Privacy Policy

Last Updated: 3/12/2025

This Privacy Policy (“Policy”) explains how XETRIX LIMITED (“Company”, “we”, “us”, “our”) collects, processes, stores, shares, and protects personal data when you (“User”, “Client”, “you”) access and use the website https://hottestcourse.com/ (“Site”), which provides online SMM courses and related digital content.

This Policy is drafted in accordance with:

  • the General Data Protection Regulation (EU) 2016/679 (GDPR),
  • the ePrivacy Directive,
  • applicable EU consumer protection laws, and
  • relevant Cyprus legislation concerning data protection.

By using the Site, you confirm that you have read, understood, and agreed to this Privacy Policy.

1. General Provisions

1.1. Scope and Relationship to Terms & Conditions

This Privacy Policy forms an integral part of the Site’s Terms & Conditions and applies to all processing of personal data carried out while browsing the Site, creating an account, purchasing digital content, engaging with customer support, or using any related services.

In case of conflict between this Policy and the Terms & Conditions regarding personal data matters, this Policy prevails.

1.2. Data Protection Principles

We process personal data lawfully, fairly, and transparently, in accordance with GDPR Article 5.

We collect and retain only the data necessary to provide services, ensure security, prevent fraud, and comply with legal obligations.

1.3. Legal Bases for Processing

We process personal data under the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR):
    providing access to purchased online courses, creating and managing accounts, providing customer support.
  • Compliance with legal obligations (Art. 6(1)(c) GDPR):
    accounting, tax compliance, fraud prevention, and anti-abuse obligations.
  • Legitimate interests (Art. 6(1)(f) GDPR):
    maintaining Site functionality and security, improving services, preventing abuse.
  • Consent (Art. 6(1)(a) GDPR):
    marketing communications, certain cookies, and optional personalization features.

We do not process personal data for AML purposes unless explicitly required by applicable law.

2. Personal Data Management

2.1. Data Sources

We collect personal data from:

  • information provided directly by Users (forms, purchases, communications),
  • automated technologies (cookies, log files, analytics tools),
  • third-party service providers (payment processors, email providers),
  • publicly available sources if required for fraud prevention or security purposes.

2.2. Personal Data Necessary for Service Provision

To provide access to online courses, we may require:

  • full name,
  • email address,
  • phone number (optional unless required for verification),
  • billing details,
  • country of residence,
  • technical identifiers (IP address, device data),
  • any verification information required to comply with applicable law.

2.3. Categories of Personal Data Processed

We may process:

  • Contact information: name, email, phone.
  • Account data: login credentials, user preferences.
  • Transaction data: purchase history, billing details.
  • Technical and usage data: IP address, device type, browser type, pages visited, session logs.
  • Course activity data: progress tracking, lesson completion.

We do not knowingly collect sensitive personal data (Art. 9 GDPR).

2.4. Purposes of Processing

Personal data is processed for:

  • providing access to purchased digital content,
  • account creation and management,
  • payment processing and invoicing,
  • customer support,
  • fraud detection and prevention,
  • compliance with EU laws,
  • improving Site performance and user experience,
  • sending service notifications and updates.

2.5. Cookies and Tracking Technologies

We use cookies to:

  • ensure essential Site functionality,
  • authenticate Users,
  • remember preferences,
  • collect performance analytics.

Non-essential cookies (analytics, marketing) require your explicit consent through our cookie banner.

2.6. Analytics and Performance Data

We collect aggregated, anonymized data for statistical purposes, such as traffic volume, device types, and browsing patterns, to improve platform reliability and usability. No analytics data is used to identify individuals.

2.7. Sharing Personal Data with Third Parties

We may share personal data strictly on a need-to-know basis with:

  • payment processors,
  • hosting and infrastructure providers,
  • analytics tools,
  • email service providers,
  • legal and accounting advisers,
  • regulatory authorities where required by law.

All third parties must follow GDPR requirements and process data only under our documented instructions.
We do not sell, rent, or trade personal data.

