Privacy Policy

1. Introduction

Welcome to ArchStack™ ("we," "our," or "us"). This Privacy Policy explains how Embedded Nature LLC collects, uses, discloses, and protects your personal information when you use our course website, content, and services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy and our Terms of Service. If you do not agree with our policies and practices, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Password (stored as a secure hash)
• Name (optional)
• Profile image (optional)

2.2 Payment Information

When you make a purchase, we collect:

• Billing address
• Payment method information (processed securely by Stripe)
• Transaction history

Note: We do not store your full payment card information. All payment data is handled by Stripe in compliance with PCI DSS standards.

2.3 Usage Data

We automatically collect information about how you use the Service, including:

• Pages visited and content accessed
• Time spent on pages
• Device information (browser type, operating system)
• IP address
• Referral sources

2.4 Communication Data

If you contact us or participate in our community, we may collect:

• Email communications
• Community forum posts and messages
• Support requests

3. How We Use Information

We use the information we collect to:

• Provide the Service: Process your account creation, authenticate your login, and provide access to course content
• Process Payments: Handle subscription payments and manage your account access
• Communicate: Send you course updates, important notices, and respond to your inquiries
• Improve the Service: Analyze usage patterns to enhance user experience and develop new features
• Security: Detect and prevent fraud, abuse, and unauthorized access
• Legal Compliance: Comply with applicable laws, regulations, and legal processes

4. Third-Party Services

We use third-party services to operate the Service. Below is detailed information about each service and how they handle your data:

4.1 Better Auth (Authentication)

• Purpose: User authentication and session management
• Hosting: Self-hosted on Railway (not a cloud service)
• Data Stored: Email address, password hash, session tokens
• Storage Location: Railway-hosted database (Turso/libSQL)
• Data Retention: Retained while your account is active. Deleted upon account deletion.
• Account Deletion: You can delete your account at any time by contacting [email protected]
• Privacy Policy: Covered in this Privacy Policy (Better Auth is self-hosted on Railway)

4.2 Stripe (Payment Processing)

• Purpose: Secure payment processing and subscription management
• PCI Compliance: Stripe is PCI DSS Level 1 certified
• Data Collected: Payment card numbers (encrypted), billing address, transaction data, payment method information
• Data Retention: Stripe retains transaction data per their data retention policy (typically 7 years for tax/regulatory compliance)
• Privacy Policy: https://stripe.com/privacy

4.3 Resend (Email Delivery)

• Purpose: Email delivery service for transactional and marketing emails
• Data Collected: Email addresses, email content (for delivery only)
• Data Storage: Resend does not store email content long-term; emails are delivered and logs are retained for delivery tracking
• Privacy Policy: https://resend.com/legal/privacy-policy

4.4 Railway (Hosting Infrastructure)

• Purpose: Application and database hosting infrastructure
• Data Stored: Application code, database (including user accounts, course access records)
• Data Location: Railway's infrastructure (geographic location may vary)
• Cookies: Railway does not set cookies
• Privacy Policy: https://railway.app/legal/privacy

4.5 Cloudflare Web Analytics (Analytics)

• Status: ✅ Implemented
• Purpose: Website usage analytics (privacy-focused, cookie-free)
• Cookies: None - Cloudflare Web Analytics does not use cookies
• Data Collected: Page views, Core Web Vitals (no personal data, no cookies)
• Privacy: Privacy-focused analytics service that does not collect personal data or set cookies
• Privacy Policy: https://www.cloudflare.com/privacypolicy/
• Cookie Consent: Not required - Cloudflare Web Analytics is cookie-free

4.6 GoHighLevel (CRM/Marketing)

• Purpose: CRM and marketing automation integration
• Data Collected: User data shared with GoHighLevel (email, name, subscription status, course progress)
• Data Retention: Per GoHighLevel's data retention policy
• Privacy Policy: https://www.gohighlevel.com/privacy-policy
• Note: Data is shared for CRM and marketing automation purposes only.

4.7 Discord (Community Link)

• Purpose: Community link (external service)
• Data Collection: ArchStack does not collect data through Discord. Discord collects data per their privacy policy when you visit their platform.
• Privacy Policy: https://discord.com/privacy
• Note: No integration - this is an external link only.

4.8 Microsoft Teams (Community Link)

• Purpose: Community link (external service)
• Data Collection: ArchStack does not collect data through Microsoft Teams. Microsoft collects data per their privacy policy when you visit their platform.
• Privacy Policy: https://privacy.microsoft.com/privacystatement
• Note: No integration - this is an external link only.

4.9 Google Fonts (Font Delivery)

• Purpose: Font delivery service
• Cookies: Google Fonts does not set cookies
• Data Collection: IP address may be logged by Google (see Google Privacy Policy)
• Privacy Policy: https://policies.google.com/privacy

5. Data Storage

Your data is stored securely on Railway-hosted infrastructure:

• Database: Turso/libSQL database hosted on Railway
• Data Location: Railway's infrastructure (geographic location may vary)
• Encryption: Data is encrypted in transit (HTTPS) and at rest
• Backups: Regular backups are performed to ensure data availability

6. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
• Password Security: Passwords are hashed using secure algorithms and never stored in plain text
• Access Controls: Access to personal data is restricted to authorized personnel only
• Session Security: Session tokens are encrypted and expire after 7 days of inactivity
• Payment Security: Payment processing is handled by Stripe, which is PCI DSS Level 1 certified

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

7. Your Rights

7.1 General Rights

You have the right to:

• Access: Request a copy of your personal data
• Deletion: Request deletion of your personal data
• Correction: Request correction of inaccurate data
• Data Portability: Request your data in a portable format

To exercise these rights, contact us at [email protected].

