Skip to main content

Privacy Policy

How Elevia Academy collects, uses, and protects your personal data.

This Privacy Policy explains how Elevia Academy collects, uses, shares, and protects your personal data when you visit eleviaacademy.ai, contact us, subscribe to our newsletter, or take part in our coaching or advisory sessions. It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and Hungarian Act CXII of 2011 on the right to informational self-determination (Infotv.).

This policy is not legal advice. It works alongside our Terms of Service (which govern coaching) and our Advisory Terms of Service (which govern the AI Strategy Advisory service), together setting out the contractual side of each relationship. Capitalized terms used but not defined in this policy — such as Session, Client, Coach, Advisor, Attendee, Trainee Coach, Session Brief, Discovery Call, and Site — have the meaning given to them in the applicable Terms. Where a term is defined in both Terms — for example Session, Client, or Attendee — it takes the meaning from whichever Terms govern the relationship in question; a reference to a Session means a coaching Session or an Advisory Session as the context requires.

1. Who is the data controller

The data controller responsible for your personal data is:

  • Operator: Imre Acsai, Hungarian sole proprietor (egyéni vállalkozó)
  • Registered address: 1214 Budapest, Völgy utca 19. 2 em. 8 a.
  • Sole-proprietor registry number: 62297657
  • Tax number (adószám): 92047280-1-43
  • Contact email for privacy matters: hello@eleviaacademy.ai

We are not required by GDPR to appoint a Data Protection Officer, but you can reach the person responsible for privacy at Elevia at the email above.

The Hungarian supervisory authority is the National Authority for Data Protection and Freedom of Information (NAIH):

  • Address: 1055 Budapest, Falk Miksa utca 9–11., Hungary
  • Phone: +36 (1) 391-1400
  • Email: ugyfelszolgalat@naih.hu
  • Website: naih.hu

You have the right to lodge a complaint with NAIH or with the supervisory authority in your EU country of residence. For complaints about the coaching service itself — rather than about your personal data — see the complaints procedure in our Terms of Service.

2. What data we collect and why

We collect personal data in the following situations.

2.1 You visit the Site

We host this Site on Cloudflare Pages. Cloudflare processes basic technical information (IP address, browser type and version, operating system, referrer URL, request paths, pages visited, and timestamps) for security, abuse prevention, and aggregate traffic analytics. Our analytics setup is cookieless: we use Cloudflare Web Analytics, which does not place any tracking cookies on your device and does not build a profile of you across sites. We do not use third-party advertising or behavioural-tracking cookies of any kind.

  • Lawful basis: legitimate interest (Article 6(1)(f) GDPR) — keeping the Site secure and operational.
  • Retention: Cloudflare’s edge logs are retained for short periods according to Cloudflare’s policies; we do not retain server-side analytics ourselves.

2.2 You use the contact form or email us

We collect your name, email address, and the content of your message. We use this only to respond to you.

  • Lawful basis: taking steps at your request prior to entering a contract (Article 6(1)(b) GDPR), or legitimate interest (Article 6(1)(f)) where your message is not about a possible engagement.
  • Retention: up to 24 months from your last contact, then deleted.

2.3 You subscribe to the newsletter

What we collect. Your email address (required) and your name (optional, if you choose to provide it).

What we use it for. The email address is used solely to deliver the newsletter you signed up for: occasional updates on using AI with judgment, written by Elevia. The name (if provided) is used to personalise the greeting in those emails — nothing else. We do not enrich, profile, or augment this data from any other source. We do not use it for advertising or for any other purpose than running the newsletter.

Who processes it. Submissions from the Site form are sent to a small serverless function we run on Cloudflare Pages (/api/subscribe), which forwards the data to MailerLite (UAB MailerLite, EU) where your contact record is held. MailerLite stores your email, optional name, and the standard delivery metadata they need to send you email (engagement events such as opens and clicks, unsubscribe status, and the date you joined). MailerLite acts as our processor under a Data Processing Agreement. They do not use your data for their own marketing.

Abuse protection. Newsletter submissions pass through two anti-bot layers before reaching MailerLite: (a) a hidden honeypot field that catches automated form-fillers, and (b) Cloudflare Turnstile, a privacy-friendly CAPTCHA service. Turnstile processes minimal device and connection signals (broadly, what your browser exposes to any website) solely to determine whether you are human. It may set short-lived, strictly-necessary cookies or local storage entries for that verification; it does not use tracking cookies and does not build a cross-site profile.

