Privacy Policy

Daily 8 is operated by an individual sole trader (개인사업자) registered in the Republic of Korea. The sole trader is the “data controller” for the purposes of UK GDPR, the “business” for the purposes of the California Consumer Privacy Act (CCPA/CPRA), and the “personal information controller” (개인정보처리자) for the purposes of the Korean Personal Information Protection Act (PIPA).

Full operator details — business name, Korean business registration number, and registered Korean address — are published in the “Seller information” block at the bottom of this page, as required by the Korean Act on the Consumer Protection in Electronic Commerce (전자상거래법).

For all privacy enquiries, contact our designated point of contact (acting as our data protection officer for routine enquiries) at team.byzzle@gmail.com.

We collect only what we need to deliver one daily lesson to your WhatsApp number, manage your subscription, and answer your support questions.

• Name — first name (or whatever name you give us) so we can address you in the daily lessons.
• Phone number — the WhatsApp number on which you want to receive the lessons. This is the primary identifier of your account.
• Email — optional. Used for billing receipts, renewal reminders, and as a recovery channel if WhatsApp delivery fails.
• Spanish level — the level you select at signup (beginner, intermediate, etc.) so we send the right lessons.
• Timezone — inferred from your browser or asked at signup, so the daily lesson lands at 8 AM your local time.
• Billing data — handled by Lemon Squeezy, our Merchant of Record (which uses Stripe as a payment sub-processor). Lemon Squeezy holds your card details; we see only the metadata it returns (e.g. last four digits of the card, billing country, subscription status, invoice/receipt records). We do not store full card numbers on our own servers.
• Technical data — IP address at signup, browser user agent, and any analytics identifiers collected with your consent.
• Support correspondence — anything you write to us by email or WhatsApp, kept as part of the support history.

We do not knowingly collect biometric data, government ID numbers, location data beyond timezone, or any of the “sensitive” categories under UK GDPR Art. 9 or PIPA Art. 23.

• To deliver the service — sending the daily lesson at 8 AM in your timezone, on the WhatsApp number you provided, at the level you selected.
• To process your subscription — taking payment via Lemon Squeezy (our Merchant of Record), sending receipts, managing renewals, and handling the 7-day free trial.
• Customer support — replying to your questions and keeping a history of the conversation so the next reply has context.
• Service improvement — understanding which lessons are delivered, opened, and engaged with, so we can make the curriculum better.
• Optional analytics — measuring how the website performs (signup, conversion, drop-offs). Only with your consent through the cookie banner.
• Legal and accounting — keeping the records of a transaction we are required to keep under Korean tax law and under UK / US consumer protection rules.

For subscribers based in the United Kingdom, UK GDPR requires that every act of processing be tied to one of six legal bases. We rely on the following:

• Performance of a contract — sending the daily lessons, processing payment, managing the trial, handling cancellations, and providing customer support are all necessary to perform the subscription contract with you.
• Legitimate interests — measuring how the service is used so we can improve it, preventing fraud and chargeback abuse, and keeping logs sufficient to defend a legal claim. We have balanced these interests against your rights and concluded they do not override them; you can object at any time.
• Consent — optional marketing emails, non-essential cookies, and any analytics tools that go beyond aggregate measurement. You can withdraw consent at any time without affecting service delivery.
• Legal obligation — retaining invoice and tax records for the period required by Korean tax law and by the consumer protection laws of the buyer's country of residence.

Because the operator is registered in the Republic of Korea, the Personal Information Protection Act (개인정보 보호법) applies to all processing carried out by us, regardless of where you live. This section sets out the disclosures PIPA requires.

Purposes of collection. The purposes are limited to those listed in “Why we collect it” above. We will not use your personal information for any unrelated purpose without first obtaining your separate consent (PIPA Art. 18).

Categories of personal information. As listed in “What personal data we collect”. No “sensitive information” (민감정보) or “unique identifying information” (고유식별정보) is processed.

Retention period. See “How long we keep your data” below. Records that must be kept under the Korean Act on the Consumer Protection in Electronic Commerce are retained for the statutory minima (e.g. records of contract and withdrawal of subscription — 5 years; records of payment and supply of goods/services — 5 years; records of consumer complaints or dispute resolution — 3 years).

Third-party provision. See “Who we share your data with”. Where PIPA requires separate consent for provision to a third party, we collect that consent at signup or before the provision takes place.

Data subject rights. Under PIPA Arts. 35–37 you may at any time request access to, correction of, deletion of, or suspension of processing of your personal information. To exercise these rights, email team.byzzle@gmail.com. We respond within 10 days, as PIPA requires.

Privacy contact (개인정보 보호책임자). The point of contact for PIPA matters is the operator named in the “Seller information” block at the bottom of this page, reachable at team.byzzle@gmail.com. While we are below the threshold at which appointment of a dedicated Chief Privacy Officer (CPO) is mandatory, the operator personally fulfils that role for the time being.

