Privacy Policy

1. Introduction

This Privacy Policy explains what personal data MB Capitals collects when you visit mbcapitals.com or buy the MB Capitals Blueprint, why we collect it, and how it is processed.

MB Capitals is operated from Germany and sells exclusively to consumers worldwide outside the European Union and the European Economic Area. Because the operator is established in the European Union, the EU General Data Protection Regulation (GDPR) applies to all processing, regardless of where the data subject is located. In addition, we apply the privacy frameworks of your country of residence (CCPA for California, UK GDPR for the UK, the Australian Privacy Principles for Australia, PIPEDA for Canada).

Data controller: Maximilian Bossow
Contact: privacy@mbcapitals.com

2. What We Collect

• Identification data — name, email, country of residence, billing address (during checkout).
• Payment data — last-four digits of card, payment-method type, transaction ID. Full card numbers are processed and stored exclusively by Stripe; we never see them.
• Communication data — content of WhatsApp, Instagram DM, or email communications you initiate with us.
• Course-progression data — login activity, completion of modules, posts in the Skool community.
• Aggregate site usage — page-views, scroll-depth, bounce, geographic country (no city, no postcode), browser type, referring source. Collected via Plausible Analytics, IP-anonymized at collection, no cookies set.
• Fit-check responses — your answers to the optional /fit-check questions, plus email if you provide it.

3. Why We Collect (Lawful Basis under GDPR)

• Contract performance (Art. 6 (1) (b) GDPR): payment processing, course-delivery, 1-on-1 coaching scheduling.
• Legitimate interest (Art. 6 (1) (f) GDPR): aggregate site analytics via Plausible, fraud prevention, geographic eligibility verification.
• Consent (Art. 6 (1) (a) GDPR): optional email-capture on fit-check, optional marketing emails (if any in future).
• Legal obligation (Art. 6 (1) (c) GDPR): retention of payment records for German tax purposes (§§ 257 HGB, 147 AO).

4. Data Processors We Use

• Stripe, Inc. — payment processing (US/EU/UK). Standard Contractual Clauses + EU-U.S. Data Privacy Framework. Privacy: stripe.com/privacy
• Resend — transactional email (US). Privacy: resend.com/legal/privacy-policy
• Skool — community + course delivery (US). Privacy: skool.com/privacy
• Plausible Analytics — privacy-friendly site metrics (EU, Germany). No cookies, IP-anonymized. Privacy: plausible.io/privacy
• Vercel — site hosting + edge runtime (EU/US). Privacy: vercel.com/legal/privacy-policy

5. International Data Transfers

Some of our processors (Stripe, Resend, Skool) are based in or transfer data to the United States. For such transfers, we rely on:

• EU-U.S. Data Privacy Framework adequacy decision (where applicable);
• Standard Contractual Clauses (SCCs) per Commission Decision 2021/914;
• UK International Data Transfer Agreement (for UK residents’ data) where required.

6. How Long We Keep Data

• Payment + identity data: 10 years per German commercial law (§§ 257 HGB, 147 AO).
• Communication data: until matter resolved, then deleted within 3 years.
• Course-progression: for as long as the Skool community membership is active, plus 90 days post-cancellation.
• Plausible aggregate: retained indefinitely with no personal data attached.
• Fit-check responses: if submitted with email, kept until you request deletion. If submitted without email, not stored beyond the session.

7. Your Rights — General (GDPR-Framework)

Under GDPR you have the right to access, rectify, erase (“right to be forgotten”), restrict processing of, port, and object to the processing of your personal data. You also have the right not to be subject to fully-automated decision-making.

To exercise any right, email privacy@mbcapitals.com. We respond within 30 days per Art. 12 GDPR. We may ask for proof of identity to prevent unauthorized disclosure.

8. California Resident Rights (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, and sell about you.
• Request deletion of your personal information.
• Correct inaccurate personal information.
• Opt out of the “sale” of your personal information. We do not sell personal data.
• Opt out of the use of sensitive personal information. We do not use sensitive personal information.
• Non-discrimination for exercising your privacy rights.

To submit a CCPA request, email privacy@mbcapitals.com with subject line “CCPA Request”.

9. UK Resident Rights (UK GDPR)

UK residents have the same rights as set out in Section 7, under the UK General Data Protection Regulation. You may also lodge a complaint with the UK Information Commissioner’s Office (ICO): ico.org.uk.

10. Australian Resident Rights (Privacy Act 1988 + APPs)

If you are an Australian resident, your rights are set out in the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). You have the right to access your personal information, correct it, and complain about how it is handled. Complaints can be made to the Office of the Australian Information Commissioner (OAIC): oaic.gov.au.

11. Canadian Resident Rights (PIPEDA)

If you are a Canadian resident, your rights are protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation (e.g., Quebec’s Law 25, BC PIPA, Alberta PIPA). You have the right to access, correct, and request deletion of your personal information. Complaints can be made to the Office of the Privacy Commissioner of Canada: priv.gc.ca.

12. Cookies + Tracking

MB Capitals does not set advertising cookies, tracking cookies, or third-party-analytics cookies. Plausible Analytics uses no cookies whatsoever. Stripe sets strictly-necessary transactional cookies during the checkout flow only — these are required for fraud-prevention and payment-processing and are exempt from consent requirements under § 25 paragraph 2 TTDSG (Germany) and the equivalent ePrivacy Directive provisions in other jurisdictions.

The cookie-consent banner shown on first visit is provided for transparency; declining it does not affect site functionality.

13. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority. The German supervisory authority for MB Capitals as the operator is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA). EU residents may also complain to their local data-protection authority. UK, US, AU, and CA residents see the relevant sections above for their country-specific authority.

14. Updates to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to active customers and via a banner on the site. The “Last updated” date at the top reflects the most recent version.