Cipher Academy← Back to home

Last updated · May 28, 2026

Privacy Policy

We collect the minimum data required to teach you the science of reading people — and we never sell it. This document explains what we collect, why, and the rights you have over it.

1. Who we are

Cipher Academy (“Cipher,” “we,” “us,” or “our”) operates the web application, mobile interface, and educational content available at cipheracademy.aiand related subdomains (collectively, the “Service”). This Privacy Policy explains how we collect, use, share, and safeguard personal information about you when you visit the Service, create an account, or interact with our content.

For privacy questions, contact us at info@cipheracademy.net. If you are an EU/UK resident, see Section 12 for our data-protection contact. If you are a California, Colorado, Virginia, Connecticut, or Utah resident, see Section 11 for state-specific rights.

2. What we collect

We collect three categories of information:

Information you provide

  • Account data: email address, display name, password hash, language preference.
  • Profile data: goals you set, scenarios you complete, mastery scores, lesson progress, voice settings.
  • Payment data: processed exclusively by Stripe; we receive only billing country, card brand, last four digits, and subscription status.
  • Communications: emails or messages you send us (support requests, feedback).

Information collected automatically

  • Device and log data: IP address, browser type, operating system, timestamps, pages visited.
  • Usage analytics: aggregated behavior such as which lessons you complete, time-on-task, scenario outcomes. Used to improve the curriculum.
  • Cookies and similar technologies: see Section 7.

Information from third parties

If you sign in with Google, Apple, or another OAuth provider, we receive the email and display name they share with us. We do not request access to your contacts, calendar, or other sensitive scopes.

3. Why we use your data

We process personal data only for the following purposes, each with a clear legal basis under GDPR Article 6 (where applicable):

  • To provide the Service — fulfilling our contract with you (Art. 6(1)(b)). This includes account creation, lesson delivery, progress tracking, and personalized AI scenarios.
  • To process payments — fulfilling our contract with you (Art. 6(1)(b)). Handled by Stripe under their own privacy notice.
  • To improve the Service — legitimate interest (Art. 6(1)(f)). Aggregated, pseudonymous analytics to refine lesson design.
  • To communicate with you — transactional emails by legitimate interest; marketing emails only with your consent (Art. 6(1)(a)), which you can withdraw any time.
  • To comply with law — legal obligation (Art. 6(1)(c)), including tax records and responses to lawful requests.
  • To protect rights and safety — legitimate interest in preventing fraud, abuse, and unauthorized access.

We do not use your personal data to train any third-party AI model. Your scenario inputs are processed only to generate your response, then deleted from upstream LLM providers in accordance with their zero-retention agreements.

4. Who we share data with

We share personal data only with the following categories of recipients, each bound by data-processing agreements:

  • Service providers (data processors):
  • Stripe, Inc. — payments (US, with SCCs for EU transfers).
  • Supabase, Inc. — database and authentication hosting (US East).
  • Vercel, Inc. — web hosting and CDN.
  • PostHog, Inc. — product analytics (US region; aggregated, IP truncated).
  • Sentry, GmbH — error monitoring (EU region).
  • OpenAI, L.L.C. — LLM for scenario generation (zero-retention configuration).
  • ElevenLabs, Inc. — text-to-speech narration.
  • Legal recipients — courts, regulators, or law enforcement when required by valid legal process.
  • Business transfers — successors in a merger, acquisition, or sale of substantially all assets. We will notify you before your data becomes subject to a different privacy policy.

We do not sell personal information as defined under CCPA/CPRA, and we do not share it for cross-context behavioral advertising.

5. International transfers

We are based in the United States, and several processors above are located in the US. When we transfer personal data outside the EU/UK or Brazil, we rely on the European Commission's Standard Contractual Clauses (2021/914) and equivalent safeguards. You may request a copy of these clauses by emailing info@cipheracademy.net.

6. How long we keep your data

  • Account data: retained while your account is active and for 12 months after deletion to permit account recovery and comply with fraud-prevention obligations.
  • Lesson progress and mastery: deleted within 30 days of account deletion.
  • Payment records: retained 7 years for tax compliance.
  • Aggregated analytics: retained indefinitely in de-identified form.
  • Backups: securely overwritten within 35 days.

7. Cookies and tracking

We use the minimum cookies required to operate the Service. Categories:

  • Strictly necessary — session, CSRF, language. No consent required.
  • Analytics — PostHog with anonymized IP. Requires consent in EU/UK; opt-out anywhere via your account settings.

We do not use advertising or third-party tracking cookies. We honor the Global Privacy Control (GPC) signal as a valid opt-out request from Sale/Share under CCPA/CPRA.

8. Your rights (Universal)

Regardless of where you live, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and associated data.
  • Export your data in a portable, machine-readable format.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time without affecting prior lawful processing.

To exercise any right, email info@cipheracademy.net or use the in-app “Download my data” and “Delete my account” tools. We respond within 30 days (45 for complex requests).

9. Security

  • TLS 1.3 in transit; AES-256 at rest.
  • Passwords hashed with Argon2id, never stored in plaintext.
  • Two-factor authentication available; required for staff access.
  • Quarterly third-party penetration tests; annual SOC 2 review.
  • Breach notification: within 72 hours to supervisory authority where required, and to you without undue delay where there is a high risk to your rights.

10. Children

The Service is intended for adults aged 18 and older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal data, contact us at info@cipheracademy.net and we will delete it promptly.

11. US state-specific rights

California (CCPA/CPRA)

California residents have the right to know, delete, correct, and limit use of sensitive personal information. We have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months. To exercise rights, follow Section 8. You may also designate an authorized agent. We do not discriminate against users who exercise rights.

Colorado, Virginia, Connecticut, Utah, Texas

Residents have substantially similar rights: access, deletion, correction, portability, and opt-out of targeted advertising and profiling. Follow Section 8. We honor GPC as an opt-out signal.

Nevada

Nevada residents may opt out of certain sales of covered information. Email info@cipheracademy.net with the subject line “Nevada opt-out.”

12. EU / UK / EEA

Our representative for GDPR purposes can be reached at info@cipheracademy.net. You may also lodge a complaint with your local supervisory authority. The lead authority for cross-border issues is the Irish Data Protection Commission until a separate establishment in the EU is designated.

13. Brazil (LGPD)

Brazilian residents have the rights granted by Law No. 13.709/2018, including confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and the right to revoke consent. Contact our data protection officer at info@cipheracademy.net.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email and an in-app banner at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

15. Contact

Privacy questions, data-protection requests, and legal notices: info@cipheracademy.net.