If you are a resident of California, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you the following rights with respect to the personal information we hold about you:

• Right to know — the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom it is shared.
• Right to delete — request deletion of your personal information, subject to the statutory exceptions (e.g. ongoing transactions, legal recordkeeping).
• Right to correct — request correction of inaccurate information we hold about you.
• Right to opt out of “sale” or “sharing” — we do not sell personal information for money, and we do not “share” it for cross-context behavioural advertising as those terms are defined under CPRA. If we ever change this, we will publish a “Do Not Sell or Share My Personal Information” link before doing so.
• Right to limit use of sensitive personal information — we do not collect “sensitive personal information” in the CPRA sense.
• Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of service because you exercised a privacy right.

To exercise any of these rights, email team.byzzle@gmail.com. We will verify your identity by asking you to reply from the email address on file or from the WhatsApp number on file, and will respond within 45 days as required by CCPA. Authorised agents may submit requests on your behalf with written authorisation.

We share personal information only with the service providers we need in order to operate. Each is bound by a written data-processing agreement.

• Lemon Squeezy (Merchant of Record) — checkout, payment processing, subscription billing, sales-tax/VAT/GST handling, invoicing, and refunds. Lemon Squeezy is the legal seller for the payment transaction and uses Stripe as its payment sub-processor. Lemon Squeezy / Stripe hold the full card number; we do not.
• Meta Platforms / WhatsApp Business API — delivery of the daily lesson to your WhatsApp number, and the message channel for support conversations.
• Email provider — sending receipts, renewal notices, and support replies.
• Hosting provider — running the daily8am.com website and the APIs behind it.
• Analytics — only the tools you consent to via the cookie banner.

We do not sell personal information. We do not share it for third-party marketing. We disclose personal information to law enforcement only when compelled by a valid legal request.

Be aware that Daily 8 is operated from the Republic of Korea by a Korean sole trader. If you are based in the United Kingdom, the European Union, or the United States, your personal information will be transferred to and processed in Korea, and may be transferred onwards to the service providers listed above (most of which are based in the United States).

UK to Korea. The United Kingdom has not issued a general adequacy decision in favour of the Republic of Korea. We rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supplemented by a transfer risk assessment, as the lawful mechanism for receiving your personal data in Korea.

EU to Korea. The European Commission has issued an adequacy decision in favour of the Republic of Korea (Decision (EU) 2022/254), so transfers from the EEA to the Korean operator do not require additional safeguards. You retain all your GDPR rights after the transfer.

Onward transfers to US-based sub-processors (Lemon Squeezy and its payment sub-processor Stripe, Meta, our email provider, our hosting provider) are covered by EU Standard Contractual Clauses combined, where applicable, with the processor's certification under the EU–US and UK–US Data Privacy Frameworks, plus a written data-processing addendum with each sub-processor.

• Active subscription — for as long as your subscription is active, plus 90 days after cancellation to handle refund requests, billing disputes, and reactivation.
• Billing and tax records — 5 years from the date of the relevant transaction (Korean Act on the Consumer Protection in Electronic Commerce), or the longer period required by the tax law of your country of residence.
• Consumer complaints and dispute records — 3 years from resolution.
• Marketing consent — until you withdraw it, plus a short audit log of the consent event itself.
• Support correspondence — 24 months from the last message.

When the retention period for a record expires, the record is deleted or irreversibly anonymised.

Encryption in transit (TLS 1.2 or higher) for everything between your device, our website, and our sub-processors. Encryption at rest for the databases in which subscriber records live. Access controls limiting who on the operating team can see personal data. Audit logging of access to the subscriber database.

If we ever become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours (UK GDPR Art. 33) and, where the risk is high, notify affected subscribers directly. Equivalent notifications are made to the Personal Information Protection Commission (PIPC) of Korea as required by PIPA Art. 34.

We use strictly-necessary cookies to keep you signed in and to remember your language and level choices. Analytics and marketing cookies are loaded only after you give consent through the cookie banner. A full list of cookies — name, provider, purpose, lifespan — will be published on a dedicated Cookie Policy page once the consent banner is live.

Daily 8 is intended for adults. We do not knowingly accept subscriptions from anyone under 18. If you believe a minor has signed up, email team.byzzle@gmail.com and we will deactivate the subscription and delete the associated personal data. Under PIPA Art. 22-2, separate guardian consent is required for the processing of personal information of children under 14 — we do not process such data.

We will email active subscribers and display an in-WhatsApp notice at least 14 days before any material change to this policy takes effect. Non-material updates (clarifications, typos, processor name changes that do not alter what is shared) are published with an updated “last updated” date and no separate notice.

For any privacy request — access, deletion, correction, objection, opt-out, withdrawal of consent, or simply a question — email team.byzzle@gmail.com. We respond within 30 days (UK GDPR), 45 days (CCPA), or 10 days (PIPA), whichever is shorter for your jurisdiction.

You also have the right to complain to a supervisory authority:

• United Kingdom — Information Commissioner's Office (ICO), ico.org.uk.
• California — California Attorney General (oag.ca.gov/privacy) or the California Privacy Protection Agency (cppa.ca.gov).
• Republic of Korea — Personal Information Protection Commission (PIPC, pipc.go.kr) or the KISA Privacy Call Centre (118).

This is a draft. Will be reviewed by a qualified lawyer before launch.