Who We Are
ProductCEO Academy Ltd ("ProductCEO", "we", "our", "us") is the data controller responsible for your personal information. We operate the website at productceo.com and all associated sub-domains, mobile applications, APIs, and related services (collectively, the "Platform").
We are registered as a data controller under applicable data protection legislation. Our Data Protection Officer (DPO) can be reached at privacy@productceo.com and is responsible for overseeing all data protection matters on behalf of ProductCEO Academy Ltd.
Data We Collect
We collect only the data that is necessary and proportionate to provide and improve our services. We collect information in three ways: information you provide directly, information collected automatically, and information we receive from third parties.
Information You Provide Directly
- Account Registration: Full name, email address, password (hashed), country and optional profile photo.
- Profile Information: Job title, company name, professional biography, LinkedIn URL and areas of expertise (optional).
- Payment Information: Billing name, billing address and payment card details. Card data is processed exclusively by our PCI-DSS Level 1 certified payment processor; we never store raw card numbers.
- Contact & Enquiries: Name, email, phone, company, enquiry subject and message body when you submit a contact form.
- Consultancy Bookings: Name, email, phone, company, service interest, preferred date/time and any contextual challenge description submitted via our booking system.
- Course Interactions: Progress data, quiz answers, assignment submissions, certificates earned and discussion forum contributions.
- Coach Applications: Professional credentials, CV/resume, course content submitted for review and bank/payout details.
- Communications: Email correspondence, support tickets and any records you share with our team.
Information Collected Automatically
- Usage Data: Pages visited, features used, time on page, click paths, search queries and referral sources.
- Technical Data: IP address, browser type and version, operating system, device type, screen resolution and time zone.
- Cookies & Tracking: Session identifiers, preference cookies and analytics identifiers (detailed in §6).
- Log Data: Server access logs, error logs, API call records and security event logs.
Information from Third Parties
- Social Sign-In: If you register via Google or LinkedIn, we receive your name, email and profile picture as authorised by you during the OAuth flow.
- Payment Processors: Transaction confirmation, last four card digits and billing country from Stripe or PayPal.
- Analytics Providers: Aggregated and anonymised behavioural data to improve platform performance.
How We Use Your Data
| Purpose | Data Used | Basis (§4) |
|---|---|---|
| Create and manage your account | Name, email, password | Contract |
| Deliver courses, content and certifications | Account data, progress data | Contract |
| Process payments and issue receipts | Billing data, email | Contract |
| Manage and fulfil consultancy bookings | Booking data, contact details | Contract |
| Provide customer support | Contact data, account history | Contract |
| Send transactional emails (receipts, bookings) | Email, name | Contract |
| Send marketing communications (with opt-in) | Email, name, preferences | Consent |
| Personalise the learning experience | Usage data, progress, preferences | Legitimate Interest |
| Analyse platform usage to improve our services | Usage data, technical data (anonymised) | Legitimate Interest |
| Detect and prevent fraud and abuse | IP, usage data, account data | Legitimate Interest |
| Comply with legal obligations | Any data required by law | Legal Obligation |
| Enforce our Terms of Service | Account data, usage data | Legitimate Interest |
Legal Basis for Processing
Under the General Data Protection Regulation (GDPR) and equivalent legislation, we are required to identify a lawful basis before processing your personal data. We rely on the following bases:
Processing is necessary to deliver the services you have requested — including account creation, course access, payment processing and consultancy booking fulfilment. You cannot use our paid services without this processing.
Where we rely on consent — for example, to send you marketing newsletters or to set non-essential cookies — we obtain your clear, freely-given, specific and informed consent beforehand. You may withdraw consent at any time without detriment by contacting us or using the unsubscribe link in any marketing email.
We process certain data for our legitimate business interests, including fraud prevention, platform security, product analytics and service personalisation. We conduct and document a Legitimate Interests Assessment (LIA) for each such processing activity to ensure your rights and freedoms are not overridden.
