We collect the following categories of personal data:
Account data — username, email, password hash (bcrypt). Optionally first/last name if you set them for certificates.
Discord account data — Discord ID, username, avatar URL, and the email associated with your Discord account, if you choose to link Discord.
Payment data — name, billing address, card last-4 and country are handled by Stripe (we never see the card number). We store your Stripe customer ID and the active subscription tier.
Integrity-monitoring data — when you take an aptitude test or compete in a PvP battle, a client-side WASM module records behavioral signals (typing cadence variance, focus/blur transitions, tab-switch counts, browser fingerprint heuristics) to detect cheating. Collection only happens with your explicit consent, recorded in your profile; the data is retained for 90 days.
Communication — bug reports, contact-form submissions, comments, blog posts you author.
Operational data — IP address, user agent, and timestamp on security-sensitive actions (login, password reset, email change, admin actions). Retained in our audit log for 12 months.
2. How We Use Your Information
We use your information to:
Operate the platform — authenticate, track progress, award certificates, run leaderboards.
Process payments and manage subscriptions (Stripe).
With your consent, send a periodic newsletter and product-update emails. You can opt out at any time in Settings → Email Preferences.
With your consent, measure traffic via Google Analytics and run advertising via Google Ads / AdSense (analytics and ad cookies are opt-in via our cookie banner).
Detect cheating during integrity-monitored sessions.
Provide customer support.
Comply with legal obligations.
3. Third-Party Processors
We rely on these services:
Stripe — payment processing and subscription management. Receives your billing data directly via Stripe.js (we never see card numbers).
Discord — receives your Discord ID and email when you link or sign in with Discord; receives role-sync API calls when your tier or rank changes.
Google — Google Ads (conversion tracking), Google AdSense (display advertising), reCAPTCHA (anti-bot). All opt-in via the cookie banner.
Anthropic / OpenAI — when you use AI-assisted features (blog summarization, blog search, blog image generation) the request and a snippet of the relevant content are sent to the AI provider.
Email infrastructure — outbound email is delivered via Google's Gmail API on behalf of a configured operational mailbox.
Hosting — application servers and Postgres database hosted on operator infrastructure (managed Supabase Postgres for the primary DB).
We do not sell personal data.
4. Cookies & Tracking
We use three categories of cookies:
Strictly necessary — session cookies for sign-in and security. Always enabled.
Analytics — Google Analytics page-view counts. Opt-in via the cookie banner.
Advertising — Google Ads / AdSense. Opt-in via the cookie banner. We use Google Consent Mode v2 so these cookies are denied by default until you accept.
You can change your choice at any time by re-opening the cookie banner with the button below. Your stored choice will be pre-loaded so you can flip individual categories without starting from scratch.
5. Integrity Monitoring
When you start an aptitude test or PvP battle we ask for explicit consent to monitor the session for cheating. With consent, our client-side WebAssembly module records:
Typing cadence variance and key-hold timing (no raw key contents).
Canvas/audio/WebGL fingerprint hashes (used to detect VM/automation).
Reports are retained for 90 days. You can review every flag raised against your sessions, including reasons and admin verdicts, by requesting a full data export at Settings → Your Data → Download my data. Admin reviewers examining a flag have access to your username and avatar to enable investigation; their actions on flagged sessions are recorded in our audit log.
6. Data Security
HTTPS / HSTS in transit.
Bcrypt-12 password hashes; tokenVersion bump invalidates all JWTs on password change or role demotion.
VPN private keys encrypted at rest with AES-256-GCM and a per-record IV.
Strict CSP, no-store cache for signed asset URLs, SameSite=Lax session cookies.
Email-change and password-change notifications sent to the previous address.
Append-only audit log for security-sensitive admin and self-service actions.
7. Your Rights
If you are in the EU/EEA or UK you have the following rights under GDPR (we honor equivalent requests from anyone, anywhere):
Rectify — edit profile fields in Settings; email changes are double-confirmed by the new address and the old address is notified.
Delete — self-service account deletion at Settings → Your Data → Delete my account. Deletion is irreversible; we will revoke your VPN peer and delete your Stripe customer record.
Object / restrict — opt out of marketing in Settings → Email Preferences.
Withdraw consent — toggle analytics or advertising cookies via the cookie banner; re-open it any time with the Manage cookie preferences button in section 4 above. Withdraw integrity-monitoring consent at Settings → Privacy & Consent.
Complain — to your local data-protection authority.
8. Data Retention
Account data: while your account is active. Removed within 30 days of deletion, except backups (rolling 30-day retention).
Integrity reports: 90 days.
Audit log entries: 12 months (IP/UA pruned at 12 months; action record kept indefinitely).
Expired verification tokens: 7 days past expiry.
Stripe customer record: removed on account deletion; Stripe retains transaction records per their own retention policies (typically 7 years for tax).
9. International Transfers
Our processors (Stripe, Discord, Google, Anthropic, OpenAI, Cloudflare) operate globally. Personal data may be transferred to and processed in countries outside the EEA, subject to standard contractual clauses where applicable.
10. Children's Privacy
The platform is not directed at users under 16. If you become aware that a child under 16 has registered, contact us and the account will be deleted.
11. Changes
We will update this page when our processing materially changes. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy concerns, contact us at [email protected]. Subject line "Privacy request" routes to the data controller.