Skip to main content

Data Protection & Privacy Policy

Version 2.0 Effective: 14 February 2026

Preamble

This Data Protection and Privacy Policy ("Policy") governs the collection, processing, storage, sharing, and protection of personal data by LEVELSTAIR ("LEVELSTAIR", "we", "us", or "our"). LEVELSTAIR is a creator-focused online community platform dedicated to game development, collaborative events, and creative industry engagement, accessible via https://www.levelstair.com/.

This Policy is written to reflect our genuine commitment to data minimization, transparency, and individual rights. It is intended to be read, understood, and relied upon by any person who provides personal data to LEVELSTAIR, whether through our website, membership registration, event participation, or any affiliated digital service.

By registering as a member, signing up for an event, submitting any form, or otherwise providing personal information to LEVELSTAIR, you acknowledge that you have read, understood, and agreed to the terms of this Policy. If you do not agree, please do not provide your personal data and contact us to discuss your options.

1. Definitions

For the purposes of this Policy, the following terms shall have the meanings set out below:

"Personal Data"

Means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, phone numbers, IP addresses, device identifiers, and any combination of data that can identify a person.

"Processing"

Means any operation or set of operations performed on personal data, including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

"Data Controller"

Means the entity that determines the purposes and means of processing personal data. LEVELSTAIR is the Data Controller in respect of all personal data described in this Policy.

"Data Processor"

Means a third party that processes personal data on behalf of the Data Controller under documented instructions.

"Consent"

Means a freely given, specific, informed, and unambiguous indication of agreement by a data subject to the processing of their personal data.

"Data Subject"

Means any identified or identifiable natural person whose personal data is processed under this Policy — i.e., any member, event participant, or site visitor who has provided personal data to LEVELSTAIR.

"Member"

Means any individual who has completed and submitted a LEVELSTAIR membership registration form and whose membership has not been terminated or revoked.

"Event Participant"

Means any individual who registers for or attends a LEVELSTAIR-hosted or LEVELSTAIR-affiliated event, whether online or in person.

"Service" or "Platform"

Means the LEVELSTAIR website (https://www.levelstair.com/), associated registration forms, community communications platforms (including but not limited to WhatsApp groups, Discord server), and any other digital infrastructure operated by LEVELSTAIR.

"Sensitive Personal Data"

Means personal data revealing racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric data, or data concerning minors — none of which LEVELSTAIR intentionally solicits except where explicitly disclosed.

"Anonymized Data"

Means data that has been irreversibly altered so that no individual can be directly or indirectly identified from it.

"Aggregated Data"

Means data combined from multiple sources into summary statistics or metrics in which no individual is identifiable.

"Third Party"

Means any entity other than the Data Subject and LEVELSTAIR, including subcontractors, partner organizations, and technology service providers.

"Breach" or "Security Incident"

Means any unauthorized access, disclosure, alteration, loss, or destruction of personal data.

"Minor"

Means any individual under the age of 18 years, or the age of digital consent applicable in their jurisdiction, whichever is higher.

2. Data Controller Identity and Contact Details

LEVELSTAIR operates as an unincorporated community organization and serves as the sole Data Controller for all personal data collected through the Platform and associated services.

Organization Name

LEVELSTAIR

Website

https://www.levelstair.com/

Privacy Enquiries

privacy@levelstair.com

General Contact

team@levelstair.com

Response Commitment

Within 10 business days of receiving a verifiable request

All formal requests under Section 14 (User Rights) must be submitted to privacy@levelstair.com with the subject line "Data Rights Request — [Full Name]". LEVELSTAIR reserves the right to verify the identity of the requestor before actioning any request.

3. Scope of this Policy

3.1 Who This Policy Applies To

This Policy applies to:

  • All registered members of LEVELSTAIR, from the time of registration until data deletion is confirmed;
  • Individuals who register for or participate in LEVELSTAIR-hosted or co-hosted events (online or physical);
  • Visitors who submit data via any LEVELSTAIR form, survey, or application submission;

Individuals who interact with LEVELSTAIR through community platforms including WhatsApp groups, Discord, social media, and any future communication channels.