We may process data where necessary to comply with a legal or regulatory obligation, including tax record-keeping, responding to lawful requests from courts or public authorities, and complying with anti-money laundering requirements.
Data Sharing & Transfers
We do not share your personal data with third parties except in the limited circumstances described below. Where we do share data, we require all recipients to maintain appropriate security standards and to use the data only for the specified purpose.
Service Providers (Processors)
We share data with carefully vetted third-party processors who act under our instruction and are contractually bound by Data Processing Agreements (DPAs):
| Category | Purpose | Transfer Safeguard |
|---|---|---|
| Payment Processor (Stripe / PayPal) | Secure payment collection and fraud prevention | Standard Contractual Clauses + PCI-DSS |
| Cloud Hosting (AWS / DigitalOcean) | Platform infrastructure and data storage | DPA + SCCs / EU-US Data Privacy Framework |
| Email Delivery (SendGrid / Mailgun) | Transactional and marketing email dispatch | DPA + SCCs |
| Analytics (Google Analytics) | Anonymised usage analysis | DPA + SCCs + IP anonymisation enabled |
| Video Hosting (Vimeo / Bunny.net) | Course video delivery | DPA + SCCs |
| Customer Support (Crisp / Intercom) | Live chat and support ticket management | DPA + SCCs |
| Accounting Software | Invoice generation and tax compliance | DPA |
Other Permitted Disclosures
- Legal Requirements: We may disclose data when required by law, court order, or governmental authority, and only to the extent legally compelled.
- Business Transfers: In the event of a merger, acquisition or sale of substantially all assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections and advance notice to you.
- Protection of Rights: We may disclose data where necessary to protect the legal rights, safety or property of ProductCEO, our users or the public.
- With Your Consent: We may share data with other parties where you have given us explicit prior consent to do so.
Cookies & Tracking Technologies
We use cookies and similar technologies (local storage, session storage, pixel tags) to operate and improve the Platform. Cookies are small text files placed on your device. Below is a full inventory of the cookies we use:
| Category | Cookie / Technology | Purpose | Duration | Consent Required |
|---|---|---|---|---|
| Strictly Necessary | PHPSESSID, csrf_token | Session management, CSRF protection, login state | Session | Not Required |
| Strictly Necessary | cookie_consent | Stores your cookie preferences | 12 months | Not Required |
| Functional | lang_pref, theme_pref | Remembers your language and display preferences | 12 months | Required |
| Analytics | _ga, _gid (Google Analytics) | Anonymised page view tracking to understand usage | 2 years | Required |
| Analytics | _pceo_session_id | Internal session analytics (no PII) | Session | Required |
| Marketing | _fbp (Facebook Pixel) | Conversion tracking if you click a Facebook ad | 90 days | Required |
| Performance | bunnycdn_.* | Video CDN performance optimisation | Session | Required |
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes set out in this policy, to comply with legal obligations, or to resolve disputes. Our retention schedule is:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Active user account data | Duration of account + 3 years | Contract fulfilment; legitimate interest in re-engagement |
| Deleted account data | 90 days post-deletion | To process final requests and prevent fraudulent re-registration |
| Payment & billing records | 7 years | Statutory accounting and tax obligations (HMRC / IRS compliance) |
| Course progress & certificates | Indefinitely (opt-out available) | Users need lifetime access to proof of learning |
| Consultancy booking records | 3 years | Contract records and legal dispute resolution window |
| Contact form submissions | 2 years | Legitimate interest in managing enquiries |
| Marketing consent records | Duration of consent + 2 years | Proof of consent and compliance audit trail |
| Server & security logs | 90 days | Security monitoring; rolling deletion thereafter |
| Analytics data (anonymised) | Up to 26 months | Platform improvement; no personal identification possible |
When data is no longer required, it is securely deleted or irreversibly anonymised using industry-standard methods. Backups containing personal data are purged on the same schedule as live data.
