Privacy Policy

Document Reference: ASC-LEGAL-GDPR-2026
Date of Last Revision: January 26, 2026
Jurisdiction: Republic of Estonia
Data Controller: Ascendefy OÜ

1. INTERPRETATION AND DEFINITIONS

1.1. Preamble

This Privacy Policy (hereinafter the "Policy") sets forth the terms under which Ascendefy OÜ, a private limited company incorporated under the laws of the Republic of Estonia (hereinafter "Controller", "we", "us", or "our"), processes Personal Data. This Policy is drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the "GDPR"), the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and, where applicable mutatis mutandis, the California Consumer Privacy Act of 2018 (the "CCPA").

1.2. Definitions

Capitalized terms used herein shall have the meanings ascribed to them in Article 4 of the GDPR, unless otherwise defined:

  • "Personal Data" shall mean any information relating to an identified or identifiable natural person (the "Data Subject").
  • "Processing" shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data.
  • "Merchant of Record" shall refer to Whop Inc., the entity contractually responsible for financial transaction processing and compliance with Payment Card Industry Data Security Standards (PCI-DSS).

1.3. Amendments

The Controller reserves the right to amend, modify, or supplement this Policy at any time. Material changes shall be communicated via electronic mail or conspicuous notice on the Service. Continued use of the Service following such notification constitutes acknowledgement and acceptance of the revised Policy.

2. CONTROLLER DESIGNATION AND LIMITATION OF SCOPE

2.1. Controller Status

Pursuant to Article 4(7) of the GDPR, Ascendefy OÜ is designated as the Data Controller for Personal Data collected directly through its proprietary platforms, marketing channels, and community interfaces.

2.2. Severability of Financial Processing

Notwithstanding the foregoing, the Controller explicitly disclaims Controller status regarding financial instruments, including but not limited to Primary Account Numbers (PAN) and Card Verification Codes (CVC). Such data is collected, processed, and retained exclusively by Whop Inc. in its capacity as an independent Controller for the purposes of regulatory banking compliance. Ascendefy OÜ possesses neither access rights nor decryption keys for such financial payloads.

3. DATA COLLECTION AND MINIMIZATION PRINCIPLES

In adherence to the principle of Data Minimization under Article 5(1)(c) of the GDPR, the Controller processes only such Personal Data as is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

3.1. Categories of Personal Data

  • (a) Identity Data: First name, surname, unique platform identifiers (e.g., Discord Snowflake ID), and internal user verification tokens.
  • (b) Contact Data: Electronic mail address and billing domicile.
  • (c) Transactional Metadata: Invoice identifiers, product stock keeping units (SKUs), value-added tax (VAT) jurisdiction, and timestamp data.
  • (d) Technical Telemetry: Internet Protocol (IP) address, browser user-agent string, operating system specifications, and device hash identifiers.
  • (e) Behavioral Analytics: Interaction metrics, including scroll depth, clickstream data, and session duration logs.

4. LAWFUL BASIS FOR PROCESSING

The Controller relies exclusively on the following lawful bases pursuant to Article 6 of the GDPR:

4.1. Contractual Necessity (Art. 6(1)(b))

Processing of Identity and Contact Data is strictly necessary for the performance of the Service Agreement between the Controller and the Data Subject, specifically the provision of digital content and access to restricted community environments.

4.2. Compliance with Legal Obligations (Art. 6(1)(c))

Processing of Transactional Metadata is mandated by the Estonian Accounting Act (Raamatupidamise seadus) and applicable EU VAT Directives, requiring the retention of source documents for a statutory period of seven (7) years.

4.3. Legitimate Interests (Art. 6(1)(f))

Processing of Technical Telemetry and device hashing is based on the legitimate interests of the Controller to ensure network and information security, prevent fraudulent chargebacks, and enforce intellectual property rights. The Controller has conducted a balancing test determining that these interests do not override the fundamental rights and freedoms of the Data Subject.

4.4. Consent (Art. 6(1)(a))

Processing of Behavioral Analytics and deployment of non-essential tracking technologies is subject to the Data Subject’s prior, explicit, and granular consent. Such consent is revocable at any time without detriment.

