Privacy Policy
Last updated: June 11, 2026
1. Who we are
BAvolta is operated by SCL UP (the "Company," "we," "us," "our"):
- Legal name: SCL UP
- Legal form: Private limited company (SRL)
- Registered seat: Avenue Louise 167, box 12, 1050 Ixelles, Belgium
- Enterprise number (BCE): 0774.292.404
- VAT number: BE0774292404
BAvolta is the product brand under which SCL UP operates the website bavolta.com and the BAvolta learning platform (the "Service"). We provide interactive business analysis training through online lessons, case simulations, and portfolio-building exercises.
- General support: hello@bavolta.com
- Data protection, privacy rights, legal: info@sclup.be
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and applicable national law.
2. Data we collect
2.1 Data you provide directly
When you create an account, we collect:
- Full name: used to personalize your learning experience
- Email address: used for account authentication, transactional emails, and support communication
- Password: hashed using bcrypt (via Supabase Auth); we never see or store your plain-text password
- Persona selection (e.g., "career switcher," "junior BA"): used to tailor your learning path
When you purchase a subscription, our payment processor Paddle (see Section 4) collects billing information directly. We do not receive or store your card details. We receive a limited set of transactional metadata from Paddle: your name, email, country of residence, transaction ID, subscription status, and amount paid.
2.2 Data we collect automatically
When you use the platform, we automatically collect:
- Timezone: detected from your browser at signup to send emails at appropriate local times
- Lesson progress: which lessons you have started, completed, and your responses to knowledge checks and scenarios
- Case Lab submissions: your work in case simulations, including stakeholder analyses, requirements documents, and other artifacts you produce
- Usage data: pages visited, features used, time spent on lessons
- Device and browser information: browser type, operating system, screen size
- IP address: collected by our hosting, authentication, and analytics providers for security and fraud prevention
2.3 Newsletter subscription data
You can subscribe to the BAvolta newsletter without creating an account. When you subscribe, we collect:
- Email address: used only to send you the newsletter
- Consent metadata: the page from which you subscribed and the timestamp of your consent, kept as proof of consent
- Hashed IP address and browser user agent: collected at signup for spam and abuse prevention; the IP address is hashed with a rotating salt and cannot be reversed back to you
The consent metadata consists of: the time of signup, the page where you signed up, a hashed form of your IP address, and your browser user agent.
We use double opt-in: after you sign up, we send a confirmation link, and we only send the newsletter to addresses that have confirmed. Confirmation links expire after 48 hours. If you do not confirm, we do not send you the newsletter.
2.4 Data we do not collect
We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation.
We do not sell personal data to anyone, and we do not share it with advertisers.
3. Legal basis for processing
Under GDPR, we process your personal data on the following legal bases:
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email, password | Account creation and authentication | Contract performance |
| Verification, password reset, welcome emails | Contract performance | |
| Lesson completion, inactivity nudge, and feedback emails | Legitimate interest | |
| New content announcements | Legitimate interest | |
| Persona selection, timezone | Personalizing the learning experience | Contract performance |
| Lesson progress, quiz responses | Tracking progress, enabling certificates | Contract performance |
| Case Lab submissions | Providing feedback and portfolio generation | Contract performance |
| Billing metadata (from Paddle) | Account management, invoicing, subscription status | Contract performance, legal obligation (tax/accounting) |
| Usage data, device info | Improving the platform and fixing bugs | Legitimate interest |
| IP address | Security, fraud prevention, abuse detection | Legitimate interest |
| Email, newsletter consent metadata | Newsletter delivery (double opt-in) | Consent |
You can opt out of non-essential emails (inactivity nudges, content announcements) at any time by clicking the unsubscribe link in those emails or by emailing info@sclup.be.
For the newsletter, every email we send includes an unsubscribe link that works without an account. You can withdraw your consent at any time by using that link or by emailing hello@bavolta.com.
