BAZANOVA ART LLC
DATA POLICY
Effective Date: May 29, 2026
Last Updated: May 29, 2026

1. Purpose and Scope
This Data Policy describes how Bazanova Art LLC ("Bazanova Art," "we," "us," or "our") collects, processes, stores, secures, and shares data through its websites, online learning platform, and related services (the "Services"). It supplements our Privacy Policy and governs the operational handling of all data in our systems, including personal information of customers, students, prospects, employees, contractors, and business contacts.
Where there is any conflict between this Data Policy and the Privacy Policy with respect to the rights of consumers, the Privacy Policy controls.
2. Definitions
Personal Information / Personal Data: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Sensitive Personal Information: as defined by applicable U.S. state privacy laws, includes government identifiers, account log-in credentials, precise geolocation, and similar categories.
Processing: any operation performed on personal information, whether or not by automated means.
Service Provider / Processor: a third party that processes personal information on our behalf pursuant to a written contract.
Consumer / Data Subject: a natural person about whom we hold personal information.
3. Categories of Data We Process
3.1 Identifiers
Full name, email address, postal address, phone number, account username, IP address, device identifiers.
3.2 Customer Records
Billing address, payment confirmations, transaction IDs, course/tier selected, refund requests. Full payment card numbers are processed by PCI-DSS-compliant payment processors and are not stored on our systems.
3.3 Commercial Information
Records of purchases, products considered, discounts applied, marketing-list membership.
3.4 Internet / Network Activity
Browsing history on our Services, search history, interaction with content and ads, lesson progress, cookies and pixel data.
3.5 User-Generated Content
Photographs of your artwork, homework submissions, chat and forum messages, support tickets, survey responses.
3.6 Inferences
Profiles reflecting preferences, characteristics, predispositions, and aptitudes derived from the data above, used to recommend courses and personalize content.
3.7 Sensitive Personal Information
Account log-in credentials in combination with the information necessary to access the account; date of birth where collected. We do not knowingly collect government identifiers, precise geolocation, biometric data, health data, racial/ethnic origin, religious beliefs, sexual orientation, or union membership.
4. Sources of Data
Directly from you when you register, purchase a course, complete a form, contact support, post content, or otherwise interact with the Services.
Automatically from your devices and browsers through cookies, pixels, SDKs, and server logs.
From service providers and partners (payment processors, analytics, advertising platforms, learning-platform vendor, email/SMS delivery).
From publicly available sources where lawful (e.g., business contact databases for B2B outreach).
5. Purposes of Processing
Provide and maintain the Services, including delivering courses and managing your account.
Process payments, issue refunds, and detect/prevent fraud.
Personalize the learning experience and improve our curriculum.
Communicate transactional notices and customer support.
Send marketing communications consistent with your preferences and applicable law.
Operate the business: accounting, tax, audit, legal compliance, and risk management.
Protect the security and integrity of the Services and the safety of our users.
Comply with legal obligations and respond to lawful requests.
6. Retention Schedule
We retain personal data only for as long as necessary to fulfill the purposes set out in this Data Policy and our Privacy Policy. The following retention periods apply unless a longer period is required by law:
Account profile data: duration of the account plus 3 years after closure or last course access.
Course progress and certificates: minimum of 5 years to support credential verification.
Payment and tax records: minimum of 7 years pursuant to U.S. federal and state requirements.
Customer-support correspondence: 3 years from the last contact.
Marketing preferences and consent records: until consent is withdrawn, plus 3 years for suppression-list purposes.
Server logs and security telemetry: up to 12 months on a rolling basis.
Backups: up to 12 months on rolling deletion cycles; deletion requests are honored in production systems immediately and propagated to backups on the regular rotation.
7. Security Program
We maintain a written information security program designed to protect the confidentiality, integrity, and availability of personal data. Key controls include:
Encryption: TLS 1.2+ for data in transit; AES-256 (or equivalent) for sensitive data at rest.
Access controls: role-based access on a least-privilege basis, with multi-factor authentication on administrative accounts.
Network security: firewalls, intrusion detection, and isolation of production environments.
Endpoint security: managed device configurations, anti-malware, and screen-lock policies for staff.
Vendor risk management: due-diligence reviews and written data-processing agreements with all service providers handling personal data.
Personnel training: mandatory privacy and security training for all employees and contractors with access to personal data.
Incident response: documented procedures for detection, containment, eradication, recovery, and notification; tested at least annually.
Patching and vulnerability management: regular patching cycles and periodic vulnerability assessments.
