Privacy Policy

The data controller responsible for your personal data is:

Em.Skoulikaris LLC is a Wyoming, USA limited liability company that operates the Academy250 platform. For questions about this Privacy Policy or how we handle your data, contact us at privacy@academy250.com.

2.1 We act as data controller when we process your account information, billing details, and usage metrics for the purpose of providing and improving the Academy250 service. In this capacity, we determine the purposes and means of processing.

2.2 We act as data processor when we process Content that you upload, create, or generate on the Platform on your behalf. In this capacity, you are the data controller and we process your data solely based on your documented instructions and our Terms of Service.

We collect and process the following categories of personal data:

3.1 Account & Identity Data

• Email address (required — used for authentication, account identification, and all platform communications; this is the single source of truth for your identity on the Platform)
• Display name or username (optional)
• Date of birth or age range (required — used for age tier verification, see Section 7)

3.2 Parental Consent Data

For Makers aged 16–17, or for Primary Account Holders creating Dependent Accounts for minors under 16, we collect:

• Parent or legal guardian's name and email address
• Parental consent confirmation and timestamp
• Relationship to the minor (parent / legal guardian)

3.3 Billing & Transaction Data

• Usage Pack purchase history
• Invoice records and payment confirmations
• Payment method details (processed and stored by our Merchant of Record, polar.sh — we do not store full card numbers)

3.4 Usage & Metering Data

• Project Unit allocation and consumption records
• Platform Access Time usage logs
• AI Compute consumption logs
• Feature usage patterns and session activity
• Usage Account status

3.5 Technical & Device Data

• IP address
• Browser type and version
• Operating system
• Device identifiers
• Referring URLs and page interaction data
• Timestamps and time zone settings

3.6 Content Data (Processor Role)

• Documents, text, and files you upload to the Platform
• Content you create or generate using Platform tools
• Inputs submitted to AI Wizards (prompts, documents, queries)
• AI-generated outputs produced on your behalf
• Team communication messages within projects

3.7 Communication Data

• Support requests and correspondence
• Feedback and survey responses

4.1 Service delivery

• Creating and managing your account (and Dependent Accounts, if applicable)
• Authenticating your identity via email verification
• Verifying age eligibility and processing parental consent
• Processing Usage Pack purchases and activating your Project Units
• Tracking your Project Unit allocation and consumption across both pools (Platform Access Time and AI Compute)
• Delivering AI Wizard features and processing your Content

4.2 Billing & compliance

• Processing payments through our Merchant of Record (polar.sh)
• Generating and delivering invoices and payment receipts
• Complying with tax, accounting, and regulatory obligations

4.3 Communication

• Sending transactional notifications (purchase confirmations, unit expiration alerts, service updates)
• Responding to support requests
• Sending service-related announcements (maintenance notices, policy changes, security alerts)
• Notifying Primary Account Holders about activity on linked Dependent Accounts

4.4 Platform improvement

• Analysing usage patterns to improve Platform features and performance
• Monitoring system health and diagnosing technical issues
• Conducting internal analytics (aggregated and anonymised where possible)

4.5 Child safety

• Enforcing age tier requirements and parental consent verification
• Monitoring Dependent Account activity for safety compliance
• Providing Primary Account Holders with visibility into their Dependent Accounts' activity

4.6 Security & fraud prevention

• Detecting and preventing fraudulent activity, abuse, or violations of the Acceptable Use Policy
• Maintaining platform security and integrity
• Enforcing our Terms of Service

Under GDPR Article 6(1), we rely on the following legal bases for processing your personal data:

5.2 Processing of children's data. For Makers under 18, we process personal data on the basis of parental or guardian consent in accordance with GDPR Article 8 and applicable national laws. For Dependent Account holders (under 16), the Primary Account Holder provides this consent as part of the account creation process.

5.3 Legitimate interest assessment. Where we rely on legitimate interests, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. We apply heightened scrutiny when our legitimate interest processing involves data of minors. You may request details of our legitimate interest assessments by contacting us at privacy@academy250.com.

6.1 How AI Wizards process your data. When you use AI Wizards on the Platform, the content you submit (prompts, documents, and related inputs) is transmitted to our third-party AI providers via their respective APIs for processing. The AI provider generates an output which is returned to you through the Platform.

