our behalf, Stripe may offer these services as required by their PCI-DSS obligations and insurance.

13.11 Prevention & Continuous Improvement

After any incident, we will:

• Conduct root cause analysis
• Implement security improvements
• Update incident response procedures
• Share lessons learned (where appropriate)

14. COOKIES & TRACKING TECHNOLOGIES

14.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help remember preferences, keep you logged in, and understand site usage.

CGD Vibes uses cookies and similar tracking technologies (web beacons, pixels, local storage).

14.2 Types of Cookies

For a complete, up-to-date list of all cookies and trackers in operation on the Platform, see our Cookie Policy.

14.3 Cookie Consent

Cookie Banner: When you first visit CGD Vibes, you'll see a cookie consent banner allowing you to:

• Accept all cookies
• Reject optional cookies (only essential used)
• Customize preferences (choose categories)

Your Choices Saved: Preferences remembered for 12 months. Change anytime via cookie settings link in website footer.

Required by Law: Where required (EU, UK, certain US states), we won't set non-essential cookies until you provide consent.

14.4 Managing Cookies via Browser

Browser Settings: Control/delete cookies through browser settings. Note: Blocking essential cookies may prevent using certain features (login, purchases, etc.).

How to Manage:

• Chrome: Settings → Privacy and security → Cookies and other site data
• Firefox: Settings → Privacy & Security → Cookies and Site Data
• Safari: Preferences → Privacy → Manage Website Data
• Edge: Settings → Cookies and site permissions → Manage and delete cookies

Third-Party Opt-Out Tools:

• NAI: networkadvertising.org/choices
• DAA: aboutads.info/choices
• EDAA: youronlinechoices.eu

14.5 Other Tracking Technologies

Web Beacons / Pixels: Small, invisible images in emails/web pages tracking:

• Email opens, link clicks
• Conversion tracking (Facebook Pixel, Google Ads)
• Affiliate referrals

Local Storage: HTML5 local storage for:

• Caching data for faster loading
• Remembering preferences locally
• Enabling offline functionality (where supported)

Server-Side Tracking: Some analytics performed server-side (via Stripe) without browser cookies:

• Not affected by cookie blockers/browser settings
• Used primarily for transaction/payment analytics
• Subject to this Privacy Policy + Stripe's protections

14.6 Do Not Track (DNT)

Current Status: CGD Vibes does not currently respond to "Do Not Track" (DNT) browser signals (no industry-wide standard).

Your Privacy Not Affected: Even without DNT response, you can:

• Manage cookies via browser settings
• Opt out of marketing cookies via cookie banner
• Exercise privacy rights (Section 15)

14.7 Cookie Policy Updates

May update cookie use from time to time. Material changes communicated through:

• Updated cookie banner
• Notice in this Privacy Policy
• Email to users opted in to marketing

15. YOUR PRIVACY RIGHTS

Your rights vary by location and applicable laws.

15.1 Rights for All Users

Access: Request confirmation of processing + copy of your personal information
Correction: Request correction of inaccurate/incomplete information
Deletion: Request deletion (subject to legal exceptions)
Withdraw Consent: Withdraw consent anytime (doesn't affect prior processing)
Complain: File complaint with appropriate data protection authority

15.2 Quebec Residents (Law 25)

Additional Rights:

Access & Correction:

• Access your personal information
• Correct inaccurate, incomplete, outdated information
• Know retention periods

Data Portability:

• Computerized personal information you provided in structured, commonly used technological format (CSV, JSON)
• Provided within 30 days (free for first request in 12 months)

Deletion:

• Request deletion
• Subject to legal retention (e.g., 7 years for financial records)
• Response within 30 days (confirming deletion or explaining retention requirement)

Withdraw Consent:

• Withdraw consent for non-essential processing
• Effective immediately
• Doesn't affect prior processing

Object to Use Beyond Consent:

• Object to use beyond original consent purposes
• We'll cease unless compelling legitimate grounds override your interests

Know & Be Informed:

• Clear, simple language in policies
• Informed of breaches posing serious risk
• Know who has access to your information

Complain: File complaint with Commission d'accès à l'information du Québec (CAI):

• Website: cai.gouv.qc.ca
• Phone: 1-888-528-7741 (toll-free in Quebec)
• Address: 525, boulevard René-Lévesque Est, bureau 1.200, Québec (Québec) G1R 5S9

French Language Rights:

• Communicate with CGD Vibes in French
• Receive French version of Privacy Policy (request via [email protected])
• File complaints in French

15.3 Canadian Residents (PIPEDA) Rights:

Access & Correction:

• Access personal information within 30 days
• Challenge accuracy/completeness, have it corrected
• Know how information used and to whom disclosed