3.2 What This Policy Covers

This Policy covers:

  • Personal data collected directly by LEVELSTAIR through forms, registrations, and submissions;
  • Technical and metadata collected automatically through the use of the Platform;
  • Data processed or stored on third-party platforms on LEVELSTAIR's behalf;

Community-generated content posted or shared within LEVELSTAIR-operated spaces.

3.3 What This Policy Does Not Cover

This Policy does not govern:

  • The privacy practices of third-party platforms independently accessed by users (e.g., Discord's own data practices, Google's own data practices);
  • Personal communications between members not facilitated through official LEVELSTAIR channels;

Data processing by partner organizations using independently collected data under their own policies.

4. Categories of Personal Data Collected

4.1 Directly Provided Personal Data

4.1.1 Identity and Contact Information

  • Full name (required for membership registration)
  • Email address (required)
  • Phone number or WhatsApp number (required for community communications)
  • Date of birth or age bracket (optional; requested only for age-restricted activities)
  • City or district of residence (optional; used for regional event planning)

4.1.2 Professional and Skill Information

  • Current role or occupation (e.g., student, developer, designer)
  • Skill categories (e.g., programming, visual art, music, narrative design)
  • Self-assessed skill level (beginner, intermediate, advanced)
  • Portfolio URLs (e.g., GitHub, ArtStation, YouTube, LinkedIn) — provided voluntarily
  • Preferred game engines or tools

4.1.3 Community Preferences and Activity

  • Interest tags (e.g., esports, game jams, virtual production, extended reality)
  • Participation history within LEVELSTAIR (events attended, roles taken on, contributions recognized)
  • Feedback, suggestions, and responses submitted via surveys or forms

4.2 Automatically Collected Technical Data

When you access the LEVELSTAIR website or interact with our hosted forms, the following data may be collected automatically by the hosting platform or analytics services:

  • IP address and approximate geographic location derived therefrom
  • Browser type, version, and language settings
  • Operating system and device type
  • Pages visited, time spent on page, and clickstream behavior
  • Referring URL (the page visited before reaching our site)
  • Cookie identifiers and session tokens (see Section 17)
  • Date and time of access

This technical data is collected by hosting infrastructure and analytics tools (see Section 12). LEVELSTAIR does not independently operate server-level logging beyond what is automatically generated by its hosting and form providers.

4.3 Community-Generated Content

Content submitted by members in LEVELSTAIR-operated spaces (e.g., Discord, WhatsApp, community forums) may contain personal data embedded voluntarily, such as images, links, or personal disclosures. This content is covered by this Policy only to the extent it is stored or managed by LEVELSTAIR. For platform-governed spaces (e.g., Discord, WhatsApp), the respective platform's own privacy policy also applies.

4.4 Event and Photography Data

LEVELSTAIR may capture photographs or video recordings at physical events. Where this occurs:

  • Participants will be notified in advance via the event registration page or on-site signage;
  • Photographs or recordings in which individuals are identifiable will only be published to LEVELSTAIR's public channels with prior consent;
  • Individuals may withdraw consent for ongoing publication at any time by contacting privacy@levelstair.com; however, withdrawal of consent does not require deletion of materials already distributed where doing so is technically impractical, and LEVELSTAIR will make reasonable efforts to limit further distribution;
  • In online events, screen recordings or screenshots may be taken; participants will be informed before the session begins.

4.5 Data We Do Not Collect

LEVELSTAIR does not intentionally collect, and requests that members do not submit, the following categories of data:

  • Government-issued identification numbers (national ID, passport, driving licence)
  • Financial account details, credit or debit card information, or banking data
  • Health, medical, or biometric data
  • Racial or ethnic origin, religious beliefs, or political opinions
  • Sexual orientation or gender identity beyond voluntary self-identification in relevant programs
  • If such data is inadvertently received, LEVELSTAIR will delete it upon discovery and notify the submitter where feasible.