3. User Rights Under GDPR

Users located in the European Union (EU), European Economic Area (EEA), and the United Kingdom (UK) have specific rights regarding their personal data under the General Data Protection Regulation (GDPR) and UK GDPR. These rights ensure transparency, control, and accountability in how personal information is processed.
The Company ensures that all requests submitted under this section are handled in accordance with GDPR Articles 12–23.

3.1. Right of Access (Art. 15 GDPR)

Users have the right to obtain confirmation as to whether their personal data is being processed. Upon request, the Company will provide:

  • confirmation of whether processing takes place,
  • a copy of the personal data undergoing processing,
  • information about the purposes of processing,
  • categories of personal data,
  • recipients or categories of recipients to whom data has been or will be disclosed,
  • the envisaged retention period or criteria used to determine it,
  • information regarding the existence of automated decision-making or profiling, if applicable.

This right allows Users to understand how and why their data is being used.

3.2. Right to Rectification (Art. 16 GDPR)

Users have the right to request correction of inaccurate personal data and to have incomplete data completed. This includes:

  • updating outdated or incorrect contact details,
  • correcting typographical errors,
  • updating billing information,
  • completing missing profile information.

The Company will make the requested corrections without undue delay.

3.3. Right to Erasure (“Right to Be Forgotten”) (Art. 17 GDPR)

Users may request deletion of their personal data in the following circumstances:

  • the data is no longer necessary for the purpose for which it was collected,
  • the User withdraws consent and no other legal basis for processing exists,
  • the User objects to processing based on legitimate interests and no overriding grounds exist,
  • the data has been unlawfully processed,
  • deletion is required for compliance with EU law.

However, the right to erasure does not apply where processing is necessary for:

  • compliance with legal or tax obligations,
  • exercising or defending legal claims,
  • fulfilling contractual obligations related to purchased digital content.

3.4. Right to Restrict Processing (Art. 18 GDPR)

Users may request limitation of processing in the following situations:

  • when the accuracy of data is contested,
  • when processing is unlawful and the User prefers restriction instead of deletion,
  • when the Company no longer needs the data, but the User requires it for legal claims,
  • when the User has objected to processing and verification of legitimate grounds is pending.

While processing is restricted, the Company may continue to store the data but will not process it further without the User’s consent except for legal claims or public interest reasons.

3.5. Right to Data Portability (Art. 20 GDPR)

Users have the right to receive the personal data they provided to the Company in a structured, commonly used, and machine-readable format (e.g., CSV, JSON). They also have the right to request that the data be transmitted directly to another data controller where technically feasible.
This right applies only when processing is based on consent or contract and is carried out by automated means.

3.6. Right to Object (Art. 21 GDPR)

Users may object to the processing of their personal data at any time when such processing is based on:

  • the Company’s legitimate interests,
  • scientific or historical research purposes,
  • direct marketing (including profiling related to marketing).

If a User objects, the Company will stop processing unless:

  • compelling legitimate grounds override the User’s interests, or
  • processing is necessary for legal claims.

For marketing communications, the objection is absolute and must be honored immediately.

3.7. Right to Withdraw Consent

When processing is based on consent (e.g., newsletters, marketing, analytics cookies), Users may withdraw their consent at any time. Withdrawal:

  • does not affect the lawfulness of prior processing,
  • may limit the functionality of certain features (e.g., personalization),
  • must be easy and accessible (e.g., unsubscribe link, cookie banner settings).

3.8. How to Submit a Request

Users may submit any GDPR-related request by contacting us at: [email protected]

To protect User accounts, the Company may verify identity before fulfilling the request.

Response timeframe:

  • Standard: within 30 days
  • Extensions: up to 90 days for complex or multiple requests (the User will be notified in advance)

All responses are provided free of charge, unless requests are manifestly unfounded, excessive, or repetitive (as defined in Art. 12 GDPR).

4. Notifications and Communications

4.1. Service and Operational Communications

By creating an account on the Site, Users acknowledge and agree that the Company may send essential service-related communications necessary for the operation of the platform and the fulfillment of contractual obligations. These communications include, but are not limited to:

  • Course access updates — notifications regarding enrollment, availability of new lessons, technical issues affecting course access, or updates to purchased digital content.
  • Changes to Terms & Conditions or this Privacy Policy — legally required notifications informing Users of updates to contractual or data protection documentation.
  • Account and security notifications — password reset emails, login alerts, verification requests, suspicious activity warnings, and important messages related to account integrity and security.

