Privacy Policy
Last updated: May 5, 2026
1. Who we are
BAvolta is operated by SCL UP (the "Company," "we," "us," "our"):
- Legal name: SCL UP
- Legal form: Private limited company (SRL)
- Registered seat: Avenue Louise 167, box 12, 1050 Ixelles, Belgium
- Enterprise number (BCE): 0774.292.404
- VAT number: BE0774292404
BAvolta is the product brand under which SCL UP operates the website bavolta.com and the BAvolta learning platform (the "Service"). We provide interactive business analysis training through online lessons, case simulations, and portfolio-building exercises.
- General support: hello@bavolta.com
- Data protection, privacy rights, legal: info@sclup.be
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and applicable national law.
2. Data we collect
2.1 Data you provide directly
When you create an account, we collect:
- Full name: used to personalize your learning experience
- Email address: used for account authentication, transactional emails, and support communication
- Password: hashed using bcrypt (via Supabase Auth); we never see or store your plain-text password
- Persona selection (e.g., "career switcher," "junior BA"): used to tailor your learning path
BAvolta does not currently process payments, and we do not collect billing information. When paid subscriptions launch, our chosen Merchant of Record will collect billing information directly at checkout; we will not receive or store your card details. We will receive a limited set of transactional metadata (your name, email, country of residence, transaction ID, subscription status, and amount paid) needed to provision your account.
2.2 Data we collect automatically
When you use the platform, we automatically collect:
- Timezone: detected from your browser at signup to send emails at appropriate local times
- Lesson progress: which lessons you have started, completed, and your responses to knowledge checks and scenarios
- Case Lab submissions: your work in case simulations, including stakeholder analyses, requirements documents, and other artifacts you produce
- Usage data: pages visited, features used, time spent on lessons
- Device and browser information: browser type, operating system, screen size
- IP address: collected by our hosting, authentication, and analytics providers for security and fraud prevention
2.3 Data we do not collect
We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation.
We do not sell personal data to anyone, and we do not share it with advertisers.
3. Legal basis for processing
Under GDPR, we process your personal data on the following legal bases:
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email, password | Account creation and authentication | Contract performance |
| Verification, password reset, welcome emails | Contract performance | |
| Lesson completion, inactivity nudge, and feedback emails | Legitimate interest | |
| New content announcements | Legitimate interest | |
| Persona selection, timezone | Personalizing the learning experience | Contract performance |
| Lesson progress, quiz responses | Tracking progress, enabling certificates | Contract performance |
| Case Lab submissions | Providing feedback and portfolio generation | Contract performance |
| Billing metadata (from Merchant of Record, when paid plans launch) | Account management, invoicing, subscription status | Contract performance, legal obligation (tax/accounting) |
| Usage data, device info | Improving the platform and fixing bugs | Legitimate interest |
| IP address | Security, fraud prevention, abuse detection | Legitimate interest |
You can opt out of non-essential emails (inactivity nudges, content announcements) at any time by clicking the unsubscribe link in those emails or by emailing info@sclup.be.
4. Who we share your data with
We share your personal data only with the following third-party service providers, each bound by a data processing agreement or equivalent safeguards:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Authentication and database hosting | Name, email, hashed password, platform data | EU (Frankfurt) |
| Resend | Transactional email delivery | Email address, name | US |
| Vercel | Frontend hosting and web analytics | IP address, browser information, usage data | Global CDN, primary EU |
| Railway | Backend API hosting | All API request data including authentication tokens | EU |
| Microsoft Clarity | Product analytics (session replay, heatmaps) | IP address, browser/device info, anonymized interaction data | US |
When BAvolta launches paid subscriptions, our chosen Merchant of Record will be added to this list and existing users will be notified by email at least 14 days before any change takes effect.
Payment processing. BAvolta does not currently process payments. When paid subscriptions launch, the Merchant of Record we contract with will independently control limited customer data (name, email, billing address, payment details) for the purpose of processing the transaction and meeting its tax and accounting obligations. Their privacy policy will be linked from this page at that time.
If we add new service providers in the future, we will update this policy before sharing any personal data with them.
Cookies
We use cookies and similar technologies to keep the site working, to keep you signed in, and (with your consent) to understand which lessons help students and which don't. The table below lists every cookie or tracking technology BAvolta uses, what it does, and how long it lasts.
| Name | Provider | Purpose | Category | Retention |
|---|---|---|---|---|
| Supabase auth | Supabase | Keeps you signed in | Necessary | Session |
| Microsoft Clarity | Microsoft | Anonymous behavior analytics and session replay | Analytics | 1 year |
| Vercel Web Analytics | Vercel | Aggregate page views, cookieless | Analytics | No cookies set |
| Vercel Speed Insights | Vercel | Performance metrics, cookieless | Necessary | No cookies set |
You can change your preferences at any time.
5. How long we keep your data
- Account data (name, email, persona): retained while your account is active; deleted within 30 days of account deletion
- Lesson progress and Case Lab submissions: retained while your account is active; deleted within 30 days of account deletion
- Transaction and invoice records: retained for 7 years from the transaction date, as required by Belgian accounting and tax law (Article III.86 of the Belgian Code of Economic Law)
- Email logs (sent/bounce records): retained for 12 months, then automatically deleted
- Server logs (IP addresses, browser info): retained by our hosting providers for 30 to 90 days
6. Your rights under GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:
- Access: request a copy of all personal data we hold about you
- Rectification: ask us to correct inaccurate or incomplete data
- Erasure ("right to be forgotten"): ask us to delete your account and associated data (subject to retention obligations above)
- Data portability: request your data in a machine-readable format (JSON)
- Restriction: ask us to restrict processing in certain circumstances
- Objection: object to processing based on legitimate interest
- Withdraw consent: where processing is based on consent, withdraw it at any time
To exercise these rights, email info@sclup.be. We respond within 30 days. Proof of identity may be required to protect your account.
If you believe we have not handled your request appropriately, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données): dataprotectionauthority.be, or with your local EU supervisory authority.
7. Data security
We implement appropriate technical and organizational measures to protect your data:
- All data in transit is encrypted using TLS (HTTPS)
- Passwords are hashed using bcrypt (via Supabase Auth)
- Database access is restricted to authenticated API requests
- Row Level Security (RLS) is enabled on all database tables
- Administrative access is role-based and limited to platform administrators
- Payment data is not currently processed by BAvolta; when paid plans launch, payment data will be handled exclusively by our Merchant of Record under PCI-DSS compliance, and we will never see or store card information
No system is 100% secure. If we become aware of a data breach that affects your personal data, we will notify you and the Belgian Data Protection Authority within 72 hours as required by Article 33 of GDPR.
8. International data transfers
Your data is primarily stored and processed within the European Union. Some of our service providers may process limited personal data outside the EEA under appropriate transfer mechanisms. The current list of sub-processors and their data residency is shown in the table above. When we add a Merchant of Record for paid subscriptions, the country of processing will be disclosed at that time.
These transfers are conducted under appropriate safeguards, including the EU-US Data Privacy Framework (where applicable) and Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Children's data
BAvolta is intended for adults pursuing professional development in business analysis. We do not knowingly collect data from anyone under the age of 16. If you believe a child under 16 has created an account, contact info@sclup.be and we will delete the account promptly.
10. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice on the platform. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
BAvolta (a product of SCL UP) Avenue Louise 167, box 12, 1050 Ixelles, Belgium Enterprise number: 0774.292.404 · VAT: BE0774292404
- General support: hello@bavolta.com
- Data protection, privacy rights, legal: info@sclup.be