5. Methods of Data Collection

5.1 Direct Submission

Data is collected when you:

  • Complete and submit a LEVELSTAIR membership registration form;
  • Register for an event via an online registration form;
  • Submit a project, application, or portfolio for consideration;
  • Respond to a survey, feedback form, or community poll;
  • Join a LEVELSTAIR-managed WhatsApp group or Discord server;
  • Send an email or message to any LEVELSTAIR contact address.

5.2 Automated Collection via Platform Hosting

Technical and usage data (see Section 4.2) is automatically generated by the infrastructure used to host our website and forms. These may include services such as Google Forms, Notion, Airtable, or other platforms whose data practices are governed by their respective policies in addition to this Policy.

5.3 Third-Party Sources

LEVELSTAIR may receive limited data about individuals from third parties in the following limited circumstances:

  • Partner organizations referring individuals to LEVELSTAIR programs, in which case only the data explicitly provided for the referral purpose will be processed;
  • Social media platforms where a user tags LEVELSTAIR or engages publicly with LEVELSTAIR-operated accounts.

In no case will LEVELSTAIR purchase, license, or otherwise acquire personal data lists from third-party data brokers or marketing providers.

6. Purposes and Lawful Basis for Processing

LEVELSTAIR processes personal data only for the specific, explicit, and legitimate purposes described below. Each purpose is listed alongside its lawful basis for processing and the corresponding data categories used. Data will not be used for any purpose incompatible with those stated below without obtaining renewed consent.

6.1 Community Membership Management

Purpose: To create, maintain, and manage member profiles; to communicate with members regarding community activities, updates, and announcements.

Lawful Basis: Consent (as provided at registration); legitimate interest in maintaining an active and organized community.

Data Used: Identity and contact information; professional and skill information; community preferences.

6.2 Event Coordination and Participation

Purpose: To administer registrations for LEVELSTAIR events; to match participants into teams or roles; to communicate event-specific logistics; to award prizes or recognize contributors.

Lawful Basis: Performance of a contract or pre-contractual obligation (event registration constitutes an agreement to participate); consent where additional data is collected for prize distribution.

Data Used: Full name, contact information, skill level, interest tags; postal/shipping address collected separately at time of prize fulfillment only.

6.3 Opportunity Matching

Purpose: To identify and introduce members to suitable opportunities such as team formation for game jams, internships, competitions, mentorship programs, or collaborative projects.

Lawful Basis: Consent; legitimate interest in delivering core community value.

Data Used: Professional information; skill categories; interest tags; participation history. Introductions will only be made with the explicit knowledge of the member and, where the opportunity involves a third party, with the member's prior opt-in.

6.4 Community Analytics and Reporting

Purpose: To understand the demographic and skill composition of the community; to produce anonymized reports for internal strategic planning or to present to potential sponsors or institutional partners.

Lawful Basis: Legitimate interest; consent where reports involve non-anonymized data.

Data Used: Anonymized or aggregated data only. No identifiable personal data will be included in reports shared outside the LEVELSTAIR core organizing team without explicit consent.

6.5 Content Personalization

Purpose: To tailor workshops, newsletters, announcements, and content recommendations to member interests.

Lawful Basis: Consent; legitimate interest.

Data Used: Interest tags; participation history; skill information. Members may opt out of personalized communications at any time.

6.6 Safety, Security, and Legal Compliance

Purpose: To detect, investigate, and respond to suspected misuse of the Platform; to comply with applicable law, court order, or regulatory requirement.

Lawful Basis: Legal obligation; legitimate interest in protecting the community.

Data Used: Relevant personal data and technical data on a need-to-know basis only.

6.7 Prohibited Uses

LEVELSTAIR explicitly prohibits the following uses of personal data collected under this Policy:

  • Selling, renting, licensing, or otherwise monetizing member personal data;
  • Using personal data for behavioral advertising, re-targeting, or audience building on third-party advertising platforms;
  • Using personal data for any purpose not described in this Section without obtaining explicit renewed consent;
  • Using personal data to make or facilitate automated decisions with significant legal or similarly significant effects without disclosure (see Section 15);
  • Sharing identifiable member data with any third party for that third party's own commercial purposes.

