Privacy Policy
Your privacy is fundamental to our mission. This policy explains what we collect, how we use it, who we share it with, and how you can control it.
Last updated: June 6, 2026
Who Is Responsible for Your Data
ISO 26262 Academy is the data controller for personal information processed through the platform at iso26262.academy. You can reach us at [email protected] for any privacy question.
We have not appointed a formal Data Protection Officer because our processing does not currently meet the thresholds in Article 37 GDPR, but you can address any data protection question to the same email above.
Information We Collect
- Account information: name, email, organization, professional role, password hash (we never store plaintext passwords)
- Identity data from OAuth sign-in: when you sign in with Google or LinkedIn we receive your email, name and profile picture from those providers
- Learning progress: courses started, video position, bookmarks, exam attempts and scores, exam disputes, work product submissions, career path responses
- Usage analytics: pages visited, features used, click events, search queries, time on platform, heatmap interactions
- Session recordings: anonymized interaction replays via PostHog Session Replay so we can debug issues and improve the product (form inputs and password fields are always masked)
- Payment and billing: billing address, last four card digits, subscription tier, invoice history (full card numbers are stored only by Stripe or PayPal, never by us)
- Communication data: support tickets, forum posts, feedback submissions, ratings, contact form messages
- Device and session security data: browser user agent, IP address, device fingerprint (used for session security and abuse prevention), approximate country derived from IP
- AI prompts and outputs: when you use AI-assisted features, your prompts and any generated responses are processed by our LLM providers and may be stored for quality and abuse review
- Cookies and similar technologies: see our Cookie Policy for the full list
How We Use Your Information
- Provide and operate the platform (contractual necessity, Art. 6(1)(b) GDPR)
- Authenticate you, secure your session, and detect suspicious sign-ins (legitimate interest, Art. 6(1)(f))
- Track learning progress, generate certificates, and surface personalized recommendations (contractual necessity and consent where applicable)
- Process payments and prevent fraud (contractual necessity and legal obligation)
- Send service emails such as password resets, billing notifications, and policy updates (contractual necessity)
- Send marketing or product update emails only with your consent, and only until you unsubscribe
- Improve the platform through aggregated analytics, A/B tests, surveys and session replays (legitimate interest, with opt-out controls)
- Generate content with the help of OpenAI and Anthropic models for AI-assisted features (contractual necessity for the feature, consent where the feature is optional)
- Comply with legal obligations such as tax records, accessibility requirements, and lawful requests from authorities
Data Protection
- All traffic is encrypted in transit using TLS 1.2 or higher
- Sensitive fields (OAuth tokens, refresh secrets) are encrypted at rest using Fernet (AES-128-CBC + HMAC)
- Passwords are stored only as salted hashes; we never see or store the plaintext
- Access to production data is restricted to a small number of named engineers on a need-to-know basis, logged, and reviewed
- Backups are encrypted, retained for a limited period, and stored separately from primary storage
- Regular dependency scanning, secret scanning, and review of authentication-related code
- We follow GDPR and CCPA practices and have an internal process for handling data subject requests
Your Rights
- Access: request a copy of the personal data we hold about you
- Rectification: ask us to correct inaccurate or incomplete data
- Erasure: ask us to delete your account and associated data, subject to the retention rules described below
- Restriction and objection: ask us to pause specific processing, including profiling-based recommendations
- Portability: receive your learning data in a machine-readable format
- Withdraw consent: turn off marketing emails, analytics tracking, or AI-assisted features at any time without losing access to the core product
- Lodge a complaint with your local data protection authority (in the EU, this is your national supervisory authority)
- To exercise any of these rights, write to [email protected]. We respond within 30 days as required by GDPR
AI Features and Automated Processing
Several features rely on large language models from OpenAI and Anthropic. When you use these features:
- The text you submit is sent to the relevant provider over an encrypted connection so the response can be generated
- Providers process the request on our behalf as data processors under their respective Data Processing Addendums
- We do not use your prompts to train any model, and we have asked our providers not to either where they offer that setting
- Generated content is stored alongside the page or item it belongs to so you can review or remove it
The career path recommender, exam adaptation, and learning suggestions use behavioral signals to rank content. These are not legally significant automated decisions in the sense of Article 22 GDPR. You can opt out of personalized recommendations from your profile settings without losing access to the rest of the platform.
