Privacy Policy

Effective Date: January 2025
Last Updated: June 2026

1. Introduction

Flower Gold Academy ("we," "our," or "us") is operated by Fathima Mafaza, based at 272, Galoya Junction, Ukuwela, Matale, Sri Lanka. This Privacy Policy explains how we collect, use, and protect your information when you visit flowergoldacademy.com and use our services.

2. Data We Collect

We collect the following types of information:

  • Authentication Data: Email address and encrypted password for admin users, managed via Supabase Auth.
  • Contact Form Submissions: Name, email, phone number, subject, and message (submitted via the Contact page).
  • Course Inquiry Submissions: Name, email, phone, and message (submitted via Course Inquiry forms).
  • Newsletter Signups: Email address, subscribed via MailerLite. You may unsubscribe at any time.
  • Uploaded Images: Images uploaded by administrators are stored on Cloudinary's CDN.
  • Usage Data: Browser type, IP address, pages visited, referrer information (collected by analytics tools if enabled).

3. Third-Party Services

We use the following third-party services:

  • Supabase (US servers): Database, authentication, and storage. Personal data (contact submissions, user accounts) is stored on Supabase's PostgreSQL servers in the United States. See Supabase Privacy Policy.
  • Cloudinary (US/EU CDN): Image hosting and optimization. Uploaded images are stored on Cloudinary's global CDN. See Cloudinary Privacy Policy.
  • MailerLite: Email newsletter service. Subscriber email addresses are stored on MailerLite. See MailerLite Privacy Policy.
  • Resend: Transactional email delivery. Used to send contact form confirmations and notifications. Email addresses are processed but not stored by Resend.
  • Cloudflare Turnstile: Bot protection on contact and inquiry forms. Does not store personal data beyond verification tokens.
  • Google Maps (Embed): Embedded map on the Contact page. Google may collect your IP address and browser information when the map is loaded. See Google Privacy Policy.
  • Google Analytics 4 (optional): If enabled, GA4 collects anonymized usage data including page views, session duration, and device information. See Google Privacy Policy. Analytics is only activated after your cookie consent.

4. Cookies & Tracking

We use the following types of cookies. You can control cookie preferences via our cookie consent banner or your browser settings.

  • Supabase Auth Session Cookie: Essential. Maintains your logged-in state for admin users. Cannot be disabled for authenticated sessions.
  • Cookie Consent Preference: Essential. Stores your consent choice (accepted/rejected) in localStorage so we don't show the banner on every visit.
  • Cloudflare Turnstile Cookies: Functional. Used for bot verification on forms. Temporary, session-scoped.
  • Google Analytics Cookies (_ga, _gid): Analytics (optional). Only set after you accept cookies. Used to measure traffic and page performance. You can opt out at any time via our cookie banner.

Disabling essential cookies will affect authentication functionality.

5. How We Use Your Data

  • To respond to inquiries and course enrollment requests
  • To send transactional emails (confirmation of contact form submissions)
  • To send newsletters (only to subscribers)
  • To authenticate and authorize admin dashboard access
  • To improve website performance (analytics, if consented)
  • To comply with legal obligations

6. Data Security

We implement industry-standard security measures: HTTPS/TLS encryption, Supabase row-level security (RLS), bcrypt password hashing, and access controls. No transmission method is 100% secure. If you believe your data has been compromised, contact us immediately.

7. Your Rights (GDPR & Global)

If you are in the European Economic Area (EEA), United Kingdom, or another privacy-regulated jurisdiction, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data. We will action this within 30 days.
  • Right to Data Portability: Receive your data in a structured, machine-readable format (e.g., CSV export of your submissions).
  • Right to Object: Object to processing of your data for marketing purposes. Unsubscribe from newsletters at any time via the link in any email.
  • Right to Withdraw Consent: Withdraw cookie consent at any time via the cookie banner.

To exercise any of these rights, email us at info@flowergoldacademy.com. We will respond within 30 days.

8. International Data Transfers

We are based in Sri Lanka. Our database (Supabase) and image CDN (Cloudinary) are hosted on servers in the United States. Our newsletter provider (MailerLite) operates in the EU. By using our website, you consent to your data being transferred to and processed in these countries. We ensure our service providers meet adequate data protection standards.

9. Data Retention

  • Contact form submissions: retained for 2 years, then deleted.
  • Course inquiry submissions: retained while relevant, up to 2 years.
  • Newsletter subscribers: retained until you unsubscribe.
  • Admin accounts: retained while access is required.

You may request early deletion at any time.

10. Children's Privacy

Our website is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has submitted data to us, please contact us for immediate deletion.

11. Policy Changes

We may update this Privacy Policy. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the website after changes constitutes acceptance.

12. Contact & Data Controller

Flower Gold Academy

Fathima Mafaza (Data Controller)

272, Galoya Junction, Ukuwela, Matale, Sri Lanka

Email: info@flowergoldacademy.com

Phone: +94 76 344 0809