Privacy Policy for Fun Arts Academy

Effective date: 16 July 2025

1) Who We Are

- Fun Arts Academy is operated by Grollth Company (“Fun Arts Academy,” “we,” “us,” or “our”).

- Website: https://funartsacademy.com

- Contact:

  - Email: [email protected]

  - Address: Room A11, 7/F, Block A, Superluck Industrial Centre Phase 2, 57 Sha Tsui Road, Tsuen Wan, N.T., Hong Kong

2) Scope

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our website, create an account, enroll in courses, purchase services, interact with our communications, or otherwise engage with us online or offline. It applies to users worldwide, with additional disclosures for residents of the EEA/UK (GDPR) and California (CCPA/CPRA).

3) Categories of Personal Data We Collect

We collect the following categories of data, some of which may be considered personal data or personal information:

- Identifiers and Contact Information: name, username, email address, postal address, phone number, account IDs.

- Account and Profile Data: password (hashed), profile photo or avatar you upload, biography, preferences, settings.

- Transaction and Payment Data: order history, course enrollments, payment method type, billing address, tax information. Note: payment card numbers are processed by our payment processor and are not stored by us.

- Course/Service Usage Data: course progress, assignments and submissions, participation in forums or live sessions, bookings for workshops or events.

- Communications Data: emails, support requests, chat messages, survey responses, feedback, testimonials.

- Marketing and Analytics Data: campaign interactions, referral sources, cookie identifiers, advertising identifiers.

- Device/Technical Data: IP address, browser type/version, device type, operating system, language, time zone, session logs, error logs.

- Usage Data: pages viewed, time on site, clicks, navigation paths, feature usage.

- Geolocation Data: approximate location inferred from IP address; precise location only if you grant permission.

- Content You Provide: uploads (images, documents, audio/video you submit for coursework), comments, forum posts.

- Social/Single Sign-On (if enabled): if you sign in via a third-party SSO provider, we receive identifiers and profile information permitted by that provider.

- Optional Sensitive Data: only if you voluntarily provide (e.g., accessibility needs). We do not require sensitive data for general use.

4) Sources of Data

- Directly from you (forms, account creation, course participation, customer support).

- Automatically via cookies, pixels, SDKs, server logs, and similar technologies.

- From third parties: payment processors, analytics/advertising partners, referral partners, SSO providers, and publicly available sources.

5) Legal Bases for Processing (GDPR/UK GDPR)

Where GDPR/UK GDPR applies, we process personal data under the following legal bases:

- Contract: to provide our services, process enrollments, and fulfill purchases.

- Legitimate Interests: to secure our services; prevent fraud; understand usage; improve and personalize content; communicate about similar products and services; and conduct business operations (balanced against your rights).

- Consent: for non-essential cookies/marketing, email/SMS marketing where required, precise geolocation, and certain user-generated content uses.

- Legal Obligation: to comply with tax, accounting, and regulatory requirements; to respond to lawful requests.

- Vital Interests: in rare cases to protect your life or physical safety.

6) How We Use Personal Data

We use data to:

- Provide and operate the website and services, including account management and course delivery.

- Process payments and complete transactions.

- Communicate with you about your account, enrollments, updates, service changes, and security issues.

- Provide customer support and fulfill your requests.

- Personalize content, recommendations, and learning experiences.

- Monitor, analyze, and improve site performance and features.

- Conduct research, quality assurance, and training.

- Send marketing communications with your consent where required, and allow you to opt out at any time.

- Enforce terms, protect against fraud, and ensure the security and integrity of our services.

- Comply with legal obligations.

7) Cookies and Similar Technologies

- What we use: first- and third-party cookies, pixels, tags, local storage, and similar technologies for essential functionality, preferences, analytics, and advertising.

- Categories:

  - Strictly Necessary: enable login, security, and shopping cart.

  - Functional: remember preferences and enhance features.

  - Analytics/Performance: measure traffic and usage (e.g., page views, conversions).

  - Advertising/Targeting: deliver and measure ads, limit ad frequency, and build audiences.

- Your choices:

  - Cookie Banner/Consent: where required, we request consent for non-essential cookies.

  - Browser Controls: you can block or delete cookies via browser settings; this may impact functionality.

