Privacy Policy
Last updated: February 23, 2026
Data We Collect
| Data Category | What We Collect | How Long We Keep It |
|---|---|---|
| Account Data | Name, email, password (encrypted) | Until account deletion + 30 days |
| Profile Data | Avatar, timezone, bio | Until account deletion |
| Payment Data | Stripe customer ID (NOT card numbers) | 7 years (tax/accounting) |
| Transaction History | Purchases, amounts, dates | 7 years (tax/accounting) |
| Subscription Data | Plan type, status, start/end dates | 7 years (tax/accounting) |
| Quiz Responses | Readiness level, experience, challenges | Until account deletion |
| Content Engagement | Pages viewed, content played, progress | 2 years rolling |
| Community Posts | Forum topics, replies | Until deleted by user or admin |
| Email Preferences | Opt-in/out status, email frequency | Until account deletion |
| Session Data | Login timestamps, IP addresses, device info | 90 days |
| Cookies | Session cookies, analytics cookies, preferences | See Cookie Policy |
| Lab Registrations | Name, email, session registered for | 1 year after lab date |
| Support Communications | Emails, messages to support | 3 years |
Data NOT Collected
- Credit card numbers, CVVs, or bank account details (handled entirely by Stripe, never touches our server)
- Social Security numbers
- Health records or medical information
- Biometric data
Third-Party Data Sharing
| Third Party | Data Shared | Purpose |
|---|---|---|
| Stripe | Name, email, payment intent | Payment processing |
| Supabase | All account and content data | Database hosting |
| Resend | Name, email, event type | Transactional email delivery |
| Cloudflare | IP address, request headers | CDN and security |
| Bunny Stream | Video view events (anonymous) | Video hosting and delivery |
| Google Analytics (GA4) | Anonymized browsing behavior | Website analytics |
| Calendly | Name, email, booking time | Session scheduling |
Data is NOT sold. We do not sell, rent, or trade user personal data to any third party, ever.
User Rights
| Right | How to Exercise |
|---|---|
| Right to know what data is collected | Email request or Account Settings |
| Right to access/download your data | Account Settings > "Download My Data" |
| Right to delete your data | Account Settings > "Delete Account" or email request |
| Right to correct inaccurate data | Account Settings (self-service) or email request |
| Right to data portability | Same as access (data export) |
| Right to opt out of analytics | Cookie banner settings |
| Right to opt out of marketing emails | Unsubscribe link in every email + Account Settings |
| Right to restrict processing | Email request |
| Right to object to processing | Email request |
Response time: All requests fulfilled within 30 days (GDPR) / 45 days (CCPA).
Account Deletion Process
1. User requests deletion via Account Settings or email
2. Active subscriptions must be canceled first (commitment minimums still apply)
3. Account data deleted within 30 days
4. Transaction/payment records retained for 7 years (legal/tax requirement, disclosed to user)
5. Community forum posts anonymized (author changed to “Deleted User”) but content preserved for thread integrity
6. Deletion is irreversible. User is warned before confirmation.
Data Security Summary
- All data encrypted in transit (TLS 1.3)
- All data encrypted at rest (AES-256)
- Passwords hashed with bcrypt (never stored in plain text)
- Payment data handled by Stripe (PCI DSS Level 1 certified, never touches our server)
- Admin access requires two-factor authentication
- Security breach notification within 72 hours
Children's Privacy
The platform is not intended for children under 18. We do not knowingly collect personal information from minors. If a parent or guardian becomes aware that their child has provided personal information, they should contact us immediately. Any such data will be deleted within 48 hours.
International Data Transfers
User data may be transferred to and processed in the United States. For EU users, this transfer is protected by Standard Contractual Clauses where applicable, compliance certifications from our service providers, and user consent at signup.
Questions
If you have questions about this Privacy Policy, please reach out at hi@cocoswanson.com.