Privacy Policy
Last updated: May 17, 2026
Short version: we collect what we need to run the Service and nothing else. No analytics pixels. No advertising trackers. No marketing cookies.
What we collect
- Account: your email address. Authentication is handled by Supabase Auth using email magic link plus OTP; we do not store your password (we don’t use passwords at all).
- Study progress: which lessons you completed, drill and mock-exam scores by domain, missed-question history, and your audio playback position. Lesson, drill, exam, and analytics progress syncs to your account; audio playback position remains device-local. This is the data the Service needs to show you your progress and to point you at your weakest topics.
- Payment status: if you purchase, we receive from Stripe your customer ID, your plan type (lifetime or monthly), and your subscription state. We never see or store your card number.
- Feedback you submit: the text of any feedback you send through the in-app Feedback form, plus the email address tied to your account so we can reply.
What we do NOT collect
We do not use, install, or rely on any of the following:
- Google Analytics or any other third-party analytics
- Facebook Pixel, TikTok pixel, or any other advertising tracker
- Mixpanel, PostHog, Amplitude, Heap, or similar product-analytics tools
- Sentry or any other automatic error-reporting service
- Session replay tools (FullStory, Hotjar, LogRocket)
- Advertising IDs or third-party fingerprinting
- Precise location data
- Microphone or camera access
- Contacts, photos, calendar, or any device permissions
Cookies
We do not use tracking cookies, third-party cookies, or marketing cookies. Supabase Auth stores strictly necessary session tokens in browser localStorage to keep you signed in. We also use localStorage for functional state such as mock-mode local progress during development, theme preference, onboarding state, and the position of the audio player. If this ever changes (for example, if we add cart persistence on a checkout flow), this policy will be updated.
Service providers we use
- Supabase (Postgres database, authentication, storage, edge functions). Data is processed on our behalf per Supabase’s DPA.
- Stripe (payments). All payment data goes directly from your browser to Stripe; we never see card information.
- SMTP2GO (transactional email). We use SMTP2GO to send account email such as sign-in magic links, purchase receipts, and important account notices. We do not send marketing email.
- Cloudflare Workers (hosting). Serves the static site and a small number of read-only worker endpoints.
- OpenAI (audio generation). Used to pre-render the audio narration of lessons during authoring. We do not stream your inputs to OpenAI at runtime.
How we use your data
- To run the Service (sign you in, show your progress, gate paid content).
- To process payments through Stripe.
- To send transactional email (sign-in codes, purchase receipts, important service notices). No marketing email without explicit opt-in.
- To respond to feedback you submit through the in-app Feedback form.
Data retention
Account data is kept for as long as your account is active. You can request deletion at any time through the Feedback page; we will delete your account, study progress, and feedback within 30 days of the request. Payment records that we are required to keep for tax or legal reasons are retained for the period required by law.
Your rights
You may:
- Request a copy of your data.
- Request correction of inaccurate data.
- Request deletion of your account and associated data.
- Withdraw consent for transactional email (note: doing so may break sign-in, since we use email magic links).
All of the above are handled through the Feedback page.
Children
The Service is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has created an account, contact us and we will delete it.
International users
The Service is operated in the United States. By using it, you understand your data will be processed in the U.S. We make a reasonable effort to comply with applicable data-protection rules; for users in the EU or UK this generally means the lawful bases of contract (account, payments) and legitimate interest (anti-abuse, transactional email).
Changes to this policy
We will post any change here and update the “last updated” date at the top. For material changes (anything that expands what we collect, who we share it with, or how we use it), we will notify active account holders by email at least 30 days before the change takes effect.
Contact
Privacy questions: support@part107trainer.com, or through the Feedback page.