Last updated: May 5, 2026
Privacy Policy
This Privacy Policy describes how Collective 1X3 ("we", "us", "our") collects, uses, stores, and protects personal data when you use the Daway platform available at daway.club (the "Platform"). Daway is a community membership platform where creators build private communities with tiered subscriptions, courses, chat, and affiliate programs.
We are committed to protecting your privacy and complying with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation" or "GDPR"), as well as applicable national data protection laws.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
The data controller responsible for the processing of your personal data is:
Collective 1X3
State of New Mexico, United States of America
Email: contact@daway.club
Website: daway.club
As data controller, Collective 1X3 determines the purposes and means of processing personal data collected through the Platform, in compliance with Regulation (EU) 2016/679 (GDPR).
2. Personal Data Collected
We collect and process different categories of personal data depending on your use of the Platform. Below is an exhaustive list of the data categories we may collect:
2.1 Identity Data
- Full name (first name, last name)
- Email address
- Username / display name
- Date of birth
- Profile avatar / photo
2.2 Contact & External Identifiers
- Email address
- Social media handles (Instagram, Twitter/X, YouTube, TikTok, etc.)
- External profile URLs provided by the user
2.3 Payment Data
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. We never store credit card numbers, CVV codes, or full payment card details on our servers.
- Stripe customer ID
- Transaction history (amounts, dates, subscription status)
- Billing address (when provided to Stripe)
- Invoice and receipt records
- Refund and dispute history
2.4 Community & Membership Data
- Community memberships and subscription tiers
- Access passes and invitations
- Course enrollments and lesson completion progress
- Chat messages and direct messages
- Community reviews and ratings
- User-generated content posted within communities
- Application forms and responses
2.5 Affiliate & Referral Data
- Affiliate tracking codes and referral links
- Commission history and payout records
- Referral events (sign-ups, conversions)
- Click data (timestamps, source URLs, landing pages)
- Affiliate program enrollments
2.6 Historical Communication Data
- Archived contact and consent records from retired communication tools
- Historical delivery and engagement logs where retained for audit purposes
- Unsubscribe records and communication preferences
2.7 Browsing & Analytics Data
- IP address
- User agent (browser type, operating system, device type)
- Pages visited and navigation paths
- Session duration and timestamps
- Referral source (where you came from)
- Geographic location (country/region level, derived from IP)
2.8 Experiment Data
- A/B test variant assignments
- Pricing experiment data and conversion events
- Feature flag assignments
- Experiment participation timestamps
3. Purpose of Processing
Your personal data is processed for the following purposes:
- Account management: creating, maintaining, and authenticating your user account.
- Service delivery: providing access to communities, courses, chat, and all Platform features.
- Payment processing: managing subscriptions, processing payments, issuing invoices, and handling refunds and disputes.
- Affiliate tracking: managing referral programs, calculating commissions, and processing affiliate payouts.
- Transactional communications: sending account, access, billing, support, security, and service emails.
- Analytics & improvement: analyzing usage patterns to improve the Platform, optimize user experience, and conduct A/B tests.
- Legal compliance: fulfilling our legal and regulatory obligations, including tax reporting and record-keeping.
- Fraud prevention & security: detecting, preventing, and investigating fraudulent activity, abuse, and security incidents.
- Platform improvement: developing new features, testing improvements, and ensuring the overall quality and reliability of the Platform.
- Dispute & chargeback defense: collecting and retaining technical evidence (timestamps, encrypted IP, user-agent, lesson events, watch time, terms acceptance with version) to prove the actual delivery of the contracted services in the event of a payment dispute (chargeback) initiated with a bank or card network. This processing is detailed in section 7.
4. Legal Basis for Processing
We process your personal data on the following legal bases, as defined by Article 6(1) of the GDPR:
4.1 Performance of a contract (Article 6(1)(b)). Processing is necessary for the performance of the contract between you and Collective 1X3 when you use the Platform. This includes account creation, service delivery, subscription management, payment processing, and community access.
4.2 Consent (Article 6(1)(a)). Certain processing activities are based on your explicit consent, including optional communications, analytics cookies, and participation in experiments or A/B tests. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4.3 Legitimate interest (Article 6(1)(f)). We rely on our legitimate interest for fraud prevention, Platform security, improving our services, and internal analytics. We ensure that our legitimate interests do not override your fundamental rights and freedoms. A balancing test is conducted for each processing activity based on this legal basis.
4.4 Legal obligation (Article 6(1)(c)). We process certain data to comply with legal obligations, including tax regulations, anti-money laundering requirements, accounting obligations, and responding to lawful requests from public authorities.
5. Data Recipients
Your personal data may be shared with the following categories of recipients, strictly to the extent necessary for the purposes described in this policy:
Stripe — Payment Processing & Dispute Defense
Handles all payment transactions, subscription billing, and payout processing. PCI-DSS Level 1 certified. In the event of a payment dispute (chargeback), Stripe also receives the evidence file we compile to prove the lawful execution of the contract (acceptance proofs, IP, timestamps, watch time, refund correspondence) and forwards it to the card network and the issuing bank. See section 7 for retention details.
stripe.com/privacy
Resend — Email Delivery
Delivers transactional emails (account verification, password resets, notifications) and marketing campaigns.
resend.com/legal/privacy-policy
Mux — Video Hosting
Hosts and streams video content for courses and community features.
mux.com/privacy
PostHog — Analytics
Provides product analytics, session recordings, feature flags, and experiment management.
posthog.com/privacy
Hosting: The Platform is hosted on private, secure servers operated directly by Collective 1X3. We do not use third-party hosting platforms such as Vercel, AWS, or similar services for application hosting.
