Tom Phillips, a sole trader based in the United Kingdom, is the data controller for personal data collected through this site. Contact: tom@tomphillips.uk.

The site collects, depending on how you use it:

• Account data — when you register: email address, chosen password (hashed), display name.
• Payment data — when you buy a course: name, email, billing address, card details processed by Stripe (we never see or store card numbers ourselves).
• Usage data — for the training platform: which lessons you watch, how far through, completion timestamps, certificates earned.
• Technical data — server logs (IP, user agent, request path) for security and debugging; held briefly and not joined to your account.
• Support data — any messages you send us, retained as long as needed to resolve the request and meet legal obligations.

• To run your account (sign-in, password reset).
• To deliver the training courses you've enrolled on, track your progress, and issue certificates.
• To process payments and send receipts.
• To send service-related emails (purchase receipts, certificate notifications, password resets, security alerts).
• To respond to support questions.
• To detect and prevent fraud, abuse, and security incidents.
• To meet legal obligations (e.g. retaining transaction records for tax).

We don't send marketing emails. We don't sell or rent personal data. We don't use it to train machine-learning models.

• Contract (6(1)(b)) — to provide the training services you've paid for.
• Legitimate interest (6(1)(f)) — security logging, fraud prevention, and providing a stable service.
• Legal obligation (6(1)(c)) — retention of transaction records for HMRC.
• Consent (6(1)(a)) — for non-essential cookies and (in future) any marketing communications.

Cookies are small files stored in your browser. This site uses three categories:

• Essential — sign-in session cookie, CSRF tokens, security cookies. These can't be turned off without breaking the site, and don't require consent under UK PECR.
• Functional — remembers UI preferences (audio sound effects toggle, training-announcement banner dismissal, cookie-preference choice itself). Optional. Stored in localStorage rather than HTTP cookies in some cases.
• Analytics — none active at the moment. Reserved for future privacy-respecting analytics (e.g. Plausible or self-hosted PostHog). Will require explicit opt-in if added.

You set your preferences on first visit; you can change them at any time via Cookie settings. Rejecting non-essential cookies degrades some UX features but the site remains fully functional.

The site uses a small number of third-party services that process personal data on our behalf:

• Supabase (EU region) — database, authentication, file storage.
• Vercel (USA/EU edge) — application hosting and content delivery.
• Stripe (Ireland / USA) — payment processing, tax calculation, customer portal.
• Bunny Stream (Slovenia / global CDN) — video hosting and delivery for course lessons.
• Resend (USA) — transactional email delivery (receipts, certificates).
• Anthropic / OpenAI — used only by optional in-product AI features (the portfolio copilot) when explicitly engaged. The training platform itself doesn't send your data to LLM providers.

Each sub-processor is bound by a data-processing agreement. International transfers to the USA rely on the UK's adequacy decision for the EU/EEA where applicable, and on Standard Contractual Clauses where not.

• Account data — until you delete your account.
• Purchase records — at least 6 years (UK tax law) even after account deletion. These records will be limited to what tax law requires (name, amount, date, VAT) and won't include training progress.
• Server logs — typically 30 days.
• Support correspondence — retained as long as needed to resolve and for a reasonable follow-up window.

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate data.
• Erasure — request deletion of your data (you can do this yourself from your profile page).
• Portability — request your data in a structured, machine-readable format.
• Restriction or objection — limit how we use your data.
• Withdraw consent — for anything we process on the basis of consent (cookies, future marketing).
• Complain to the ICO — the UK supervisory authority (ico.org.uk) if you believe we've handled your data unlawfully.

To exercise any of these, email tom@tomphillips.uk. We aim to respond within 30 days.

We use industry-standard practices: TLS in transit, password hashing via Supabase Auth (bcrypt), database row-level security so a query run as one user can't see another user's data, and least- privilege keys for third-party integrations. Card data is handled entirely by Stripe and never touches our servers.

No system is perfectly secure. If you discover a vulnerability, report it responsibly to tom@tomphillips.uk — we won't take legal action against good-faith researchers.

The Service isn't aimed at children under 18 and accounts are restricted to adults. If you believe a child has registered, please tell us.

We may update this policy from time to time. Material changes will be flagged on the homepage and (if relevant) notified by email. The effective date at the top of this page indicates the most recent revision.

For any privacy question — including data access, deletion, or complaint — email tom@tomphillips.uk.