5. INTERNATIONAL DATA TRANSFERS

The Controller utilizes third-party processors domiciled in the United States. In compliance with Chapter V of the GDPR and the judgment of the Court of Justice of the European Union in Case C-311/18 (Schrems II), transfers are governed as follows:

5.1. Transfer Mechanisms

  • (a) EU-US Data Privacy Framework: Transfers to entities certified under the EU-US Data Privacy Framework are deemed to provide an adequate level of protection pursuant to the Adequacy Decision of July 10, 2023.
  • (b) Standard Contractual Clauses: For entities not covered by the Framework, the Controller executes the European Commission’s Standard Contractual Clauses (Decision 2021/914/EU, Module Two).

5.2. Supplementary Measures

The Controller implements supplementary technical measures, including encryption in transit (TLS 1.2+) and pseudonymization, to mitigate risks associated with foreign surveillance legislation (e.g., FISA Section 702).

6. DATA SECURITY AND INTEGRITY

6.1. Technical and Organizational Measures

In accordance with Article 32 of the GDPR, the Controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • (a) Pseudonymization and encryption of Personal Data;
  • (b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems;
  • (c) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.

6.2. Breach Notification

In the event of a Personal Data Breach, the Controller shall notify the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

7. DATA RETENTION SCHEDULE

Personal Data shall be retained only for as long as necessary to fulfill the purposes set out herein.

Data Category | Retention Period | Statutory/Legal Basis
Transaction Metadata | 7 Years | Estonian Accounting Act
Account Data | Duration of Service + 3 Years | Statute of Limitations (Civil Claims)
Analytics Data | 14 Months | Commercial Efficacy / Obsolescence
Security Logs | 6 Months | Incident Investigation

8. RIGHTS OF THE DATA SUBJECT

Under Chapter III of the GDPR, the Data Subject possesses the following rights:

  • Right of Access (Art. 15): To obtain confirmation as to whether or not Personal Data concerning them are being processed.
  • Right to Rectification (Art. 16): To obtain the rectification of inaccurate Personal Data.
  • Right to Erasure (Art. 17): To obtain the erasure of Personal Data without undue delay, subject to Article 17(3).
  • Right to Restriction (Art. 18): To obtain restriction of processing where accuracy is contested or processing is unlawful.
  • Right to Object (Art. 21): To object, on grounds relating to their particular situation, to processing based on Article 6(1)(f).

To exercise these rights, the Data Subject must submit a formal request via the Whop Resolution Center or to the designated privacy contact email.

9. CALIFORNIA CONSUMER PRIVACY ACT (CCPA) ADDENDUM

9.1. Applicability

This Section 9 applies solely to visitors, users, and others who reside in the State of California ("Consumers").

9.2. Rights

Consumers have the right to request disclosure of categories of personal information collected, sources of collection, business purpose for collection, and categories of third parties with whom information is shared. Consumers further possess the right to request deletion of personal information, subject to statutory exceptions.

9.3. Non-Sale of Data

The Controller does not "sell" personal information as defined under the CCPA. Data sharing is limited to "Service Providers" for business purposes defined in contractual agreements.

10. CHILDREN'S PRIVACY AND AGE RESTRICTIONS

The Services are strictly prohibited for use by individuals under the age of eighteen (18). The Controller does not knowingly collect or solicit Personal Data from anyone under the age of 18. In the event that the Controller learns that Personal Data from a child under age 18 has been collected without verification of parental consent, the Controller will delete that information as quickly as possible.

11. LIMITATION OF LIABILITY

11.1. Commercial Damages

To the maximum extent permitted by applicable law, the Controller’s liability for any claim arising out of or relating to this Policy, excluding claims related to GDPR Article 82, shall be limited to the amount of fees paid by the Data Subject to the Controller in the twelve (12) months preceding the event giving rise to the claim.

11.2. Statutory Rights

Nothing in this Policy shall exclude or limit liability for death or personal injury caused by negligence, fraud, or any liability which cannot be excluded or limited under applicable data protection laws.

12. CONTACT INFORMATION

  • Data Controller: Ascendefy OÜ
  • Registered Office: Republic of Estonia
  • Contact Email: privacy@ascendefy.com
  • Supervisory Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) – www.aki.ee