  • Lawful basis: consent (Article 6(1)(a) GDPR) for the newsletter itself. Legitimate interest (Article 6(1)(f) GDPR) for the anti-bot processing (necessary to protect the service from abuse).
  • Retention: your subscriber record at MailerLite is kept until you unsubscribe (by clicking “unsubscribe” in any newsletter email) or until we close the newsletter list. Proof of your consent (the form submission record and the date/time of subscription) is retained for the duration of your subscription and for up to 12 months after you unsubscribe, to demonstrate compliance with Article 5(2) GDPR (accountability). The serverless function does not retain submission logs beyond Cloudflare’s standard short-term edge log window. Turnstile verification signals are not stored by us.
  • Your control. You may withdraw consent at any time. Unsubscribing removes you from future sends; you may also email hello@eleviaacademy.ai to ask us to delete your subscriber record immediately.

2.4 You book and pay for a coaching session

For bookings, our scheduling provider (cal.eu) processes your name, email, time-zone, and the slot you selected, as our processor and on our instruction. For payment, Gumroad, Inc. acts as our Merchant of Record: you pay Gumroad directly through the payment link, and Gumroad processes the payment, your billing details, and any tax-residency information required for VAT/sales-tax collection. Gumroad is an independent controller of that payment data for its own legal obligations — we are not the source of it and do not direct how Gumroad processes it; we receive back only the post-purchase summary information necessary to deliver the Session.

  • Lawful basis: performance of a contract (Article 6(1)(b) GDPR).
  • Retention: booking and Session metadata are retained for 8 years in line with Hungarian accounting-record obligations (Act C of 2000 on Accounting, §169).

2.5 You take part in a coaching session

The Session is held on Google Meet and is joined by our authorised transcription assistant, Fireflies.ai (Fireflies Labs, Inc.), under our Business plan. Fireflies.ai records audio of the call and produces a written transcript. The transcript is used to generate the post-Session summary email that is part of the service and to maintain continuity across your Sessions.

The personal data processed here includes the content of the Session conversation itself, as captured in the transcript. We do not solicit sensitive or special-category information (such as details about your health, beliefs, or political views), and we ask you to avoid sharing sensitive information you would not want transcribed. We recognise, however, that coaching conversations can occasionally touch on such matters — including the safety-related disclosures addressed in the Safeguarding paragraph of §3 of the Terms. Where special-category data does surface, we process it only so far as necessary. We rely on Article 9(2)(f) GDPR (establishment, exercise, or defence of legal claims) where a record must be retained, and on Article 9(2)(c) GDPR (protection of vital interests) only in the narrow case where you are unable to give consent — for example, an acute-crisis disclosure where you cannot meaningfully respond. You may ask us at any time to redact that part of the transcript or to delete the transcript entirely.

  • Lawful basis: legitimate interest (Article 6(1)(f) GDPR). The legitimate interest is the production of your post-Session summary email and the continuity of coaching across Sessions, both of which form part of what you are paying for. We have weighed this against the privacy impact and concluded that the processing is necessary, proportionate, and aligned with reasonable expectations of a coaching Client. You have the right to object to this processing (see §6 below); where the objection is upheld, we will run the Session without the transcription assistant and produce summary notes manually instead.
  • Training: Fireflies.ai does not, by default, use meeting content to train AI models, and its sub-processors are contractually prohibited from doing so. We do not enable any setting that would change that default.
  • Retention: transcripts are retained for up to 12 months after the Session takes place, or until your engagement with Elevia ends under §12 of the Terms, whichever comes first. You may request earlier deletion at any time. We may retain a specific transcript longer only where genuinely needed to handle an ongoing complaint or legal claim, and only for as long as that requires.

Trainee Coach observation (consent-based, up to two persons). From time to time, with your prior consent given for a specific Session, up to two Trainee Coaches engaged by Elevia may attend that Session in a silent observer capacity for training purposes — either as muted attendees in Google Meet or in the same physical room as the Coach. The contractual rules for this are set out in §5 of the Terms of Service; the data-protection mechanics are:

