Privacy policy

Account data: name, email address, preferred language, account settings. Basis: performance of the contract (GDPR Art. 6(1)(b)).

Payment data: we do not process card numbers ourselves. Payments go through Stripe, which acts as independent data controller for payment data. We only receive confirmations of successful payments and transaction identifiers. Basis: performance of the contract.

Progress data: which lectures you have completed, quiz results, last-read lecture. Basis: performance of the contract.

Usage statistics: anonymised page views via Plausible Analytics. Plausible sets no cookies, does not retain IP addresses, and builds no profiles. Basis: legitimate interest (GDPR Art. 6(1)(f)) in improving the service.

Correspondence: if you email us, we retain your message to reply and to be able to look up past conversations. Basis: legitimate interest.

To manage your account, to give you access to the content you pay for, to show your progress, and where necessary to communicate about your subscription (confirmations, changes, outages). We also use aggregated statistics to see which modules work well and where we can improve. We do not use your data for advertising and do not share it with third parties for marketing purposes.

We share only with processors we need in order to deliver the service, each under a data-processing agreement:

Firebase Authentication (Google, US under EU SCCs): email, name, sessions.

Cloud SQL (Google Cloud, EU): progress data, account metadata.

Stripe (payments, US under EU SCCs): payment data. Stripe is an independent controller for that data.

Resend (transactional email, EU): sending system emails.

Plausible (analytics, EU): anonymised page statistics.

Vercel (hosting, EU region where available): technical logs.

We do not provide data to governments unless legally required.

Some processors (Firebase/Google, Stripe) are based in the United States. Transfer happens under EU Standard Contractual Clauses and additional safeguards where those processors offer them.

Account data for as long as you have an account, plus thirty days after cancellation for reactivation. Progress data the same. Payment transactions for seven years due to tax retention obligations. Email correspondence three years. Plausible statistics are already anonymised and retained indefinitely.

Under the GDPR you have the right to: access your data, correct it, delete it, restrict processing, object, and receive your data in portable form. Send a request to privacy@theschoolofrealmarketing.com. We respond within thirty days.

If you are unsatisfied with our handling, you have the right to lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl) or with the authority in your own EU country.

We set only functional cookies necessary for login and session state. We use no tracking cookies or third-party advertising cookies. Analytics (Plausible) works without cookies. For that reason we do not ask for cookie consent.

Data is encrypted in transit (TLS) and at rest. Internal access is limited to people who need it for their work. We do not store passwords in readable form; authentication runs through Firebase Authentication, which supports hashing and secure storage.

Changes are published on this page. Material changes are announced by email.

For privacy questions: privacy@theschoolofrealmarketing.com. For general questions: info@theschoolofrealmarketing.com. Bright & The Future B.V. is reachable at the same address.