Withdraw Consent:

• Withdraw consent for non-essential processing
• Subject to legal/contractual restrictions
• We'll inform you of implications

Complain: File complaint with Office of the Privacy Commissioner of Canada (OPC):

• Website: priv.gc.ca
• Phone: 1-800-282-1376 (toll-free)
• Address: 30 Victoria Street, Gatineau, Quebec K1A 1H3

15.4 EEA & UK Residents (GDPR/UK GDPR)

Comprehensive Rights:

Access (Article 15):

• Obtain confirmation of processing
• Receive copy of your personal data
• Information about processing (purposes, categories, recipients, retention)

Rectification (Article 16):

• Correct inaccurate personal data
• Complete incomplete personal data

Erasure / "Right to be Forgotten" (Article 17):

• Request deletion when:
• • Data no longer necessary
  • You withdraw consent and no other legal basis
  • You object and no overriding legitimate grounds
  • Data processed unlawfully
  • Required for legal compliance

Restriction (Article 18):

• Restrict processing when:
• • You contest accuracy (during verification)
  • Processing unlawful but you oppose deletion
  • We no longer need data but you need it for legal claims
  • You object (pending verification of legitimate grounds)

Data Portability (Article 20):

• Receive data you provided in structured, machine-readable format (CSV, JSON)
• Transmit data to another controller (where technically feasible)
• Applies to data processed by automated means based on consent or contract

Object (Article 21):

• Legitimate interests: Object anytime; we must cease unless compelling legitimate grounds override
• Direct marketing: Object anytime; we cease immediately
• Profiling: Object to automated decision-making/profiling

Automated Decision-Making (Article 22):

• Not subject to solely automated decisions with legal/significant effects
• Right to human review, explanation, contest (see Section 7.4)

Lodge Complaint: File with your local data protection authority:

• EEA: edpb.europa.eu/about-edpb/board/members_en
• UK: Information Commissioner's Office (ICO):
• • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

15.5 California Residents (CCPA/CPRA) Rights:

Know:

• Request disclosure of:
• • Categories of personal information collected, sold, shared
  • Specific pieces of personal information
  • Categories of sources
  • Business/commercial purposes
  • Categories of third parties

Delete:

• Request deletion (subject to legal exceptions)

Correct:

• Request correction of inaccurate information (effective Jan 1, 2023 under CPRA)

Opt-Out of Sale/Sharing:

• Important: CGD Vibes does NOT sell personal information
• CGD Vibes does NOT share for cross-context behavioral advertising (CPRA definition)
• No opt-out mechanism required (you can confirm this anytime)

Limit Use of Sensitive Information:

• Limit use of sensitive info (SSN, financial accounts) to permitted purposes
• CGD Vibes uses sensitive info only for permitted purposes (payments, legal compliance, fraud prevention)

Non-Discrimination:

• Exercise rights without discrimination
• We won't:
• • Deny goods/services
  • Charge different prices/rates
  • Provide different quality
  • Suggest different prices/quality

Authorized Agents:

• Designate authorized agent to submit requests
• We'll verify agent's authority (power of attorney/signed permission) + your identity

Verification: For security, we'll verify your identity before processing requests:

• Matching information (email, account details)
• May require additional information for sensitive requests

Response Timing:

• Within 45 days (may extend by 45 days if necessary, with notice)

For More: See Section 18 for detailed California disclosures.

15.6 Other U.S. State Residents

States with Privacy Laws (as of 2026): Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), others

General Rights:

• Access personal information
• Correct inaccurate information
• Delete personal information
• Opt out of sale (CGD Vibes doesn't sell)
• Opt out of targeted advertising (opt out via cookie settings)
• Appeal decisions (see 15.8)

Specific state laws may provide additional rights. Contact [email protected] for state-specific information.

15.7 How to Exercise Rights

Methods:

Email: [email protected]

Subject: "[Your Right] Request" (e.g., "Access Request," "Deletion Request")
Include:

• Full name + email associated with account
• Specific right you wish to exercise
• Detailed description
• Supporting information (if applicable)

Account Settings (for some requests):

• Update Profile: Account → Settings → Profile
• Download Data (Sellers): Account → Data Export → Download CSV
• Delete Account (Sellers): Account → Settings → Delete Account

Mail:
N.W. Marketing Inc.  

