Privacy Policy

Account & Identity Information: First name, last name, email address, and password (stored as a secure cryptographic hash, never in plain text).

Profile Information: Age, country of residence, phone number, and profile image (if uploaded).

Payment Information: Payment details are collected and processed exclusively by Stripe, Inc., our PCI-compliant third-party payment processor. We store your Stripe customer ID, transaction references, amounts paid, currency, and subscription status but never store your credit card numbers, bank account details, or other sensitive financial information on our servers.

User-Generated Content: Posts, comments, reactions, images, and other content you submit through the Platform's community features.

Consent Records: Your acceptance of the Terms of Service and opt-in/opt-out status for marketing communications.

Usage & Progress Data: Lesson progress (percentage watched, completion status), course engagement metrics, and feature-usage patterns.

Session & Authentication Data: Authentication tokens (JWT), session identifiers, login timestamps, and token-refresh events.

Device & Browser Data: Browser type, operating system, screen resolution, language preferences, and general device information collected through standard web protocols and analytics services.

Geographic Inference: Your approximate geographic location inferred from your IP address (via the x-vercel-ip-country header) or your browser's timezone setting. This is used solely to display prices in your local currency (USD or EUR) and is not stored as a precise geolocation profile.

Analytics Data: We use Vercel Analytics, a privacy-focused analytics service, to collect anonymized usage data such as page views, navigation patterns, and performance metrics. Vercel Analytics does not use cookies and does not track individual users across sites.

Service Delivery (Performance of Contract): To create and manage your account, provide access to courses, track your learning progress, deliver community features, and fulfill your purchase.

Payment Processing (Performance of Contract): To process your purchase, manage billing through Stripe, and send purchase confirmations and receipts.

Transactional Communications (Performance of Contract / Legitimate Interest): To send you essential service-related notifications, including account verification emails, purchase confirmations, security alerts, community announcements, and comment-reply notifications.

Marketing Communications (Consent): If you have opted in, to send you promotional emails about programs, offers, and new content. You can withdraw marketing consent at any time.

Platform Improvement (Legitimate Interest): To understand how the Platform is used so we can improve the user experience, develop new features, and optimize performance.

Safety, Security & Compliance (Legitimate Interest / Legal Obligation): To enforce our Terms of Service, detect and prevent fraud or abuse (including chargeback fraud), manage bans and moderation, and comply with applicable legal obligations.

Internal Business Operations (Legitimate Interest): To send internal sale notifications to our team when a purchase is made, which include the buyer's name, email, phone number, country, and payment amount for order fulfillment and customer support readiness.

Stripe, Inc. (Payment Processing): Handles all payment processing, checkout, and billing. Your payment data is subject to Stripe's Privacy Policy. Stripe may also provide installment payment options (e.g., Klarna) subject to the applicable provider's terms.

Resend (Email Delivery): Delivers transactional and marketing emails on our behalf, including magic-link authentication emails, purchase confirmations, community announcements, comment-reply notifications, and promotional communications. Emails may contain your name and relevant content context.

VdoCipher (Video Hosting & DRM): Hosts and streams course video content with digital rights management (DRM) protection. VdoCipher receives video playback requests and may collect device/browser fingerprint data for DRM enforcement.

Vercel, Inc. (Hosting, Analytics & File Storage): Hosts the Platform infrastructure. Vercel Analytics collects anonymized usage metrics. Vercel Blob stores uploaded files (profile images, community post images, course documents) as publicly accessible URLs. Files uploaded to Vercel Blob may be accessible via their direct URL even after content is removed from the Platform interface, until the blob is explicitly deleted from storage.

Authentication Providers (Google, GitHub): If you use social login, your authentication data is also governed by that provider's privacy policy. We receive and store OAuth tokens to maintain your session.

Google Fonts: We use Google Fonts for typography rendering. Font files are loaded from Google's servers, which may process your IP address in accordance with Google's Privacy Policy.

Strictly Necessary Cookies: Authentication session cookies (e.g., next-auth.session-token) that are essential for you to log in and use the Platform. These cannot be disabled.

Analytics: Vercel Analytics uses a cookieless, privacy-focused approach to collect anonymized usage data. No personally identifiable tracking cookies are set by our analytics.

Account Data: Retained for as long as your account is active. Upon account deletion, personal data is removed within thirty (30) days, except as noted below.

Payment & Transaction Records: Retained for a minimum of seven (7) years to comply with tax, accounting, and financial-reporting obligations.

User-Generated Content: Posts and comments may be retained in anonymized form (with your personal identifiers removed) after account deletion to maintain the integrity of community discussions for other Users.

Moderation & Ban Records: Records of enforcement actions (including ban reasons and actor identifiers) are retained for as long as necessary to enforce our Terms of Service and prevent re-registration by banned Users.

Uploaded Files: Profile images and community-post images stored in Vercel Blob are deleted when you remove or replace them, or when your account is deleted. Files associated with cascading database deletions may remain as orphaned blobs until they are identified and cleaned up by our systems.

Access: The right to request a copy of the personal data we hold about you.

Correction: The right to request correction of inaccurate or incomplete data. You can update most profile information directly in your account settings.

Deletion: The right to request deletion of your personal data, subject to the retention exceptions described in Section 7. You can also delete your account directly from the Platform settings.

Portability: The right to receive your data in a structured, commonly used, machine-readable format.

Withdraw Consent: Where processing is based on consent (e.g., marketing emails), you may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.

Restriction of Processing: The right to request that we restrict the processing of your data in certain circumstances.

Objection: The right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

Supervisory Authority: The right to lodge a complaint with a data protection supervisory authority in your country of residence.

Right to Know: You have the right to know the categories and specific pieces of personal information we collect, the purposes for collection, and the categories of third parties with whom we share it.

Right to Delete: You have the right to request deletion of personal information we have collected, subject to legal exceptions.

No Sale / No Sharing: We do not sell or share (as defined by the CCPA/CPRA) your personal information for cross-context behavioral advertising.

Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

Passwords are securely hashed using industry-standard cryptographic algorithms (bcrypt) and never stored in plain text.

All data transmissions are encrypted using TLS (Transport Layer Security) protocols.

Payment information is handled exclusively by PCI DSS-compliant processors (Stripe). We do not process or store raw card data.

Access to personal data within our systems is restricted to authorized personnel on a need-to-know basis.

Video content is protected by DRM (Digital Rights Management) technology provided by VdoCipher.

Clicking the “unsubscribe” link in any marketing email.

Contacting us at support@gurmanova.guru.