Privacy Policy
This is the privacy policy for rmfullstackaiengineer.dev ("the Service", "we", "us"). It explains what personal data we collect, why, and what you can do about it. We try to keep this readable — if anything is unclear, email privacy@rmfullstackaiengineer.dev.
1. Who we are
The Service is operated as a single-developer project by the owner of rmfullstackaiengineer.dev. For the purposes of GDPR and similar laws, the operator is the data controller. Reach us at privacy@rmfullstackaiengineer.dev.
2. What we collect
Account data
- Email address — required for sign-in, password reset, billing receipts, and important account notices.
- Password — stored only as a salted hash (PBKDF2). We cannot recover it.
- OAuth identity — if you sign in with Google or Apple, we store the provider's user ID and the email/name they share. We do not receive your provider password.
- Two-factor secret — if you enable TOTP 2FA, we store the encrypted TOTP secret and recovery code hashes.
Learning data
- Lesson progress, mastery scores, quiz answers, flashcards reviewed, and your Notebook entries — all tied to your account.
- Your prompts and responses to the AI Teacher. These are stored to render your lesson history and to track usage.
Billing data
- Your Stripe customer ID, subscription status, and credit balance. We never see or store your card details — those go directly to Stripe.
- Records of past charges and refunds, retained for tax and audit purposes (7 years).
Technical data
- IP address — used for abuse-prevention rate limits and audit logs of security-sensitive events (sign-in, password change). Not used for marketing.
- Session cookie — a single first-party,
HttpOnly,Secure,SameSite=Laxcookie used to keep you signed in. No third-party tracking cookies. - User-agent and timestamp on each session, so you can review and revoke active sessions.
3. How we use it
- To run the product — show your progress, save your notes, sync state across devices.
- To bill you — process subscriptions through Stripe.
- To talk to you about your account — verification emails, password resets, security alerts, billing receipts. These are transactional and you cannot opt out while your account is active.
- To prevent abuse — rate limits, audit logs, ban lists for credential stuffing or scraping.
- To improve the product — aggregated, anonymized funnel metrics (e.g. "X% of users complete stage 3"). We do not sell this data and do not run third-party analytics scripts.
4. Who we share it with (subprocessors)
We rely on a small set of vendors. They each get only the data they need:
| Vendor | Purpose | Data shared |
|---|---|---|
| Cloudflare | Hosting, CDN, DDoS protection | All Service data (it runs on Cloudflare Workers + D1) |
| Anthropic | AI Teacher (Claude Sonnet 4.6) | Lesson prompts you send. Anthropic's policy: API content is not used to train models. |
| Stripe | Subscription and payment processing | Email, customer ID, payment method (stored by Stripe directly) |
| Resend | Transactional email delivery | Email address, message body |
| Google / Apple | OAuth sign-in (only if you use it) | OAuth identity confirmation |
We do not share data with advertisers or data brokers. We do not have any marketing pixels or third-party analytics on the Service.
5. Your rights (GDPR / CCPA)
You can, at any time:
- Access — view all your data through the Account → Data Export menu (delivered as JSON).
- Correct — change your email or password from the Account menu.
- Delete — Account → Delete account permanently erases your data within 30 days. Billing records are kept for 7 years as required by tax law, then purged.
- Object / restrict processing — email privacy@rmfullstackaiengineer.dev.
- Lodge a complaint — with your local data protection authority. We hope you'll talk to us first.
6. Data retention
- Active account data: kept while your account exists.
- Deleted accounts: purged within 30 days. Stripe billing records retained for 7 years (tax requirement).
- Audit logs: retained for 365 days then deleted.
- Cached AI responses: retained up to 90 days to lower cost; not linked to your identity after that.
7. Cookies
We use exactly one cookie: a first-party session cookie named session. It is HttpOnly, Secure, SameSite=Lax, and used only to keep you signed in. No advertising cookies, no third-party trackers, no cross-site tracking.
8. Children
The Service is not directed at children under 16. If you are under 16, please do not create an account. If you believe a child has created an account, email us and we will delete it.
9. International transfers
The Service runs on Cloudflare's global network and your data may be processed in any region where Cloudflare operates. Cloudflare and our other subprocessors maintain GDPR-compliant Data Processing Agreements and Standard Contractual Clauses.
10. Changes to this policy
If we make material changes, we will email account holders at least 30 days before they take effect. Minor clarifications may be made without notice — the "Last updated" date at the top will always reflect the most recent change.
11. Contact
Privacy questions: privacy@rmfullstackaiengineer.dev
General contact: hello@rmfullstackaiengineer.dev