Privacy Policy
Last updated: April 2026
Horane Technologies LLC (“we,” “us,” or “our”) operates the Take Action AI platform (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and SOC 2 security standards.
1. Information We Collect
Account Information: When you register, we collect your name, email address, and password (stored as a salted hash). If you enable Multi-Factor Authentication (MFA), we store a TOTP secret associated with your account.
Payment Information: Payment details (credit card numbers, billing addresses) are processed directly by Stripe. We do not store full payment card details on our servers. We retain Stripe customer IDs and subscription metadata.
Usage Data: We automatically collect information about how you interact with the Service, including pages visited, course progress, quiz attempts, forum posts, chat messages, IP addresses, browser type, and device information.
User-Generated Content: Forum posts, chat messages, quiz responses, and any other content you voluntarily submit through the platform.
Cookies and Similar Technologies: We use essential and functional cookies as described in our Cookie Policy.
2. How We Use Your Data
We process your personal data for the following purposes:
- Providing, operating, and maintaining the Service
- Processing payments and managing subscriptions via Stripe
- Tracking course progress and delivering personalized learning experiences
- Authenticating your identity and securing your account (including MFA)
- Sending transactional notifications (enrollment confirmations, progress updates)
- Facilitating community features (forums, real-time chat via Centrifugo)
- Analyzing usage patterns to improve our platform and content
- Complying with legal obligations and enforcing our Terms of Service
- Detecting, preventing, and addressing fraud, abuse, and security issues
3. Legal Basis for Processing (GDPR Article 6)
We rely on the following legal bases under GDPR Article 6(1) to process your personal data:
- Performance of a Contract (Art. 6(1)(b)): Processing necessary to fulfill our agreement with you, including providing access to courses, managing your account, and processing payments.
- Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for optional analytics cookies or marketing communications. You may withdraw consent at any time.
- Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including platform security, fraud prevention, and service improvement, provided these interests are not overridden by your rights.
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as tax reporting and regulatory requirements.
4. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
- Account Data: Retained for the duration of your account and for 30 days after deletion request (to allow recovery).
- Payment Records: Retained for 7 years to comply with tax and financial regulations.
- Usage Logs: Retained for 12 months, then anonymized or deleted.
- Forum and Chat Content: Retained for the life of the platform unless you request deletion. Deleted content may be retained in backups for up to 90 days.
- Soft-Deleted Records: Our system uses soft deletion for data integrity. Soft-deleted records are permanently purged within 90 days.
5. Your Rights Under GDPR (Articles 15-22)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:
- Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): You have the right to request deletion of your personal data, subject to legal retention requirements.
- Right to Restrict Processing (Art. 18): You have the right to request that we limit how we use your data in certain circumstances.
- Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to Object (Art. 21): You have the right to object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
- Right Regarding Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
To exercise any of these rights, please contact our Data Protection Officer at [email protected]. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
7. Third-Party Services
We share data with the following third-party service providers, each acting as a data processor on our behalf:
- Stripe: Processes payments and manages subscription billing. Stripe receives your payment information directly and is PCI-DSS Level 1 certified. See Stripe's Privacy Policy.
- Cloudflare: Provides CDN, DDoS protection, and performance optimization. Cloudflare may process IP addresses and request metadata. See Cloudflare's Privacy Policy.
- Centrifugo: Powers real-time WebSocket communication for our chat feature. Centrifugo is self-hosted on our infrastructure and does not transmit data to external parties.
We require all third-party processors to maintain appropriate technical and organizational security measures and to process data only according to our instructions.
8. Data Security (SOC 2 Compliance)
We implement robust technical and organizational measures aligned with SOC 2 Trust Service Criteria to protect your personal data:
- Encryption: All data in transit is encrypted using TLS 1.2+. Sensitive data at rest is encrypted using AES-256.
- Authentication: Passwords are hashed with bcrypt. JWT tokens are stored in httpOnly, Secure, SameSite cookies. Multi-Factor Authentication (TOTP) is available for all accounts.
- Access Controls: Role-based access control (RBAC) restricts data access to authorized personnel only. Administrative actions are logged with full audit trails.
- Infrastructure: Our database, cache (Redis), and message queue (RabbitMQ) are deployed on secured, isolated infrastructure with firewall rules and network segmentation.
- Monitoring: We maintain continuous monitoring, structured logging, and incident response procedures.
- Soft Deletion: Records are soft-deleted to maintain referential integrity and support audit trails before permanent purging.
9. International Data Transfers
Horane Technologies LLC is based in the United States. If you access the Service from outside the United States, your personal data will be transferred to and processed in the United States. We ensure that such transfers comply with applicable data protection laws by implementing appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all third-party sub-processors
- Technical measures ensuring the continued protection of transferred data
10. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].
11. Contact Information
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Horane Technologies LLC
Product: Take Action AI
General Inquiries: [email protected]
Data Protection Officer: [email protected]
We will endeavor to respond to all privacy-related inquiries within 30 days.