4. Who we share your data with
We share your personal data only with the following third-party service providers, each bound by a data processing agreement or equivalent safeguards:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Paddle.com Market Ltd | Payment processing, Merchant of Record, invoicing, tax compliance | Name, email, billing address, payment method, transaction data | UK / EU / US |
| Supabase | Authentication and database hosting | Name, email, hashed password, platform data | EU (Frankfurt) |
| Resend | Transactional and newsletter email delivery | Email address, name (account emails); email address only (newsletter) | US |
| Vercel | Frontend hosting and web analytics | IP address, browser information, usage data | Global CDN, primary EU |
| Railway | Backend API hosting | All API request data including authentication tokens | EU |
| Microsoft Clarity | Product analytics (session replay, heatmaps) | IP address, browser/device info, anonymized interaction data | US |
Paddle as Merchant of Record. When you purchase a BAvolta subscription, the contract for that purchase is concluded directly between you and Paddle.com Market Ltd, acting as the Merchant of Record. Paddle independently determines the purposes and means of processing payment data and acts as a separate data controller for that processing. Paddle's privacy policy is available at paddle.com/legal/privacy.
If we add new service providers in the future, we will update this policy before sharing any personal data with them.
Cookies
We use cookies and similar technologies to keep the site working, to keep you signed in, and (with your consent) to understand which lessons help students and which don't. The table below lists every cookie or tracking technology BAvolta uses, what it does, and how long it lasts.
| Name | Provider | Purpose | Category | Retention |
|---|---|---|---|---|
| Supabase auth | Supabase | Keeps you signed in | Necessary | Session |
| Paddle checkout | Paddle | Process payments at checkout | Necessary | Loaded only during checkout |
| Microsoft Clarity | Microsoft | Anonymous behavior analytics and session replay | Analytics | 1 year |
| Vercel Web Analytics | Vercel | Aggregate page views, cookieless | Analytics | No cookies set |
| Vercel Speed Insights | Vercel | Performance metrics, cookieless | Necessary | No cookies set |
You can change your preferences at any time.
5. How long we keep your data
- Account data (name, email, persona): retained while your account is active; deleted within 30 days of account deletion
- Lesson progress and Case Lab submissions: retained while your account is active; deleted within 30 days of account deletion
- Transaction and invoice records: retained for 7 years from the transaction date, as required by Belgian accounting and tax law (Article III.86 of the Belgian Code of Economic Law)
- Email logs (sent/bounce records): retained for 12 months, then automatically deleted
- Newsletter subscription data: retained while you are subscribed; if you unsubscribe, we keep your email address and the unsubscribe record so we can honor your opt-out. Unconfirmed signups are deleted automatically within 7 days of the confirmation link expiring
- Server logs (IP addresses, browser info): retained by our hosting providers for 30 to 90 days
6. Your rights under GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:
- Access: request a copy of all personal data we hold about you
- Rectification: ask us to correct inaccurate or incomplete data
- Erasure ("right to be forgotten"): ask us to delete your account and associated data (subject to retention obligations above)
- Data portability: request your data in a machine-readable format (JSON)
- Restriction: ask us to restrict processing in certain circumstances
- Objection: object to processing based on legitimate interest
- Withdraw consent: where processing is based on consent, withdraw it at any time
To exercise these rights, email info@sclup.be. We respond within 30 days. Proof of identity may be required to protect your account.
If you believe we have not handled your request appropriately, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données): dataprotectionauthority.be, or with your local EU supervisory authority.
7. Data security
We implement appropriate technical and organizational measures to protect your data:
- All data in transit is encrypted using TLS (HTTPS)
- Passwords are hashed using bcrypt (via Supabase Auth)
- Database access is restricted to authenticated API requests
- Row Level Security (RLS) is enabled on all database tables
- Administrative access is role-based and limited to platform administrators
- Payment data is handled exclusively by Paddle under PCI-DSS Level 1 compliance; we never see or store card information
No system is 100% secure. If we become aware of a data breach that affects your personal data, we will notify you and the Belgian Data Protection Authority within 72 hours as required by Article 33 of GDPR.
8. International data transfers
Your data is primarily stored and processed within the European Union. Some data is processed in the United States (Resend, Microsoft Clarity, portions of Vercel infrastructure) and the United Kingdom (Paddle). These transfers are conducted under appropriate safeguards, including the EU-US Data Privacy Framework (where applicable) and Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Children's data
BAvolta is intended for adults pursuing professional development in business analysis. We do not knowingly collect data from anyone under the age of 16. If you believe a child under 16 has created an account, contact info@sclup.be and we will delete the account promptly.
10. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice on the platform. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
BAvolta (a product of SCL UP) Avenue Louise 167, box 12, 1050 Ixelles, Belgium Enterprise number: 0774.292.404 · VAT: BE0774292404
- General support: hello@bavolta.com
- Data protection, privacy rights, legal: info@sclup.be