7.2 GDPR Rights (EU/UK Users)

If you are located in the European Union or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to Access: You can request access to your personal data and receive a copy
• Right to Rectification: You can request correction of inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data under certain circumstances
• Right to Restrict Processing: You can request that we limit how we use your data
• Right to Data Portability: You can request your data in a structured, machine-readable format
• Right to Object: You can object to processing of your data for certain purposes
• Right to Withdraw Consent: You can withdraw consent for data processing at any time

Supervisory Authority: If you are in the EU/UK, you have the right to lodge a complaint with your local data protection authority.

Response Timeframe: We will respond to GDPR requests within 30 days.

7.3 CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You can request to know what personal information we collect, use, disclose, and sell
• Right to Delete: You can request deletion of your personal information
• Right to Opt-Out: You have the right to opt-out of the sale of personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Do Not Sell My Personal Information: We do not sell your personal information to third parties. If this changes in the future, we will update this Privacy Policy and provide an opt-out mechanism.

To exercise your CCPA rights, contact us at [email protected].

8. Cookies and Tracking

We use cookies and similar technologies to provide and improve the Service. Below is a detailed breakdown:

8.1 Required Cookies

Authentication Cookies (Better Auth)

• Cookies: `better-auth.session_token` (7 days), `better-auth.csrf_token` (Session)
• Purpose: User authentication and session management
• Required: Yes - Cannot disable without losing login functionality
• Type: HTTP Only, Secure, SameSite=Strict
• Third-Party: No - Self-hosted Better Auth

Payment Cookies (Stripe)

• Cookies: `__stripe_mid`, `__stripe_sid`, `__stripe_orig_props`
• Purpose: Payment processing and fraud prevention
• Required: Yes - Required for Stripe Checkout
• Third-Party: Yes - Set by Stripe
• Privacy Policy: https://stripe.com/privacy

8.2 Analytics (No Cookies Required)

Cloudflare Web Analytics

• Status: ✅ Implemented
• Cookies: None - Cloudflare Web Analytics is cookie-free
• Purpose: Website usage analytics (page views, Core Web Vitals)
• Required: No - Can be disabled
• Privacy: Privacy-focused analytics that does not collect personal data or set cookies
• Cookie Consent: Not required - no cookies are set
• Opt-Out: Not applicable - no cookies or personal data collection

8.3 Cookie Consent

We only use essential cookies (authentication and payment processing) which do not require consent under GDPR. Our analytics service (Cloudflare Web Analytics) is cookie-free and does not require consent. You can manage cookie preferences through your browser settings.

8.4 Disabling Cookies

You can disable cookies through your browser settings. However, disabling required cookies may prevent you from using certain features of the Service, including:

• Logging into your account
• Making payments
• Accessing course content

9. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:

• Account Data: Retained while your account is active. Deleted within 30 days of account deletion request.
• Transaction Data: Retained for 7 years for tax and regulatory compliance (handled by Stripe)
• Email Data: Retained for communication purposes. You can unsubscribe from marketing emails at any time.
• Usage Data: Retained for analytics purposes, typically for up to 2 years.

After the retention period, we will securely delete or anonymize your data unless we are required to retain it for legal or regulatory purposes.

10. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

• Notification Timeline: Notify affected users within 72 hours (GDPR requirement) or as soon as practicable
• Notification Method: Email notification to affected users
• Information Provided:
  • Description of the breach
  • Types of data affected
  • Steps we are taking to address the breach
  • Recommended actions for users
  • Contact information for questions
• Regulatory Reporting: We will report breaches to relevant supervisory authorities as required by law

11. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country.

When we transfer data internationally, we ensure appropriate safeguards are in place:

• Adequacy Decisions: We rely on adequacy decisions where applicable
• Standard Contractual Clauses: We use standard contractual clauses approved by relevant authorities
• Data Location: Data is primarily stored on Railway infrastructure, which may be located in various geographic regions

By using the Service, you consent to the transfer of your data to these locations.

12. Children's Privacy

12.1 COPPA Compliance

We do not knowingly collect personal information from children under 13 years of age. If we discover we have collected information from a child under 13, we will delete it immediately.

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at [email protected].

12.2 Service Age Requirement

ArchStack is intended for users 18 years or older. Users under 18 must have parental consent. By using ArchStack, you represent that you are at least 18 years old or have parental consent.

12.3 Trading Age Requirement

Trading (including paper trading) requires you to be 18+ and complete identity verification with Alpaca Markets or another broker. We do not provide trading services directly.

12.4 Age Verification

We reserve the right to verify your age and may request proof of age or parental consent. If we discover you are under 18 without parental consent, we will terminate your account immediately.

13. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated Privacy Policy on this page
• Updating the "Last Updated" date
• Sending an email notification (for significant changes)

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Service and may delete your account.

14. Contact Information

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

• Email: [email protected]
• Business: Embedded Nature LLC
• Jurisdiction: Minnesota, United States

We will respond to your inquiry within 30 days.