Privacy Policy - THE PIVOTAL PROTOCOL Academy

Section 01Summary

The short version. We collect what we need to operate the Academy: your email and account data, what you study, payment information through Stripe (we never see your card), and the notes and protocols you choose to save. We do not sell your data. We do not share it for marketing. We do not profile your health conditions. We do not run advertising trackers. Cookies are limited to keeping you logged in.

This Privacy Policy explains, in detail, the practices behind that summary. THE PIVOTAL PROTOCOL ("the Company," "we," "us") is the data controller for personal information processed through the Academy.

Section 02What we collect

Account information

Email address (required for login and service communications).
Display name or username, if you choose to set one.
Hashed password if you use email-and-password authentication. We never store your raw password.
Account preferences (notification settings, theme, locale).

Payment and billing information

Subscription tier, billing cycle, renewal date, and invoice history.
Last four digits and brand of your payment card and the billing country, returned to us by Stripe for receipts.
Full payment card details are entered directly into Stripe and are not stored on our servers.

Usage analytics

Modules viewed, lessons completed, time spent on lessons, and bookmark or note counts.
Aggregated event data such as page views, referrer URL, device type, browser, and approximate country derived from IP.
Error and crash reports for diagnosing platform issues.

User-generated content

Notes, bookmarks, custom protocol drafts, calculator inputs, lab tracking entries, and journal logs you create within the Academy.
Community posts, comments, and replies if you participate in any community feature.

Communications

Email content you send to support, privacy, or safety inboxes.
Delivery, open, and click metadata for transactional and educational emails we send to you.

Section 03How we use it

We process your personal data only for the purposes listed below.

Purpose	Lawful basis
Provide and operate the Academy, including authentication and content delivery	Performance of contract
Process subscriptions, renewals, refunds, and tax obligations	Performance of contract / legal obligation
Send transactional emails (receipts, password resets, security alerts)	Performance of contract
Send course updates, new module announcements, and educational digests	Legitimate interest / consent where required
Diagnose and fix platform errors	Legitimate interest
Improve the curriculum based on aggregated, anonymized usage patterns	Legitimate interest
Detect and prevent fraud, abuse, and unauthorized access	Legitimate interest / legal obligation
Comply with legal requests, regulatory obligations, and lawful court orders	Legal obligation

You can opt out of marketing-style emails (course updates, educational digests) at any time using the unsubscribe link in any such email. You cannot opt out of strictly transactional emails because they are necessary to operate your account.

Section 04What we will not do

Hard commitments. These are architectural choices, not aspirations.

We do not sell your personal data. Not to data brokers, not to advertisers, not to research firms, not to anyone.
We do not share your data with third parties for their marketing purposes.
We do not build health-condition profiles. Notes you write about your own health are stored encrypted and are not analyzed, segmented, or used to target you.
We do not run advertising trackers, retargeting pixels, or third-party advertising cookies.
We do not share your data with social media platforms. No Facebook Pixel, no LinkedIn Insight Tag, no TikTok Pixel.
We do not use your private notes or protocol drafts to train machine-learning models.

Section 05Third-party processors

We rely on a small number of vetted processors to operate the Service. Each is bound by a data processing agreement and acts only on our documented instructions.

Processor	Purpose	Data shared
Stripe	Payment processing, billing, subscription management	Email, billing address, payment card (entered directly into Stripe)
MailChannels / Resend	Transactional and educational email delivery	Email address, message content, delivery metadata
Cloudflare	Hosting, content delivery network, DDoS protection, edge compute	IP address, request metadata, content served to your browser

We do not use third-party analytics platforms (no Google Analytics, no Mixpanel, no Segment). All usage analytics are processed in our own infrastructure.

Section 06Cookies and tracking

The Academy uses the minimum cookies necessary to operate.

Session authentication cookie. Keeps you logged in across pages. Expires when you log out or after a period of inactivity.
Security and anti-fraud cookies. Help us detect suspicious activity and protect your account.
Preference cookie. Remembers your interface preferences such as theme, locale, or playback speed.

We do not set tracking pixels, advertising cookies, or third-party marketing cookies. We do not use fingerprinting techniques to identify you across sites.

For the full list of cookies, lifetimes, and third-party services, see our dedicated cookie policy. You can change your cookie preferences at any time using the Cookie Preferences link in the footer of every page.

Section 07Data retention

Account data. Retained while your account is active. After cancellation or deletion, retained for up to ninety days to allow recovery and to satisfy financial-record obligations.
Billing records. Retained for the period required by tax and accounting law, typically seven years.
Usage analytics. Aggregated and anonymized after twelve months. Raw event data is purged on the same cycle.
Communications. Email correspondence retained while needed to resolve the matter and for a reasonable period after.
Backups. Encrypted backups may retain copies of deleted data for up to thirty additional days before being overwritten in the normal rotation.

Section 08Your rights

Depending on your jurisdiction, you may have rights including:

Access. Request a copy of the personal data we hold about you.
Portability. Receive your data in a structured, machine-readable format.
Correction. Ask us to correct inaccurate or incomplete data.
Deletion. Ask us to delete your account and associated personal data, subject to legal retention obligations.
Restriction. Ask us to restrict processing in certain circumstances.
Objection. Object to processing based on legitimate interests.
Withdrawal of consent. Withdraw consent for any processing based on consent, without affecting the lawfulness of prior processing.
Complaint. Lodge a complaint with your local data protection authority.

To exercise any right, email [email protected] from the address associated with your account. We will respond within thirty days. We may need to verify your identity before acting on a request.

If you are a California resident, you have the rights to know, delete, correct, and opt out of sale or sharing under the California Consumer Privacy Act and the California Privacy Rights Act. We do not sell or share personal information as those terms are defined under California law.

If you are in the European Economic Area, the United Kingdom, or Switzerland, this Policy and our processing comply with the General Data Protection Regulation and equivalent local laws.

Section 09Children

The Academy is not intended for, directed to, or available for use by individuals under eighteen years of age. We do not knowingly collect personal information from anyone under eighteen. If we become aware that we have collected personal information from a person under eighteen, we will delete it promptly.

If you believe a person under eighteen has provided us with personal information, please contact [email protected].

Section 10International transfers

The Academy is hosted on Cloudflare's global edge infrastructure. As a result, your data may be processed in any country in which Cloudflare operates, including the United States and other regions.

Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been determined to provide an adequate level of protection, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission and additional technical and organizational measures.

Section 11Security

We protect your data with industry-standard technical and organizational measures, including:

TLS encryption for all data in transit between your device and our infrastructure.
Encryption at rest for stored databases and backups.
No storage of full payment card details on our infrastructure (handled by Stripe).
Hashed and salted password storage using modern algorithms.
Role-based access controls for the small team that operates the platform.
Audit logging of administrative actions.
Regular review of dependencies, infrastructure, and security posture.

No system is perfectly secure. If we ever detect unauthorized access affecting your account, we will notify you and applicable regulators within the time required by law.

Section 12Changes

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, provide notice through the Service or to your registered email at least thirty days before the changes take effect.

Section 13Contact

For privacy questions, requests, or complaints:

THE PIVOTAL PROTOCOL
Privacy: [email protected]
Legal: [email protected]
Support: [email protected]

This page provides educational context regarding our privacy practices. It is not a substitute for legal advice.