These operational messages are not subject to marketing consent and cannot be opted out of, as they are necessary for the performance of the contract and to ensure the security of User accounts (Art. 6(1)(b) and 6(1)(c) GDPR).

4.2. Marketing and Promotional Communications

The Company may send marketing emails, promotional materials, newsletters, or course recommendations only if the User has provided explicit, informed, and verifiable consent, in accordance with:

  • GDPR Art. 6(1)(a),
  • ePrivacy Directive rules for electronic marketing.

Consent must be freely given and may not be bundled with account creation.
Users will not receive marketing content unless they have actively opted in (e.g., by checking a consent box or selecting “Subscribe”).

4.3. Withdrawing Consent and Unsubscribing

Users can withdraw their consent to marketing communications at any time, without affecting the lawfulness of processing carried out before withdrawal.
Unsubscribing is made easily accessible through:

  • a direct “unsubscribe” link in each marketing email,
  • an email request to customer support,
  • or updates to account preferences (if applicable).

Upon unsubscribing:

  • marketing communication will cease immediately,
  • the User will continue to receive essential operational messages necessary for account and service usage.

4.4. Communication Frequency and Transparency

The Company ensures that all communications are proportional, respectful, and relevant. Marketing emails are sent at a limited frequency and may include:

  • new courses or modules,
  • promotional discounts,
  • platform updates and learning recommendations.

Users will be informed clearly and transparently about the purpose of each subscription type before providing consent, in accordance with GDPR transparency requirements (Art. 13–14).

4.5. Third-Party Communication Tools

If operational or marketing communications are delivered through third-party email service providers, such providers act strictly as GDPR-compliant processors. They may not use User data for any purpose other than sending communications on behalf of the Company.
All such third parties are required to:

  • implement adequate security measures,
  • process data only under the Company’s documented instructions,
  • comply with GDPR and relevant data transfer rules.

5. Third-Party Websites

5.1. External Links and Third-Party Content

The Site may contain links to external websites, services, or platforms operated by third parties. These external resources are provided solely for convenience, educational purposes, or additional functionality. The Company does not control, manage, or influence the content, security measures, or data processing practices of these external websites.
Following any link to a third-party resource means that the User is leaving the scope of this Privacy Policy.

5.2. No Responsibility for Third-Party Policies

Because third-party websites operate independently from the Company, we cannot be held responsible or liable for:

  • their privacy practices,
  • the type of information they collect,
  • how they use or share personal data,
  • the security measures they implement,
  • or any outcomes resulting from the User’s interaction with those sites.

Users are solely responsible for ensuring that they understand the privacy policies, terms, or cookie practices of any external service before providing personal data.

5.3. Third-Party Integrations Embedded on the Site

The Site may occasionally use embedded elements or plug-ins from third parties (such as video players, analytics widgets, or social media integrations). These third-party tools may collect data such as:

  • device identifiers,
  • IP address,
  • interaction data (e.g., video views),
  • cookie data.

Where such processing occurs, it is subject to the respective third party’s privacy policy.
We encourage Users to review these policies to understand how personal data may be processed by external services.

5.4. User Responsibility and Informed Decision-Making

We strongly advise Users to:

  • read the privacy policy and terms of any external website prior to providing personal data,
  • evaluate whether the external service offers adequate data protection,
  • exercise caution when sharing personal or financial information outside the Site.

The Company does not endorse, guarantee, or make any representations regarding the accuracy, reliability, or security of third-party services.

5.5. Limitation of Liability

The Company shall not be held liable for any damages, losses, or privacy breaches that arise from the User’s interaction with third-party websites or their data-processing activities.
Responsibility for compliance with applicable data protection requirements rests solely with the operator of the third-party website.

6. Data Security

6.1. Commitment to Security Measures

The Company is committed to protecting personal data by implementing appropriate technical and organizational measures (“TOMs”) designed to ensure a level of security appropriate to the risks associated with data processing, as required by Articles 24, 25, and 32 of the GDPR.
Our security program is continuously evaluated and improved to address emerging threats, technological advancements, and regulatory requirements.