  • Lawful basis: consent (Article 6(1)(a) GDPR), requested separately for each Session. After a Session is confirmed and before it takes place we email you to ask whether a Trainee Coach may attend, identifying that person by first name. A Trainee Coach attends only where you give a clear affirmative agreement for that Session; if you do not reply, that is treated as a decline. You may accept, decline by reply, decline by not responding, or withdraw consent at any later point up to and including the start of the Session. Declining has no effect on the Session you have booked — there is no price difference, no rescheduling penalty, and no consequence for future Sessions.
  • Who Trainee Coaches are, in data-protection terms. Trainee Coaches act under Elevia’s authority within the meaning of Article 29 GDPR. They are bound to confidentiality at least equivalent to the Coach by a written agreement signed before they observe any Session, and they are not separate sub-processors of your data. They do not retain copies of Session materials, do not record any part of the Session, and do not use Session content outside the supervised training context with the Coach.
  • Cap. No more than two Trainee Coaches may attend a Session, and this cap cannot be waived. If the Trainee Coach is physically in the same room as the Coach, the Coach will introduce them on camera at the start of the Session so you can see who is present.
  • Retention of consent records. The pre-Session email exchange evidencing your consent (or decline) is kept only as long as needed to demonstrate that the processing was lawful — up to 24 months from the Session — and is not subject to the longer accounting-record retention in §2.4.

2.6 You book and take part in a Discovery Call

Discovery Calls are booked through the same scheduling provider used for paid Sessions (cal.eu; see §2.4) and held on Google Meet. During the call itself, Google (Meet) processes the call data as our processor (see §3), just as it does for paid Sessions. Gumroad is not involved — the Discovery Call is free of charge. We do not join the Discovery Call with the transcription assistant described in §2.5, do not record any part of the call, and do not take written notes. Beyond the live call, the only personal data we retain in connection with a Discovery Call is the booking record held by our scheduling provider (name, email, time-zone, slot).

  • Lawful basis: taking steps at your request prior to entering a contract (Article 6(1)(b) GDPR).
  • Retention: the Discovery Call dataset is deliberately minimal — just your name, email, time-zone, and chosen slot held in cal.eu on our instruction; there is no recording, no transcript, no Fireflies, and no notes. We retain this booking record for up to 6 months from the Discovery Call, after which it is deleted. It is not an accounting record and does not acquire the 8-year retention in §2.4 — even if you later book a paid Session, that paid Session generates its own separate accounting record, while the free-call booking record itself follows this 6-month window. You may request earlier deletion at any time by emailing hello@eleviaacademy.ai.

2.7 You book, pay for, and take part in an Advisory session

This section covers the AI Strategy Advisory service (governed by our Advisory Terms of Service), which is offered to businesses. An Advisory Session is a 90-minute video conversation attended by up to three people from the Client’s side (“Attendees”).

Booking and payment. As with coaching, our scheduling provider (cal.eu) processes the booker’s name, email, time-zone, and chosen slot as our processor, and Gumroad, Inc. acts as Merchant of Record for payment — you pay Gumroad directly, and Gumroad processes the payment, billing details, and any tax-residency or business tax-identification (such as a VAT number) needed to collect and remit tax. Gumroad is an independent controller of that payment data, on the same basis explained in §2.4.

  • Lawful basis: performance of a contract (Article 6(1)(b) GDPR).
  • Retention: booking and Session metadata are retained for 8 years in line with Hungarian accounting-record obligations (Act C of 2000, §169).

Attendees (up to three). The person who books may bring up to two further Attendees to the call in addition to themselves (three in total). The personal data we process about an additional Attendee is limited to their name, the email address the booker supplies (if any), and the Attendee’s contributions to the discussion as captured in the transcript. Under our Advisory Terms (§5), the Client is responsible for ensuring that each Attendee is authorised to take part and is aware that the Session is transcribed (see below). Because we usually obtain an additional Attendee’s details from the booker rather than from the Attendee directly, we provide the information required by Article 14 GDPR by making this Privacy Policy available to the Client to pass on to its Attendees before the Session, and publicly at eleviaacademy.ai/privacy; any Attendee can read it there and exercise the right to object — or any other right in §6 — by emailing hello@eleviaacademy.ai. As between Elevia and the Client, each acts as an independent controller of an Attendee’s personal data for its own purposes; the Client, as controller of its own personnel’s data, is responsible for authorising each Attendee’s participation and for giving them the information required by Articles 13–14 GDPR.

  • Lawful basis (booking and identity): performance of a contract (Article 6(1)(b) GDPR) in respect of the booker, who is a party to the contract; legitimate interest (Article 6(1)(f) GDPR) in respect of the other Attendees, whose identity and participation we process in order to deliver the Advisory Session the Client booked. The separate processing of the Session transcript (next paragraph) rests on legitimate interest for every participant, and any participant — booker or Attendee — may object to that transcription (see §6); objecting to the transcription does not cancel the booked Session, which we then run with manual notes instead.

