1. What we collect
1.1 You give us
- Account: name, email, password hash, and (for educators) a public bio + handle + linked instructor profile.
- Geo-derived: your country / flag, auto-populated from the request country header on your first authenticated visit. You can edit this on your profile.
- Payment (only when paid courses launch): billing address, last 4 digits of card. The card itself never touches our servers — it is held by Stripe.
- Learning: course enrolment, lesson progress, completion certificates, course reviews you write.
- Messaging: messages you exchange with instructors are stored to deliver the conversation.
1.2 We collect automatically
- Device, browser, and request country (used for fraud and abuse detection and to populate your profile flag).
- Behavioural analytics — page views and lesson completion times (used to surface drop-off and improve courses).
- Admin actions — every action taken in the admin panel is recorded in our audit log against the acting admin.
2. Why we collect it
- To run your account and deliver lessons.
- To recommend the next course / lesson.
- To issue certificates and let anyone verify them via a public serial URL.
- To send transactional emails (welcome, course-completion certificate, refund status, instructor application updates).
- To prevent abuse (account sharing, scraping, payment fraud).
- To improve courses — aggregated and individual-level lesson funnel data is visible to the instructor of that course only.
3. Who we share it with
- Supabase (auth + database hosting, EU-region) — handles authentication and stores all application data.
- Vercel (web hosting, edge functions, analytics) — serves the web app and edge functions; collects request-level analytics.
- Resend (transactional email + SMTP) — delivers all email we send (welcome, password reset, magic links, course updates).
- Stripe (only when paid courses launch) — processes payments and stores card data on our behalf.
- Law enforcement, only on valid legal process.
We do not sell your personal data. We do not run third-party ad tracking.
4. Your controls
- Edit your profile (name, handle, country, focus) at any time from your account.
- Reset your password at /forgot-password.
- Data export and account deletion: we do not yet offer one-click data export or self-service account deletion. You can request both by emailing privacy@01lot.com. We will fulfil deletion requests within 30 days, retaining only the minimum required for tax / accounting / regulatory compliance (see retention).
5. Retention
Active accounts: indefinitely. After deletion request: 6 years of financial records (UK tax / accounting requirement); other personal data deleted within 30 days. Course reviews you wrote remain visible against your display name unless you delete them or close your account.
6. Children
Not for under-18s. We do not knowingly collect data from minors. If you become aware that we have, email privacy@01lot.com and we will delete the account.
7. International transfers
Our service providers (Vercel, Stripe, Resend) operate globally and may process data outside the UK / EEA, including in the United States. Transfers are protected by Standard Contractual Clauses or each provider's UK-approved transfer mechanism.
8. Contact
Data protection: privacy@01lot.com.