Privacy Policy
Comprehensive privacy policy for The Andreou Report. Learn how we collect, use, protect, and share your personal information. Compliant with GDPR, CCPA/CPRA, POPIA, and UAE PDPL.
Effective Date: December 24, 2025
Last Updated: December 26, 2025
Version: 1.0
1. Introduction
Welcome to The Andreou Report. We are committed to protecting your privacy and ensuring transparency in how we collect, use, store, and share your personal information.
This Privacy Policy explains our data practices for giannisandreou.com and our educational courses and services. This policy applies to all users, visitors, and customers accessing our Services from anywhere in the world.
We comply with multiple international data protection laws, including GDPR (European Union), CCPA/CPRA (United States), POPIA (South Africa), and PDPL (United Arab Emirates).
Important: By using our Services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller Information
Data Controller: The Andreou Report / Giannis Andreou
Contact for Privacy Matters:
Email: contact@giannisandreou.com
Website: giannisandreou.com
Information Officer (POPIA Compliance): Giannis Andreou
3. What Personal Information We Collect
3.1 Information You Provide Directly
Account Information: Name, email address, encrypted password, account preferences.
Payment Information: Payment card details processed securely by Stripe (we do not store full card numbers), billing address, transaction history.
Course Enrollment: Course selections, progress tracking, completion certificates, learning preferences.
Newsletter Subscriptions: Email address, subscription preferences, communication history.
Communications: Contact form messages, customer support inquiries, feedback and survey responses.
3.2 Information Collected Automatically
Usage Data: Pages visited, time spent, click patterns, referring/exit pages, timestamps.
Device Information: IP address, browser type, operating system, device identifiers, screen resolution.
Location Data: General geographic location (city/country level) derived from IP address. We do not collect precise geolocation.
Cookies and Tracking: Session cookies, persistent cookies, analytics cookies, advertising cookies (see Cookie Policy).
3.3 Information from Third Parties
We may receive information from payment processors (Stripe), analytics providers (Google Analytics, Microsoft Clarity, Meta Pixel), marketing platforms (GetResponse), and automation tools (Zapier).
4. How We Use Your Personal Information
4.1 Purposes of Processing
Service Delivery: Account management, course enrollment and payment processing, content delivery, customer support, transactional communications.
Marketing: Newsletters, educational content, new course promotions, market research, personalized marketing (with consent).
Website Operations: Usage analysis, performance improvement, A/B testing, debugging, security and fraud prevention.
Legal Compliance: Responding to legal requests, tax and accounting requirements, fraud prevention, Terms of Service enforcement.
4.2 Legal Bases for Processing
GDPR (EU): Consent, contract performance, legitimate interests, legal obligation.
POPIA (South Africa): Consent, contract performance, legitimate interests, legal compliance.
UAE PDPL: Consent, contract necessity, legal obligation, vital interests.
5. Cookies and Tracking Technologies
We use cookies to improve your experience. See our separate Cookie Policy for details.
Types of Cookies:
- Strictly Necessary: Essential for website functionality (cannot be disabled)
- Functional: Remember preferences and enhance experience
- Analytics: Track usage patterns (Google Analytics, Microsoft Clarity)
- Advertising: Deliver relevant ads (Google Ads, Meta Pixel)
Managing Cookies: Control via cookie consent banner, browser settings, opt-out tools, and privacy extensions.
6. How We Share Your Personal Information
We do not sell your personal information to third parties.
6.1 Service Providers and Processors
- Webflow: Website hosting (USA)
- Memberstack: User authentication
- Stripe: Payment processing (PCI-DSS compliant)
- GetResponse: Email marketing
- Google Analytics, Microsoft Clarity, Meta Pixel: Analytics and advertising
- Zapier: Workflow automation
All processors are contractually obligated to protect your data and process only on our instructions.
6.2 Legal Requirements
We may disclose information when required by law, court orders, government requests, or to protect our rights and prevent fraud.
7. International Data Transfers
Your personal information may be transferred to and processed in countries outside your country of residence, including the United States.
GDPR Safeguards: Standard Contractual Clauses, adequacy decisions, explicit consent.
POPIA Safeguards: Adequate country protection, binding contracts, explicit consent.
UAE PDPL Safeguards: Adequate jurisdiction laws, bilateral agreements, binding contracts, explicit consent.
8. Data Retention
Account Data: Retained while account is active, deleted within 90 days of closure request.
Payment Data: Transaction records retained 7 years for tax compliance; card data not stored by us.
Course Data: Retained while account is active; certificates retained indefinitely or until deletion requested.
Marketing Data: Retained until unsubscribe, removed from active campaigns within 48 hours.
Analytics Data: Google Analytics 26 months, server logs 90 days, aggregated data indefinitely.
9. Your Privacy Rights
9.1 GDPR Rights (EU/EEA/UK)
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Request deletion of your data
- Right to Restriction: Limit processing in certain circumstances
- Right to Data Portability: Receive data in portable format
- Right to Object: Object to processing (always honored for marketing)
- Right to Withdraw Consent: Withdraw consent anytime
- Right to Lodge Complaint: File complaint with data protection authority
9.2 CCPA/CPRA Rights (California)
Note: While we comply with CCPA/CPRA when applicable, we do not primarily target California residents.
