Educational content only · not financial advice · v1.0.0
· Academy
Legal · Privacy

Privacy policy.

What we collect, why, who we share it with, and the controls you have. Written to GDPR and UK GDPR standards. Subject to formal legal review before broad onboarding.

Last updated · 2026-07-18

1. What we collect

1.1 You give us

  • Account: name, email, password hash, and (for educators) a public bio + handle + linked instructor profile.
  • Geo-derived: your country / flag, auto-populated from the request country header on your first authenticated visit. You can edit this on your profile.
  • Payment (only when paid courses launch): billing address, last 4 digits of card. The card itself never touches our servers — it is held by Stripe.
  • Learning: course enrolment, lesson progress, completion certificates, course reviews you write.
  • Messaging: messages you exchange with instructors are stored to deliver the conversation.

1.2 We collect automatically

  • Device, browser, and request country (used for fraud and abuse detection and to populate your profile flag).
  • Behavioural analytics — page views and lesson completion times (used to surface drop-off and improve courses).
  • Admin actions — every action taken in the admin panel is recorded in our audit log against the acting admin.

2. Why we collect it

  • To run your account and deliver lessons.
  • To recommend the next course / lesson.
  • To issue certificates and let anyone verify them via a public serial URL.
  • To send transactional emails (welcome, course-completion certificate, refund status, instructor application updates).
  • To prevent abuse (account sharing, scraping, payment fraud).
  • To improve courses — aggregated and individual-level lesson funnel data is visible to the instructor of that course only.

3. Who we share it with

  • Supabase (auth + database hosting, EU-region) — handles authentication and stores all application data.
  • Vercel (web hosting, edge functions, analytics) — serves the web app and edge functions; collects request-level analytics.
  • Resend (transactional email + SMTP) — delivers all email we send (welcome, password reset, magic links, course updates).
  • Stripe (only when paid courses launch) — processes payments and stores card data on our behalf.
  • Law enforcement, only on valid legal process.

We do not sell your personal data. We do not run third-party ad tracking.

4. Your controls

  • Edit your profile (name, handle, country, focus) at any time from your account.
  • Reset your password at /forgot-password.
  • Data export and account deletion: we do not yet offer one-click data export or self-service account deletion. You can request both by emailing privacy@01lot.com. We will fulfil deletion requests within 30 days, retaining only the minimum required for tax / accounting / regulatory compliance (see retention).

5. Retention

Active accounts: indefinitely. After deletion request: 6 years of financial records (UK tax / accounting requirement); other personal data deleted within 30 days. Course reviews you wrote remain visible against your display name unless you delete them or close your account.

6. Children

Not for under-18s. We do not knowingly collect data from minors. If you become aware that we have, email privacy@01lot.com and we will delete the account.

7. International transfers

Our service providers (Vercel, Stripe, Resend) operate globally and may process data outside the UK / EEA, including in the United States. Transfers are protected by Standard Contractual Clauses or each provider's UK-approved transfer mechanism.

8. Contact

Data protection: privacy@01lot.com.