Privacy Policy

1. Introduction

Courses (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, and what rights you have regarding your data.

This policy applies to all users of the Courses platform, including visitors, registered users, students, and creators. By using the Platform, you agree to the collection and use of information as described in this policy.

2. Data We Collect

2.1 Account & Registration Data

When you create an account, we collect:

• Name and email address;
• Password (stored in hashed form via AWS Cognito — we never store your plain-text password);
• Profile information you choose to provide (profile photo, bio, social links);
• Authentication data if you sign in via Google OAuth (name, email, and profile picture from your Google account).

2.2 Creator Data

If you register as a creator, we additionally collect:

• Business information (shop name, payout details) required for Stripe Connect onboarding;
• Tax information as required by applicable law and Stripe’s requirements;
• Course content you upload (videos, images, text, quizzes, assignments, downloadable files).

2.3 Purchase & Transaction Data

When you make a purchase, we collect:

• Order details (courses purchased, price, date);
• Payment information — processed by Stripe. We do not store full card numbers. We receive confirmation of payment and a Stripe payment reference;
• Refund history;
• Invoice data for tax and accounting purposes.

2.4 Usage & Learning Data

When you use the Platform, we collect:

• Course progress data (which modules you have viewed, quiz scores, completion status);
• Video playback data (last-played position, play events) — used to track progress and enforce refund eligibility;
• Reviews and ratings you submit;
• Support requests you submit.

2.5 Technical & Analytics Data

We automatically collect certain technical data when you use the Platform:

• IP address, browser type, operating system, and device information;
• Pages visited, time spent, and navigation patterns;
• Error and performance data collected via Sentry (error monitoring);
• Usage analytics collected via Google Analytics (see Section 5 for details).

3. How We Use Your Data

We use your personal data for the following purposes:

• Account management: Creating and managing your account, authenticating your identity, and providing access to purchased content;
• Order fulfillment: Processing payments, issuing invoices, and granting access to purchased courses;
• Refund processing: Evaluating refund eligibility based on purchase date and course progress;
• Creator payouts: Calculating and processing creator earnings via Stripe Connect;
• Platform improvement: Analyzing usage patterns to improve the Platform’s features and performance;
• Content moderation: Reviewing uploaded content for compliance with our policies, including automated scanning;
• Communications: Sending transactional emails (order confirmations, refund notifications, support responses);
• Legal compliance: Meeting our obligations under applicable law, including tax, accounting, and consumer protection requirements;
• Security & fraud prevention: Detecting and preventing fraudulent activity, abuse, and unauthorized access.

4. Data Sharing

4.1 Sharing with Creators (Sellers)

When you purchase a course, your email address is shared with the course creator. This is necessary for order processing and to enable the creator to provide course-related support. Creators are required to handle your data in accordance with applicable data protection laws.

4.2 Third-Party Service Providers

We share data with trusted third-party service providers who help us operate the Platform:

• AWS (Amazon Web Services): Cloud infrastructure, database storage (DynamoDB), file storage (S3), content delivery (CloudFront), email delivery (Lambda), and authentication (Cognito). Data may be stored in the EU (eu-central-1 region).
• Bunny CDN: Video hosting and streaming. Videos you upload (as a creator) or watch (as a student) are served via Bunny CDN infrastructure. Bunny CDN may collect technical data such as IP addresses for delivery optimization.
• Stripe: Payment processing and creator payouts via Stripe Connect. Stripe processes payment data in accordance with their Privacy Policy and PCI DSS standards.
• Google Analytics: We use Google Analytics to understand how users interact with the Platform. Google Analytics collects anonymized usage data including page views, session duration, and navigation paths. You can opt out via the Google Analytics Opt-out Browser Add-on.
• Sentry: Error monitoring and performance tracking. Sentry may collect technical data including error messages, stack traces, and device information.

4.3 Legal Disclosures

We may disclose your personal data if required to do so by law, or in response to valid legal requests from public authorities (e.g., courts, law enforcement agencies).

4.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer.

4.5 Google API Services — Limited Use Disclosure

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use data obtained via Google APIs (name, email address, and profile picture) to provide and improve user-facing features of the Platform, namely account creation and authentication;
• We do not transfer Google user data to third parties, except as necessary to provide or improve the Platform’s core functionality, for security purposes, to comply with applicable law, or as part of a merger or acquisition with prior user consent;
• We do not use Google user data for serving advertisements, retargeting, personalized or interest-based advertising, or to determine creditworthiness;
• We do not allow humans to read Google user data unless you have given affirmative consent, it is necessary for security or legal purposes, or the data is aggregated and anonymized for internal operations.

5. Cookies & Tracking

We use cookies and similar tracking technologies to operate and improve the Platform. These include:

• Essential cookies: Required for the Platform to function (e.g., authentication session cookies);
• Analytics cookies: Used by Google Analytics to collect anonymized usage data;
• Performance cookies: Used to monitor Platform performance and detect errors.

You can control cookies through your browser settings. Disabling essential cookies may affect Platform functionality.

6. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes described in this policy, or as required by law. Specific retention periods:

• Account data: Retained for the duration of your account and for a period after deletion as required by law or for legitimate business purposes (e.g., resolving disputes, fraud prevention);
• Transaction & invoice data: Retained for a minimum of 7 years for tax and accounting compliance;
• Course progress data: Retained for the duration of your access to the course;
• Analytics data: Retained in accordance with Google Analytics’ data retention settings (typically 14 months for user-level data).

6.1 Account Deletion

If you delete your account, we will begin the process of removing your personal data. However, please be aware that:

• Deletion of your account does not result in the immediate or complete removal of all your data. Certain data is retained as required by law (e.g., transaction records for tax purposes) or for legitimate business purposes (e.g., fraud prevention, resolving outstanding disputes);
• If you are a creator, course content associated with purchases made by students may be retained to fulfill ongoing student access obligations (see our Creator Terms);
• Anonymized or aggregated data derived from your usage may be retained indefinitely as it no longer identifies you;
• Backup copies of data may persist for a limited period before being overwritten.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you;
• Right to rectification: Request correction of inaccurate or incomplete data;
• Right to erasure: Request deletion of your personal data, subject to legal retention obligations;
• Right to restriction: Request that we restrict processing of your data in certain circumstances;
• Right to data portability: Request a copy of your data in a structured, machine-readable format;
• Right to object: Object to processing of your data for certain purposes, including direct marketing;
• Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, please contact us at privacy@courses.com. We will respond within 30 days. We may need to verify your identity before processing your request.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These measures include:

• Encryption of data in transit (HTTPS/TLS);
• Encryption of data at rest in AWS storage services;
• Access controls limiting who can access personal data within our organization;
• Authentication via AWS Cognito with secure password hashing;
• Regular security monitoring via Sentry and AWS CloudWatch.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. International Data Transfers

Your data may be processed in countries outside your own, including the United States (where AWS and Google have infrastructure). Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.

10. Children’s Privacy

The Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date, and where appropriate, by email. Your continued use of the Platform after changes are posted constitutes your acceptance of the updated policy.

12. Contact & Data Controller

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy inquiries: privacy@courses.com
• General support: support@courses.com

If you are located in the EU/EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.