Privacy Policy
Last updated: 16 January 2026
1. Introduction and Data Controller
This Privacy Policy explains how we collect, use, and protect your personal data when you use The Claritecture Method and related services.
Data Controller:
- Company: Claritecture Studio Ltd
- Registered Address: 128 City Road, London, United Kingdom, EC1V 2NX
- Company Number: 16948359
- ICO Registration: ZC078056
- Email: [email protected]
References to "we", "us", or "our" mean Claritecture Studio Ltd.
2. Data We Collect
A. Information You Provide
- Name and email address
- Billing information (processed through Stripe - we do not store card details)
- Account details and password (hashed)
- Messages you send us
- Course progress and completion data
B. Usage Information
- Login activity and session data
- Module and lesson completion
- Device and browser details
- IP address (for security purposes)
C. AI Conversations
We offer two AI features:
- Public AI Chat: Available on the course page to answer questions about the course. No account required. Conversations are not stored by us.
- Claritecture AI Guide: Available to Tier 2 students to help navigate course content. Conversations are not stored by us.
Both AI features send your messages to our AI providers (OpenAI or Anthropic) for processing. Your conversations follow the retention policies of each AI provider. We do not store AI conversations on our servers.
3. How We Use Your Data and Lawful Basis
Under UK GDPR Article 6, we process your personal data on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) |
| Course delivery and progress tracking | Contract (Art. 6(1)(b)) |
| Payment processing | Contract (Art. 6(1)(b)) |
| Public AI Chat (pre-purchase enquiries) | Legitimate Interest (Art. 6(1)(f)) |
| AI Guide features (Tier 2) | Contract (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate Interest (Art. 6(1)(f)) |
| Tax and accounting records | Legal Obligation (Art. 6(1)(c)) |
| Marketing emails (if opted in) | Consent (Art. 6(1)(a)) |
We do not sell your data. We do not use your content to train AI models.
4. AI System Transparency (EU AI Act Compliance)
Under Article 50 of the EU AI Act (Regulation 2024/1689), we provide the following information:
AI System Classification: Our AI features (Public AI Chat and Claritecture AI Guide) use General Purpose AI (GPAI) systems. They are not classified as high-risk AI systems.
AI Providers:
- OpenAI (GPT models) - General purpose text generation
- Anthropic (Claude models) - General purpose text generation
How AI is Used: AI provides educational guidance and responds to your questions. AI does not make automated decisions that significantly affect you. All AI responses are informational and do not constitute professional advice.
5. Automated Decision-Making
Under UK GDPR Article 22, you have rights relating to automated decision-making. We use automated processing for:
- Course progress tracking: Automatic recording of completed lessons
- Access control: Automatic verification of subscription status
- Security monitoring: Automatic detection of suspicious activity
None of these automated processes produce legal effects or similarly significant effects on you. If you believe an automated decision has unfairly affected you, contact us at [email protected] to request human review.
6. How Long We Keep Data
- Account data: Retained while your account is active
- Course progress: Retained while your account is active
- Payment records: Retained for 6 years (legal requirement)
- After account closure: Personal data retained for up to 90 days, then deleted
- AI conversations: Stored by the AI provider under their retention policy
We cannot override or shorten AI provider retention settings.
7. International Data Transfers
Your data may be transferred to countries outside the UK and EU. We ensure appropriate safeguards:
| Provider | Location | Transfer Mechanism |
|---|---|---|
| OpenAI | USA | EU-US Data Privacy Framework, SCCs |
| Anthropic | USA | Standard Contractual Clauses |
| Stripe | USA | EU-US Data Privacy Framework, SCCs |
| Cloudflare | USA/Global | EU-US Data Privacy Framework, SCCs |
| Neon | USA | Standard Contractual Clauses |
| Bunny CDN | EU/Global | EU servers preferred |
We never share your data for advertising purposes.
8. Your Rights (UK GDPR)
Under UK GDPR, you have the following rights:
- Right of Access (Article 15): Request a copy of your personal data
- Right to Rectification (Article 16): Request correction of inaccurate data
- Right to Erasure (Article 17): Request deletion of your data
- Right to Restrict Processing (Article 18): Request we limit how we use your data
- Right to Data Portability (Article 20): Receive your data in a machine-readable format
- Right to Object (Article 21): Object to processing based on legitimate interests
- Right to Withdraw Consent (Article 7): Withdraw consent at any time
To exercise your rights:
We will respond within one month.
9. Right to Lodge a Complaint
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
- Telephone: 0303 123 1113
- Website: https://ico.org.uk/make-a-complaint/
We encourage you to contact us first so we can try to resolve your concerns.
10. Cookies
We use essential cookies only:
| Cookie | Purpose | Duration |
|---|---|---|
| session_id | Maintains your login session | Session / 7 days |
| csrf_token | Security - prevents cross-site request forgery | Session |
| cookie_notice_seen | Records that you've seen the cookie notice | 1 year |
We do not use tracking, analytics, or advertising cookies. All cookies are essential for the service to function properly and do not require consent under PECR.
11. Security
We protect your data with:
- Encryption in transit (TLS) and at rest
- Role-based access controls
- Audit logging
- Two-factor authentication for admin access
- Regular security monitoring
12. Age Restriction
Our service is intended for users aged 18 and over only. We do not knowingly collect personal information from anyone under 18. If you are under 18, you must not use this service.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under CCPA/CPRA:
Categories of Personal Information Collected:
- Identifiers (name, email, IP address)
- Commercial information (purchase history)
- Internet activity (course progress, login activity)
Your California Rights:
- Right to Know: Request disclosure of personal information collected
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out: We do not sell or share personal information
- Right to Non-Discrimination: We will not discriminate for exercising these rights
We do not sell your personal information.
To exercise your rights: [email protected]. Response time: Within 45 days.
14. Content Reporting and Online Safety
In accordance with the UK Online Safety Act 2023, we provide mechanisms for reporting harmful content:
- Report Harmful Content: [email protected]
- Response Time: We aim to review all reports within 48 hours
- Transparency: We will inform you of the outcome where appropriate
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website and, where appropriate, by email.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights:
- Email: [email protected]
- Address: Claritecture Studio Ltd, 128 City Road, London, EC1V 2NX, United Kingdom