7. Data Minimization

LEVELSTAIR is committed to collecting only the minimum personal data necessary for each identified purpose. The following principles apply:

  • Registration forms will clearly distinguish between mandatory and optional fields. Optional fields will be labelled as such.
  • Data collected for a specific event or project will not be used for unrelated purposes without further consent.
  • LEVELSTAIR will conduct a review of all data categories held at least once every 12 months to assess whether continued retention is justified.
  • Data fields that are no longer operationally necessary will be deleted or anonymized during scheduled cleanups.
  • Where a purpose can be achieved with anonymized or aggregated data, LEVELSTAIR will prefer that approach over retaining identifiable data.

8. Data Retention Policy

8.1 Retention Periods by Data Category

Personal data will be retained only as long as necessary for the purpose for which it was collected, in accordance with the following schedule:

Data Category Retention Period
Active Membership Data Retained for the duration of active membership. Deleted or anonymized within 30 days of a verified deletion request.
Inactive Membership Data Accounts showing no engagement for 12 consecutive months are flagged for review. Data will be anonymized or deleted during the next annual cleanup cycle, unless the member responds to a prior notification and requests continued retention.
Event Participation Data Retained for 6 months following the conclusion of the event, unless the member consents to longer retention for portfolio or achievement-tracking purposes.
Communication Logs Email and form submission logs retained for 6 months, then deleted. Archived Discord/WhatsApp content is subject to those platforms' own retention policies.
Technical & Usage Data Log data retained by hosting services in accordance with those services' policies, typically 30–90 days. LEVELSTAIR does not independently archive this data.
Prize / Shipping Data Addresses collected for prize fulfillment are deleted within 30 days of confirmed delivery.
Anonymized/Aggregated Data Not subject to deletion timelines. Once anonymization is verified irreversible, data is excluded from data subject rights requests.

8.2 Annual Data Cleanup

LEVELSTAIR will conduct a formal annual data audit each calendar year to:

  • Identify and action retention period expirations;
  • Verify that data held continues to be necessary for active purposes;
  • Notify inactive members prior to anonymization or deletion;
  • Record the outcome of the audit in an internal data inventory log.

8.3 Post-Deletion

Following deletion, LEVELSTAIR will retain only a record of: (a) the fact that a deletion occurred; (b) the date of deletion; (c) the category of data deleted; (d) the identity of the individual if required for legal compliance purposes. This residual record will itself be deleted after three years.

9. Data Storage, Security, and Limitations

9.1 Storage Infrastructure

Personal data is stored on the following categories of platform, all of which operate under access-controlled, encrypted environments:

  • Form and survey data: Google Forms / Google Workspace
  • Structured member databases: Airtable and/or Notion
  • Communications: WhatsApp (Meta) and Discord
  • Backups: Encrypted cloud storage (Google Drive or equivalent), access restricted to designated administrators

LEVELSTAIR will update this list when material changes to storage infrastructure occur. Each storage platform used is bound by its own data processing terms; LEVELSTAIR selects platforms with established security credentials and data protection commitments.

9.2 Access Controls

Access to identifiable personal data is strictly limited as follows:

  • Only designated members of the LEVELSTAIR core organizing team are authorized to access identifiable member data.
  • Access is granted on a need-to-know basis consistent with each team member's operational role.
  • Former team members' access credentials are revoked promptly upon cessation of their role.
  • Team members with access to personal data are informed of this Policy and expected to adhere to it. Internal data handling guidelines will be maintained alongside this Policy.
  • No team member is authorized to access, copy, or use personal data for any purpose outside the purposes stated in Section 6.

9.3 Security Measures

LEVELSTAIR implements the following technical and organizational security measures:

  • Passwords and authentication credentials for all storage platforms use strong, unique credentials managed by authorized administrators.
  • Periodic encrypted backups are maintained to prevent data loss.
  • Sharing permissions on storage documents are reviewed regularly to prevent unauthorized public access.
  • No personal data will be stored in unencrypted, publicly accessible files, shared drives, or spreadsheets.

