Privacy Policy

Last updated: 2026-05-25

The short version

We collect the minimum data needed to run the training service. We never sell your data. We use privacy-friendly analytics that don't track you across the web.

What we collect

When you visit the site

Anonymous, aggregated page-view statistics via Plausible Analytics (no cookies, no cross-site tracking, no personal data). We can see "12 visitors viewed /training/ today"; we can't see who you are.

When you sign up for the waitlist or course

  • Email address — to send you the magic-link sign-in, course updates, and (if applicable) your receipt and certificate.
  • Optional profile fields — name (required for the certificate), country, organization, professional title.

When you purchase the course

  • Payment data — handled by PayPal. We never see or store your card data. We do record the transaction ID, amount, currency, and PayPal payer email for accounting and refunds.
  • Coupon used (if any) — for fraud prevention and to honor the code's terms.

When you watch lessons

  • Progress data — which lessons you've started and how much of each you've watched. Used to resume where you left off, mark completions, and issue your certificate.
  • Standard server logs — IP address, user agent, request timestamps. Kept for 30 days for security/abuse detection.

What we don't do

  • We don't sell, rent, or trade your data.
  • We don't use advertising trackers (no Facebook Pixel, no Google Ads tags).
  • We don't use third-party analytics that profile you across sites.
  • We don't email you marketing from third parties.

Who we share data with

Only the service providers we need to run the platform:

  • PayPal — for processing payments and refunds.
  • Supabase — our database and authentication provider (hosts your account, hashed credentials, course progress).
  • Bunny Stream — our video CDN (delivers course videos; receives an anonymous session token, not your account details).
  • Resend — sends transactional email (receipts, magic links, certificates).
  • Plausible — anonymous, aggregate site analytics.

Each of these is bound by its own privacy commitments and processes data on our instructions.

Your rights

You can:

  • See your data — log in and check your profile and billing pages.
  • Export your data — email hello@otsec.io and we'll send you a JSON dump of everything we hold on you.
  • Correct your data — edit your profile, or email us if a field isn't user-editable.
  • Delete your data — email us and we'll erase your account within 14 days. Note: financial transaction records are kept for accounting/tax requirements (typically 5 years).

Email

Transactional email (receipts, sign-in links, certificates, course-update notices to active accounts) is sent regardless of marketing preferences. Marketing email (article digests, new-course announcements) requires explicit opt-in and an obvious unsubscribe link.

Cookies

We use the minimum: a session cookie when you're signed in, and a CSRF cookie. No advertising or tracking cookies. No cookie banner is needed because there is nothing for you to consent to.

International transfers

Our infrastructure is hosted internationally (primary regions: EU and US). By using the service you agree to your data being processed in those regions, with the protections described above.

Children

The service is intended for adult professionals. Don't create an account if you're under 18.

Changes

Material changes will be announced via email to active accounts at least 30 days before they take effect.

Contact

Email hello@otsec.io.