Privacy Policy
Last revised: May 19, 2026
1. Who we are
The Tiny Marketing Lab Training portal at training.tinymarketinglab.com is operated by 3AM SaaS OÜ (the "Controller" under the EU GDPR):
- Registry code: 16445075
- VAT: EE102534487
- Registered office: Lõõtsa tn 2a, Tallinn, Harju maakond 11415, Estonia
- Contact for privacy matters: bank@tinymarketinglab.com
We are the data controller responsible for the personal data you submit to the Service.
2. What data we collect
We collect only what's needed to operate the Service.
You provide directly:
- Email address (required to log in)
- Display name (optional, used in greetings)
- Billing address (required at paid checkout — name, street, city, postal code, country, and where applicable state/region)
- VAT ID (optional, only for B2B EU buyers using reverse charge)
Collected automatically:
- Login timestamps and a session cookie for authentication
- Course progress (lessons viewed, lessons marked complete, EXP earned)
- Server logs of your requests (IP address, user agent, URL, status code, timestamp) — kept for up to 30 days for security and debugging
- Email-delivery telemetry from our email provider (delivered, opened, bounced, complained)
Received from payment processor (Stripe):
- Transaction records (amount, currency, tax breakdown, billing country, payment method type)
- Refund and chargeback events
We do not see or store your full card number, CVC, or expiry — Stripe handles that directly.
3. Why we use it (lawful basis)
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide the Service you signed up for (login, course access, progress tracking) | Performance of a contract |
| Process payments and issue receipts/invoices | Performance of a contract + legal obligation (accounting) |
| Send transactional emails (login codes, receipts, course welcomes) | Performance of a contract |
| Send the optional course welcome message | Legitimate interest (you can unsubscribe at any time) |
| Detect abuse and secure the Service | Legitimate interest |
| Comply with tax, accounting, and consumer-protection law | Legal obligation |
4. Who we share data with
We use a small number of carefully chosen processors:
- Stripe, Inc. — payment processing, Stripe Tax, fraud detection. Data flows: billing details, transaction info. Privacy policy: stripe.com/privacy
- SparkPost (Message Systems, Inc.) — sends our transactional and marketing emails. Data flows: your email address, the email content itself.
- Hetzner Online GmbH — hosting infrastructure (Germany / Finland). Data flows: all server-side data resides on their hardware.
- Cloudflare — DNS and (where applicable) edge proxying.
We do not sell or rent your personal data, and we do not share it with advertisers.
5. International transfers
Our hosting infrastructure is in the EU (Hetzner). Some processors are based outside the EU (e.g. Stripe in the US, Cloudflare in the US). Where personal data is transferred outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) or other valid transfer mechanisms.
6. How long we keep it
- Account data (email, name): for as long as your account exists, plus up to 90 days after deletion to allow recovery.
- Course progress and EXP: for as long as your account exists.
- Purchase / invoice records: 7 years after the transaction date, as required by Estonian accounting law (Raamatupidamise seadus).
- Server logs: up to 30 days.
- Email-delivery telemetry: up to 90 days.
- Marketing email subscription preference: until you withdraw consent.
If we no longer need data for the original purpose, we delete or anonymize it.
7. Your rights
Under the GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure ("right to be forgotten") — delete your account and associated data, subject to legal retention obligations
- Restriction — limit our processing in certain circumstances
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — for processing based on consent, at any time
To exercise any of these rights, email bank@tinymarketinglab.com from the address on your account. We respond within 30 days.
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) or with the supervisory authority in your country of residence.
8. Cookies
We use only strictly necessary cookies — a single signed session cookie that keeps you logged in. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
9. Email communication and unsubscribe
- Login codes, receipts, refund notifications, and account-essential emails are transactional — we always send them and you cannot opt out while you have an active account.
- Course welcome emails on enrollment count as transactional but include an unsubscribe link. Unsubscribing stops future course welcome emails but does not affect login codes or receipts.
- We do not send promotional / newsletter emails at this time.
10. Children
The Service is not directed to children under 16. If you become aware that a child under 16 has provided personal data, contact us and we will delete it.
11. Security
We use industry-standard security practices: HTTPS everywhere, encrypted database backups, restricted server access, signed sessions, and minimum-privilege access for our processors. No system is perfectly secure — if you suspect a breach affecting your account, contact us immediately.
12. Changes to this policy
We may update this Privacy Policy occasionally. We will announce material changes by email or by a notice on the site at least 14 days before they take effect.
13. Contact
Questions, requests, or complaints about your personal data:
3AM SaaS OÜ
Lõõtsa tn 2a, Tallinn, Harju maakond 11415, Estonia
Email: bank@tinymarketinglab.com
Reg No 16445075 · VAT EE102534487