Spooniversity

Privacy Policy

Last updated: April 2026

1. Who we are (Controller)

Spooniversity is an independent online education platform operated by Roi Shternin, an individual based in Austria. We are the data controller responsible for your personal data.

Contact: hello@spooniversity.org

A Data Protection Officer (DPO) is not required for small operators like Spooniversity that do not process sensitive data at scale. For any data protection questions, contact us directly at the email above.

2. What we collect and why (Legal basis per GDPR Art. 6)

We only collect what we need:

• Email address — to create your account, send your magic login link, and send important account notices. Legal basis: performance of contract (Art. 6(1)(b)).

• Learning progress (which lessons you have completed, your enrolment status) — to show your dashboard and resume where you left off. Legal basis: performance of contract (Art. 6(1)(b)).

• Billing information — processed by Stripe on our behalf. We never store your full card details. Legal basis: performance of contract (Art. 6(1)(b)).

• Community content you submit — posts, reflections, or comments inside the platform. Legal basis: performance of contract (Art. 6(1)(b)).

• Platform analytics (page views, session duration) — via PostHog, to understand how the platform is used and improve it. Legal basis: our legitimate interests in improving the service (Art. 6(1)(f)). You can opt out at any time (see Cookies section).

• Marketing emails — only if you explicitly opt in. Legal basis: consent (Art. 6(1)(a)). You can withdraw consent at any time.

3. Third-party services and international transfers

We use the following services to operate the platform:

• Better Auth — authentication and session management. User data stored in our own Neon PostgreSQL database.

• Neon — database hosting. Hosted in EU (Frankfurt). EU data only.

• Stripe — payment processing. Stripe operates globally including the United States. Stripe participates in the EU-US Data Privacy Framework and uses Standard Contractual Clauses (SCCs) for data transfers. See stripe.com/privacy.

• Resend — transactional email (login links, receipts). EU-based hosting.

• Vercel — website hosting and delivery. Vercel serves content via a global edge network including US servers. Vercel uses SCCs for transfers. See vercel.com/legal/privacy-policy.

• PostHog — analytics. We use PostHog's EU Cloud (hosted in Frankfurt). No personal data leaves the EU for analytics.

We do not sell your data. We do not share it with third parties for advertising.

4. Your rights under GDPR

You have the following rights regarding your personal data:

• Access — you can request a copy of the personal data we hold about you.

• Rectification — you can ask us to correct inaccurate data.

• Erasure ("right to be forgotten") — you can ask us to delete your personal data. We will do so within 30 days, except where we are legally required to retain records (e.g., billing records for 7 years under EU law).

• Restriction — you can ask us to pause processing your data in certain circumstances.

• Portability — you can request your data in a machine-readable format.

• Objection — you can object to processing based on legitimate interests (e.g., analytics). We will stop unless we have compelling legitimate grounds.

• Withdraw consent — if processing is based on your consent (e.g., marketing emails), you can withdraw it at any time. This does not affect processing that occurred before withdrawal.

• Not subject to automated decisions — we do not make legally significant automated decisions about you.

To exercise any of these rights, email hello@spooniversity.org. We will respond within 30 days. You will not be penalised for exercising your rights.

5. Complaints

If you believe we have mishandled your data, you have the right to lodge a complaint with the supervisory authority in your country. In Austria, this is:

Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Wien
www.dsb.gv.at

We would always prefer to resolve concerns directly first — please email us and we will take it seriously.

6. Data retention

We keep your account and learning progress data for as long as your account is active. If you request account deletion, we will remove your personal data within 30 days, except where we are legally required to retain it (billing records are retained for 7 years under EU financial compliance requirements).

7. Cookies

We use two types of cookies:

• Session cookies (strictly necessary) — to keep you logged in. These are required for the platform to function. No consent required under ePrivacy rules.

• Analytics cookies (PostHog) — to understand how the platform is used. These are based on our legitimate interests. You can opt out by clicking "Decline analytics" in your account settings, or by enabling the "Do Not Track" browser setting, which we honour.

We do not use advertising, retargeting, or third-party tracking cookies.

8. Changes to this policy

If we make significant changes to this policy, we will notify you by email before they take effect. The updated policy will also be published on this page with a revised date. Where changes affect the legal basis for processing, we will seek fresh consent if required.

9. Contact

For any privacy questions, requests to exercise your rights, or concerns: hello@spooniversity.org

We respond within 30 days. We are a small team and we treat privacy as a real value, not a compliance checkbox.
