Good Prompt School

Privacy policy

1. Data controller

The controller of personal data processed through Good Prompt School is the seller or operator listed in the Seller Details document.

For privacy requests, contact: contact@goodpromptschool.com.

2. Data we process

We process data provided directly by the user, including first name, last name, email address, account identifiers, required legal-acceptance history, order data, and the content of support or complaint correspondence.

If you buy gift codes, we also store the recipient email address and any optional personal message so we can prepare the purchase, assign the codes, and handle payment history, transactional delivery, or complaints.

We also process data generated while using the platform, such as learning progress, quiz results, payment history, redeemed gift codes, and technical or security data connected with login and service operation.

If a user earns a certificate, we store a snapshot of the first and last name recorded at the moment of issue together with the certificate data needed for later downloads and public verification by certificate number.

When you make a payment, payment card details are processed by Stripe as a separate payment-service provider under its own legal obligations.

3. Purposes and legal bases

We process data only to the extent needed to run the platform, complete sales, protect security, and defend claims, in particular for the following purposes and on the following legal bases:

  • entering into and performing the account or paid-access contract - Article 6(1)(b) GDPR;
  • handling payments, settlements, complaints, and tax or accounting obligations - Article 6(1)(b) and 6(1)(c) GDPR;
  • issuing course-completion certificates and enabling later downloads or public verification by certificate number - Article 6(1)(b) and 6(1)(f) GDPR;
  • account security, abuse prevention, keeping the service running, and pursuing or defending claims - Article 6(1)(f) GDPR;
  • recording mandatory digital-content consents and meeting consumer-information duties - Article 6(1)(c) and 6(1)(f) GDPR.

4. Data recipients

We rely on specialized providers that process data on our behalf or as separate controllers where this results from the service model. This includes in particular:

  • Supabase - backend infrastructure, database, authentication, and account-data storage;
  • Stripe - payments, checkout, and payment history;
  • Resend - transactional emails and purchase confirmations;
  • Cloudflare Turnstile - abuse protection for login, signup, and password-reset forms.

5. Transfers outside the EEA

Some providers may process data outside the European Economic Area, especially because of infrastructure or subprocessors.

In such cases we rely on GDPR-approved transfer mechanisms such as an adequacy decision or standard contractual clauses, in line with the provider's documentation.

6. Retention period

Retention depends on the type of data and the purpose of processing. As a rule, we apply the following periods:

  • account data, including first name, last name, and email address - generally until account deletion or permanent end of service use;
  • learning progress, quiz results, and issued-certificate records - for the period needed to operate the account, confirm course completion, and defend claims;
  • payment, settlement, and sales-document data - for the period required by tax and accounting law;
  • complaint data, consent evidence, and data needed to defend claims - until limitation periods or evidence duties expire;
  • technical and security data - for the period needed to detect abuse, resolve incidents, and protect the service.

7. Your rights

You may request access, rectification, erasure, restriction, portability, or objection to processing to the extent provided by GDPR.

You may also lodge a complaint with the President of the Polish Personal Data Protection Office.

8. Is providing data mandatory

Providing data marked as required, including first name, last name, and email address during signup, is voluntary, but necessary to create an account, buy access, receive confirmations, and handle complaints or support requests.

If you do not provide this data, we may be unable to conclude or perform the contract.

9. Automated decision-making

We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect users.

10. Cookies and browser storage

Details about cookies and other browser-side technologies are described in the Cookie Policy.

At the moment we do not run cookie-based marketing or external marketing analytics.