8. Service Providers and Sub-Processors
We engage trusted service providers to perform functions on our behalf. Each provider is bound by a written agreement that limits their use of personal data to performing services for us and requires appropriate safeguards. Current categories include:
Payment processing: PCI-DSS-compliant payment gateways.
Cloud hosting and infrastructure: storage, compute, and content delivery providers.
Learning platform vendor: the operator of painting.eduonline.io.
Email and SMS delivery: transactional and marketing message delivery.
Analytics and product telemetry: usage and performance measurement.
Customer support tools: ticketing, chat, and knowledge-base platforms.
Professional services: accountants, attorneys, and auditors.
A current list of sub-processors is available upon request at privacy@bazanova.art.
9. Cross-Border Data Transfers
We primarily host and process data within the United States. Some service providers may process data outside the United States. Where personal data is transferred internationally, we implement appropriate safeguards, including Standard Contractual Clauses or equivalent mechanisms, and conduct transfer impact assessments where required.
10. Data Subject Rights and Request Handling
Consumers may exercise rights described in our Privacy Policy, including the right to know, access, correct, delete, port, opt out of sale/sharing/targeted advertising, and appeal. Operationally:
Requests are received at privacy@bazanova.art or via the request form on the website.
We log every request and assign a unique tracking ID.
We verify the requester's identity using information already in our possession (e.g., account email).
Requests are acknowledged within 10 business days and substantively responded to within 45 days, extendable once by an additional 45 days for complex requests, with notice to the consumer.
Denials include the reason for the denial and instructions for appeal; appeals are decided within 60 days.
We honor opt-outs from authorized agents and recognized opt-out preference signals (e.g., Global Privacy Control).
11. Data Breach Notification
In the event of a security incident affecting personal data, we will:
Activate our incident-response plan and contain the incident as quickly as reasonably possible.
Conduct a documented investigation, including assessment of risk to affected individuals.
Notify affected individuals, regulators, and other parties as required by applicable law. For Florida residents, we comply with the Florida Information Protection Act (FIPA, Fla. Stat. §501.171), including notification without unreasonable delay and no later than 30 days after determination of a breach affecting 500 or more Florida residents, with notice to the Florida Department of Legal Affairs where required.
Cooperate with law enforcement and applicable regulators.
Conduct a post-incident review and implement corrective actions.
12. Marketing and Communications
Marketing emails are sent only to recipients who have consented or where permitted under the CAN-SPAM Act. Every marketing email includes an unsubscribe link and a physical postal address. SMS marketing, where used, complies with the Telephone Consumer Protection Act (TCPA) and includes clear opt-in disclosures and STOP-to-unsubscribe instructions. Transactional communications (e.g., order confirmations, account notices) are not marketing and may be sent regardless of marketing preferences.
13. Cookies and Tracking
We use cookies and similar technologies as described in our Privacy Policy and any cookie banner we display. Users may manage preferences through the banner, their browser, and, where required by law, by exercising opt-out rights for sale/sharing and targeted advertising. We honor Global Privacy Control (GPC) signals from supported browsers.
14. Children's Data
The Services are intended for adults. We do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA). Users between 13 and 17 may use the Services only with the verifiable consent and supervision of a parent or legal guardian, who must complete enrollment and remain responsible for the minor's account. We do not knowingly sell or share for cross-context behavioral advertising the personal information of consumers under 16 without the affirmative consent required by applicable law.
15. Employee and Contractor Data
Personal data of employees, contractors, and applicants is processed for human-resources, payroll, tax, benefits, and compliance purposes. Internal HR policies govern collection, access, and retention of such data.
16. Roles and Responsibilities
Privacy Officer: oversees this Data Policy, responds to data subject requests, and serves as the primary point of contact for privacy inquiries. Contact: privacy@bazanova.art.
Security Lead: owns the information security program and incident response. Contact: security@bazanova.art.
All personnel: must complete privacy and security training and follow this Data Policy.
17. Governing Law
This Data Policy is governed by the laws of the State of Florida and applicable federal laws of the United States, without regard to conflict-of-laws principles. We additionally comply with the privacy laws of other U.S. states that apply to our processing, including, where applicable, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and the Florida Digital Bill of Rights (FDBR).
18. Updates to This Policy
We review this Data Policy at least annually and update it as needed to reflect changes in our practices, technology, legal requirements, or other factors. Material updates will be communicated to affected consumers and posted on our website with a revised "Last Updated" date.
19. Contact
Bazanova Art LLC
Attn: Privacy Officer
[Florida business address - to be inserted]
Email: privacy@bazanova.art
Security: security@bazanova.art