Legal
Privacy Policy
Version 1.0 · Last updated: 2026-05-18
v1 — counsel review pending before public launch. Substantive questions to [email protected].
The short version
We're CTOschool. To run the platform we collect only what we need: your account credentials, the content you choose to make public, and basic activity logs for security. We never sell your data. We don't run third-party trackers without your permission. You can request a copy or deletion of everything we have, at any time. The full policy below covers the legal specifics.
1. Who we are
CTOschool is operated by [TODO(privacy-counsel-review): operating-entity legal name]. We are the data controller for the information described in this policy.
- Domain: ctoschool.live
- Email: [email protected]
- Mailing address: [TODO(privacy-counsel-review): registered business address]
2. What we collect
Account data
When you sign up:
- Email address
- Password (stored hashed; we never see or store the plaintext)
- Username and full name (visible on your public Profile)
- Country, preferred locale, timezone (used to localise the product)
Profile data
What you fill in:
- Bio, headline, avatar image
- Tech stack, domain interests, role, institution
- Optional academic profile (institution, program, year)
Posts and projects
What you ship:
- Caption text, attached media (images, files, screenshots)
- Linked repositories, deployed URLs, and tagged tools
- Anything you mark public is displayed on your Profile and may be surfaced via search, discovery, and AI citation (see section 8)
Activity data (collected automatically)
- IP address and user agent (for fraud prevention, rate limiting, abuse detection)
- Timestamps of logins, posts, and interactions
- Session identifiers (stored in HttpOnly cookies)
Communications
Email exchanges between you and our support address, plus any in-product messages you send.
3. Why we collect it · legal basis
Under GDPR Article 6, every category of data we process has a specific lawful basis. For California residents, equivalent CCPA "business purpose" rules apply.
| Data | Purpose | Legal basis |
|---|---|---|
| Account credentials | Authenticate you | Contract · Art 6(1)(b) |
| Public Profile content | Display your work to others | Contract · Art 6(1)(b) |
| Activity / IP logs | Fraud prevention, abuse mitigation | Legitimate interest · Art 6(1)(f) |
| Analytics cookies | Understand platform usage | Consent · Art 6(1)(a) |
| Support emails | Respond to your questions | Legitimate interest · Art 6(1)(f) |
4. How long we keep it
- Account data: as long as your account exists, plus up to 30 days after deletion (soft-delete window for recovery / appeals). After 30 days, account data is permanently deleted or anonymised.
- Posts: retained as long as your account exists. After account deletion, posts are anonymised — your name is replaced with "Deleted user" — but remain visible so conversations they participated in stay coherent.
- Activity / IP logs: 90 days, then deleted.
- Email exchanges: 12 months unless an ongoing issue requires longer.
- Analytics data: 14 months in Google Analytics (configurable in GA4; we keep the default). Only collected if you consented.
5. Who we share it with
We do not sell your data. We share it only with the processors below, who help us run the platform under contractual data-processing terms.
| Processor | Purpose | What they receive |
|---|---|---|
| Mailgun (US) | Email delivery | Email address, message content |
| [TODO(privacy-counsel-review): hosting / database provider] | Application hosting + data storage | All data described in section 2 |
| Google Analytics (Google LLC) | Aggregate platform usage | Pageviews, browser metadata, session ID — only if you consent |
We disclose data to law enforcement only when legally compelled (court order, subpoena, or equivalent). Where permitted by law, we notify the affected user before doing so.
6. Where your data lives
[TODO(privacy-counsel-review): primary region(s) for the database and storage backend. Likely India for ctoschool.live; founder to confirm before public launch.]
We host data with cloud providers operating in the region(s) above. Backups may be replicated to additional regions for disaster recovery. Email sent via Mailgun is processed in the United States.
8. AI search and citation
Public content on CTOschool — your Profile at /your-username and your public posts at /p/postId — may be indexed and cited by AI search engines (ChatGPT, Claude, Perplexity, Google AI Overviews, and similar tools).
We publish a /llms.txt file declaring this policy openly. When AI search engines cite your content, they link back to your canonical URL on CTOschool — attribution is built into the citation chain.
What we don't do: we do not train our own AI models on your content. We do not sell your content to third-party AI training pipelines.
Your control: you can make your account inactive or delete it. A per-account opt-out toggle for AI indexing is on our roadmap.
9. Your rights
Under GDPR (EU/UK), CCPA (California), and similar laws, you have the following rights with respect to your personal data:
- Access: request a copy of all data we hold about you.
- Rectification: ask us to correct inaccurate data.
- Erasure: ask us to delete your account and data ("right to be forgotten").
- Portability: receive your data in a machine-readable format.
- Restriction: ask us to pause processing temporarily.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: revoke analytics consent at any time via the Cookie settings link in the footer.
How to exercise:
- Most rights are available directly in /settings → Privacy — including data export (Download my data) and account deletion.
- For everything else, email [email protected]. We respond within 30 days.
- You also have the right to complain to your local data protection authority (the supervisory authority in your EU member state, or the ICO in the UK).
10. International transfers
Some processors (Mailgun, Google Analytics) operate in the United States. If you are in the EU, UK, or another region with cross-border transfer rules, your data may be transferred to and processed in those jurisdictions. For EU/UK data, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission and UK ICO, plus our processors' own equivalent safeguards.
11. Children
CTOschool is not intended for users under the age of 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, email [email protected] and we will delete it within 30 days.
12. Security
How we protect your data in transit and at rest:
- TLS encryption for all traffic between you and ctoschool.live
- Passwords stored hashed (bcrypt); never in plaintext
- HttpOnly + Secure + SameSite flags on auth cookies
- Rate limiting and abuse detection on auth + posting
- Regular dependency audits and security review
No internet service is 100% secure. If you discover a vulnerability, email [email protected] — we'll respond within 5 business days.
13. Changes to this policy
We may update this policy. We will notify you of material changes (new processors, new data categories, a different legal basis, longer retention) via email and in-product at least 30 days before they take effect. Non-material changes (typos, clarifications) take effect on update; the "Last updated" date at the top reflects the most recent change.
14. Contact
For privacy questions, data requests, or to exercise any of your rights:
- Email: [email protected]
- Postal: [TODO(privacy-counsel-review): postal address for formal requests]