Privacy Policy
Last updated: [DATE]. This is a draft to be reviewed by counsel before publishing.
1. Who we are
[COMPANY LEGAL NAME], [REGISTERED ADDRESS] (“we”) is the data controller for personal data processed through this platform. For a coach’s branded academy, the coach may be an independent controller for their student relationships; where that applies it is described at [COACH DPA / ARRANGEMENT]. Contact our data protection contact at [PRIVACY EMAIL] ([DPO / EU REPRESENTATIVE IF APPLICABLE]).
2. Data we collect
- Account: name, email, role (coach/student), and your sign-in method (Google or email magic-link).
- Learning activity: enrollments, lesson/action completions, XP, badges, goals, streaks, and messages you send coaches.
- Coach content: courses, lessons, media, articles, videos, and automations you create.
- Payments: purchase records (amount, course, date, coupon). Card details are handled by Stripe — we never see or store full card numbers.
- Technical & usage: pages visited, article/video views with referrer/UTM, log data, IP address, device/browser, and cookie data (see the Cookie Policy).
3. How and why we use it (and legal bases)
- Provide the service — deliver courses, track progress, run messaging (performance of a contract).
- Process payments and prevent fraud (contract / legal obligation).
- Send transactional email, and marketing email only where permitted (legitimate interests / consent).
- Run course automations and give coaches aggregate insight into their students (legitimate interests).
- Security, abuse prevention, analytics, and legal compliance (legitimate interests / legal obligation; analytics per your cookie choice).
4. Who we share it with
We share data with service providers (processors) who act on our instructions, including: hosting & analytics ([VERCEL]), database ([NEON]), payments ([STRIPE]), transactional email ([SENDGRID] / [RESEND]), rate-limiting ([UPSTASH]), error monitoring ([SENTRY]), and sign-in ([GOOGLE] / email magic-link). Coaches can see the data of students enrolled in their own courses. We do not sell personal data. Confirm the current, complete sub-processor list before publishing.
5. Retention & international transfers
We keep personal data for as long as your account is active and as needed for the purposes above or as required by law (e.g. tax/accounting for order records), then delete or anonymize it. Data may be processed in [REGIONS]; where data leaves your region, transfers rely on appropriate safeguards (e.g. EU Standard Contractual Clauses). [CONFIRM RETENTION PERIODS + TRANSFER MECHANISMS.]
6. Your rights
Depending on your location (e.g. EU/UK GDPR, CCPA/CPRA), you may have the right to access, correct, export (portability), delete, restrict, or object to processing, and to withdraw consent at any time without affecting prior processing. To exercise these, email [PRIVACY EMAIL] ; we will respond within the period required by law. Self-serve data export and account deletion from Account settings are planned. You may also lodge a complaint with your local supervisory authority (in Sweden, the Integritetsskyddsmyndigheten (IMY)).
7. Security & children
We use technical and organizational measures (encryption in transit, access controls, error monitoring) to protect personal data, but no system is perfectly secure. The service is not directed to children under [AGE], and we do not knowingly collect their data.
8. Changes & contact
We may update this policy; we will post material changes here and, where required, notify you. Questions or requests: [PRIVACY EMAIL].