Legal
Privacy policy
Vildly AB ("we") runs Vildly Academy at academy.vild.ly. This page explains what personal data we collect when you use the site, why we collect it, who we share it with, and how to exercise your rights under the EU General Data Protection Regulation (GDPR).
Last updated: 2026-05-07
Who we are
The data controller is Vildly AB, organisationsnummer 559192-5267, registered in Kalmar, Sweden. For any privacy-related request, contact oxana@vild.ly.
What we collect, and why
- Account identity: When you sign in with GitHub, we receive your email address, GitHub username, and avatar URL via OAuth. Lawful basis: contract — we need an account to give you access to courses you've paid for.
- Course progress: Which nodes you've visited and completed, your XP total, and your daily-learning streak. Stored locally in your browser for everyone, and additionally on our server for signed-in users so progress survives across devices. Lawful basis: contract (signed-in) and legitimate interest (anonymous, to give the product a useful default).
- Payment data: Payments are processed by Stripe. We never see or store your card number. Stripe shares with us the fact of a successful charge, the amount, the course slug, your user id, and the customer email — enough to grant you access and issue a receipt. Lawful basis: contract.
- Server logs: Our reverse proxy (Traefik) records request lines, IP addresses, and user-agents for security and debugging. Retained for up to 30 days, then deleted. Lawful basis: legitimate interest (operating the service securely).
Cookies and local storage
We only set cookies and storage entries that are strictly necessary for the site to work, so we do not show a cookie banner. Here is the full list:
- sb-* · cookie: Authentication session token (set by Supabase, our auth provider). Without it you can't stay signed in. Cleared when you sign out.
- ew:theme · localStorage: Your light/dark theme preference. Never sent to us.
- ew:streak · localStorage: Your daily-learning streak counter. Stored in your browser so anonymous users get streaks too. For signed-in users we also keep a copy on the server so it survives across devices.
- ew:progress:<course> · localStorage: Visited and completed nodes per course. Same dual-storage rule as the streak.
When you start a checkout, Stripe sets its own cookies on checkout.stripe.com. Those are governed by Stripe's privacy policy, not ours.
We do not use analytics, advertising, or tracking cookies of any kind. If that ever changes, this policy updates first and you'll see a consent banner before any new cookie is set.
Who else sees your data
We use a small number of vendors as data processors. They handle your data only on our instructions, under written agreements:
- Supabase (managed Postgres + auth) — stores your account, progress, and entitlements. Hosted in the EU.
- Stripe (payments) — processes the card transaction and stores the payment record on its own infrastructure. Stripe is an independent controller for the payment data it holds.
- GitHub — only involved during the OAuth handshake when you sign in. Governed by GitHub's own privacy terms.
- Our hosting (a single VPS we operate ourselves, in Sweden) — runs the Vildly Academy app and reverse proxy.
We do not sell or rent personal data to anyone, ever.
How long we keep things
- Account + progress: until you delete your account, or after 24 months of inactivity.
- Entitlements (proof of purchase): kept while you have access; refunded entries are kept anonymized for accounting.
- Stripe events / webhook log: 24 months, then deleted.
- Server logs: up to 30 days.
- Accounting records (Swedish Bookkeeping Act): 7 years for invoice and payment records — required by law and overrides deletion requests for that subset.
Your rights
Under GDPR you can:
- Access a copy of the data we hold about you.
- Correct data that's wrong.
- Delete your account and associated data (the 7-year accounting subset stays — we'll tell you exactly what survives).
- Export your data in a machine-readable format (JSON).
- Object to processing based on legitimate interest.
- Withdraw any consent you've given, without affecting prior processing.
Email oxana@vild.ly with what you want and we'll respond within 30 days.
If you think we're handling your data wrongly, you also have the right to complain to the Swedish data protection authority, Integritetsskyddsmyndigheten (IMY).
Transfers outside the EU
Our infrastructure (Supabase EU, our own VPS in Sweden) keeps your account and progress data inside the EU. Stripe and GitHub may process small amounts of data outside the EU under EU Standard Contractual Clauses. We don't initiate any transfer that isn't covered by an adequacy decision or SCCs.
Changes to this policy
If we change anything material, we update the date at the top and — if you have an account — email you before the change takes effect.