The Session and the transcript. Advisory Sessions are held on Google Meet and joined by our authorised transcription assistant, Fireflies.ai (Fireflies Labs, Inc.), under our Business plan, exactly as described for coaching in §2.5. Fireflies.ai records the call and produces a written transcript, which is used to generate the Session Brief — the short written deliverable provided to the Client after the Session — and to maintain continuity across Sessions. The personal data processed here includes the content of the Advisory conversation, which typically concerns the Client’s business — its strategy, operations, and internal context — rather than the personal or emotional matters that can arise in coaching. We do not solicit special-category data, and the business nature of these Sessions makes it far less likely to arise than in coaching.

  • Lawful basis: legitimate interest (Article 6(1)(f) GDPR) — the production of the Session Brief and continuity across Sessions, both of which form part of what the Client is paying for. Any Attendee has the right to object (see §6); where an objection is upheld, we run the Session without the transcription assistant and produce notes manually instead.
  • Training: as in §2.5, Fireflies.ai does not use meeting content to train AI models by default, and we do not enable any setting that would change that.
  • Retention: transcripts are retained for up to 12 months after the Session, or until the Client’s engagement ends under §12 of the Advisory Terms, whichever comes first; earlier deletion on request. Any client-identifying copy of the Session Brief we retain follows the same period (this does not limit the operator’s underlying methodology or anonymised learnings, as described in §9 of the Advisory Terms). We may retain a specific transcript longer only where genuinely needed for an ongoing complaint or legal claim.

Advisory Discovery Calls are handled exactly as in §2.6 — same scheduling provider, held on Google Meet, no transcription assistant, no recording, and no notes beyond the booking record — and follow the same minimal 6-month retention.

3. Who we share data with

We work with a small number of third parties in connection with the service. Most act as our processors — they process personal data on our behalf, under written terms (typically a Data Processing Agreement), only as needed to operate the service. One — Gumroad — acts as an independent controller in the payment transaction, as explained in §2.4: Gumroad determines how it processes payment and tax data for its own legal obligations, so it is not our processor and does not act “on our behalf”.

Each processor may in turn engage its own sub-processors under its terms. We do not maintain a standalone sub-processor list; the current sub-processors for a given provider are published on that provider’s website, and we can point you to them on request at hello@eleviaacademy.ai.

Processors acting on our behalf

ProviderPurposeCountry of establishmentProvider’s privacy policy
Cal.com, Inc. (cal.eu EU-residency offering)Booking and rescheduling of Sessions and Discovery CallsUnited States (data hosted in the EU)cal.com/privacy
Fireflies.ai (Fireflies Labs, Inc.)Transcription and summary support for SessionsUnited Statesfireflies.ai/privacy
Google LLC (Google Meet)Video calling for Sessions and Discovery CallsUnited Statespolicies.google.com/privacy
MailerLite (UAB MailerLite)Newsletter deliveryLithuania (EU)mailerlite.com/legal/privacy-policy
Cloudflare, Inc.Site hosting (Cloudflare Pages), DNS, and Turnstile (newsletter anti-bot verification)United Statescloudflare.com/privacypolicy

Independent controller in the payment transaction

ProviderPurposeCountry of establishmentProvider’s privacy policy
Gumroad, Inc.Merchant of Record for Session purchases; collects payment directly from you; collects and remits taxes; processes refunds (see §2.4)United Statesgumroad.com/privacy

We do not sell your personal data, do not share it with advertising networks, and do not use it to train AI models — neither our own nor anyone else’s.

4. International transfers

Several of our processors are established in the United States. Where we transfer personal data to a processor outside the European Economic Area, the transfer is protected by the European Commission’s Standard Contractual Clauses (and, where applicable, the processor’s certification under the EU–US Data Privacy Framework, adopted by the European Commission’s adequacy decision of 10 July 2023). Copies of the relevant Standard Contractual Clauses can be requested by emailing hello@eleviaacademy.ai.

Where your data actually rests, by processor:

  • Cal.com (cal.eu) — booking data is stored in the EU under its EU-residency offering. US-parent access, if any, is covered by the safeguards above.
  • Fireflies.ai — Session transcripts are stored in the EU and processed in the United States. The US processing relies on the safeguards above (Fireflies’ EU–US Data Privacy Framework self-certification, with Standard Contractual Clauses as the contractual fallback in its Data Processing Addendum).
  • MailerLite — newsletter data is stored in the EU.
  • Google (Google Meet) and Cloudflare — process data in the United States and globally; transfers are covered by the safeguards above.

