Privacy Policy

Effective 1 December 2025

1. Data Controller Redepta, is the controller of your personal data.

1. Information We Collect; Information you provide: name, email, billing details, profile photo, biographical text, forum posts, live-session video/audio. b. Automatically collected: IP address, browser type, device identifiers, analytics events. c. Payment data: processed by Stripe, PayPal, Bank transfer - we never receive or store full card numbers. d. Recordings & transcripts of live seminars (stored indefinitely at company discretion unless the Educator deletes them).

2. How We Use Your Data

* To provide and improve the Service

* To process payments and issue receipts

* To send transactional emails (session reminders, diplomas, earnings reports)

* To generate automatic transcripts and highlight quotations (OpenAI services under strict Business Associate–style terms)

* To enforce our Terms and protect the community

* Legal Bases (GDPR) Contract (performance of Channel enrolment), legitimate interests (fraud prevention, platform security), and consent (optional marketing).

3. Data Sharing Only with:

* Stripe (payments)

* PayPal

* Banks

* LiveKit / Fly.io (live-video infrastructure)

* OpenAI (transcription & quotation extraction - data not used for training)

* The specific Educator whose Channel you join (they receive your name, email, and messages)

* The specific Student who joins your channel (they receive your name, email, and messages)

* Sub-processors listed at redepta.com/subprocessors (kept continuously updated)

4. International Transfers Data is stored in the United States. Transfers from EEA/UK/Switzerland occur under Standard Contractual Clauses + UK International Data Transfer Addendum.

5. Retention Account data: until you delete your account + 180 days Channel materials & recordings: indefinitely (perpetual license promise) Earnings records: 7 years (tax requirements).

6. Your Rights Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Submit requests to [email protected]. We respond within 30 days (or 45 for CCPA).

7. Security Industry-standard encryption at rest and in transit, regular penetration testing, and least-privilege access.

8. Children - The Service is strictly for individuals 18 and older. Children must use the platform under an adult created account.

9. Material changes will be notified by email and in-app notice.

10. Lawful Bases for Processing (Art. 6 GDPR) Processing Activity Lawful Basis Explanation

Account creation & profile management Art. 6(1)(b) – Contract (Necessary to provide you with the Service

Enrolling in and delivering a Channel) Art. 6(1)(b) – Contract Performance of the enrolment agreement with you and the Educator

Processing payments Art. 6(1)(b) – Contract + Art. 6(1)(c) – Legal obligation Required for billing and tax compliance

Sending transactional emails (reminders, diplomas, receipts) Art. 6(1)(b) – Contract + Art. 6(1)(f) – Legitimate interests (Essential for service delivery and fraud prevention)

Recording live seminars & creating transcripts Art. 6(1)(b) – Contract + explicit consent at start of each session. Students and Educators actively consent via “I agree to recording” banner

Generating AI quotations & highlights Art. 6(1)(f) – Legitimate interests Improves educational value; no overriding rights (data not used to train models).

Analytics (PostHog self-hosted) Art. 6(1)(f) – Legitimate interests Platform security, performance, and fraud prevention

Marketing emails (optional newsletter) Art. 6(1)(a) – Consent Double opt-in; one-click unsubscribe always available

11. Your Rights under GDPR (Arts. 15–22)

You have the following rights, free of charge (except manifestly unfounded or excessive requests):

Access (Art. 15) [email protected] → “GDPR Access Request” - 30 days max

Rectification (Art. 16) Edit directly in profile or email request - Immediate / 7 days

Erasure (“right to be forgotten”) (Art. 17) [email protected] → “GDPR Erasure Request” - 30 days max

Restriction of processing (Art. 18) Same as above - Immediate

Data portability (Art. 20) Request machine-readable export of all your content, posts, notes - 30 days max

Object to processing (Art. 21) Object to analytics or AI highlights - Immediate

Withdraw consent (Art. 7) Revoke recording consent → future sessions only - Immediate

Lodge a complaint (Art. 77) Directly with your EU national DPA or with the Irish Data Protection Commission (our lead supervisory authority) n/a

12. International Transfers (Chapter V GDPR)

* Legal mechanisms: – EU–U.S. Data Privacy Framework (Redepta, Inc. is self-certified as of 1 Dec 2025) – Standard Contractual Clauses (2021/914) executed with every sub-processor – UK International Data Transfer Addendum (Table 4 – “data importer” commitments)