- Right to Know: Request disclosure of information collected
- Right to Delete: Request deletion of information
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out: Opt out of sale/sharing for behavioral advertising (we do not sell personal information)
- Right to Limit Sensitive Data: Limit use of sensitive information
- Right to Non-Discrimination: No penalties for exercising rights
9.3 POPIA Rights (South Africa)
- Right to Access: Confirm and request copy of information
- Right to Correction: Request correction or deletion
- Right to Object: Object to processing and direct marketing
- Right to Restrict: Request processing restriction
- Right to Complain: Lodge complaint with Information Regulator
9.4 UAE PDPL Rights (UAE)
- Right to Access: Obtain confirmation and access data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Request deletion
- Right to Restriction: Restrict processing
- Right to Object: Object to processing and automated decisions
- Right to Data Portability: Receive data in portable format
- Right to Withdraw Consent: Withdraw consent anytime
- Right to Complain: File complaint with UAE Data Office
10. How to Exercise Your Rights
To exercise your privacy rights, submit a request through our Data Subject Access Request form.
Alternative Contact Methods:
Email: contact@giannisandreou.com
Mail: The Andreou Report, Attn: Privacy Requests
Verification: We must verify your identity before processing requests for security purposes.
Response Timeline:
- GDPR: 1 month (extendable by 2 months)
- CCPA/CPRA: 45 days (extendable by 45 days)
- POPIA: 30 days typically
- UAE PDPL: Per Data Office timeframes
11. Children's Privacy
Our Services are not directed to children under 18 years of age. We do not knowingly collect information from children without appropriate parental consent.
Age Requirements: GDPR under 16, CCPA under 16 (no sale/sharing), POPIA under 18, UAE PDPL requires guardian consent.
If we learn of child data collection without consent, we will delete it immediately.
12. Data Security
Technical Safeguards:
- Encryption in transit (TLS/SSL) and at rest
- Secure password hashing
- Firewall protection and intrusion detection
- Regular security updates and vulnerability assessments
Organizational Safeguards:
- Access controls and authentication
- Employee confidentiality agreements
- Privacy and security training
- Data processing agreements
- Incident response procedures
Third-Party Security:
- PCI-DSS compliance (Stripe)
- SOC 2 Type II certifications
- Regular security audits
Data Breach Notification:
In the event of a breach, we will notify:
- GDPR: Supervisory authority within 72 hours, affected individuals without delay
- CCPA/CPRA: California AG if 500+ residents affected
- POPIA: Information Regulator immediately, affected individuals if high risk
- UAE PDPL: UAE Data Office immediately, affected individuals
13. Marketing and Communications
Email Marketing: Sent only with consent or where permitted by law. Types include newsletters, course announcements, promotions, educational content.
Opting Out: Click unsubscribe in emails, adjust account preferences, or contact us. Processing time: up to 48 hours. You cannot opt out of transactional emails.
Advertising: We use cookies for interest-based advertising, remarketing, and personalization.
Control Advertising: Adjust cookie preferences via our cookie consent banner, browser settings, or opt out via NAI, DAA, Google Ad Settings, or Meta Ad Preferences.
14. Third-Party Links
Our Website contains links to third-party sites. We are not responsible for their privacy practices. When you leave our site, you are subject to the third party's privacy policy.
15. California-Specific Disclosures
Note: The Andreou Report does not primarily target California residents. However, we comply with CCPA/CPRA requirements when applicable.
Categories of Personal Information Collected: Identifiers, commercial information, internet activity, general geolocation data, inferences, account credentials (sensitive), payment information (sensitive).
Sources: Directly from you, automatically from devices, from service providers, from analytics providers.
Business Purposes: Service delivery, customer support, payment processing, analytics, marketing (with consent), security.
Third Parties We Share With: Service providers, advertising networks, analytics providers, payment processors.
Sale and Sharing: We do NOT sell personal information. We may share information with advertising partners for behavioral advertising purposes. California residents can opt out by adjusting cookie preferences via our cookie consent banner or by submitting a request through our Data Subject Access Request form.
16. Updates to This Privacy Policy
We may update this policy periodically. We will notify you of material changes via email and a prominent website notice. Continued use after changes constitutes acceptance.
17. Contact Us
Privacy Questions or Requests:
Email: contact@giannisandreou.com
Website: giannisandreou.com
Privacy Rights Form: Submit Request
Data Protection Officer / Information Officer: Giannis Andreou
Complaints:
- EU (GDPR): Local Data Protection Authority
- USA (CCPA/CPRA): California Privacy Protection Agency
- South Africa (POPIA): Information Regulator
- UAE (PDPL): UAE Data Office
18. Jurisdiction-Specific Addendums
18.1 European Union (GDPR)
Legal Basis Table:
- Account management: Contract
- Course delivery: Contract
- Payment processing: Contract
- Newsletter: Consent
- Analytics: Legitimate Interest
- Advertising: Consent
- Security: Legitimate Interest
- Legal compliance: Legal Obligation
18.2 California (CCPA/CPRA)
Note: We do not primarily target California residents but comply with CCPA/CPRA when applicable.
Your California Privacy Rights: Right to Know, Delete, Correct, Opt-Out (we do not sell personal information), Limit Sensitive Data Use, Non-Discrimination.
Exercise Rights: Submit requests through our Data Subject Access Request form or adjust cookie preferences via our cookie consent banner.
18.3 South Africa (POPIA)
Information Officer: Giannis Andreou
Email: contact@giannisandreou.com
Direct Marketing Opt-Out: Unsubscribe link in emails, contact Information Officer, or adjust preferences.
Mandatory Warning: Investing in crypto assets may result in the loss of capital.
18.4 United Arab Emirates (PDPL)
Data Protection Officer: Giannis Andreou
Email: contact@giannisandreou.com
Cross-Border Transfers: With appropriate safeguards including Standard Contractual Clauses and explicit consent.
19. Final Notices
Last Updated: December 26, 2025
Version: 1.0
BY USING THE ANDREOU REPORT AND GIANNISANDREOU.COM, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY.