Your Rights
Depending on your country of residence, you hold some or all of the following rights over your personal data. We honour these rights for all users globally, regardless of whether local law strictly requires us to do so.
Right to Access
Request a copy of all personal data we hold about you. We respond within 30 days at no charge.
Right to Rectification
Correct inaccurate or incomplete data. You can update most profile data directly in your account settings.
Right to Erasure
Request deletion of your personal data ("right to be forgotten"), subject to our legal retention obligations.
Right to Object
Object to processing based on legitimate interests. Where the processing is for direct marketing, the right to object is absolute.
Right to Restrict
Request that we restrict processing of your data while a complaint or dispute is being resolved.
Right to Portability
Receive your data in a structured, machine-readable format (JSON or CSV) for transfer to another service.
Right to Withdraw Consent
Withdraw any consent you have given at any time. Withdrawal does not affect prior lawful processing.
Right to Complain
Lodge a complaint with your national supervisory authority (e.g. ICO in the UK, CNIL in France) at any time.
Security Measures
We implement layered, industry-leading technical and organisational security measures to protect your personal data against unauthorised access, loss, alteration or disclosure.
- Encryption in Transit: All data transmitted between your browser and our servers is protected by TLS 1.3 encryption (HTTPS enforced site-wide with HSTS).
- Encryption at Rest: Database backups and sensitive data fields are encrypted at rest using AES-256.
- Password Security: Passwords are hashed using bcrypt with a minimum cost factor of 12. We never store passwords in plain text.
- CSRF & XSS Protection: All forms are protected by CSRF tokens. Input is sanitised and output is encoded to prevent Cross-Site Scripting attacks.
- Access Controls: Administrative access is restricted by role. All admin actions are logged with timestamps and originating IP addresses.
- Penetration Testing: We commission independent penetration tests and vulnerability assessments on at least an annual basis.
- Incident Response: We maintain a documented data breach response plan. In the event of a breach affecting your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.
- Staff Training: All staff handling personal data receive mandatory data protection and security training.
No method of transmission over the internet or electronic storage is 100% secure. While we take all reasonable precautions, we cannot guarantee absolute security. If you become aware of any security vulnerability or breach, please report it immediately to security@productceo.com.
Children's Privacy
Third-Party Services & Links
Our Platform may contain links to third-party websites, embedded content (such as YouTube videos) or integrations with external services. Once you leave our Platform or interact with third-party content, this Privacy Policy no longer applies. We encourage you to review the privacy policies of any third-party service you visit.
We are not responsible for the privacy practices, security or content of external websites or services, even if we have provided a link to them.
International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). Where we transfer personal data internationally, we ensure it receives equivalent protection through one or more of the following safeguards:
- Standard Contractual Clauses (SCCs): The European Commission-approved model clauses incorporated into all relevant processing agreements.
- EU–US Data Privacy Framework: Where applicable, transfers to US processors certified under the DPF.
- Adequacy Decisions: Transfers to countries the European Commission has determined provide adequate protection.
- Binding Corporate Rules: Where applicable, multinational processors with approved BCRs.
You may request a copy of any transfer mechanism we rely on by contacting privacy@productceo.com.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or for other operational reasons.
When we make material changes, we will notify you by: (a) posting a prominent notice on our Platform for at least 30 days before the change takes effect; (b) sending an email notification to your registered email address; and (c) updating the "Last Updated" date at the top of this page. Your continued use of the Platform after the effective date constitutes acceptance of the revised policy.
For non-material changes (such as formatting corrections or updated contact details), we will update the policy without separate notification, and the change will take effect immediately upon posting.
Contact & Data Protection Officer
For all privacy-related enquiries, data subject requests or concerns, please contact our Data Protection Officer:
Data Protection Officer — ProductCEO Academy Ltd
Our DPO is your first point of contact for all data protection matters. We commit to acknowledging all requests within 5 business days and resolving them within 30 calendar days.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. In the United Kingdom this is the Information Commissioner's Office (ICO); in the European Union, you should contact your national data protection authority.