Privacy policy.
Last updated: 2026-05-23 · 8-minute read
In plain English
- We collect your email, name, and (optionally) your university so we can run your account and send you course-related emails.
- Your payment is processed by Stripe. We never see or store your card number.
- We share data only with the processors we need to operate: hosting, payments, email, analytics (with your consent), and error monitoring.
- You have the right to access, correct, or delete your data at any time. Email hoang@edlintics.com and we will respond within 30 days.
- We keep financial records as long as Estonian tax law requires. Everything else is deleted when you close your account.
Data we collect
When you create an account or use Edlintics, we collect the following categories of personal data:
- Account data: your email address and display name, provided when you register.
- University (optional): the institution you attend, if you choose to provide it. This is used only to tailor course recommendations and is never required.
- Payment data: payment is processed by Stripe and Stripe Tax. We receive a transaction record (amount, currency, date, and a Stripe customer ID). We never see, transmit, or store your card number, CVV, or bank details.
- Course enrolments: which courses you have purchased and when.
- Exercise attempts: your responses to in-course exercises, including timestamps. These are used to track your progress and are not shared externally.
- Booked sessions: appointment records for 1:1 or group tutoring sessions, including the scheduled time and session type.
- Referral data: if you sign up through a referral link or refer another person, we store the link between your account and the referring or referred account, so we can attribute and apply any referral reward.
- Marketing preferences: whether you have opted in to marketing or product-update emails, with a timestamped record of that consent. Marketing email is sent only with your explicit opt-in, and every message includes a one-click unsubscribe; transactional email (receipts, booking confirmations) is sent regardless as it is necessary to deliver the service.
- Technical data: IP address, browser type, and device type, collected automatically by our infrastructure providers (Vercel, Cloudflare) for security and performance purposes.
Legal basis (GDPR Art. 6)
We process your personal data under the following legal bases as defined in GDPR Article 6:
Performance of a contract (Art. 6(1)(b))
When you purchase a course or book a tutoring session, we process your account data, payment records, enrolments, and session records to deliver the service you have contracted for. This includes sending confirmation emails, granting access to course materials, and scheduling your live session.
Legitimate interests (Art. 6(1)(f))
We use analytics (PostHog) and error monitoring (Sentry) to improve the reliability and quality of the service. Analytics is conditional on your consent; error monitoring runs unconditionally because it is operationally necessary for us to detect and fix problems that affect your experience.
Legal obligation (Art. 6(1)(c))
We retain payment and invoicing records for as long as Estonian tax law requires (currently seven years for accounting and VAT records under the Estonian Accounting Act). This obligation overrides any erasure request for those specific records during the retention period.
Third-party processors
We use the following third-party processors to operate Edlintics. Each processor has signed a Data Processing Agreement (DPA) with us or operates under the EU Standard Contractual Clauses where required. We do not sell your data to any third party.
| Processor | Purpose | Data flowed | Region |
|---|---|---|---|
| Neon | Primary database | All user and course data stored in the database | EU (eu-west-1, Ireland) |
| Vercel | Application hosting and edge delivery | All web traffic; IP addresses; request logs | EU / Global edge |
| Stripe / Stripe Tax | Payment processing and tax calculation | Email address, transaction amount, currency, billing country; Stripe customer ID | EU / US |
| Cloudflare R2, Images, Stream | File storage, image optimisation, video delivery | Course assets (video, images, documents); no PII beyond access logs | Global edge |
| Anthropic | AI-assisted content authoring (admin-side only) | Course draft text submitted by the admin; no student data is sent to Anthropic | US |
| Resend | Transactional email delivery | Email address, name, email content (receipts, access links) | EU |
| PostHog | Product analytics | Page views, feature interactions, anonymised usage events — only when analytics consent is given | EU |
| Sentry | Error monitoring and performance tracing | Stack traces, browser/device info, anonymised user context | US |
| Inngest | Background job processing | Job payloads relevant to the triggered event (e.g. user ID for post-purchase workflows) | US |
| Upstash | Rate limiting and ephemeral caching | Hashed IP addresses or user IDs used as rate-limit keys | Global edge |
| Better Auth | Session management and authentication | Session tokens stored in-app; no data leaves the Edlintics infrastructure for this purpose | In-app (Neon) |
| Zoom | Live tutoring session video | Name and email address used to generate a Zoom meeting link; video and audio of the session if Zoom's recording feature is used (only with your consent) | US |
Cookies
We use cookies to keep you signed in, remember your theme preference, and (with your permission) measure how the site is used. For a full breakdown of every cookie we set — including names, purposes, and expiry — see our Cookie policy.
Data retention
We retain different categories of data for different periods:
- Account data (email, name): retained while your account is active. Deleted within 30 days of an account-erasure request, subject to the exceptions below.
- Payment and invoice records: retained for seven years as required by Estonian tax law (the Estonian Accounting Act). During this period, erasure requests for these records cannot be fulfilled, but the data is isolated from active processing.
- Session records (booked appointments): retained for the same seven-year period for tax and contractual record-keeping purposes.
- Exercise attempts and course progress: deleted on account erasure. No retention obligation applies.
- Analytics events (PostHog): retained for up to 12 months in anonymised form. No post-erasure retention of identifiable events.
To request account deletion, email hoang@edlintics.com. We will confirm receipt within 5 business days and complete the deletion within 30 days.
Your rights under GDPR
As a data subject under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15): you may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): you may request that we correct inaccurate or incomplete data.
- Right to erasure (Art. 17): you may request deletion of your data, subject to retention obligations described above.
- Right to data portability (Art. 20): you may request your data in a structured, machine-readable format.
- Right to object (Art. 21): you may object to processing based on legitimate interests.
- Right to restriction of processing (Art. 18): you may request that we restrict how we use your data while a dispute is resolved.
To exercise any of these rights, email hoang@edlintics.com. We will respond within 30 days as required by GDPR. If you believe we have not handled your request correctly, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee, or with the data protection authority in your own EU country of residence.
International transfers
Several of our processors are based in the United States (Anthropic, Sentry, Inngest, Zoom). Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal mechanism for that transfer, as provided under GDPR Article 46(2)(c). Each processor has either executed SCCs with us directly or participates in an equivalent adequacy framework.
Processors operating at the global edge (Vercel, Cloudflare, Upstash) may cache or serve requests from nodes outside the EU. Where this occurs, the data involved is limited to technical request data (IP address, headers) and is covered by the processor's own DPA and SCCs.
Contact for data requests
Edlintics is operated by Hoang Truong, registered in Estonia. For any question, request, or concern about how we handle your personal data, contact us at:
We will acknowledge your message within 5 business days and respond fully within 30 days, as required by GDPR. If your request is complex or numerous, we may extend this period by a further two months, in which case we will notify you within the initial 30-day window.
Updates to this policy
We may update this policy when we add new processors, change how we use data, or are required to by law. The "Last updated" date at the top of this page reflects the most recent revision.
For significant changes — for example, if we add a new category of data processing or a new international transfer — we will notify you by email before the change takes effect, giving you the opportunity to review the updated policy and, where applicable, withdraw consent or close your account.
Minor editorial updates (correcting typos, clarifying existing text without changing the substance) will not be separately notified but will be reflected in the updated date above.