9.4 Security Limitations

LEVELSTAIR operates as a community organization without dedicated cybersecurity infrastructure. While we implement reasonable security measures, we acknowledge the following limitations:

  • We rely substantially on the security measures of third-party platforms (Google, Notion, Airtable, Discord, WhatsApp). We do not independently control the security of those platforms.
  • We cannot guarantee absolute protection against all forms of cyber threat, unauthorized access, or data breach.
  • Communication channels including WhatsApp and Discord are subject to those platforms' encryption standards, which LEVELSTAIR does not control.

In the event of a Security Incident, LEVELSTAIR will follow the procedures outlined in Section 16.

10. Third-Party Sharing and Data Processors

10.1 General Principle

LEVELSTAIR does not sell, rent, trade, license, or otherwise transfer personal data to any third party for commercial gain or for that third party's independent use. Personal data is shared with third parties only in the circumstances described below.

10.2 Service Providers and Data Processors

LEVELSTAIR uses the following categories of third-party services that may process personal data on its behalf as Data Processors:

  • Form and data collection: Google Forms / Google Workspace
  • Database and documentation: Notion, Airtable
  • Community communication: Discord (Discord Inc.), WhatsApp (Meta Platforms, Inc.)
  • Website hosting: As applicable per the current hosting provider
  • Analytics: Google Analytics or equivalent, where deployed

Each of these providers is engaged under their own service terms, which constitute a form of data processing agreement. LEVELSTAIR will update this list as processors change. Users are encouraged to review the privacy policies of these platforms directly.

10.3 Partner Organizations

  • Potential or active sponsors, for the purpose of demonstrating community reach and demographics (e.g., percentage of members in a specific skill category);
  • Institutional partners such as universities, for the purpose of facilitating collaborative programs.

In all cases, reports shared with partners will contain only anonymized or aggregated data. No identifiable personal data will be shared with partners unless:

  • The member has given specific, informed consent for that particular disclosure;
  • The disclosure is required by law or court order;
  • Sharing is necessary for the protection of the vital interests of the member.

Where identifiable data must be shared (e.g., to register a prize winner for an affiliated program), LEVELSTAIR will: (a) inform the member of what data will be shared, with whom, and why; (b) obtain explicit prior consent; and (c) document that consent.

10.4 Legal Disclosure

LEVELSTAIR may disclose personal data where required to do so by applicable law, regulation, court order, or at the direction of competent governmental authority. Where legally permissible, LEVELSTAIR will notify the affected individual of such a disclosure request prior to compliance.

10.5 No Onward Transfer Without Consent

Where LEVELSTAIR shares data with a partner or third party with the member's consent for a specific purpose, LEVELSTAIR will contractually prohibit that recipient from using the data for any purpose beyond that which was consented to, and from further sharing the data without LEVELSTAIR's and the member's explicit authorization.

11. Cross-Border Data Transfers

LEVELSTAIR is based in Sri Lanka. The third-party platforms used by LEVELSTAIR (including Google, Notion, Airtable, Discord, and Meta/WhatsApp) are headquartered outside Sri Lanka and may store and process data in multiple jurisdictions, including the United States and European Union member states.

By providing personal data to LEVELSTAIR and using the Platform, you acknowledge and consent to the transfer of your data to these platforms in accordance with their respective data processing agreements and the terms of this Policy.

LEVELSTAIR selects platforms that either: (a) operate under adequacy decisions or equivalent data protection frameworks; or (b) maintain Standard Contractual Clauses or equivalent transfer safeguards with their customers. LEVELSTAIR does not independently execute cross-border transfer agreements but relies on the contractual commitments made by each platform to its users.

If you have concerns about cross-border data transfers, you may contact us at privacy@levelstair.com and we will provide information about the specific platforms in use and their applicable transfer mechanisms.

12. Applicable Law and Regulatory Framework

LEVELSTAIR's data practices are governed by the applicable laws of Sri Lanka. In the absence of comprehensive data protection legislation in Sri Lanka at the time of this Policy's effective date, LEVELSTAIR voluntarily aligns its practices with internationally recognized standards, including:

  • General Data Protection Regulation (GDPR) — transparency, lawful basis, and user rights principles;
  • OECD Privacy Guidelines — data minimization, purpose limitation, and accountability;
  • ISO/IEC 27001 principles — as aspirational security standards.

