
Privacy Policy

Last updated: February 25, 2026

1. Data Controller

The data controller for personal data collected on the WEOKTO platform (accessible at weokto.com) is:

Collective 1X3
New Mexico, United States
Email: [email protected]

The purpose of this privacy policy is to inform you about how we collect, use, store, and protect your personal data, in accordance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and applicable data protection laws.

2. Personal Data Collected

In the course of using the WEOKTO platform, we may collect and process the following categories of personal data:

2.1 Identity Data

  • First and last name
  • Username
  • Date of birth
  • Email address

2.2 Contact Details and External Identifiers

  • Phone number
  • Instagram handle (username)
  • Telegram handle

This information is primarily collected as part of the application process and is used to contact you and verify your profile.

2.3 Application Data

  • Current situation (professional and personal)
  • Current monthly income
  • Online business experience
  • Motivation and goals
  • Financial target
  • Weekly availability (hours)

2.4 Payment Data

Payments on WEOKTO are handled exclusively by our payment processor Stripe. We never directly store credit card numbers, expiration dates, or security codes (CVV) on our servers. Stripe processes this information as a PCI-DSS certified sub-processor. We only retain a Stripe customer identifier and the transaction history (amounts, dates, statuses).

2.5 Browsing Data

  • IP address
  • Browser type and version (user-agent)
  • Pages visited and browsing path
  • Date and time of connection
  • Visit duration

2.6 Affiliate Data

  • Unique referral code
  • Commission history
  • Sales history generated through affiliation
  • Affiliate performance statistics (clicks, conversions, revenue)
  • Referral tree (relationship between referrer and referrals)

3. Purpose of Processing

Your personal data is collected and processed for the following purposes:

3.1 Account Management and Authentication

Creation and management of your user account, secure authentication upon login, session management, and access to the various features of the platform.

3.2 Application Processing

Evaluation and processing of your application to join the WEOKTO program. Analysis of your profile, motivation, and suitability for our program.

3.3 Affiliate Performance Tracking

Calculation and attribution of affiliate commissions, sales tracking, performance report generation, referral program management, and commission payouts.

3.4 Communication

Sending transactional emails (payment confirmations, commission notifications, account updates) and, with your consent, marketing emails (news, training, opportunities).

3.5 Service Improvement

Analysis of platform usage to improve the user experience, optimize technical performance, develop new features, and adapt our training content.

3.6 Legal Obligations

Compliance with legal and regulatory obligations regarding accounting, taxation, and fraud prevention.

4. Legal Basis for Processing

Each processing of personal data is based on a specific legal basis in accordance with Article 6 of the GDPR:

  • Performance of a contract — The processing of your identity, payment, and affiliate data is necessary for the performance of the contract between you and WEOKTO (account management, access to services, commission payouts).
  • Consent — The sending of marketing emails, the use of non-essential cookies, and the processing of your application data are based on your prior consent, which you may withdraw at any time.
  • Legitimate interest — Platform improvement, fraud prevention, and access security are based on our legitimate interest, insofar as such processing does not disproportionately affect your rights and freedoms.
  • Legal obligation — The retention of certain financial and accounting data is required by law (tax and accounting obligations).

5. Data Recipients

Your personal data may be shared with the following recipients, in strict compliance with the principle of data minimization:

  • WEOKTO team (administrators) — Access to the data necessary for platform management, application processing, user support, and affiliate performance tracking.
  • Stripe — Online payment processor. Processes payment data for transaction execution and commission payouts. PCI-DSS certified. Stripe Privacy Policy
  • Resend — Transactional and marketing email delivery service. Accesses your email address and name for communication delivery. Resend Privacy Policy
  • Mux — Video hosting and streaming service. May collect technical data related to video playback (IP address, performance data). Mux Privacy Policy
  • Supabase — Database service. Hosts all platform data on a secure infrastructure. Supabase Privacy Policy

No personal data is sold to third parties. The sub-processors listed above only have access to the data strictly necessary for the performance of their services and are contractually bound to respect the confidentiality and security of your data.

