Privacy Policy

Last Updated: March 12, 2026

1. Introduction & Controller Identity

This Privacy Policy explains how Horizon Financial Academy ("Horizon Financial Academy", "we", "our", or "us") collects, uses, and protects your personal data when you visit horizonfinancialacademy.es (the "Website") or interact with our educational programs and materials. We provide financial education and literacy programs only. We do not offer investment advice, brokerage services, or other regulated financial services.

For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR where applicable, the Data Controller is JOWEI S.L., with registered address: C. del Dr. Manuel Candela, 20, Algirós, 46021 Valencia, Spain. You can reach us at [email protected] regarding any privacy questions or requests. We currently do not appoint a Data Protection Officer because our processing activities do not require one under Article 37 GDPR.

This Policy applies to personal data we process as a controller. Where we link to third‑party resources, their privacy practices are governed by their own policies.

2. Personal Data We Collect

We collect only the information necessary to operate an educational website, communicate with prospective learners, and improve our materials. Categories include:

• Identity and contact data: name, email address, and country of residence that you provide via contact forms or email.
• Form content: free‑text messages, program selections, and any preferences you send us (e.g., program of interest).
• Technical data: IP address, browser type and version, device/OS, language, approximate location based on IP, and server log data necessary for security and troubleshooting.
• Usage data: pages viewed, time on page, navigation paths, and referring URLs.
• Cookies and similar identifiers: small files or IDs set on your device to remember preferences and, with consent, to enable analytics and advertising measurement. See Section 4 and our Cookie Policy.
• Conversion and engagement data: events such as form submissions, with timestamps and basic metadata.

We do not intentionally collect special‑category data (e.g., health, ethnicity, political views), financial account details, or government identifiers. Please do not include such information in free‑text fields.

3. Why We Process Your Data & Legal Bases

• Responding to inquiries and program requests — to communicate with you and share educational information you request. Legal bases: GDPR Art. 6(1)(b) (steps prior to a contract for service delivery) and Art. 6(1)(a) (consent when applicable).
• Analytics — to understand what content is helpful and improve the Website. Legal basis: Art. 6(1)(a) (consent). Analytics only load after you consent.
• Advertising measurement and remarketing — where enabled, to measure the effectiveness of our outreach and reach similar audiences. Legal basis: Art. 6(1)(a) (consent).
• Security and fraud prevention — to protect the Website against abuse, detect anomalies, and maintain service integrity. Legal basis: Art. 6(1)(f) (legitimate interests).
• Legal compliance — to satisfy legal, tax, and regulatory obligations. Legal basis: Art. 6(1)(c) (legal obligation).

Automated decision‑making: We do not engage in automated decision‑making or profiling that produces legal or similarly significant effects under GDPR Article 22.

4. Cookies & Tracking Technologies

We use cookies and similar technologies to operate the Website and, with your consent, to enable analytics and marketing features. Our consent banner appears to EEA/UK visitors and allows granular choices. Categories align with our Cookie Policy:

• Essential: required for core functionality and security. Examples: _site_session, cookie_consent. Retention ranges from session to 12 months.
• Analytics (consent): Google Analytics 4 (IP anonymization enabled). Examples: _ga (2 years) and _ga_XXXXXXXXXX (2 years). Data retention in GA is typically 14 months.
• Marketing (consent): identifiers for advertising measurement or remarketing, such as _gcl_au (Google Ads, 90 days), _fbp (Meta, 90 days), and _fbc (90 days when a click ID is present).

You can manage preferences anytime via the "Manage cookie preferences" link in our footer. For detailed information, please read our dedicated Cookie Policy.

5. Consent Management (EEA/UK)

Users in the EEA and UK receive a consent notice before non‑essential cookies load. We activate analytics and marketing technologies only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your selection is stored in the cookie_consent cookie for up to 12 months. You may withdraw consent at any time by reopening the preferences panel in the footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing before withdrawal.

6. Sharing with Service Providers & Advertising Partners

We share personal data with trusted providers who help us operate the Website and measure performance. These providers process data under contracts that limit their use to our instructions:

• Google LLC (Google Analytics 4, Google Ads/Tag Manager) — cookie IDs, usage data, conversion events. Policy: policies.google.com/privacy.
• Meta Platforms, Inc. (Meta Pixel, Custom/Lookalike Audiences, Conversion API where implemented) — page views, conversions, audience membership, hashed identifiers. Policy: facebook.com/privacy/policy.
• Cloudflare, Inc. (CDN and security services) — IP‑based threat detection and performance optimization. Policy: cloudflare.com/privacypolicy/.

We do not sell personal data. We do not permit these providers to use Website data for their own independent commercial purposes.

7. International Data Transfers

Where data is transferred outside the EEA/UK (e.g., to the United States), we rely on recognized safeguards: the EU‑US Data Privacy Framework and its UK Extension where applicable, and, if necessary, the European Commission’s Standard Contractual Clauses (2021/914) and the UK IDTA. We also implement supplementary measures consistent with guidance from the European Data Protection Board.