Nothing in this Policy shall be construed as creating obligations beyond those required by applicable Sri Lankan law. Alignment with GDPR principles is a voluntary measure intended to demonstrate good practice and protect the rights of all users regardless of their jurisdiction, not a representation that GDPR applies as a matter of law to LEVELSTAIR.

13. Your Rights as a Data Subject

LEVELSTAIR recognizes the following rights in respect of personal data we hold about you. These rights are subject to applicable law and to the verification of your identity.

13.1 Right of Access

You have the right to request a copy of the personal data LEVELSTAIR holds about you, and to receive information about how it is being processed. Requests will be fulfilled within 10 business days.

13.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. LEVELSTAIR will update data upon receiving a verifiable correction request and will confirm the update within 10 business days.

13.3 Right to Erasure

You have the right to request deletion of your personal data. Upon receiving a verified deletion request, LEVELSTAIR will:

  • Delete all identifiable personal data within 30 days;
  • Notify any Data Processors who hold a copy of the data on our behalf to do the same;
  • Retain only the residual deletion record described in Section 8.3;
  • Confirm deletion to the requesting individual.

The right to erasure is subject to limitations where retention is required for legal compliance, the establishment or defense of legal claims, or other overriding legitimate grounds.

13.4 Right to Restriction of Processing

You have the right to request that LEVELSTAIR restrict processing of your data — for example, excluding you from newsletters, event invitations, or opportunity matching — without requiring full deletion of your membership record. To exercise this right, specify the processing activities you wish to restrict.

13.5 Right to Data Portability

Where technically feasible, you have the right to receive a copy of your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON). LEVELSTAIR will provide a data export in such format upon request.

13.6 Right to Object

You have the right to object to processing based on legitimate interest. Upon receiving such an objection, LEVELSTAIR will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

13.7 Right to Withdraw Consent

Where processing is based on your consent, you may withdraw that consent at any time by contacting privacy@levelstair.com. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

13.8 How to Exercise Your Rights

To exercise any of the above rights, email privacy@levelstair.com with the subject line "Data Rights Request — [Full Name]". Include:

  • Your full name and the email address associated with your LEVELSTAIR account;
  • The specific right you wish to exercise;
  • Any relevant details to assist us in locating your data.

LEVELSTAIR will respond to all verifiable rights requests within 10 business days. If a request cannot be fulfilled in full, LEVELSTAIR will provide a written explanation.

14. Children and Minors

The LEVELSTAIR Platform is primarily intended for individuals aged 16 and above. LEVELSTAIR does not knowingly collect personal data from individuals under the age of 13 (or such higher age as is required by applicable law in the user's jurisdiction) without verifiable parental or guardian consent.

Individuals aged 13 to 17 ("Minors") may participate in LEVELSTAIR programs subject to the following conditions:

  • Where an event, program, or activity is open to Minors, LEVELSTAIR will state this in the event description;
  • For programs involving Minors, LEVELSTAIR may require parental or guardian acknowledgment of this Policy;
  • LEVELSTAIR will not share identifiable data about Minors with any third party without explicit parental or guardian consent in addition to the Minor's own consent;
  • In all publications, photography, or social content, Minors will not be identified by name without dual consent from both the Minor and their parent or guardian;
  • Minors may exercise data rights through a verified parent or guardian.

If LEVELSTAIR discovers that personal data has been collected from a child under 13 without verifiable consent, such data will be deleted promptly and the parent or guardian notified where contact information is available.

15. Automated Decision-Making and Profiling

As of the effective date of this Policy, LEVELSTAIR does not engage in any automated decision-making or algorithmic profiling that produces decisions with legal or similarly significant effects upon data subjects.

Certain operational activities may involve limited data-driven matching or filtering, such as:

  • Matching members to teams or opportunities based on self-reported skill categories and interest tags — such matching is performed manually by LEVELSTAIR organizers and is advisory in nature only;
  • Segmenting communication lists by interest or skill category for the purpose of targeted announcements.