* You may request copies of the executed SCCs at [email protected]

13. Sub-processors (Art. 28 GDPR)

Current list always available at redepta.com/subprocessors (updated within 30 days of any change):

Sub-processor Purpose Location Safeguard

Stripe, Inc. Payments USA DPF + SCCs

PayPal, Inc Payments USA

Banks Payments Global

LiveKit, Inc. Live video infrastructure USA SCCs

Fly.io Regional compute USA / EU SCCs (EU region available)

OpenAI, LLC Transcription & quotations USA SCCs + no-training clause

PostHog, Inc. Self-hosted analytics EU (Frankfurt) Intra-EU processing only

Resend (Tinybird) Transactional email USA SCCs

14. Data Protection Officer

Dr. Regan Gallagher, [email protected]

15. Automated Decision-Making (Art. 22)

Redepta does not use any automated decision-making with legal or similarly significant effects.

16. Data Breach Notification

Personal data breaches will be notified to the Irish DPC within 72 hours and to affected users without undue delay where the breach is likely to result in high risk to rights and freedoms.

17. Age of Consent

We do not knowingly process data of individuals under 18. Any account found to belong to a minor will be terminated immediately.

Expanded CCPA / CPRA Compliance Section

Privacy Policy – CCPA / CPRA Addendum (California Residents)

Effective 1 January 2026

1. California Consumer Privacy Act Rights (Cal. Civ. Code §1798.100 et seq., as amended by CPRA)

If you are a California resident, you have the following rights with respect to your personal information:

Right What It Covers How to Exercise Response Timeline

Right to Know (Access) Categories and specific pieces of personal information collected, sources, business purpose, categories of third parties shared with [email protected] → Subject: “CCPA Know Request” 45 days (extendable once by 45 days)

Right to Delete Deletion of personal information (subject to exceptions below) [email protected] → Subject: “CCPA Delete Request” 45 days

Right to Opt-Out of Sale or Sharing We do not sell or share personal information for cross-context behavioural advertising. No action required. N/A (no sale/sharing occurs) N/A

Right to Limit Use of Sensitive PI We do not use sensitive personal information for purposes beyond those permitted without consent N/A N/A

Right to Non-Discrimination You will not be denied services, charged different prices, or receive lower quality for exercising rights Automatic N/A

Right to Correct Inaccurate Information Correction of inaccurate personal information [email protected] → Subject: “CCPA Correction” 45 days

2. Categories of Personal Information Collected in the Past 12 Months

Category (CCPA §1798.140(v)) Collected? Examples

Identifiers Yes Name, email, IP address

Customer Records (Cal. Civ. Code §1798.80) Yes Billing address (via Stripe, PayPal, Bank)

Commercial Information Yes Channel purchases, transaction history

Internet/Network Activity Yes Pages visited, session duration (PostHog self-hosted)

Geolocation Data Yes Approximate location from IP

Audio/Visual Information Yes Live-session recordings & transcripts (only with consent)

Professional/Education Information Yes Bio, diplomas issued, forum posts

Inferences Drawn Yes Educational interests inferred from enrolments

Sensitive Personal Information No We do not collect SSN, precise geolocation, racial origin, etc.

3. Categories of Personal Information Disclosed for a Business Purpose

* Identifiers & commercial information → Stripe (payments)

* Audio/visual & education information → the specific Educator whose Channel you joined

* Internet activity → PostHog (analytics – self-hosted in EU)

* All categories → legal authorities when required by law

4. No Sale or Sharing of Personal Information

Redepta does not and will not sell personal information or share it for cross-context behavioural advertising as defined in CCPA/CPRA §1798.140(ah) & (ai). Therefore, the “Do Not Sell or Share My Personal Information” link is not required and is intentionally omitted.

5. Authorised Agents

You may designate an authorised agent using one of these methods:

* Signed written permission uploaded to [email protected]

* Registration with the California Secretary of State + power of attorney

6. Verification Process

We verify Know and Delete requests to a reasonably high degree of certainty (typically two-factor authentication + confirmation of recent transaction or forum post). Requests that cannot be verified will be rejected with explanation.

7. Metrics (published annually by 31 July)

2024–2025 California rights requests and median response time will be posted at redepta.com/legal/ccpa-metrics.