1. Data Controller
The data controller for this Service is Digital Creative Academy ("we", "us", "our"), operating the Kora platform. For any privacy-related inquiries, contact us at learning-support@digital-creative-academy.com.
2. Information We Collect
We collect the following information:
- Account data: Name, email address, and hashed password when you create an account.
- Payment data: Processed securely by Stripe. We store only your Stripe customer ID — never your card details.
- Learning progress: Module completion status and session duration are stored on our servers to track your progress.
- Voice audio: During live sessions, your microphone audio is streamed in real time directly from your browser to Google Gemini for AI facilitation. Audio is processed transiently in memory only — it is never recorded, stored, or retained by us or by Google. Our servers never receive your audio data.
- Contact messages: Information you provide when contacting us through our form.
3. Data Stored Only in Your Browser
Session transcripts and personal notes are stored exclusively in your browser's local storage. This data never leaves your device and is not transmitted to or accessible by our servers. You can clear this data at any time by clearing your browser data or using the in-app clear button.
4. Legal Basis for Processing
We process your personal data on the following legal grounds (GDPR Art. 6 / Swiss FADP Art. 31):
- Contract performance: Processing your account data, payment data, and learning progress is necessary to provide the Service you subscribed to.
- Legitimate interest: Sending transactional emails (e.g., password resets, payment receipts) and maintaining platform security.
- Consent: Processing voice audio during live sessions, which you initiate by starting a session and activating your microphone.
5. How We Use Your Data
- To provide and improve the Kora learning experience
- To process payments and manage subscriptions
- To send verification and transactional emails
- To respond to your support inquiries
We do not sell, rent, or share your personal data with third parties for marketing purposes.
6. Data Security
We take security seriously. Your data is protected with:
- Password hashing: Passwords are hashed using bcrypt with a cost factor of 12. We never store plain-text passwords.
- Token security: Verification tokens are SHA-256 hashed before storage.
- HTTPS: All data in transit is encrypted using TLS.
- Secure sessions: Authentication uses signed JSON Web Tokens (JWTs) with HTTP-only cookies.
- Payment processing: Handled entirely by Stripe (PCI DSS Level 1 certified).
7. Cookies & Local Storage
We use HTTP-only session cookies for authentication. These are strictly necessary cookies and do not require consent. We do not use tracking cookies or third-party analytics cookies.
We use your browser's local storage to save session transcripts and personal notes for your convenience. This data remains entirely on your device.
8. International Data Transfers
Digital Creative Academy is based in Switzerland. We prioritise keeping your data within Europe:
- Render — Application and database hosting, located in Frankfurt, Germany (EU). Your data remains within the European Union.
- Stripe — Payment processing, operated within the EU by Stripe Payments Europe, Ltd. (Dublin, Ireland). Covered by Stripe's Data Processing Agreement.
- Google (Gemini API) — Voice audio processing. Audio may be processed outside the EU. Covered by Google's Data Processing Addendum and Standard Contractual Clauses (SCCs).
Switzerland benefits from an EU adequacy decision, meaning data transfers between Switzerland and the EU/EEA do not require additional safeguards. For transfers to countries without an adequacy decision (e.g., the United States), we rely on Standard Contractual Clauses approved by the European Commission.
9. Data Retention
Your data is retained as long as your account is active. When you delete your account, all personal data, enrollments, and session history are permanently and irreversibly deleted from our servers. Browser-stored data (transcripts, notes) can be cleared independently by you at any time.
10. Your Rights
Under the GDPR and Swiss Federal Act on Data Protection (FADP), you have the right to:
- Access: View your personal data on the Settings page.
- Rectification: Update incorrect data from your Settings page.
- Deletion: Permanently delete your account and all associated data from Settings.
- Restrict processing: Request that we limit how we use your data.
- Object: Object to processing based on legitimate interest.
- Data portability: Request an export of your data by contacting us.
- Withdraw consent: You can stop voice processing at any time by muting your microphone or ending the session.
To exercise any of these rights, contact us at learning-support@digital-creative-academy.com. We will respond within 30 days.
11. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
- The Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch
- Your local EU/EEA data protection authority, if you are based in the European Union.
12. Third-Party Services
- Stripe — Payment processing (Privacy Policy).
- Google Gemini — AI facilitator for voice sessions. Audio is processed transiently in real time, is not stored, and is not used to train AI models on the paid API tier (API Terms).
- Render — Application and database hosting (Privacy Policy).
13. Children's Privacy
Kora is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
14. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours, in accordance with GDPR Art. 33 and Swiss FADP Art. 24.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email. The "Last updated" date at the top of this page reflects the most recent revision.