Privacy Policy
Last updated: May 28, 2026
1. Information We Collect
When you purchase a course, we store the following on our servers:
- First name and last name
- Email address
- An encrypted (hashed) password
- Enrollments, lesson progress, and certificates
- Invoice records (invoice number, amount, product, date) — see Section 9
Your billing country and payment method are captured by Stripe during checkout and stored in Stripe, not on our servers. We do not see or store your card details.
2. How We Use Your Information
- Create your account and deliver the courses you purchased
- Send your login credentials and service emails
- Process payments and prevent fraud (via Stripe)
- Meet our legal obligations (tax/accounting records)
3. Payment Processing
All payment processing is handled by Stripe, Inc. We never store your credit card information on our servers. Stripe's privacy policy applies to the handling of your payment data.
4. Cookies and Analytics
We use the following:
- Strictly necessary cookies — required for the site to function. These include a consent preference cookie that remembers your choice.
- Analytics — anonymous pageviews via PostHog. No IP address, no cross-site tracking, no autocapture of form inputs. Runs in a cookieless mode that does not require consent.
- Session recording (optional) — see Section 4a.
4a. Session Recording
We capture anonymized replays of how visitors navigate our site in order to diagnose bugs and improve UX. Our legal basis is legitimate interest (GDPR Art. 6(1)(f)), balanced against your privacy by aggressive input masking and strict retention limits.
- What is captured: page URL, clicks, scrolls, and a masked DOM. All form inputs are masked by default; you see the form, we see only placeholders.
- What is never captured: passwords, payment details, MFA codes, or values typed into any input field. Checkout, login, password, and MFA forms are blocked entirely.
- IP address: not stored.
- Retention: 30 days, then automatically deleted.
- Processor: PostHog. A Data Processing Agreement is in place.
- Objection: you may object to this processing at any time by emailing us at the address in Section 12. We will stop recording your sessions and delete existing recordings on request.
5. Age Requirement
Our services are intended for users aged 16 or older. By creating an account or making a purchase you confirm that you are at least 16.
6. Third-Party Processors
- Stripe — payment processing (stores billing country, card details, customer profile)
- PostHog — privacy-friendly analytics
- Google — optional social login (you choose whether to use it; only email and basic profile are requested)
7. Your Rights
You have the following rights under the GDPR. All of them can be exercised directly from your account's Settings → Privacy & Data page, or by emailing us:
- Access & portability — download all your data as JSON from Settings → Privacy & Data.
- Rectification — edit your name on the Profile page; change your email address on the Email page (requires re-verification).
- Erasure — delete your account from Settings → Privacy & Data. See Section 9 for what is erased and what is retained.
- Withdraw analytics consent — use the "Decline analytics" button in the cookie banner.
- Lodge a complaint — with your national data-protection authority.
8. Account Deletion
When you delete your account, we erase your profile, login credentials, enrollments, and lesson progress, and remove any future access to purchased content. Deleting your account voids your right to future access to previously purchased courses and to refunds on past purchases.
9. Data Retention
We retain your personal information for as long as your account is active. After account deletion the following limited records are retained, because we are legally required to keep them under Bulgarian tax and accounting law (Наредба Н-18, Appendix 29) for approximately 10 years:
- Invoice number, product, amount, date
- Name and email at time of purchase (as required for a valid invoice)
- Stripe session reference
No login credentials, progress, or access rights are retained. This retention is permitted under GDPR Article 17(3)(b) (compliance with a legal obligation).
10. Data Security
We apply industry-standard technical and organisational measures to protect your data. These include encryption in transit, secure password storage, two-factor authentication for privileged accounts, and tamper-evident payment records.
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via email.
12. Contact
Privacy questions and requests: [email protected].