Privacy Policy
Last updated: 05.05.2026
This Privacy Policy explains how Coders Duo Studio (“we”, “us”, “our”) collects, uses, and protects your personal data when you visit codersduostudio.com (the “Site”), home of Heroic Rescue Academy.
This policy is governed by:
- The EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”)
If you are visiting from outside the European Economic Area, additional rights may apply to you under your local law (see Section 14).
If you have questions about this policy or want to exercise your rights, contact us at legal@codersduostudio.com.
1. Who we are (data controller)
For the purposes of GDPR, Coders Duo Studio is the data controller:
Coders Duo Studio LLC
Email: legal@codersduostudio.com
2. Data Protection Officer
We have not appointed a Data Protection Officer because our processing does not meet the thresholds set out in Article 37 GDPR. For all data protection enquiries, contact us at legal@codersduostudio.com.
3. What data we collect, why, and on what legal basis
GDPR requires every act of processing to have a lawful basis. The table below maps every category of data we collect to the lawful basis we rely on.
3.1 When you visit the Site
| Data | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Age verification cookie status | Confirm you have passed the 18+ age gate | Legitimate interest (Art. 6(1)(f)): operating an age-restricted site |
| Server log data (IP, user agent, requested URL, timestamp) | Site security, abuse prevention, diagnostics | Legitimate interest (Art. 6(1)(f)): security and integrity of our service |
3.2 When you subscribe to our newsletter
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Send you the newsletter you signed up for | Consent (Art. 6(1)(a)) |
| Consent timestamp | Demonstrate when consent was given | Legal obligation (Art. 6(1)(c)) per Art. 7(1) GDPR |
| IP address at submission | Demonstrate that the consent originated from you | Legal obligation (Art. 6(1)(c)) per Art. 7(1) GDPR |
| Source tag | Understand which page brought you to us | Legitimate interest (Art. 6(1)(f)): improving our content |
You can withdraw consent at any time, with effect from the moment of withdrawal, by clicking the unsubscribe link in any email or by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
3.3 When you contact us
| Data | Purpose | Legal basis |
|---|---|---|
| Email address, message contents, and any data you choose to share | Respond to your enquiry | Legitimate interest (Art. 6(1)(f)) – or, if pre-contractual, Art. 6(1)(b) |
3.4 Cookies and similar technologies
The Site uses cookies as described in our Cookie Policy. Strictly necessary cookies are loaded under Article 5(3) of the ePrivacy Directive. All other cookies are loaded only after your prior consent.
3.5 What we do NOT do
To be clear:
- We do not sell your personal data
- We do not transfer your data to advertisers or data brokers
- We do not use your data for automated decision-making producing legal or similarly significant effects (Art. 22 GDPR)
- We do not carry out behavioural profiling for marketing
- We do not process special category data (Art. 9 GDPR)
4. Recipients of your data (data processors)
We share data only with processors who act on our behalf under written contracts that comply with Article 28 GDPR.
4.1 Mailchimp (Intuit Inc.)
Mailchimp manages our newsletter list. When you subscribe, your email address, consent timestamp, IP address, and source tag are transmitted to Mailchimp.
- Established in: United States (a “third country” for GDPR purposes)
- Transfer mechanism: Standard Contractual Clauses (Article 46(2)(c) GDPR) and the EU–US Data Privacy Framework (Mailchimp is a participating organisation)
- Privacy policy: https://www.intuit.com/privacy/statement/
- Data Processing Addendum: https://mailchimp.com/legal/data-processing-addendum/
4.2 Namecheap, Inc. (hosting)
The Site is hosted by Namecheap. They process server logs and have technical access to server data.
- Established in: United States
- Transfer mechanism: Standard Contractual Clauses
- Privacy policy: https://www.namecheap.com/legal/general/privacy-policy/
4.3 Other recipients
We may share data with: legal advisors, accountants, and similar professional service providers under confidentiality obligations; law enforcement or regulators, where legally required and acquirers in the event of a merger or sale of assets (with notice to you and continued protection of your data).