Attn: Privacy Officer  

c/o CGD Vibes  

204 rue du Saint-Sacrement, Espace 300  

Montréal, Québec, Canada  

H2Y 1W8

Response Timeline:

• Standard: Within 30 days (Quebec, PIPEDA, GDPR)
• California: Within 45 days (may extend by 45 days with notice)
• Complex requests: May require additional time; we'll notify you of delays

Verification: 

For security, we'll verify your identity before processing requests involving access, correction, or deletion:

• Matching account information (email, name)
• Requesting additional identifying information
• Requiring account login authentication

No Fee for First Request:

• First request in 12 months: Free
• Subsequent requests: May incur reasonable administrative fee (we'll notify in advance)
• Manifestly unfounded/excessive requests: May be refused or charged

15.8 Appeals (U.S. State Residents)

If we deny your request and you reside in a US state with appeal rights (CA, VA, CO, CT, UT, etc.):

How to Appeal: Email [email protected] within 30 days of denial:

• Subject: "Privacy Rights Appeal"
• Original request details
• Reason you believe denial was incorrect
• Additional supporting information

Appeal Review:

• Review within 45 days (or per state law)
• Written response explaining decision
• If denied, info on contacting state attorney general/data protection authority

16. CHILDREN'S PRIVACY

16.1 Age Restrictions

CGD Vibes is not intended for children under 13 (or under 16 in EEA/UK where applicable).

Minimum Age:

• Under 13: May not create accounts or use platform
• 13-17: May use only with verified parental/legal guardian consent
• 18+: No restrictions (subject to Terms of Service)

16.2 No Knowingly Collecting from Children Under 13

CGD Vibes does not knowingly collect personal information from children under 13.

If We Discover a Child Under 13 Registered:

• Immediately terminate account
• Delete all personal information collected
• Notify email address provided (if verifiable parent/guardian)
• Not retain information beyond legal compliance needs (e.g., deletion logs)

16.3 Age Verification (Current Practices)

Current Method:

• Users self-certify age during registration (checkbox: "I am 18 years of age or older")
• No formal age verification mechanism currently in place
• Rely on users to provide truthful information

Limitations:

• Acknowledge self-certification not foolproof
• Exploring more robust age verification for future

Parental Notification: 

If you believe your child under 13 created an account or provided information to CGD Vibes, contact [email protected] immediately. We'll delete account and information promptly.

16.4 Parental Consent for 13-17 (Not Currently Implemented)

Current Status: CGD Vibes does not currently have mechanism for obtaining/verifying parental consent for users 13-17.

Requirement for 13-17: Per Terms of Service, users 13-17 must have parental/guardian consent. However:

• We don't currently verify parental consent
• Parents/guardians responsible for monitoring children's use
• Recommend parents/guardians review Terms of Service and Privacy Policy with children

Future Implementation: Evaluating parental consent verification for compliance with:

• COPPA for users under 13
• GDPR Article 8 for users under 16 in EEA
• Other applicable laws requiring parental consent for minors

16.5 Parental Rights & Controls

Parents and Legal Guardians Can:

• Review personal information collected from child
• Request correction of inaccurate information
• Request deletion of child's account and all associated information
• Refuse further collection or use of child's information

How Parents Exercise Rights: Email [email protected]:

• Subject: "Parental Rights Request - Child Account"
• Child's name and email (if known)
• Proof of parental relationship (matching last name, ID verification)
• Specific request (access, correction, deletion)

Verification: For security, we'll verify parental identity before providing access or deleting child's information:

• Matching information (last name, contact details)
• Government-issued ID (uploaded securely)
• Video call verification (in some cases)

16.6 Third-Party Services & Children

Third-Party Content: Platform may contain links to third-party websites/products/services not controlled by CGD Vibes.

Parental Responsibility:

• Parents/guardians should supervise children's use of third-party links
• CGD Vibes not responsible for third-party privacy practices
• Review third-party privacy policies before allowing children access

No Targeted Advertising to Children: 

CGD Vibes does not engage in targeted advertising directed at children or users known to be under 18.

16.7 Reporting Underage Accounts

If You Suspect Underage User: If you believe a user is under 13 (or under minimum age in your jurisdiction), report to [email protected]:

• Subject: "Report Underage Account"
• Username or account details (if known)
• Reason for suspicion

We'll investigate promptly and take appropriate action (account termination, data deletion).

16.8 Commitment to Children's Safety

CGD Vibes is committed to protecting children's privacy and safety online. We:

• Prohibit content that sexualizes, exploits, or harms children (zero tolerance)
• Cooperate with law enforcement on child exploitation reports
• Implement content moderation to detect/remove harmful content
• Provide reporting mechanisms for users to flag inappropriate content

Report Child Safety 

Concerns: Email [email protected] immediately for urgent child safety issues.

