Privacy Policy

Last updated: March 2026

1. Information We Collect

When you use Octo, we collect:

  • Account information: name, email address, and authentication data provided during sign-up via Clerk.
  • Payment information: processed securely by Stripe. We do not store your card details on our servers.
  • Usage data: which modules you have completed, quiz scores, and badges earned, stored to power your progress dashboard and badges.
  • Consent records: timestamps and details of when you accepted our terms, privacy policy, and cookie preferences.
  • Technical data: IP address, browser type, and device information collected automatically through Cloudflare for security and performance.

2. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract: to provide course access and badges you have purchased.
  • Consent: for non-essential cookies and any marketing communications.
  • Legitimate interest: for platform security, fraud prevention, and aggregate analytics.
  • Legal obligation: to comply with tax and financial record-keeping requirements.

3. How We Use Your Information

We use collected information to:

  • Provide and maintain access to purchased courses.
  • Issue and verify badges of completion.
  • Send transactional emails (receipts, account updates) via Clerk and Stripe.
  • Improve the platform based on aggregate, anonymised usage patterns.
  • Prevent fraud and ensure platform security.

We do not sell your personal data to third parties.

4. Third-Party Services

We use the following third-party services that may process your data:

Service    | Purpose                          | Privacy Policy
Clerk      | Authentication & user management | clerk.com/legal/privacy
Stripe     | Payment processing               | stripe.com/privacy
Cloudflare | Hosting, database, CDN, security | cloudflare.com/privacypolicy

Each provider acts as a data processor on our behalf and has its own privacy practices.

5. Cookies

We use essential cookies for authentication and payments, and may use optional cookies for analytics. See our Cookie Policy for full details.

6. Data Retention

We retain your data for as long as your account is active. Specifically:

  • Account data: retained until you delete your account.
  • Purchase records: retained for 7 years for tax and legal compliance.
  • Progress & badges: retained until account deletion.
  • Consent records: retained for the duration of the consent plus 3 years.

7. Your Rights

Depending on your jurisdiction (GDPR, CCPA, etc.), you have the right to:

  • Access: request a copy of all personal data we hold about you.
  • Rectification: correct inaccurate personal data.
  • Erasure: request deletion of your personal data ("right to be forgotten").
  • Data portability: receive your data in a machine-readable format.
  • Restriction: restrict processing of your data in certain circumstances.
  • Object: object to processing based on legitimate interests.
  • Withdraw consent: withdraw consent at any time where processing is consent-based.

To exercise these rights, you can:

  • Export your data: visit your Dashboard and use the data export feature.
  • Delete your account: use the account deletion option in your settings or contact us.
  • Email us: send a request to privacy@learnatocto.com.

We will respond to data rights requests within 30 days.

8. CCPA Disclosure (California Residents)

Under the California Consumer Privacy Act, California residents have the right to:

  • Know what personal information is collected and how it is used.
  • Request deletion of personal information.
  • Opt out of the "sale" of personal information (we do not sell your personal data).
  • Not be discriminated against for exercising your CCPA rights.

9. Children's Privacy

Octo is not directed at children under 16. We do not knowingly collect personal data from anyone under 16 years of age. If you believe a child has provided us with personal data, please contact us so we can delete it.

10. International Data Transfers

Your data may be processed in countries outside your own (including the United States) through our service providers. We ensure appropriate safeguards are in place through Standard Contractual Clauses and the providers' own compliance programs.

11. Data Security

We implement reasonable technical and organisational measures to protect your data, including encrypted connections (HTTPS), secure authentication via Clerk, and PCI-compliant payment processing via Stripe. However, no method of transmission or storage is 100% secure.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email or by posting a prominent notice on the platform. The "Last updated" date at the top reflects the most recent revision.

13. Contact

Questions about this policy? Email us at privacy@learnatocto.com.
