Privacy Policy

This policy explains how WEBZI s.r.o. (trading as Wall Street Uni) collects, uses, shares and protects personal data in line with the EU General Data Protection Regulation (GDPR) and Czech Act No. 110/2019 Coll. on personal data processing.

Last updated: 2026-06-26

Data Security

Your data is encrypted in transit and at rest.

Transparency

We list every processor that touches your data.

Your Control

Access, export, and erasure on request.

1. Data Controller

The data controller responsible for personal data processed through Wall Street Uni under Article 4(7) GDPR is:

WEBZI s.r.o. (trading as Wall Street Uni)

IČO: 24602175

Krásova 2919/31a, Žižkov, 130 00 Praha 3, Czech Republic

Privacy contact: privacy@wallstreetuni.com

We are not required to designate a Data Protection Officer under Article 37 GDPR, but you may direct any GDPR enquiry to the address above.

2. Categories of Personal Data We Process

Account data

First and last name, email address.
Password (stored only as a bcrypt hash; we never see plaintext).
Optional profile picture, exam level/year/window.
Federated identifiers (Google / LinkedIn) if you choose social sign-in.

Learning data

Quiz and mock-exam answers, scores, time spent, streaks, achievements.
Topic preferences and content interactions.
Conversations with the WSU AI study assistant.

Billing data

Stripe customer id, subscription status, plan type, invoice metadata.
Payment-card data is processed entirely by Stripe — we never store full PANs.

Technical and tracking data

IP address, user-agent, device class, approximate location (country, region).
Cookies and pixel identifiers — only when you grant the relevant consent.
Server-side request logs (auto-deleted after 30 days).

3. Why We Process Your Data (Lawful Basis)

Under Article 6 GDPR, every processing activity has at least one of the following bases:

Performance of a contract (Art. 6(1)(b)): running your account, delivering the courses you paid for, processing your subscription.
Legitimate interests (Art. 6(1)(f)):platform security, abuse prevention, fraud detection, server logs, anonymous performance telemetry (Vercel Analytics & Speed Insights).
Consent (Art. 6(1)(a)): analytics cookies (GA4, Microsoft Clarity) and marketing cookies (Google Ads, Microsoft Ads, LinkedIn Insight Tag) — collected via our consent banner and revocable at any time.
Legal obligation (Art. 6(1)(c)): tax invoicing, accounting records, responding to lawful authority requests.

4. Recipients and Sub-Processors

We use the following processors. Each is bound by a GDPR-compliant data processing agreement (DPA) and processes data only on our documented instructions. Transfers outside the EEA rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.

Processor	Purpose	Data Categories	Location	Safeguard
MongoDB Atlas (MongoDB, Inc.)	Primary application database — accounts, progress, content.	Account, learning data, technical logs.	EEA (Frankfurt) — primary region.	GDPR DPA; SCCs for any non-EEA transfers.
Vercel Inc.	Web hosting, edge compute, CDN, error and request logs.	IP address, request metadata, account data in transit.	United States (with EU edge nodes).	GDPR DPA; EU SCCs (module 2 & 3).
Vercel Analytics	First-party, cookie-less aggregate page analytics.	Anonymous page views, country, device class. No cookies.	United States.	GDPR DPA; aggregated, non-identifying telemetry.
Vercel Speed Insights	Anonymous Core Web Vitals (LCP, INP, CLS) measurement.	Anonymous performance samples. No cookies, no PII.	United States.	GDPR DPA; aggregated performance metrics.
Vercel Blob	Storage for user-uploaded files (avatars, attachments).	Uploaded files and their metadata.	United States.	GDPR DPA; SCCs.
Stripe Payments Europe Ltd.	Subscription billing and payment processing.	Name, email, billing address, payment card token, IP.	Ireland (EEA) — card data processed via Stripe global network.	GDPR DPA; PCI-DSS Level 1; SCCs.
Google Ireland Ltd. (Google Tag Manager)	Tag orchestration — loads other analytics/marketing tags.	GTM itself sets no cookies; downstream tags listed below.	Ireland (EEA) — global edge.	GDPR DPA; SCCs for non-EEA transfers.
Google Ireland Ltd. (Google Analytics 4)	Aggregate usage analytics — pages viewed, conversion funnels.	Pseudonymous client id, truncated IP, page URL, referrer.	Ireland (EEA) with US sub-processors.	EU-US Data Privacy Framework; IP anonymisation; SCCs.
Microsoft Corporation (Clarity)	Heatmaps and session-replay diagnostics.	Pseudonymous session id; replays redact form fields and passwords.	United States.	GDPR DPA; EU-US Data Privacy Framework; SCCs.
Google Ireland Ltd. (Google Ads)	Conversion measurement and remarketing for paid campaigns.	Click ID (gclid), pseudonymous ad-cookie id, conversion event.	Ireland (EEA) / United States.	EU-US Data Privacy Framework; SCCs; Consent Mode v2.
Microsoft Ireland Operations Ltd. (Microsoft Ads / UET)	Conversion measurement for Microsoft (Bing) ad campaigns.	Click ID (msclkid), pseudonymous ad-cookie id, conversion event.	Ireland (EEA) / United States.	GDPR DPA; EU-US Data Privacy Framework; SCCs.
LinkedIn Ireland Unlimited Co. (Insight Tag)	Conversion measurement and remarketing for LinkedIn campaigns.	Pseudonymous member id, conversion event.	Ireland (EEA) / United States.	GDPR DPA; EU-US Data Privacy Framework; SCCs.
Google Ireland Ltd. (Google OAuth)	Optional federated sign-in.	Email, name, profile photo URL (only if you sign in with Google).	Ireland (EEA).	GDPR DPA.
LinkedIn Ireland Unlimited Co. (LinkedIn OAuth)	Optional federated sign-in.	Email, name, headline (only if you sign in with LinkedIn).	Ireland (EEA).	GDPR DPA.
Anthropic, PBC	LLM for the WSU AI study assistant.	Chat content you submit to the assistant. Zero-retention API.	United States.	DPA; zero-retention configuration (no training, no storage).
OpenAI, L.L.C.	LLM and embeddings for content classification and chat fallback.	Chat content; queries are not used for training under API DPA.	United States.	DPA; opt-out of training; SCCs.
Pinecone Systems, Inc.	Vector store for retrieval-augmented assistant search.	Embeddings derived from public CFA content; no PII.	United States.	DPA; encrypted at rest and in transit.
Email delivery (SMTP)	Transactional and marketing email delivery.	Email address, subject, message body of platform-sent mail.	EU/US (depending on configured provider).	DPA; SCCs where applicable.
Vercel BotID	Bot mitigation on auth and lead forms.	Browser challenge token, IP for the challenge only.	United States.	DPA; no persistent identifier.

