Privacy Policy

Last updated: [DATE]. This is a template and must be reviewed by counsel.

1. Who we are

[COMPANY LEGAL NAME] (“we”) is the data controller for personal data processed through Nordic LMS. Contact our data protection contact at [PRIVACY EMAIL] ([DPO / EU REPRESENTATIVE IF APPLICABLE]).

2. Data we collect

Account data (name, email), authentication identifiers (Google / email magic-link), course and learning activity (enrollments, lesson completions, XP, badges), coach-authored content, payment metadata (handled by [STRIPE]; we do not store full card numbers), media you upload, and technical data (log/usage/analytics, cookies — see the Cookie Policy).

3. How and why we use it

To provide the service (deliver courses, track progress), process payments, send transactional and (with consent) marketing email, run course automations, ensure security, and comply with law. Legal bases (where GDPR applies): performance of contract, legitimate interests, consent, and legal obligation.

4. Sharing

We share data with processors who act on our instructions: hosting ([VERCEL]), database ([NEON]), payments ([STRIPE]), email/SMS ([RESEND] / [TWILIO]), and analytics. Coaches can see the data of students enrolled in their courses. We do not sell personal data.

5. Retention & international transfers

We keep data for as long as your account is active and as required by law, then delete or anonymize it. Data may be processed in [REGIONS]; transfers use appropriate safeguards (e.g. Standard Contractual Clauses).

6. Your rights

Depending on your location (e.g. GDPR / UK GDPR / CCPA) you may have the right to access, correct, export (data portability), delete, restrict, or object to processing, and to withdraw consent. To exercise these:

• Access / export: request a copy of your data by emailing [PRIVACY EMAIL]. (Self-serve export from Account settings is planned.)
• Deletion: request account deletion via Account settings or by emailing us; we will delete your data subject to legal retention obligations. (Self-serve deletion is planned.)

You may also lodge a complaint with your local supervisory authority.

7. Security & children

We use technical and organizational measures to protect personal data, but no system is perfectly secure. The service is not directed to children under [AGE].

8. Changes & contact

We may update this policy; material changes will be notified. Questions: [PRIVACY EMAIL].