  - Ad Choices: you may opt out of interest-based advertising via industry tools where available (e.g., NAI/DAA, YourOnlineChoices).

- Retention: cookie lifespans vary; see our Cookie Settings or banner for details.

8) Payment Processing

We use third-party payment processors to handle payments. These processors collect and process your payment card details in accordance with PCI-DSS. We receive limited payment information (e.g., last 4 digits, card type, transaction IDs) for recordkeeping, fraud prevention, and refunds.

9) Third-Party Sharing and Disclosures

We do not sell personal information for money. We may share data with:

- Service Providers/Processors: hosting, cloud storage, analytics, advertising, email/SMS, customer support tools, payment processing, content delivery networks, video hosting, proctoring (if used), and security services.

- Business Partners: co-branded courses, instructors, affiliates, and distributors as needed to deliver services you request.

- Instructors and Classroom Participants: content you share in forums or live sessions may be visible to other participants; please use discretion.

- Legal/Compliance: regulators, law enforcement, courts, and advisors where required or permitted by law.

- Business Transfers: as part of a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.

- With Your Consent: where you ask us to share or where we have obtained your consent.

California “Sharing” for Cross-Context Behavioral Advertising: We may disclose identifiers and usage data to advertising partners for targeted advertising, which may be deemed “sharing” under California law. See “Your Rights” below for opt-out choices.

10) International Data Transfers

We may transfer, store, and process personal data in countries outside your own, including the United States, the European Economic Area (EEA), the United Kingdom, and Hong Kong. Where required, we implement appropriate safeguards such as:

- Standard Contractual Clauses (SCCs) for transfers from the EEA/UK.

- Data Processing Agreements with processors imposing GDPR-equivalent protections.

- Additional technical and organizational measures (encryption, access controls).

You may request a copy of relevant transfer safeguards by contacting us.

11) Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy, including:

- Account data: retained while your account is active and for up to 7 years after closure for legal, accounting, and backup purposes, unless a longer period is required by law or to establish/defend legal claims.

- Transaction records: generally 7–10 years for tax and accounting compliance.

- Course content and submissions: retained for the duration of the course and a reasonable period thereafter for audit, accreditation, and support.

- Marketing data: retained until you opt out or for up to 24 months after your last interaction, whichever occurs first, unless a longer period is permitted by law.

- Logs and security records: typically 12–24 months, subject to operational necessity.

We will anonymize or aggregate data where feasible once retention periods expire.

12) Security Measures

We use appropriate technical and organizational measures to protect personal data, including:

- Encryption in transit (TLS) and at rest for key systems and backups where feasible.

- Access controls, role-based permissions, and least-privilege principles.

- Password hashing and multi-factor authentication for administrative access.

- Network and application security, monitoring, and logging.

- Secure software development lifecycle and vulnerability management.

- Vendor due diligence and contractual security obligations.

No method of transmission or storage is 100% secure, but we work to protect your data and continually improve our safeguards.

13) Data Breach Notification

If we discover a data breach that is likely to result in a risk to your rights and freedoms (GDPR) or a significant risk of harm (other laws), we will:

- Investigate and take steps to contain and remedy the incident.

- Notify affected users and relevant supervisory authorities as required by law, without undue delay and within applicable statutory timeframes.

- Provide information on the nature of the breach, likely consequences, and measures taken or proposed.

14) Your Rights

Your rights depend on your location. Subject to legal limitations, you may have the right to:

A) EEA/UK (GDPR)

- Access: obtain a copy of your personal data.

- Rectification: correct inaccurate or incomplete data.

- Erasure: request deletion (“right to be forgotten”).

- Restriction: limit how we process your data.

- Portability: receive your data in a structured, machine-readable format and transmit it to another controller.

- Objection: object to processing based on legitimate interests and to direct marketing (including profiling).

- Withdraw Consent: where processing is based on consent, you can withdraw at any time.

- Lodge a Complaint: with your local Data Protection Authority.

B) California (CCPA/CPRA)

- Right to Know: request details about categories and specific pieces of personal information collected, sources, purposes, and third-party disclosures.

- Right to Delete: request deletion of personal information, subject to exceptions.

- Right to Correct: request correction of inaccurate information.