Third Parties Who Receive Your Data
We share personal data with a small set of vetted providers, each acting either as a processor on our behalf or as an independent controller for their own service. The current list is:
- Stripe and PayPal - payment processing, subscription billing, and fraud prevention
- PostHog (EU region, eu.posthog.com) - product analytics, session replay (with masking), error tracking, A/B testing, surveys, and LLM usage analytics
- Sentry - backend and frontend error tracking, including stack traces and the user identifier of the affected session
- OpenAI and Anthropic - large language model providers for AI-assisted features
- Google and LinkedIn - OAuth identity providers when you choose to sign in with them
- Cloudflare - content delivery network, edge security, and bot protection
- DigitalOcean - managed PostgreSQL database, application hosting, and managed Redis
- Email delivery provider - transactional and (with consent) marketing emails
We do not sell personal information, and we do not share personal information with advertisers.
Cookies and Local Storage
We use the minimum cookies and browser storage needed to keep you signed in and remember your preferences. The categories and key items are:
- Essential - JWT access and refresh tokens (the refresh token is HttpOnly and same-site), CSRF protection, cookie consent state. These are required for the platform to work and cannot be turned off
- Functional preferences - sidebar expanded or collapsed, theme, locale, dismissed banner state
- Analytics - PostHog cookies used only after you accept analytics in the cookie banner
- No advertising cookies - we do not run ad networks or remarketing pixels
You can change your consent at any time through the cookie banner or your browser settings. See our Cookie Policy for the full list.
How Long We Keep Your Data
We hold each category of data only as long as we need it:
- Active account data: for as long as your account exists
- Learning progress and certifications: for the duration of your subscription plus 3 years so we can verify certificates after you leave
- Payment records: 10 years where required by tax law, otherwise 7 years
- Support tickets and contact messages: up to 3 years
- Session recordings: up to 30 days, then automatically deleted by PostHog
- Backend error events in Sentry: up to 90 days
- Server access logs and security events: 90 days
- Backups: encrypted, rotated, and overwritten on a fixed schedule
When you delete your account, we mark your record as soft-deleted, sign you out of all sessions, and stop processing your data for new purposes. We keep the soft-deleted record only for the legal and accounting periods listed above, after which it is purged. If you want immediate erasure of items not covered by a legal retention obligation, email [email protected].
Where Your Data Is Processed
Our primary application and database run in the European Union on DigitalOcean managed infrastructure. PostHog data is processed in the EU. Some of our providers, notably Stripe, OpenAI, Anthropic, Sentry, and Cloudflare, may process data in the United States or other countries.
For any transfer outside the European Economic Area we rely on either an adequacy decision by the European Commission, the EU-US Data Privacy Framework where the provider is certified, or Standard Contractual Clauses combined with technical safeguards such as encryption in transit and at rest.
Notice for California Residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we have collected about you, the right to correct it, the right to delete it, the right to limit the use of sensitive personal information, and the right to opt out of any sale or sharing of your personal information.
We do not sell personal information and we do not share it for cross-context behavioral advertising as defined by the CPRA. To exercise any California right, email [email protected] with the subject line "California Privacy Request". We will verify your identity using information already on file before responding.
Security Incidents
If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay, as required by Article 33 and Article 34 GDPR.
Children's Privacy
Our services are not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe we have collected such information, please contact us and we will delete it.
Changes to This Policy
We may update this privacy policy from time to time. Material changes will be announced by email to active users and by a prominent notice in the app before they take effect. The version shown at the top of this page is always the current one, and previous versions are available on request.
Contact Our Privacy Team
Questions about this policy, requests to exercise your rights, or any other privacy concern can be sent to:
Email: [email protected]
Subject line for rights requests: "Privacy Request" (or "California Privacy Request" for CCPA / CPRA)