Privacy policy

This privacy policy describes which personal data we process in connection with use of the The Creative Shift platform. It supplements the general privacy policy of the marketing website gad-studios.com. Where this page contains more specific information about the platform, it takes precedence for that platform.

Full legal disclosure: Imprint (also gad-studios.com/imprint).

The controller for processing on this platform is the party stated in the main website’s privacy policy, except where a service provider (e.g. Stripe, Resend) acts as an independent controller or under its own legal framework.

As described at gad-studios.com/privacy-policy, this includes: GADELRAB STUDIO L.L.C, representation and address in Dubai (United Arab Emirates), contact email ahmed.gadstudios@gmail.com.

The application runs as a modern web app (Next.js). Hosting, delivery, and server infrastructure are provided by Vercel Inc. (USA). Technically necessary access data are processed (e.g. IP address, timestamp, requested resource, user agent). Legal bases: Art. 6(1)(b) GDPR (performance of a contract / pre-contractual steps) and Art. 6(1)(f) GDPR (legitimate interests in secure, reliable operation).

For Vercel’s privacy and data-processing terms, see Vercel’s documentation. Where data are transferred to the USA, we rely where required on the EU–US Data Privacy Framework and/or appropriate safeguards under Art. 46 GDPR.

Account data, course data, enrolments, quiz and progress data, and where applicable lead data are stored in a PostgreSQL database hosted by Supabase. Supabase acts as a processor under Art. 28 GDPR. Depending on region and product configuration, processing may occur inside or outside the EU.

Purposes: user accounts, course access, enrolments, and support for the learning environment. Legal bases: Art. 6(1)(b) GDPR (course contract) and, where you opt into optional features, Art. 6(1)(a) GDPR (consent).

Payments for courses and bundles are processed via Stripe. Stripe processes data required for payment (e.g. payment details, transaction IDs, invoice data where applicable) as an independent controller or together with us along the checkout flow. We receive status information from Stripe and store references (e.g. checkout session) to fulfil the course contract.

Legal basis: Art. 6(1)(b) GDPR. See Stripe’s privacy notice at stripe.com/privacy.

We use Resend to send email (e.g. access after purchase, password setup, password reset, chakra-test follow-up, internal notifications). Recipient address, subject, body, and technical sending metadata are processed. Resend may act as a processor; depending on routing, data may be processed in third countries (e.g. the USA).

Legal bases: Art. 6(1)(b) GDPR (contract / pre-contractual measures); for purely promotional communication, Art. 6(1)(a) GDPR only with prior consent.

When you register or log in, we process the data you provide (at minimum email; name where provided). Passwords are stored as hashes. Authentication uses a session-based mechanism (e.g. session cookies). Legal basis: Art. 6(1)(b) GDPR.

We store data about your participation (e.g. enrolment, completed modules, quiz results, unlock logic) to provide access owed under the contract. Video may be delivered via embedded streaming providers; when you play content, your IP address may be processed by that provider.

Legal basis: Art. 6(1)(b) GDPR.

If you complete the public chakra test, we may — where technically configured — store the email you provide, optionally your name, and your answers. Processing for marketing purposes occurs only if you have given clear opt-in consent.

Legal bases for the test and sending results: Art. 6(1)(a) GDPR (consent) and/or Art. 6(1)(b) GDPR where directly pre-contractual.

When you use the platform, hosting and application servers typically generate server logs (e.g. IP address, timestamp, requested URL, status code). Purposes: security, error analysis, abuse prevention. Legal basis: Art. 6(1)(f) GDPR.

We use technically necessary cookies and/or local storage for login and security. Optional cookies (analytics, marketing, preferences) are used only if you allow them in cookie settings. Legal basis for optional cookies: Art. 6(1)(a) GDPR. You can change your choices any time via the cookie icon.

Services listed above (including Vercel, Supabase, Stripe, Resend) may involve processing outside the European Economic Area. Where required by law, we implement appropriate safeguards (e.g. standard contractual clauses, the Data Privacy Framework, or comparable mechanisms) and carry out transfer impact assessments where appropriate.

We keep personal data only as long as needed for the purposes described or as required by law. Customer records may be retained longer under commercial and tax rules (often up to ten years) where applicable.

Where the legal requirements are met, you have the right to:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
• Withdraw consent with effect for the future (Art. 7(3) GDPR)

To exercise your rights, contact the controller at the email address above.

You have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work, or the place of the alleged infringement.

We may update this privacy policy if the legal situation, services, or platform features change. The current version is always available at this URL. We may notify you of material changes by appropriate means.

Last updated: April 2026 · Platform URL: https://mindset-gadstudios.vercel.app