6.2. Technical Security Measures

To safeguard personal data, we employ industry-standard security controls, including but not limited to:

  • SSL/TLS Encryption
    All data transmitted between the User’s browser and our servers is encrypted using modern SSL/TLS protocols to protect against interception or tampering.
  • Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS)
    Our infrastructure is protected by firewall rules and automated monitoring tools designed to detect, prevent, and alert against suspicious activity, unauthorized access attempts, and abuse.
  • Encrypted, Hashed, and Salted Passwords
    User passwords are never stored in plain text.
    They are processed using secure, industry-accepted hashing algorithms (e.g., bcrypt, Argon2) combined with unique salts to mitigate brute-force attacks.
  • Secure Data Storage and Encryption-at-Rest
    Where appropriate, stored data is encrypted using strong cryptographic methods to prevent unauthorized access even in the event of physical compromise.
  • Access-Control Policies
    Access to personal data is strictly limited to authorized personnel who require access for operational or legal purposes.
    Access rights follow the principles of:
    • least privilege,
    • role-based access control (RBAC),
    • logging and monitoring of administrative actions.
  • Regular Vulnerability Assessments and Security Audits
    We perform periodic internal and external assessments, including:
    • penetration tests,
    • code reviews,
    • security configuration checks,
    • automated vulnerability scans.
    Detected vulnerabilities are remediated in accordance with our internal risk management procedures.

6.3. Organizational Security Measures

In addition to technical controls, the Company enforces several organizational safeguards, such as:

  • employee training on GDPR, cybersecurity, and secure data handling,
  • confidentiality agreements with staff and service providers,
  • documented incident response procedures,
  • policies for secure device use and secure remote access,
  • routine audits of access privileges and operational processes.

6.4. Third-Party Security Compliance

Where personal data is processed by third-party service providers (e.g., hosting, email delivery, analytics tools), we ensure:

  • contractual data protection agreements (DPAs) are in place,
  • third parties meet GDPR requirements and apply adequate security measures,
  • data processing is carried out only according to our documented instructions,
  • data is not used for unrelated purposes.

We conduct due diligence and risk assessments before engaging any processor.

6.5. Data Breach Prevention and Response

Despite all preventive measures, cybersecurity risks cannot be completely eliminated.
If a personal data breach occurs, we will:

  • assess its impact,
  • take immediate corrective actions,
  • notify the relevant Supervisory Authority within 72 hours, where required by GDPR,
  • inform affected Users when there is a high risk to their rights and freedoms.

Our incident response plan ensures prompt management, containment, and mitigation of security breaches.

6.6. No Absolute Guarantee of Security

While we employ robust technical and organizational safeguards and adhere to internationally recognized security standards, no online service can guarantee complete protection against all potential threats.
The Company commits to minimizing risks, monitoring evolving cyber threats, and continuously improving its security posture in accordance with industry best practices.

7. Cookies Policy

We use cookies and similar technologies to ensure the proper functioning of the Site, improve the user experience, and, where applicable, provide analytics and marketing features.

The cookies used on the Site fall into the following categories:

  • Strictly necessary cookies – essential for authentication, secure login, and access to purchased courses. These cannot be disabled.
  • Functional cookies – enhance usability by remembering preferences and improving navigation.
  • Performance/Analytics cookies – help us understand how Users interact with the Site so we can improve content and platform stability.
  • Marketing cookies – used only with explicit User consent to deliver relevant promotional content.

Users may decline all non-essential cookies via the cookie banner without affecting access to purchased digital content.
A detailed description of each cookie type, its purpose, provider, and retention period is available in our separate Cookie Policy document, which can be accessed directly on the Site.

8. International Data Transfers

8.1. General Principles

The Company processes personal data primarily within the European Economic Area (EEA).
However, certain service providers, technical infrastructure providers, or communication tools may be located outside the EEA.
In such cases, any international transfer of personal data is carried out strictly in accordance with Chapter V of the GDPR, ensuring an equivalent level of protection to that guaranteed within the EU.
We do not transfer personal data internationally unless proper legal safeguards are in place.