17. MARKETING COMMUNICATIONS & YOUR CHOICES

17.1 Types of Communications

Transactional (Cannot Opt Out): Essential emails:

• Order confirmations, receipts
• Account security notifications (password resets, login alerts)
• Platform updates affecting functionality or terms
• Customer support responses
• Tax documentation (1099-K, T4A)
• Legal notices, policy updates

You cannot opt out (necessary for services and legal compliance).

Marketing (Can Opt Out): Promotional emails:

• New product/course launches
• Sales, promotions, special offers
• Newsletter, educational content
• Personalized recommendations
• Platform news, feature announcements
• Surveys, feedback requests

You can opt out anytime (see 17.2).

17.2 How to Opt Out

Unsubscribe Link: Every marketing email contains "Unsubscribe" link at bottom. Click to:

• Unsubscribe from all marketing, OR
• Manage preferences (choose email types)

Account Settings: Log in → Account → Settings → Communication Preferences

Toggle specific categories on/off (promotional, newsletters, recommendations)

Email Request: Send to [email protected]:

• Subject: "Unsubscribe from Marketing"
• Your account email address

Processing Time:

• Opt-out processed within 10 business days
• May receive emails already in queue during this period
• Once processed, no further marketing emails (transactional continue)

17.3 Seller Communications

From Sellers You've Purchased From: Sellers receive your email and may send:

• Order fulfillment updates, delivery confirmations
• Customer support for your purchase
• Updates about specific product/course you purchased

Seller Independence: Sellers are independent parties with own email marketing practices:

• May add you to their own email lists (subject to applicable law)
• CGD Vibes doesn't control seller marketing
• To unsubscribe from seller emails: Use unsubscribe link in seller's emails or contact seller directly
• Report sellers violating anti-spam laws to [email protected]

CGD Vibes' Responsibility:

• Provides sellers with email marketing best practices guidance
• Sellers must comply with anti-spam laws (CAN-SPAM, CASL, GDPR)
• Repeated violations may result in seller account suspension

17.4 Retargeting & Personalized Advertising

What is Retargeting? 

Shows you CGD Vibes ads on other websites/social media after you visit our site.

How It Works:

• When you visit CGD Vibes, cookies/pixels (Facebook, Google, TikTok) placed on your device
• Track browsing, enable platforms to show CGD Vibes ads elsewhere
• Ads personalized based on pages visited or products viewed

Your Choices:

Opt Out via Cookie Settings:

• Use cookie banner to reject marketing cookies
• Prevents retargeting pixels from being placed

Opt Out with Ad Platforms:

• Facebook/Meta: facebook.com/adpreferences
• Google Ads: adssettings.google.com
• TikTok: TikTok app → Settings → Privacy → Ads

Browser Privacy Settings:

• Enable "Do Not Track" (though not all sites honor it)
• Use private/incognito browsing
• Block third-party cookies in browser settings

Industry Opt-Out Tools:

• NAI: networkadvertising.org/choices
• DAA: aboutads.info/choices

17.5 Personalized Recommendations

On-Platform Personalization: CGD Vibes may personalize by:

• Recommending courses/products based on browsing history
• Displaying content in feed based on interests
• Suggesting sellers/communities you might like

Opting Out:

• Personalization based on platform activity
• To reduce: Clear browsing history or use private browsing
• Email [email protected] to request we stop profiling for personalization (may reduce functionality)

17.6 Affiliate Emails

If You Join as Affiliate: By joining affiliate program, you consent to receive:

• Affiliate program updates, announcements
• Commission statements, payout notifications
• Promotional materials, marketing resources

Affiliate Marketing Opt-Out:

• Affiliates can opt out of promotional emails (program updates/commission statements continue)
• Use unsubscribe link in affiliate emails or contact [email protected]

17.7 Anti-Spam Compliance

CGD Vibes complies with anti-spam laws worldwide:

• CAN-SPAM (US): All marketing emails include unsubscribe links, accurate sender info, sent only to opted-in users or those with existing relationship
• CASL (Canada): Express or implied consent obtained before commercial emails; unsubscribe mechanism provided
• GDPR (EU/UK): Marketing sent only with consent or based on legitimate interest (soft opt-in for existing customers); easy opt-out provided

Report Spam: If you receive unsolicited/inappropriate emails claiming to be from CGD Vibes, report to [email protected].

18. CALIFORNIA-SPECIFIC DISCLOSURES

Additional disclosures required under CCPA/CPRA.

18.1 Notice at Collection

Categories of Personal Information Collected:

Company: CGD Vibes is operated by N.W. Marketing Inc. (Quebec, Canada).
Address: 204 rue du Saint-Sacrement, Espace 300, Montréal, Quebec, Canada, H2Y 1W8
Email: [email protected] | Privacy Officer: [email protected]