A current list of sub-processors is maintained on this page. Material changes are announced at least 14 days in advance via email or in-app notice.

5. Retention Periods

Account & learning data: kept while your account is active. On deletion request, erased or anonymised within 30 days.
Billing & invoice records: retained for 10 years to satisfy Czech accounting law (Act No. 563/1991 Coll.).
Server logs: 30 days.
Analytics events (GA4): 14 months on Google's servers.
Microsoft Clarity recordings: 13 months.
Marketing cookies: per platform — typically 13 months from your last interaction.
Backups: rolling 35-day window; data inside a backup is purged at the next rotation after erasure.

6. Your Rights Under GDPR

Access (Art. 15): request a copy of the personal data we hold about you.
Rectification (Art. 16): correct inaccurate data — most fields are self-serve in account settings.
Erasure (Art. 17): "right to be forgotten" — delete your account and associated data.
Restriction (Art. 18): ask us to suspend processing while a complaint is investigated.
Portability (Art. 20): receive your data in a machine-readable format.
Objection (Art. 21): object to processing based on legitimate interests or to direct marketing.
Withdraw consent (Art. 7(3)): open the "Manage cookies" link in the footer to revoke analytics/marketing consent at any time.
Lodge a complaint: with the Czech supervisory authority — Úřad pro ochranu osobních údajů (uoou.cz) — or your local EEA DPA.

To exercise any of these rights write to privacy@wallstreetuni.com. We respond within one month (extendable by two further months for complex requests, Art. 12(3) GDPR).

7. International Data Transfers

Some processors (Vercel, Microsoft Clarity, Google Ads, OpenAI, Anthropic, Pinecone, Stripe global network) are located in the United States. Transfers rely on one or more of:

European Commission adequacy decisions (incl. the EU–US Data Privacy Framework).
EU Standard Contractual Clauses (Decision 2021/914) supplemented by additional safeguards (encryption in transit, pseudonymisation, IP truncation).
Your explicit consent for non-essential transfers (analytics, marketing cookies).

8. Security

HTTPS/TLS 1.3 in transit; AES-256 encryption at rest on MongoDB Atlas and Vercel Blob.
Passwords stored only as salted bcrypt hashes.
Optional TOTP-based two-factor authentication.
BotID verification on auth and lead forms (Vercel + Anthropic).
Strict Content Security Policy, HSTS preload, frame-ancestors lock.
Least-privilege access controls and audit logging on admin actions.

9. Cookies and Similar Technologies

We use a layered consent banner (Google Consent Mode v2 with deny-by-default signals) to control analytics and marketing cookies. The full cookie inventory is on the Cookie Policy page. You can change your choices at any time via "Manage cookies" in the footer.

10. Children

The platform is intended for users aged 16 and above. We do not knowingly collect data from children under 16. If you believe a child has registered, contact privacy@wallstreetuni.com and we will delete the account.

11. Changes to This Policy

Material changes are announced at least 14 days in advance via email or in-app notice. Continued use after the notice period constitutes acceptance.

Questions or Concerns?

Email privacy@wallstreetuni.com or write to WEBZI s.r.o., Krásova 2919/31a, Žižkov, 130 00 Praha 3, Czech Republic.