Privacy Policy

    Last updated: 23 May 2026

    Data controller

    The controller is Oleks Tech OÜ, registry code 17290539, address: Sinika tee 15-2, Järveküla, Rae Vald, Harjumaa, Eesti 75304.

    Contact for privacy questions, data-subject rights and complaints: [email protected]. A data-protection officer or privacy lead can be reached through this contact where applicable.

    This Policy applies to https://dumka.care, Dumka accounts, the digital-content marketplace, payments, communications, support and platform infrastructure.

    1. Data we process

    Account: email, hashed password or Google OAuth identifier, public name, country, preferred language, user role, email-verification status and display-currency settings.

    Coach profile: bio, expertise, portfolio, role status, KYC/KYB/AML status and Stripe Connect data where a Coach onboards for payouts.

    Purchases: product, tier, price, currency, discount, order ID, payment status, Stripe customer/session/payment intent IDs, receipt URL, access date, access expiry and separate legal-acceptance records.

    Content: courses, lessons, videos, documents, links, upload metadata and technical storage identifiers.

    Technical data: IP address, User-Agent, timestamps, API paths, response statuses, security logs, errors, device/browser information and cookie/local-storage preferences.

    Communications: support messages, transactional email logs, email verification, password reset, order confirmations, receipt-link emails and account deletion/change-email confirmations. Application delivery logs use recipient counts and keyed hashes instead of plaintext recipient lists where possible.

    2. Purposes and GDPR legal bases

    Contract, Article 6(1)(b): account creation, authentication, access to digital content, order processing, transactional emails, user support and checkout flow.

    Legal obligation, Article 6(1)(c): accounting, tax, VAT/OSS or equivalent records, lawful requests, consumer-law duties and retention of acceptance evidence.

    Legitimate interests, Article 6(1)(f): security, fraud prevention, abuse prevention, rate limiting, logging, diagnostics, protection of Dumka, Coaches and users, and DSA moderation records.

    Consent, Article 6(1)(a): optional cookies, marketing if enabled and other actions where we separately request consent. Consent can be withdrawn without affecting prior lawful processing.

    Welcome/product emails that form part of onboarding or account confirmation are transactional. Advertising or newsletter emails will be sent only with separate opt-in consent.

    3. Retention

    Account and profile: while the account is active; after deletion request the account is deactivated and the profile is anonymized or deleted, except where retention is legally required.

    Purchases, invoices, receipts, tax and accounting records: up to 7 years or another period required by applicable law.

    Legal acceptance records: while needed to evidence the contract, protect rights, meet tax/consumer duties and limitation periods.

    Security and technical logs: usually up to 12 months unless a longer period is needed for an incident, fraud, dispute or legal compliance.

    Transactional email logs: up to 2 years to evidence delivery of important service notices; marketing logs, if marketing is enabled, up to 6 months after unsubscribe or longer where needed to evidence opt-in/opt-out.

    Coach videos and documents: while content is active or needed to perform contracts with buyers; deletion is subject to technical storage and backup cleanup windows.

    4. Recipients and processors

    Cloudflare Stream and Cloudflare R2: hosting, transcoding, storage and delivery of video/documents.

    Stripe: payments, fraud prevention, customer/payment IDs, receipts, Connect/KYC/KYB/AML for Coaches and tax features where enabled.

    Resend: transactional email delivery, including verification, password reset, order confirmation, receipt-link and account emails.

    Sentry: error monitoring and diagnostics where enabled. We configure Sentry to avoid sending unnecessary personal data.

    Google OAuth: authentication through Google Sign-In if selected by the user.

    Data may also be disclosed to authorities, courts, auditors, lawyers or payment providers where required by law, security or protection of rights.

    5. International transfers

    Oleks Tech OÜ is in Estonia, and some processors may process data in the EEA, the United States or other countries.

    Where data is transferred outside the EEA, we use appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, the EU-US Data Privacy Framework for certified providers or other GDPR mechanisms.

    Specific processor details may change with infrastructure; the current key-processor list is provided in this Policy.

    6. Your rights

    You may request access, rectification, erasure, restriction, portability, objection to legitimate-interest processing, withdrawal of consent and not to be subject to a solely automated decision with legal or similarly significant effects.

    Send requests to [email protected]. We respond without undue delay and within 1 month. For complex requests, the period may be extended by up to 2 further months with notice.

    We may ask for additional information to verify identity, especially where the request is not made from the account or associated email address.

    You may complain to the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, https://www.aki.ee) or another competent data-protection authority in your country. Ukrainian users also retain rights under Ukraine's Personal Data Protection Law.

    7. Automation, discounts and profiling

    Dumka does not make decisions based solely on automated processing that produce legal or similarly significant effects for a user.

    Personal or renewal discounts may be calculated from a client-coach relationship, access history or private share token. They only affect the price of the specific offer and are shown before payment.

    Stripe may apply its own fraud-prevention and risk checks as an independent or separate controller/processor under its privacy policy.

    8. Cookies and local storage

    We use essential cookies and local storage for authentication, security, cookie preferences and interface operation.

    Optional analytics or marketing cookies are not currently used. If added, we will update the Cookie Policy and request consent before enabling them.

    9. Security and children

    We use HTTPS/TLS, password hashing, role-based access control, rate limiting, audit logs for important actions, media access controls, pre-signed/signed URLs and error monitoring.

    No security method is absolute. If you suspect account compromise or a data incident, contact [email protected].

    Dumka is not intended for children under 16. We do not knowingly collect personal data from children under 16.

    10. Changes

    We may update this Policy when processing practices, processors, law or Dumka features change.

    Material changes are notified through the site, email or another appropriate channel before they take effect where required by law.

    Policy version: 23.05.2026.

    View Cookie PolicyManage privacy settings