Privacy Policy

Last updated: 2026-05-05

Template — replace with your finalised policy after legal review. This sample is provided for development convenience only and is not legal advice.

1. Who we are

[COMPANY NAME] Limited ("SuperShorts", "we", "our" or "us") is a company registered in England and Wales (company number [COMPANY NUMBER]) with its registered office at [REGISTERED ADDRESS], United Kingdom. We are the data controller responsible for your personal data and are registered with the UK Information Commissioner's Office (ICO) under registration number [ICO REGISTRATION NUMBER].

2. Personal data we collect

We collect the following categories of personal data:

  • Account data — your email address and a hashed record of your most recent verification code.
  • Payment data — your subscription plan, payment status and a Stripe customer reference. We do not see or store your full payment card details; those are handled directly by Stripe.
  • Usage data — which episodes you have started or completed, and the funnel events you trigger (page view, paywall shown, checkout started, payment success).
  • Technical data — IP address, browser type, device type, operating system and approximate location (derived from your IP), collected by our hosting and analytics providers.

3. How we collect it

We collect data:

  • directly from you when you enter your email and pay;
  • automatically as you use the Service (cookies and similar technologies);
  • from third-party providers who help us run the Service (Stripe for payments, Meta for advertising attribution).

4. Lawful basis for processing

We process your personal data on the following legal bases under the UK GDPR:

  • Contract — to deliver the Service you have paid for (Article 6(1)(b)).
  • Legitimate interests — to operate, secure and improve the Service, prevent fraud and measure the effectiveness of our advertising (Article 6(1)(f)).
  • Legal obligation — to comply with tax, accounting and consumer-protection law (Article 6(1)(c)).
  • Consent — where required (for example, certain non-essential cookies). You can withdraw consent at any time.

5. Who we share your data with

We share your personal data only with the providers we need to operate the Service:

  • Stripe Payments Europe, Limited — payments, billing, fraud prevention.
  • Mux Inc. — video delivery and viewing analytics.
  • Resend (Drie B.V.) — transactional email (verification codes, receipts, magic links).
  • Vercel Inc. — application hosting and edge-function execution.
  • Meta Platforms Ireland Limited — advertising measurement via the Meta Pixel and Conversions API, where you have not opted out.

We do not sell your personal data. We may disclose your data when required by law, to protect our rights, or in connection with a business transfer (for example, a merger or acquisition).

6. International transfers

Some of our providers (notably Stripe, Mux, Vercel, Meta and Resend) process data outside the United Kingdom, including in the United States. Where we transfer personal data outside the UK, we rely on UK-approved safeguards including the UK's International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses with the UK Addendum, or the UK Extension to the EU-US Data Privacy Framework where the recipient is certified.

7. Cookies and similar technologies

We use the following types of cookies and storage:

  • Strictly necessary — signed JWT cookies used to keep you signed in and to gate paid Content. These cannot be disabled.
  • Analytics and advertising — the Meta Pixel sets cookies to measure the effectiveness of our advertising and to build audiences for future campaigns. You can opt out via your browser settings or, where presented, our cookie banner.

8. How long we keep your data

We retain your account and payment data for as long as you have an active subscription and for up to 7 years after closure to comply with UK tax and accounting law. Verification cookies expire within 5 minutes; magic link cookies within 30 minutes; access cookies within 12 months of last use. Funnel analytics events are retained for up to 24 months.

9. Your rights

Under the UK GDPR you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request erasure of your personal data (subject to our legal obligations);
  • restrict or object to certain processing, including direct marketing;
  • receive a portable copy of the data you provided to us;
  • withdraw consent (where consent is the legal basis);
  • complain to the UK Information Commissioner's Office at ico.org.uk.

10. How to exercise your rights

Send any privacy request to support@example.com. We will respond within one calendar month. We may need to verify your identity before acting.

11. Children

The Service is not directed at children under 18 and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us so we can delete it.

12. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top will reflect the latest revision. Material changes will be communicated via email or in-product notice.

13. Contact

Questions about this policy? Email support@example.com.