We do not sell, rent, or trade your personal data to any third party. Data is shared with the above recipients solely to provide and improve our services.
6. Data Transfers Outside the EU
Collective 1X3 is based in the United States of America (New Mexico). As a result, your personal data may be transferred to, stored, and processed in the United States or other countries outside the European Economic Area (EEA) where our service providers operate.
The following service providers may process your data outside the EU/EEA:
- Supabase (United States)
- Stripe (United States)
- Resend (United States)
- Mux (United States)
- PostHog (United States / European Union)
To ensure an adequate level of protection for your personal data in accordance with Chapter V of the GDPR, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR, ensuring contractual obligations to protect your data.
- EU-U.S. Data Privacy Framework: where applicable, our US-based providers are certified under the EU-U.S. Data Privacy Framework, providing an adequate level of data protection as recognized by the European Commission.
- Encryption: all data is encrypted in transit (TLS 1.2+) and at rest, regardless of where it is stored.
You may request a copy of the applicable safeguards by contacting us at contact@daway.club.
7. Data Retention Period
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The specific retention periods are as follows:
Upon expiration of the applicable retention period, your data is securely deleted or anonymized so that it can no longer be associated with you.
8. Your Data Protection Rights
In accordance with the GDPR and applicable data protection laws, you have the following rights regarding your personal data:
- Right of access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to receive a copy of that data along with information about the processing.
- Right to rectification (Article 16): You have the right to request the correction of inaccurate personal data and the completion of incomplete data.
- Right to erasure / "right to be forgotten" (Article 17): You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when the data has been unlawfully processed.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller without hindrance.
- Right to object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests, including profiling. You also have the right to object at any time to the processing of your data for direct marketing purposes.
- Right to restriction of processing (Article 18): You have the right to request the restriction of processing in certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful but you oppose erasure.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
How to exercise your rights: Send your request by email to contact@daway.club. Please include sufficient information to verify your identity (name, email associated with your account). We will respond to your request within 30 calendar days of receipt. If the request is complex or we receive a large number of requests, this period may be extended by an additional 60 days, in which case we will inform you of the extension within the initial 30-day period.
9. Data Security
We implement appropriate technical and organizational measures to ensure the security, confidentiality, integrity, and availability of your personal data, in accordance with Article 32 of the GDPR.
- Encryption at rest and in transit: All data is encrypted using industry-standard algorithms. All communications between your browser and our servers use HTTPS with TLS 1.2 or higher.
- Access control & least privilege: Access to personal data is restricted to authorized personnel on a need-to-know basis. We enforce the principle of least privilege across all systems and services.
- OTP authentication: The Platform uses one-time password (OTP) authentication via email. No passwords are stored on our servers, eliminating the risk of password database breaches.
- Infrastructure certifications: Our service providers maintain industry-leading security certifications, including SOC 2 Type II and ISO 27001, ensuring that data processing meets rigorous security standards.
- Regular security audits: We conduct regular security assessments, vulnerability scans, and code reviews to identify and remediate potential security risks.
- Monitoring & incident response: We maintain continuous monitoring of our systems and have an established incident response plan to detect and respond to security threats promptly.
10. Personal Data Breach
In the event of a personal data breach, we will act in accordance with Articles 33 and 34 of the GDPR:
- Notification to the supervisory authority (Article 33): If the breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.
- Communication to affected individuals (Article 34): If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will inform affected users without undue delay, providing clear information about the nature of the breach and the steps they can take to protect themselves.
- Documentation: All personal data breaches are documented, including the facts of the breach, its effects, and the corrective actions taken. This documentation is maintained in accordance with Article 33(5) of the GDPR and is available for review by supervisory authorities upon request.
11. Right to Lodge a Complaint
If you believe that the processing of your personal data constitutes a violation of the GDPR or applicable data protection laws, you have the right to lodge a complaint with a supervisory authority, in accordance with Article 77 of the GDPR.
You may contact the supervisory authority in your country of residence, your place of work, or the place of the alleged infringement. Below are relevant supervisory authorities:
CNIL — Commission Nationale de l'Informatique et des Libertés (France)
www.cnil.fr
APD — Autorité de protection des données (Belgium)
www.autoriteprotectiondonnees.be
PFPDT — Préposé fédéral à la protection des données et à la transparence (Switzerland)
www.edoeb.admin.ch
12. Changes to This Policy
We reserve the right to modify this Privacy Policy at any time. Any changes will be effective immediately upon publication on this page, with the "Last updated" date revised accordingly.
In the event of substantial changes that materially affect how we process your personal data, we will notify you by email (sent to the address associated with your account) or through a prominent notice on the Platform prior to the changes taking effect.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
13. Contact — Data Protection Officer
For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, you may contact us at:
Collective 1X3 — Data Protection
State of New Mexico, United States of America
Email: contact@daway.club
We will endeavor to respond to all legitimate inquiries within a reasonable timeframe and no later than 30 calendar days from receipt of your request.