What is this policy about?

This Policy outlines how MCGAPROD LTD (hereinafter referred to as the “Company” or the “Contractor”) processes customers’ personal data and ensures its security and confidentiality.
This policy has been developed in accordance with the requirements of the Law of the Republic of Cyprus 125(I)/2018 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (implementing Regulation (EU) 2016/679, “GDPR”).
The Policy is made publicly available on the Contractor’s online resources, including the website, the GetCourse platform, as well as official accounts on social media and messaging services.
From the Policy, you will learn:
●       what personal data the Contractor collects and receives;
●       on what grounds and for what purposes they are used;
●       how their protection is ensured;
●       what rights do you have as a data subject;
●       In what cases data may be transferred to third parties, including cross-border transfers outside the EEA.
 
Terms and Definitions

Personal data – any information that relates directly or indirectly to an identified or identifiable individual (the subject of personal data). This may include a name, email address, phone number, IP address, location information, or any other data that can be used to identify a user.

A data subject – an individual whose personal data is processed by the Operator. For example, if you subscribe to a newsletter or communicate with us through a feedback form, you are considered a data subject.
 
Personal data operator (Operator) – a person or entity who, independently or jointly with others, organizes and/or carries out the processing of personal data, and also determines the purposes and scope of the data being processed.
 
The processing of personal data – any operation or set of operations performed on personal data, including collection, recording, systematization, accumulation, storage, clarification, retrieval, use, transfer (including delegation of processing to third parties), anonymization, blocking, deletion, and destruction of personal data.
 
The confidentiality of personal data – a duty of the Operator and any other persons who have access to such data, prohibiting them from disclosing this information to third parties without the consent of the data subject or without another legal basis.
 
Operator Resources – the website, social media accounts and pages, messaging platforms, email newsletters, and other channels through which the Operator collects or processes personal data.
 
Cookies – small pieces of data that a website stores in a user's browser. They allow the site to "remember" information about you (such as your settings, shopping cart contents, login status, and more) and are used to enhance your experience, as well as for analytics and marketing purposes.
 
An IP address – a unique network identifier assigned to a user's device on the Internet. It can be used for traffic analysis, geolocation, and website security.
 
A data processor – a third party that processes personal data on behalf of the Operator, based on a contract or other agreement with the Operator. For example, this could include CRM systems, email services, or payment providers.
 
A CRM system – software designed to manage interactions with customers, where personal data provided by users through the website or other channels can be stored and processed.
 
A personal data database – an organized collection of personal data that is accessed using information technology.
 
Automated processing of personal data – processing carried out using computing technology, such as through a website or application.
 
What are personal data?
Personal data means any information about an individual (the subject of personal data) by which they can be identified.

The Operator processes only those personal data that are listed in the Policy and that identify you as a user of the Resources.

You may provide your consent for the processing of personal data when using the Resources, filling out feedback forms on the Resources, or through other methods specified in the Policy.

Legal grounds and principles for processing personal data

We process your personal data solely on lawful grounds and strictly for the stated purposes. All data handling activities comply with Regulation (EU) 2016/679 (GDPR) and the Laws of the Republic of Cyprus 125(I)/2018, and are based on the following principles:

1.  Lawfulness, fairness, and transparency – data is processed based on a contract, consent, or another legal basis as provided by law; you can always find out what data we collect and for what purpose.

2.  Data adequacy and minimization – we collect only the data necessary for specific purposes (such as providing access to courses, communication, or fulfilling contractual obligations).

3.  Storage limitation – data is retained no longer than necessary for the purposes for which it was collected or as required by law.

4.  Accuracy – we take measures to ensure that personal data is up-to-date and accurate; you have the right to request its correction.

5.  Confidentiality and security – we employ technical and organizational measures to protect your data from unauthorized access, loss, or disclosure.

6.  Accountability – we maintain records of data processing and can confirm compliance with all data protection legislation requirements.

Legal grounds for the processing of personal data

The company processes the personal data of customers and users only on legal grounds as provided by the GDPR and the Law of the Republic of Cyprus 125(I)/2018.

1.  Consent (Art. 6(1)(a) GDPR)
You voluntarily give consent to the processing of your personal data when filling out forms on the website, subscribing to newsletters, using online resources, participating in surveys, posting reviews, as well as when using cookies and similar technologies.

2.  Performance of the contract (Art. 6(1)(b) GDPR)
Data processing is necessary for the conclusion and performance of the contract between you and the Company (for example, registration on the platform, providing access to courses, processing payments).

3.  Legal obligations (Art. 6(1)(c) GDPR)
The company may be required to process data in order to comply with legal requirements, including tax and accounting records, responding to requests from government authorities, and complying with court orders.

4.  The Company’s Legitimate Interests (Art. 6(1)(f) GDPR)
The Company processes data based on its legitimate interests, which include ensuring the security of online resources, preventing fraud and abuse, protecting its rights and interests in the event of disputes, as well as transferring data to trusted third parties (such as payment services or IT support providers) to deliver necessary services.

What rights do you have?

In accordance with the GDPR and Law 125(I)/2018 of the Republic of Cyprus, you have the following rights:

How does the Operator process personal data?