8.2. Transfers Based on Adequacy Decisions

Where personal data is transferred to a country that the European Commission has recognized as providing an adequate level of data protection, the transfer is permitted without additional measures.
These include countries whose privacy regulations are considered essentially equivalent to EU standards.
Adequacy decisions ensure that personal data remains protected in accordance with GDPR principles.

8.3. Transfers Based on Standard Contractual Clauses (SCCs)

If a transfer is made to a country without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission.
These contractual commitments:

  • bind the recipient to EU-level data protection standards,
  • impose confidentiality, security, and limited-use obligations,
  • require the implementation of appropriate technical and organizational measures,
  • ensure enforceable rights and effective legal remedies for Users.

We conduct due diligence and, where necessary, perform Transfer Impact Assessments to verify that SCCs offer sufficient protection in practice.

8.4. Supplemental Technical and Organizational Measures

In addition to SCCs or adequacy decisions, we may implement supplemental safeguards, including:

  • encryption in transit and at rest,
  • data pseudonymization or minimization,
  • restricted access on a need-to-know basis,
  • segregation of data environments,
  • secure communication channels,
  • policies to prevent unauthorized onward transfers.

These measures help ensure compliance with GDPR requirements even in jurisdictions with different legal frameworks.

8.5. Transfers to Processors and Sub-Processors

Any international transfer to third-party processors (such as cloud hosting, email delivery services, analytics providers, or customer support tools) occurs only when:

  • a Data Processing Agreement (DPA) is in place,
  • the processor commits to GDPR-compliant safeguards,
  • the processor’s sub-processors are also subject to equivalent protections.

We do not authorize processors to use personal data for their own purposes.

8.6. No International Transfers Without Safeguards

The Company does not transfer personal data outside the EEA unless one of the lawful mechanisms described above is applied.
This includes ensuring:

  • transparency regarding the nature, purpose, and location of the transfer,
  • enforceability of User rights,
  • ongoing monitoring of the adequacy of implemented protections.

If a transfer cannot meet GDPR requirements, it will not take place.

9. Data Retention

We store personal data only for the duration necessary to:

  • provide services,
  • comply with tax and accounting obligations,
  • maintain accurate transaction history,
  • resolve disputes and enforce agreements.

Inactive accounts may be deleted after 36 months of inactivity, unless retention is required by law.

10. Final Provisions

10.1. Governing Law

This Privacy Policy is governed by and interpreted in accordance with:

  • the General Data Protection Regulation (GDPR),
  • the applicable laws and regulations of the European Union,
  • the national data protection laws of Cyprus, as the jurisdiction in which the Company is incorporated and operates.

Where mandatory consumer protection or data protection rules of the User’s country of residence require additional safeguards, such protections shall also apply.
Nothing in this Policy limits the rights granted to Users under GDPR, EU law, or binding national legislation.

10.2. Updates to This Policy

We may amend or update this Privacy Policy from time to time to reflect:

  • changes in data protection laws or regulatory requirements,
  • updates to our services, technologies, or processing activities,
  • improvements in transparency or security measures,
  • operational or organizational changes within the Company.

Any material changes—those affecting how personal data is collected, used, or shared—will be communicated directly to Users via:

  • email notification (where applicable), and/or
  • a prominent notice on the Site.

Users are encouraged to review this Policy periodically to stay informed of how their personal data is protected.
The most current version of the Policy will always be available on the Site and will include the “Last Updated” date.

10.3. Acceptance of the Policy

By accessing or using https://hottestcourse.com/, creating an account, purchasing digital content, or interacting with the Site in any manner, you confirm that you:

  • have read this Privacy Policy in full,
  • understand the scope of data processing described herein,
  • agree to the terms and conditions governing the collection and processing of your personal data.

If you do not agree with any part of this Policy, you should discontinue use of the Site. Continued use after updates are published constitutes acceptance of the revised Policy.

Legal Information About the Company

XETRIX LIMITED
Registration Number: HE 482289
Registered Address:
Arch. Makariou III, 1
MITSI BUILDING 3, 3rd floor, Office 310
1065, Nicosia, Cyprus
Email: [email protected]
Phone: +357 25 834467