These activities do not constitute automated decision-making for legal purposes as they do not produce binding outcomes. Members retain the right to object to such segmentation by contacting privacy@levelstair.com.

If LEVELSTAIR introduces any form of automated profiling or AI-assisted decision-making in the future, this Policy will be updated in accordance with Section 18 and affected members will be notified prior to implementation.

16. Cookies and Tracking Technologies

16.1 What Are Cookies

Cookies are small text files placed on your device by a website to store information about your session or preferences. Related tracking technologies include web beacons, pixel tags, and local storage objects.

16.2 Cookies Used by LEVELSTAIR

The LEVELSTAIR website may use the following categories of cookies:

  • Strictly Necessary Cookies: Required for the website or embedded form to function. These cannot be disabled without impairing functionality. No personal data beyond session information is stored.
  • Analytics Cookies: Used to understand how visitors interact with our site (e.g., pages visited, time on site). This data is collected in aggregate or anonymized form. If Google Analytics or a similar tool is active, users may opt out via that provider's opt-out mechanism.
  • Third-Party Embedded Cookies: Some pages may embed third-party content (e.g., Google Forms, YouTube) which may set their own cookies subject to those providers' policies.

16.3 Cookie Management

You may manage or disable cookies through your browser settings. Disabling strictly necessary cookies may impair your ability to use certain features of the Platform. Browser-based cookie management does not extend to cookies set by third-party platforms such as Discord or WhatsApp.

Where applicable law requires affirmative consent before setting non-essential cookies, LEVELSTAIR will implement a cookie consent mechanism on the website.

17. Security Incident and Breach Notification

17.1 Definition of a Notifiable Incident

A notifiable Security Incident is any confirmed unauthorized access, disclosure, loss, alteration, or destruction of personal data that poses a risk to the rights and freedoms of data subjects.

17.2 Internal Response

Upon discovering a suspected or confirmed Security Incident, LEVELSTAIR will:

  • Immediately contain the incident by revoking compromised access and securing affected systems;
  • Document the nature of the incident, data involved, and number of affected individuals;
  • Assess the risk level to affected data subjects;
  • Implement remediation measures to prevent recurrence.

17.3 Notification to Affected Individuals

Where a Security Incident is likely to result in a high risk to the rights and freedoms of affected individuals, LEVELSTAIR will notify those individuals:

  • Without undue delay and in any event within 72 hours of becoming aware of the high-risk incident;
  • Via the primary email address on record;
  • Including a description of the nature of the incident, the data affected, likely consequences, and the measures taken or proposed.

17.4 Limitations

LEVELSTAIR acknowledges that it relies on third-party platforms (Google, Discord, Meta, Notion, Airtable) for storage and communications. Security incidents occurring within those platforms may not be immediately known to LEVELSTAIR. In such cases, LEVELSTAIR will notify affected members as soon as reasonably practicable after becoming aware.

18. Community-Generated Content

Members may post, share, or contribute content in LEVELSTAIR-managed spaces including Discord, WhatsApp, and any future community forums. The following terms apply to such content:

  • Content posted by members in public LEVELSTAIR channels (e.g., public Discord channels) may be visible to other community members and is treated as voluntarily disclosed to the community.
  • LEVELSTAIR does not scrape, archive, or commercially exploit member-generated content.
  • LEVELSTAIR moderators may review content in managed channels for community safety purposes.
  • Members should not post others' personal data in community channels without their consent.
  • If you wish to have your community-contributed content removed from LEVELSTAIR-managed spaces, contact privacy@levelstair.com with details of the content to be removed. Removal may not be technically possible where content has been shared by other members outside LEVELSTAIR's direct control.