6. Data Transfers Outside the European Union

WEOKTO is operated by Collective 1X3, a company based in the United States. Consequently, your personal data may be transferred to and stored on servers located in the United States, notably through our service providers:

  • Supabase (database)
  • Stripe (payment processing)
  • Resend (email delivery)
  • Mux (video hosting)

These transfers are governed by appropriate safeguards in accordance with Articles 46 et seq. of the GDPR, including:

  • Standard Contractual Clauses (SCCs) — Our service providers have adopted the Standard Contractual Clauses approved by the European Commission, which ensure an adequate level of protection for personal data when transferred outside the EU.
  • EU-U.S. Data Privacy Framework — Some of our service providers (notably Stripe) are certified under the EU-U.S. Data Privacy Framework, recognized as providing an adequate level of protection by the European Commission.
  • Supplementary measures — Additional technical and organizational security measures are in place, including encryption of data in transit and at rest.

7. Data Retention Period

We retain your personal data only for the duration necessary to fulfill the purposes for which it was collected:

  • Account data — Retained for the lifetime of your account, then for 3 years from the deletion of the account or the last activity. This period allows us to respond to any potential claims.
  • Application data — Retained for 2 years from the date the application was submitted, whether accepted or rejected.
  • Financial and accounting data — Retained for 10 years in accordance with legal accounting and tax obligations.
  • Browsing data — Retained for a maximum of 13 months, in accordance with CNIL recommendations.
  • Cookies — See our Cookie Policy for specific cookie retention periods.

At the end of these retention periods, your data is either deleted or irreversibly anonymized for statistical purposes.

8. Your Data Protection Rights

In accordance with the GDPR and applicable data protection laws, you have the following rights regarding your personal data:

8.1 Right of Access

You have the right to obtain confirmation as to whether or not your personal data is being processed and, where it is, to obtain a copy of all such data along with information about the conditions of its processing.

8.2 Right to Rectification

You have the right to obtain the rectification of your personal data when it is inaccurate or incomplete.

8.3 Right to Erasure ("Right to be Forgotten")

You have the right to obtain the deletion of your personal data in the cases provided for by the GDPR, notably when the data is no longer necessary for the purposes for which it was collected, or when you withdraw your consent. This right does not apply when processing is necessary for compliance with a legal obligation.

8.4 Right to Data Portability

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller without hindrance from us.

8.5 Right to Object

You have the right to object at any time to the processing of your personal data based on our legitimate interest. You also have the right to object to the processing of your data for direct marketing purposes, without needing to provide any justification.

8.6 Right to Restriction of Processing

You have the right to obtain the restriction of processing of your data in certain cases provided for by the GDPR, notably when you contest the accuracy of the data or when you have objected to the processing.

8.7 Right to Withdraw Consent

Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal.

Exercising Your Rights

To exercise any of these rights, you may contact us by email at [email protected], specifying your request and providing proof of your identity. We undertake to respond within one month of receiving your request. This period may be extended by two additional months in the case of a complex request, in which case we will inform you accordingly.

9. Data Security

We implement appropriate technical and organizational measures to ensure the security of your personal data and protect it against unauthorized access, alteration, disclosure, or destruction:

  • Encryption of sensitive data — Sensitive data is encrypted at rest and in transit. Passwords are hashed using robust cryptographic algorithms and are never stored in plain text.
  • Secure connections (HTTPS) — All communications between your browser and our servers are encrypted via the HTTPS/TLS protocol, ensuring data confidentiality in transit.
  • Access control — Access to personal data is strictly limited to authorized members of the WEOKTO team, following the principle of least privilege. Enhanced authentication mechanisms are in place.
  • Secure infrastructure — Our infrastructure and service providers (Supabase) hold recognized security certifications (SOC 2, ISO 27001) and implement advanced protection measures.
  • Monitoring and auditing — We conduct regular reviews of our security practices and remain vigilant against emerging threats.

10. Personal Data Breach

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we undertake to:

  • Notify the CNIL within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.
  • Inform the affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 of the GDPR.
  • Document the incident by recording the nature of the breach, its likely consequences, and the measures taken to remedy it.

11. Right to Lodge a Complaint

If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with a competent supervisory authority:

We encourage you to contact us first so that we may attempt to resolve your concern directly.

12. Changes to This Policy

We reserve the right to modify this privacy policy at any time to reflect changes in our data processing practices or legislative and regulatory developments. In the event of a material change, we will notify you by email at the address associated with your account and/or through a visible notification on the platform. The last updated date is indicated at the top of this page. We encourage you to review this policy regularly.

13. Contact — Data Protection Officer

For any questions regarding the protection of your personal data or to exercise your rights, you may contact our data protection officer:

Collective 1X3 — Data Protection
New Mexico, United States
Email: [email protected]

We are committed to processing any request within a reasonable timeframe and in compliance with GDPR requirements.