We process personal data both manually and using automated systems, depending on where and how you interact with us: through our website, app, or, for example, via messenger.
All actions involving personal data are carried out strictly within the purposes outlined in this Policy.
At the same time, the Operator is limited to the following actions:


We do not share your data except in cases expressly specified in this Policy, and when data is transferred, we make sure that contractors maintain a level of protection at least equal to ours.

What are cookies?

The website uses cookies – small text files that are stored in the user's browser when visiting the site. Cookies allow the website to recognize the user's device, ensure proper site functionality, and enhance the performance of its services.
 
Categories of cookies used:

1. Functional cookies – essential for the basic operation of the website, including user authentication, saving user preferences, and enabling the shopping cart and personal account features.
2. Analytical cookies – used to collect statistics and analyze user behavior on the website. This helps improve the site's structure and content. Web analytics systems with localized data storage are used for this purpose (for example, Google Analytics with IP anonymization).
3. Marketing cookies – used to personalize content and display advertisements on third-party platforms (where applicable). They are only used with the user's explicit consent.

 
Legal basis for processing

Functional cookies are processed on the basis of the Operator’s legitimate interests (to ensure the website’s technical accessibility).
Analytical and marketing cookies are processed based on the data subject’s consent, which is given by checking the appropriate box or by continuing to use the website after the cookie banner has been displayed.
 
Cookie Management

The user has the right to disable cookies in their browser settings. However, this may affect the proper display of certain elements on the website and limit access to some features of the personal account.
 
Transfer of personal data to third parties

The Operator may disclose personal data to third parties to the extent necessary to achieve the purposes outlined in this Policy. Such disclosure is permitted only in cases provided by law or when required to provide services to the user.
The Operator engages third-party service providers to process personal data on its behalf, based on executed confidentiality and data processing agreements. This is permissible if such parties:
●  provide adequate data protection,
●  do not use them for their own purposes,
●  They act strictly within the scope of their mandate.
 
The recipients may include:
●  payment solution providers – for receiving payments;
●  Providers of CRM systems and email and push notification platforms.
●  hosting providers and individuals providing technical support for the website;
●  Persons responsible for providing legal protection to the Operator or third parties in cases of violation of their rights or threats of such violations, including breaches of laws or regulatory documents.
●  persons providing users with access to the Resources;
●  GetCourse platform.
 
The Operator does not receive or store payment data (such as card numbers, CVV codes, etc.). This information is transmitted directly to the relevant payment provider in accordance with PCI DSS and other applicable standards.
In the event of disputes, threats to the rights or legitimate interests of the Operator or third parties, personal data may be disclosed to lawyers, representatives, judicial or law enforcement authorities in accordance with procedures established by law.
The transfer of personal data is permitted upon request and in cases expressly provided for by the laws of the Republic of Cyprus and the European Union – for example, when requested by tax authorities, courts, police, or other competent government agencies.
 
How does the Operator ensure the security of personal data?

The Operator shall take the necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, dissemination, and any other unlawful actions.
 
These measures include, among others:
●  restricting access to personal data to authorized personnel only;
●  access control in information systems
●  the use of antivirus and other software for information protection
●  keeping a log of access to personal data (if necessary);
●  encryption of communication channels, data backup;
●  training employees with access to personal data on confidentiality requirements;
●  Conclusion of non-disclosure and data processing agreements with contractors.
 
In the event of an incident involving loss, unauthorized access, or any other breach of personal data security, the Company acts in accordance with the GDPR and internal procedures.
●  notifies the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus within 72 hours of identifying the incident, if the personal data breach may pose risks to the rights and freedoms of data subjects;
●  if necessary, also notifies the data subjects themselves about the incident and its consequences;
●  carries out an internal investigation and implements technical and organizational measures to resolve the incident and minimize its consequences.
 
The Operator also notifies affected data subjects, if necessary, if the incident may impact their rights and legitimate interests.
 
What does the Operator not check?

The Operator assumes that the personal data provided pertains to the user who:
●  has full legal capacity and the right to manage their own data;
●  provides accurate information;
●  acts in good faith and in accordance with applicable law.
The Operator does not verify the accuracy of the information provided, except in cases where such verification is necessary to fulfill obligations to the data subject or is required by law.
 
How can I contact the Operator?

For any questions regarding the processing of personal data, you may contact the Operator by email at mcgaprodmv@gmail.com.
When making an inquiry, please provide your name and contact information for feedback.
The Operator will respond to your inquiry no later than 10 business days from the date it is received.
 
Policy Change

This Policy may be amended by the Company in the following cases:
●  amendments to the legislation of the European Union or the Republic of Cyprus in the field of personal data protection (including the GDPR and Law 125(I)/2018);
●  implementation of new technologies, products, or data processing methods;
●  changes to the Company’s organizational structure or business processes;
●  updating or modifying the structure of the website, platform, or the services used;
●  Based on the results of internal or external data protection audits;
●  Recording of requests, complaints, and recommendations from users or regulatory authorities.
The company undertakes to publish the current version of the Policy in open access on its website and other resources. The date of the latest update is indicated at the beginning of the document. By using the website and services after a new version of the Policy has been posted, users agree to its terms.