8. Data Retention

• Contact submissions: retained for up to 2 years from last interaction.
• Analytics: typically retained for 14 months within Google Analytics 4.
• Marketing cookies: per the stated cookie lifetime (e.g., 90 days for _gcl_au, _fbp, _fbc).
• Email correspondence: duration of the relationship plus 1 year.
• Server logs: up to 90 days unless extended for security investigations.
• Cookie consent record: up to 3 years for audit purposes.
• Legal/tax records: per applicable law (often 6–10 years).

9. Your Rights (GDPR/UK GDPR)

Subject to conditions and exemptions, you have the right to request: access, rectification, erasure, restriction, portability, and to object to certain processing. Where processing is based on consent, you may withdraw consent at any time. You also have the right to lodge a complaint with your local authority, such as the Spanish AEPD (aepd.es), the UK ICO (ico.org.uk), or another competent EU supervisory authority listed by the EDPB (edpb.europa.eu).

To exercise rights, email [email protected] with sufficient information to verify your identity and your request. We aim to respond within 30 days, extendable by up to 60 additional days for complex requests as permitted by law.

10. Children’s Privacy

Our Website and programs are not directed at individuals under 16. We do not knowingly collect personal data from children under 16. If we become aware that data from a child under 16 has been provided without verifiable parental consent, we will delete it promptly.

11. Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. The Website does not respond to DNT signals. Third‑party providers may have their own handling of DNT; please review their privacy policies for details.

12. Account & Data Deletion Requests

We do not operate user accounts for our educational content at this time. For deletion of personal data you have shared (e.g., via contact forms or email), please email [email protected] with the subject "Data Deletion Request". After verifying your identity, we will complete deletion unless retention is required by law.

13. Business Transfers

In the event of a merger, acquisition, asset sale, financing, or insolvency, personal data may be transferred to a successor or acquiring entity subject to this Privacy Policy or a policy with materially similar protections. We will notify users via a site notice if any material changes in data use occur as a result of such a transaction.

14. California Privacy (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) may grant you additional rights. Over the past 12 months, we may have disclosed for a business purpose the following categories of personal information to service providers and advertising partners: identifiers (name, email, IP, device IDs); internet or network activity (browsing, interactions); and inferences (interests or preferences) derived from interactions. We do not sell personal information as defined by the CCPA. We may "share" personal information for cross‑context behavioral advertising when you have consented; you may opt out by disabling Marketing cookies in our preferences panel.

Your CCPA rights include: the right to know, delete, correct, and opt out of sale/sharing, and the right to non‑discrimination for exercising your rights. Submit requests by emailing [email protected] with the subject "California Privacy Request". We will verify your identity and, if applicable, accept requests via authorized agents who provide written authorization.

15. Virginia Privacy (VCDPA)

For Virginia residents, the Virginia Consumer Data Protection Act (VCDPA) provides rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects. Submit requests to [email protected] with the subject "Virginia Privacy Request". If we deny your request, you may appeal by emailing us within 30 days with the subject "Appeal of Refusal — Privacy Request". Unresolved concerns may be directed to the Office of the Attorney General of Virginia.

16. Nevada Privacy

Nevada residents may submit a verified request to opt out of the sale of personal information by emailing [email protected] with the subject "Nevada Do Not Sell Request". We do not currently sell personal information as defined in Nevada Revised Statutes Chapter 603A.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in technology, law, or our operations. Material changes will be announced via a notice on our homepage at least 14 days before they take effect. The "Last Updated" date at the top of this page will always indicate the latest revision.

18. Contact Us

If you have questions about this Policy or wish to exercise your privacy rights, please contact:

• Legal entity (Data Controller): JOWEI S.L.
• Trading name: Horizon Financial Academy
• Address: C. del Dr. Manuel Candela, 20, Algirós, 46021 Valencia, Spain
• Email: [email protected]

Annex — Cookie and Identifier Summary

Below is a non‑exhaustive list of cookies and identifiers used on the Website. For the full and authoritative list, see the Cookie Policy.

• _site_session — site session continuity (Essential; first‑party; session).
• cookie_consent — records your cookie choices (Essential; first‑party; up to 12 months).
• _ga — GA4 user identifier (Analytics; third‑party; 2 years; consent‑based).
• _ga_XXXXXXXXXX — GA4 session state (Analytics; third‑party; 2 years; consent‑based).
• _gcl_au — Google Ads conversion linker (Marketing; third‑party; 90 days; consent‑based).
• _fbp — Meta Pixel browser identifier (Marketing; third‑party; 90 days; consent‑based).
• _fbc — Meta Pixel click identifier (Marketing; third‑party; 90 days; consent‑based, only when fbclid present).

You may also manage preferences using browser controls and, where available, platform tools such as Google’s Ads Settings and Facebook’s Ad Preferences. Links are provided in the Cookie Policy for convenience.