Legal
Privacy Policy
Last updated · 13 June 2026
Your privacy matters. This policy explains what data we collect, why, how we use and protect it, and the rights you have over it. It applies to The Master Key System Academy (the "Academy", "we", "us"). Plain language first; legal precision second.
1. Data We Collect
You give us
- Account data: name, email, password (hashed), language preference.
- Course work: quiz answers, journal entries, written reflections, sitting records, mind audits, community posts.
- Communication: messages you send to support.
We collect automatically
- Usage data: pages visited, lessons opened, completion timestamps.
- Device data: browser type, operating system, approximate region from IP.
- Cookies and similar: strictly necessary cookies for sign-in and session; no third-party tracking or advertising cookies.
From third parties
- Payment data: Stripe sends us a receipt and the last four digits of your card. We never see the full card number.
2. Why We Use It
- To deliver the course, track your progress, and issue your certificate.
- To run the community spaces and moderate them.
- To send course emails: lesson unlocks, weekly digest, streak reminders, graduation notice.
- To improve the curriculum and fix bugs.
- To meet legal and accounting obligations.
3. Legal Bases (GDPR)
Depending on the activity, we rely on (a) performance of our contract with you, (b) our legitimate interests in providing and improving the Service, (c) your consent (for optional features), and (d) compliance with legal obligations.
4. AI Processing
If you opt to use AI study aids, the relevant prompt may be sent to a model provider purely for that response. We do not allow the provider to train on your personal data, and we strip identifying account fields before sending.
5. Who We Share Data With
We do not sell your data. We share only with the processors needed to run the Service:
- Hosting & database: secure cloud infrastructure.
- Payments: Stripe.
- Email delivery: transactional email provider.
- AI model providers: only for the AI features you choose to use.
- Authorities: only where legally required.
6. International Transfers
Some processors are based outside the EU/EEA or your country of residence. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
7. Retention
- Account and course-work data: for as long as your account is open.
- Payment records: for the period required by tax and accounting law (typically 7 years).
- Backups: rolling 30-day backups for disaster recovery.
- Closed-account data: deleted within 30 days of account closure, except as required by law.
8. Your Rights
Subject to your jurisdiction (GDPR, UK GDPR, Thailand PDPA, CCPA, etc.) you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data ("right to be forgotten").
- Export your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent at any time for consent-based processing.
- Lodge a complaint with your local data-protection authority.
You can act on most of these from Settings → Account, or by writing to us through the contact page.
9. Security
We use encrypted connections (HTTPS), encrypted database storage, row-level access controls, hashed passwords, audit logging, and regular security reviews. No system is perfectly secure; we will notify affected users without undue delay if a breach materially affects them.
10. Children
The Service is not directed at children under 18 and we do not knowingly collect their data. If you believe a child has provided us data, contact us and we will delete it.
11. Cookies
We use only strictly necessary cookies (sign-in session, CSRF protection, language). We do not use third-party advertising or behavioural tracking cookies.
12. Changes
Material changes to this policy will be announced in-app and by email at least 14 days before they take effect.
13. Contact
For privacy questions, data requests, or complaints, write to us via the contact page.