19. Logs, Backups, and Residual Data

LEVELSTAIR acknowledges that certain categories of residual data may persist in system logs, automated backups, and archive snapshots beyond the primary retention periods described in Section 8. The following applies:

  • Backup copies of databases may contain personal data for up to 90 days following the primary deletion event, after which they will be purged in the normal backup rotation cycle;
  • LEVELSTAIR will not access backup copies for purposes other than disaster recovery or legal compliance;
  • System logs generated by third-party hosting platforms are retained in accordance with those platforms' policies and may not be immediately erasable by LEVELSTAIR;
  • Where a data subject requests erasure and residual copies exist in backups, LEVELSTAIR will document the request and ensure the data is not further processed and is deleted upon the next backup rotation.

20. Policy Changes and Versioning

20.1 Right to Amend

LEVELSTAIR reserves the right to update or amend this Policy at any time to reflect changes in: applicable law or regulatory guidance; our data practices; the platforms and processors we use; or operational changes to the community.

20.2 Notification of Changes

In the event of a material change to this Policy:

  • Members will be notified via email and/or a community announcement on Discord and WhatsApp at least 14 days before the new version takes effect;
  • The updated Policy will be published on the LEVELSTAIR website with a revised effective date and version number;
  • A summary of key changes will accompany the notification.

20.3 Renewed Consent for Major Changes

Where a material change involves a new use of personal data, a new category of data collected, or a significant change to sharing practices, LEVELSTAIR will seek renewed explicit consent from affected members before the change takes effect. Continued use of the Platform following the effective date of a non-material change constitutes acceptance of the revised Policy.

20.4 Version History

Previous versions of this Policy will be archived and made available upon request by emailing privacy@levelstair.com.

Version Info Details
Current Version 2.0
Effective Date 14 August 2025
Previous Version 1.0 (14 August 2025 — internal draft)

21. Contact Procedures and Dispute Resolution

21.1 Primary Contact

For all privacy-related queries, rights requests, complaints, or concerns, please contact:

Contact Field Channel / Information
Email privacy@levelstair.com
Subject Line Privacy Enquiry / Data Rights Request — [Your Full Name]
Response Time Within 10 business days

21.2 Escalation

If you are not satisfied with LEVELSTAIR's response to your enquiry or rights request, you may:

  • Request that the matter be escalated to senior LEVELSTAIR leadership via contact@levelstair.com;
  • Seek independent advice or mediation from a consumer rights body or digital rights organization in your jurisdiction;
  • Where applicable law provides for regulatory oversight of data protection, lodge a complaint with the relevant authority.

21.3 No Waiver of Legal Rights

Nothing in this Policy constitutes a waiver of any legal right available to you under applicable law. This Policy supplements, and does not displace, your statutory rights as a data subject.

22. Limitations and Disclaimers

The following limitations and disclaimers are explicitly set out to prevent misinterpretation or misuse of this Policy:

  • LEVELSTAIR is a community organization, not a regulated data controller under a formal statutory data protection regime. Our compliance with GDPR-aligned principles is voluntary and good-practice-based; it does not constitute a representation that GDPR applies as binding law to LEVELSTAIR.
  • This Policy does not guarantee the absolute security of your personal data. As stated in Section 9.4, we rely on third-party platforms and acknowledge the inherent limitations of community-operated infrastructure.
  • LEVELSTAIR cannot be held responsible for data processing carried out by third-party platforms under their own policies. Users are advised to review the privacy policies of Discord, WhatsApp/Meta, Google, Notion, and Airtable directly.
  • Community-generated content posted in LEVELSTAIR spaces is subject to moderation but LEVELSTAIR cannot guarantee that other community members will not independently copy, screenshot, or redistribute such content. Members should be mindful of the information they choose to share in community spaces.
  • This Policy applies only to data collected through official LEVELSTAIR channels. Informal data exchanges between community members are not governed by this Policy.
  • LEVELSTAIR does not represent that this Policy complies with the specific data protection laws of every country from which members may access the Platform. We have sought to align with broadly accepted international standards; however, members in jurisdictions with specific legal requirements are responsible for assessing their own compliance posture.
  • Where LEVELSTAIR provides links to third-party websites, resources, or platforms, those sites are not governed by this Policy. Visiting third-party sites is at your own risk.

Consent and Agreement Confirmed

LEVELSTAIR PRIVACY PROTOCOL V2.0