Gumroad, as the independent controller in the payment transaction (§2.4), is responsible for the lawfulness of its own international transfers under its privacy terms; for that processing we are not the data exporter.

5. How long we keep data

Specific retention periods are given alongside each processing activity in §2. In summary:

  • Contact-form messages: up to 24 months from last contact.
  • Newsletter subscribers: until you unsubscribe. Proof-of-consent record kept for up to 12 months after unsubscribe.
  • Booking and Session metadata (financial records), coaching and advisory: 8 years (Hungarian accounting law).
  • Discovery Call booking records (name, email, time-zone, slot; no recording, no transcripts, no notes): up to 6 months from the Discovery Call; not accounting records; deletable on request at any time.
  • Trainee Coach consent records: up to 24 months from the Session.
  • Session transcripts (Fireflies.ai), coaching and advisory: up to 12 months by default, or until your engagement ends under §12 of the applicable Terms — whichever comes first; sooner on request, or longer only where needed for an ongoing complaint or legal claim.
  • Site/edge logs: short-term, per Cloudflare’s policies.

When the relevant period ends, data is deleted or fully anonymised.

6. Your rights

Under GDPR and Hungarian data-protection law you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase your data (“right to be forgotten”) in the situations set out in Article 17 GDPR;
  • Restrict processing in certain situations;
  • Object to processing based on legitimate interest, including the Fireflies.ai transcription described in §2.5 and §2.7;
  • Port your data — receive it in a structured, commonly used, machine-readable format;
  • Withdraw consent at any time where processing is based on consent (this does not affect prior lawful processing);
  • Lodge a complaint with NAIH (naih.hu; ugyfelszolgalat@naih.hu; +36 (1) 391-1400) or with the supervisory authority in your EU country of residence;
  • Seek a judicial remedy before the competent Hungarian court under Article 79 GDPR.

To exercise any of these rights, email hello@eleviaacademy.ai. We respond within one month of receiving your request, as required by Article 12(3) GDPR. Where a request is particularly complex or where we receive multiple requests, we may extend this period by up to a further two months; we will notify you of any such extension and the reasons within the first month. We may ask you to verify your identity before acting on a request.

No automated decision-making. We do not make decisions about you that significantly affect you on a purely automated basis within the meaning of Article 22 GDPR. Where any aspect of the service relies on automated tooling — for example the transcription described in §2.5 and §2.7 — the substantive decisions about how we coach or advise you remain with the human Coach or Advisor.

7. Cookies

We run a deliberately minimal cookie footprint. Specifically:

  • No analytics cookies. Our analytics is Cloudflare Web Analytics, which is cookieless — no analytics cookie is ever placed on your device.
  • No advertising or behavioural-tracking cookies. We do not run ads on the Site and do not embed third-party trackers.
  • Strictly-necessary cookies. Cloudflare may set short-lived cookies for security, bot detection, and load-balancing purposes when you visit the Site (for example, __cf_bm for Cloudflare’s bot-management layer). These are necessary for the Site to operate safely; they cannot be disabled without breaking the Site, and they are not used for analytics or advertising.
  • Newsletter anti-bot (Cloudflare Turnstile). When you submit the newsletter form, Turnstile may set short-lived cookies or local storage entries solely to determine whether you are human. These signals are used only for that purpose and are not used to track you across sites.

If we add analytics or any other category of cookie in the future, we will update this policy first, and — where the law requires consent — present a cookie banner before any such cookie is set.

8. Security

We use the security controls of our providers (Cloudflare, Gumroad, Cal.com, Google, Fireflies.ai, MailerLite), maintain account credentials with multi-factor authentication where available, and limit access to personal data to the operator. No system is perfectly secure; if a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the relevant supervisory authority and, where required, you, in line with Articles 33 and 34 GDPR.

9. Children

The service is intended for adult professionals. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided personal data to us, please email hello@eleviaacademy.ai and we will delete it.

10. Changes to this policy

We may update this policy from time to time. Material changes will be announced on the Site, take effect on the date stated in the updated version, and will not be applied retroactively. The effective date below is the date of the current version.


Effective date: 2026-06-01 — Version 1.0

Version 1.1 — 2026-06-26: added §2.7 covering the AI Strategy Advisory service (up-to-three Attendees, business-confidential transcripts, the Session Brief) and broadened the shared definitions accordingly.