5. International data transfers
Some of our processors are established outside the European Economic Area (EEA), in particular in the United States. The European Commission has determined that the United States provides an adequate level of protection for personal data transferred to organisations participating in the EU–US Data Privacy Framework (adequacy decision of 10 July 2023).
Where transfers occur outside the EEA and are not covered by an adequacy decision, we rely on:
- Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914)
- Supplementary measures following the Schrems II judgment (Case C-311/18), including encryption in transit and at rest, and contractual safeguards
You can request a copy of the safeguards in place by contacting us at legal@codersduostudio.com.
6. How long we keep your data (retention)
| Category | Retention period |
|---|---|
| Newsletter subscribers | Until you unsubscribe, then a hash of your email + the date of unsubscription is kept indefinitely as proof of withdrawal |
| Consent records | Same as the underlying processing; minimum 3 years after consent withdrawal for evidentiary purposes |
| Server logs | Up to 30 days |
| Email correspondence | Up to 24 months from last contact, unless an active matter requires longer |
When the retention period ends, data is deleted or irreversibly anonymised.
7. Your rights under GDPR
You have the following rights in relation to your personal data. Exercising them is free of charge, and we will respond within one month (extendable by two further months for complex requests, with notice to you).
- Right of access (Art. 15) – get a copy of the data we hold about you, plus information about how we process it
- Right to rectification (Art. 16) – have inaccurate data corrected
- Right to erasure / “right to be forgotten” (Art. 17) – have your data deleted, subject to limited exceptions
- Right to restriction of processing (Art. 18) – limit our use of your data in specific circumstances
- Right to data portability (Art. 20) – receive your data in a structured, machine-readable format
- Right to object (Art. 21) – object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3)) – at any time, with effect from withdrawal
- Right not to be subject to automated decision-making (Art. 22) – we do not carry out such processing
- Right to lodge a complaint with a supervisory authority (see Section 8)
To exercise any right, email legal@codersduostudio.com with the right you wish to exercise and sufficient information to verify your identity (we will not ask for more than necessary).
8. Children
The Site is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. We do not provide our services to anyone we know to be under 18, regardless of the age of consent in their country. If you believe a person under 18 has provided us with personal data, contact us at legal@codersduostudio.com, and we will delete it without undue delay.
9. Security
We apply appropriate technical and organisational measures (Art. 32 GDPR), including:
- HTTPS encryption for all traffic
- Access controls on administrative interfaces with strong, unique credentials
- Regular software updates and security patches
- Off-site encrypted backups
- Limited internal access on a need-to-know basis
- Processor contracts that bind our service providers to GDPR-equivalent obligations
10. Changes to this policy
We may update this Privacy Policy. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated via the Site banner and, where required, by email to subscribers. Where new processing requires consent, we will request fresh consent before that processing begins.
11. Site visitors outside the EU/EEA
We process the personal data of visitors regardless of their location, using the GDPR as our baseline. The following additional rights or rules may apply to you:
11.1 United Kingdom
If you are in the UK, the UK General Data Protection Regulation and the Data Protection Act 2018 apply alongside our GDPR-aligned practices. Your rights are substantially the same as under the EU GDPR.
You may complain to the UK Information Commissioner’s Office (ICO) at https://ico.org.uk/make-a-complaint/.
We honour the Global Privacy Control signal as an opt-out of sale or sharing.
To exercise these rights, email legal@codersduostudio.com. We do not need to verify California residency separately – exercising any GDPR right also satisfies any equivalent CCPA right.
11.2 Other jurisdictions
If you are in another jurisdiction with data protection law (Brazil’s LGPD, Canada’s PIPEDA, Switzerland’s FADP, etc.), you may have rights similar to those under GDPR. We apply GDPR standards globally as our baseline and will respond to any rights request in a manner consistent with applicable local law, where it provides protections beyond GDPR.
12. Contact
Coders Duo Studio
Email: legal@codersduostudio.com