Privacy Policy

Effective date: April 3, 2026

GDPR | CCPA / CPRA | CalOPPA | CAN-SPAM

Nespola.io ("we", "us", or "our") is committed to protecting your personal information. This Privacy Policy explains what data we collect, why we collect it, how we use and share it, and what rights you have — including those under the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable laws.

By using our website at nespola.io and any related services (collectively, the "Services"), you acknowledge that you have read and understood this Policy.

1. Who We Are

Nespola.io is an education company that helps independent authors build publishing businesses on Amazon KDP. For GDPR purposes, Nespola.io acts as the data controller for personal data processed in connection with our website and marketing. When we process data on behalf of our students as part of program delivery, we act as a data processor.

Contact us: info@nespola.io

2. Data We Collect

2.1 Information you provide directly

  • Name, email address, and contact details when you fill in a form, apply to a program, or contact us.
  • Payment information (processed directly by our payment processor; we do not store raw card numbers).
  • Profile information and content you submit in our community or course platform.
  • Communications you send us (emails, chat messages, support tickets).

2.2 Information collected automatically

  • IP address, browser type, operating system, and device identifiers.
  • Pages visited, referral URLs, time on page, and clickstream data.
  • Cookies and similar tracking technologies (see Section 7).

2.3 Information from third parties

  • Data from social media platforms if you connect an account or interact with our social media content.
  • Analytics and advertising partner data used to measure campaign performance.

We do not knowingly collect personal data from children under 13 (USA) or under 16 (EU/EEA). If you believe a minor has provided us personal data, contact us at info@nespola.io and we will delete it promptly.

3. Legal Basis for Processing (GDPR)

If you are located in the EU/EEA or UK, we rely on the following legal bases:

  • Contract performance — to deliver the programs and services you purchase.
  • Legitimate interests — to improve our Services, prevent fraud, and send direct marketing to existing customers (you can opt out at any time).
  • Consent — for marketing emails to prospective customers, and for non-essential cookies. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation — to comply with applicable law, including tax and accounting requirements.

4. How We Use Your Data

  • Provide, operate, and improve our Services and educational programs.
  • Process payments and send transactional communications (receipts, enrollment confirmations).
  • Send marketing and promotional communications (with your consent or based on legitimate interests where permitted).
  • Respond to inquiries and provide customer support.
  • Monitor and analyze usage patterns to improve user experience.
  • Detect, investigate, and prevent fraudulent activity and security breaches.
  • Comply with legal obligations.

5. How We Share Your Data

We do not sell your personal data. We share data only as follows:

  • Service providers — trusted third parties that help us operate (e.g., payment processors, email delivery, analytics, hosting). They are contractually obligated to protect your data and may not use it for their own purposes.
  • Business transfers — if Nespola.io is involved in a merger, acquisition, or sale, personal data may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.
  • Legal requirements — when required by law, court order, or to protect our rights and the safety of others.

Third-party tools we use may include:

  • Stripe (payment processing)
  • Skool (community platform)
  • Google Analytics / similar analytics tools
  • Email marketing platforms (e.g., Mailchimp, ConvertKit)

Each provider has its own privacy policy. We encourage you to review them.

6. International Data Transfers

Nespola.io is based in the United States. If you are located in the EU/EEA, UK, or Switzerland, your personal data will be transferred to and processed in the US. We ensure adequate safeguards through Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms. By using our Services, you acknowledge this transfer.

7. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential cookies — necessary for the site to function (cannot be disabled).
  • Analytics cookies — help us understand how visitors use our site (e.g., Google Analytics).
  • Marketing cookies — used to deliver relevant ads (e.g., Meta Pixel, Google Ads).

You can control non-essential cookies through your browser settings or our cookie consent banner. Note that disabling cookies may affect site functionality.

We honor Global Privacy Control (GPC) signals and "Do Not Track" (DNT) browser settings to the extent required by applicable law.

8. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law. In general:

  • Account and transaction records: 7 years (for tax and legal compliance).
  • Marketing data: until you unsubscribe or request deletion.
  • Website analytics: up to 26 months (or as configured in the analytics platform).

9. Your Rights

9.1 Rights under GDPR (EU/EEA/UK residents)

You have the right to:

  • Access — obtain a copy of your personal data.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your data (subject to legal retention obligations).
  • Restriction — limit how we process your data in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — at any time, without affecting prior lawful processing.
  • Lodge a complaint — with your local data protection authority (e.g., your national DPA or the ICO in the UK).

9.2 Rights under CCPA / CPRA (California residents)

If you are a California resident, you have the right to:

  • Know — what personal information we collect, use, disclose, and sell.
  • Delete — request deletion of your personal information (subject to exceptions).
  • Correct — request correction of inaccurate personal information.
  • Opt out of sale/sharing — we do not sell or share your personal information for cross-context behavioral advertising.
  • Limit use of sensitive personal information — you may direct us to limit the use of sensitive data to what is necessary to perform the Services.
  • Non-discrimination — we will not discriminate against you for exercising your rights.

To exercise your California rights, email us at info@nespola.io with "California Privacy Request" in the subject line. We will respond within 45 days (or 90 days when reasonably necessary).

9.3 How to exercise your rights

To exercise any of the rights above, email us at info@nespola.io. We may need to verify your identity before processing your request. We will respond within 30 days (GDPR) or 45 days (CCPA), unless an extension is required.

10. Email Communications

We comply with the CAN-SPAM Act and the EU ePrivacy Directive. All marketing emails include a clear unsubscribe link. You can opt out of marketing emails at any time by clicking "Unsubscribe" in any email or by contacting us at info@nespola.io. Transactional emails (receipts, enrollment confirmations) are not marketing and cannot be opted out of while you have an active account.

11. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration — including encryption in transit (TLS), access controls, and regular security reviews. No system is 100% secure; if you suspect a breach, please contact us immediately.

12. Third-Party Links

Our website may contain links to third-party sites. We are not responsible for the privacy practices of those sites and encourage you to review their policies.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on our website at least 30 days before the changes take effect (where required by law). The effective date at the top of this page will always reflect the most recent version.

14. Contact Us

For questions, requests, or complaints about this Privacy Policy or our data practices, please contact our Privacy team:

Nespola.io
Privacy Team
Email: info@nespola.io

If you are an EU/EEA resident and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.