- Right to Opt Out of Sale/Sharing: opt out of the sale or “sharing” (for cross-context behavioral advertising) of personal information.

- Right to Limit Use of Sensitive Personal Information: where applicable.

- Non-Discrimination: we will not discriminate against you for exercising your rights.

C) Other Jurisdictions

You may have similar rights under other laws. We will honor rights requests as required by applicable law.

How to Exercise Your Rights

- Email [email protected] with the subject line “Privacy Rights Request.”

- Provide sufficient information to verify your identity and describe your request.

- Authorized agents: where permitted by law, agents may submit requests with proof of authorization.

We will respond within the timeframes required by law (e.g., 30–45 days) and will explain reasons if we cannot fulfill a request.

15) Children’s Privacy

Our services are generally intended for users aged 13 and over (or the age of digital consent in your country). We do not knowingly collect personal data from children under the applicable age without verifiable parental consent. If you believe a child has provided personal data to us without consent, contact us and we will take appropriate steps to delete such data.

16) Do Not Track and Global Privacy Control

Our site does not currently respond to browser “Do Not Track” signals. Where legally required, we honor browser- or extension-based Global Privacy Control (GPC) signals as an opt-out of “sale”/“sharing” for targeted advertising.

17) Third-Party Links and Services

Our website may include links to third-party websites, plug-ins, or services. We are not responsible for their privacy practices. We encourage you to review their privacy policies.

18) User-Generated Content, Forums, and Live Sessions

Information you post or share in forums, communities, class streams, reviews, or live sessions may be visible to other users or the public. Please do not share personal information you prefer to keep private. We may record live sessions for course access and quality; you will be notified where applicable.

19) Automated Decision-Making and Profiling

We may use limited profiling to personalize content, recommendations, and marketing. We do not make decisions producing legal or similarly significant effects on you solely through automated processing without human involvement.

20) Data Controllers and Processors

- For users in the EEA/UK, Grollth Company is the controller of your personal data processed via funartsacademy.com. We may engage processors to process data on our behalf under written contracts that meet GDPR requirements.

- If we designate a local representative where required, we will update this Policy with details.

21) Exercising Marketing Preferences

- Email: click “unsubscribe” in our emails or contact [email protected].

- Cookies/Ads: adjust cookie settings via our banner or your browser; use platform-level ad settings (e.g., Google, Facebook) and regional opt-out tools.

22) International Users — Additional Disclosures

- EEA/UK: You can contact your supervisory authority. Our lead authority, if applicable, will be disclosed upon request.

- Hong Kong: We handle personal data in line with the Personal Data (Privacy) Ordinance (PDPO) principles of purpose and use, data accuracy, retention, security, openness, and data access/correction.

23) Changes to This Policy

We may update this Policy from time to time. Material changes will be posted on this page with a prominent notice and, where required, we will seek your consent. The “Effective date” at the top indicates the latest version.

24) Severability

If any provision of this Policy is found to be invalid or unenforceable, that provision shall be enforced to the maximum extent permissible, and the remaining provisions will remain in full force and effect.

25) Governing Law and Jurisdiction

This Policy and any dispute arising out of or related to it shall be governed by the laws of Hong Kong, without regard to its conflict of laws rules. You agree to submit to the exclusive jurisdiction of the courts of Hong Kong, unless another forum is required by mandatory applicable law.

26) Contact Us

If you have questions, concerns, or requests regarding this Policy or our privacy practices, please contact:

- Email: [email protected]

- Mail: Room A11, 7/F, Block A, Superluck Industrial Centre Phase 2, 57 Sha Tsui Road, Tsuen Wan, N.T., Hong Kong

27) Revision History

- Version 1.0 — 16 July 2025: Initial publication.

Annex — Summary of Categories Disclosed for a Business Purpose (CCPA/CPRA)

- Identifiers (e.g., name, email, IP address): service providers, analytics and advertising partners, payment processors.

- Commercial Information (e.g., purchases, enrollments): payment processors, fulfillment/operations partners.

- Internet/Network Activity (e.g., browsing, usage data, cookies): analytics and advertising partners, security providers.

- Geolocation (approximate): analytics and security.

- Inferences (preferences/likelihood of interest): marketing/analytics partners.

We do not knowingly sell personal information of consumers under 16.