6.2 AI provider data commitments. We select AI providers that offer enterprise-grade API agreements under which:

• Customer inputs and outputs are not used to train the provider's general-purpose models
• Data is processed solely to generate the requested output and is not retained beyond the provider's processing window (typically up to 30 days for abuse monitoring purposes)
• Both OpenAI and Anthropic maintain SOC 2 Type II compliance for their API services

6.3 Current AI providers:

6.4 AI metering data. We record AI usage metrics — specifically the number of Project Units consumed per operation, the model used, and timestamps — for the purpose of tracking your AI Compute units. These records do not contain the content of your prompts or outputs.

6.5 AI and minors. AI Wizards are available to Dependent Account holders. The Primary Account Holder consents to AI processing on the minor's behalf when creating the Dependent Account. Primary Account Holders may restrict AI Wizard access for individual Dependent Accounts through account settings.

6.6 Your responsibility. You are responsible for ensuring that any personal data of third parties that you submit to AI Wizards is processed under a lawful basis in accordance with applicable data protection law. Do not submit sensitive personal data (GDPR Article 9 special categories) to AI features unless you have a specific legal basis and have assessed the risks.

6.7 Provider changes. We may add, remove, or replace AI providers to improve the service or manage costs. If we add a new AI provider that materially changes how your data is processed, we will update this section and the sub-processor list at least 14 days before the change takes effect and notify you via email or in-platform announcement.

9.1 Em.Skoulikaris LLC is based in the United States. Our primary infrastructure providers (Render, Cloudflare) and key sub-processors (polar.sh, OpenAI, Anthropic) are also based in the United States. This means that your personal data is transferred to and processed in the United States.

9.2 Transfer safeguards. For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, we rely on the following legal mechanisms as permitted under GDPR Chapter V:

• EU-U.S. Data Privacy Framework (DPF): Where a sub-processor is certified under the EU-U.S. Data Privacy Framework, we rely on that certification as providing adequate protection. As of the date of this Policy, Cloudflare, OpenAI, and Anthropic participate in the DPF.
• Standard Contractual Clauses (SCCs): Where the DPF does not apply, we enter into the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with the relevant sub-processor as the legal basis for the transfer.

9.3 Transfers involving minors' data. The same transfer safeguards apply to personal data of Dependent Account holders and Makers aged 16–17. We do not apply different transfer mechanisms based on the data subject's age, but we ensure that all sub-processors maintain appropriate protections for children's data.

9.4 You may request a copy of the transfer safeguards we have in place by contacting privacy@academy250.com.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

10.2 When data is no longer needed, it is securely deleted or anonymised. Anonymised data (from which you can no longer be identified) may be retained indefinitely for statistical and analytical purposes.

12.1 We use cookies and similar technologies to operate the Platform, maintain your session, and remember your preferences. Our use of cookies is governed by our Cookie Policy, which provides full details on the types of cookies we use, their purposes, and how you can manage your preferences.

12.2 Essential cookies. Some cookies are strictly necessary for the Platform to function (authentication, session management, security). These cannot be disabled without breaking core functionality.

12.3 Consent for non-essential cookies. Where we use analytics or other non-essential cookies, we obtain your consent before placing them via our cookie consent banner, in accordance with the ePrivacy Directive (2002/58/EC) and applicable national laws. You may manage your cookie preferences at any time through the cookie settings accessible on the Platform.

13.1 We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or sub-processor arrangements. The "Last updated" date at the top of this page indicates when the latest revision was published.

13.2 Notification of material changes. For material changes that significantly affect how we process your personal data, we will provide at least 30 days' notice before the changes take effect, via email to the address on file and/or a prominent notice on the Platform. For changes affecting how we process minors' data, we will also notify Primary Account Holders directly.

13.3 Your continued use of the Platform after the effective date of the updated Policy constitutes acceptance of the changes. If you do not agree, you may terminate your account in accordance with the Terms of Service.

14.1 Contact us. For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data:

14.2 EU representative. Although not legally required at our current scale, if we appoint an EU representative under GDPR Article 27, their details will be published here and on our Contact page.

14.3 Supervisory authority complaints. If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a data protection supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (GDPR Article 77).

For customers based in Greece, the relevant authority is the Hellenic Data Protection Authority (HDPA): www.dpa.gr | Kifissias 1-3, 115 23, Athens, Greece | Tel: +30 210 6475600