Privacy Policy

Version 1.0 · Effective 2026-04-30

1. Who we are

Doctalytics (“DataPath,” “we,” “us”) operates the DataPath platform at datapathlearn.com. We are the data controller for personal data we process about you in connection with the Service.

Questions, requests, or complaints about this policy can be sent to privacy@datapathlearn.com.

2. What personal data we collect

  • Account data — your email address, display name, and authentication identifiers (provided by you or by your single-sign-on provider, such as Google).
  • Profile and preferences — timezone, tier (free/paid), and any settings you configure.
  • Learning activity — lesson progress, code submissions you run, challenge attempts, hint usage, and timestamps.
  • Consent records — which versions of these legal documents you accepted, when, and (for some flows) the IP address and user agent at the time of acceptance.
  • Technical data — IP address, browser/user-agent, device and session identifiers, and request logs needed to operate and secure the Service.
  • Communications — content of any messages you send us (e.g. support requests).

We do not ask you to submit real personal data of yourself or others into code exercises or datasets, and our Terms prohibit doing so.

3. Why we use your data and our lawful bases (UK/EU GDPR)

  • To provide the Service (creating your account, running your code, saving your progress) — performance of a contract with you.
  • To secure the Service and prevent abuse (rate-limiting, fraud detection, audit logs) — our legitimate interests in protecting users and the platform.
  • To communicate operational messages (account confirmations, security alerts, service updates) — performance of a contract.
  • To send marketing emails (if you opt in) — your consent, which you can withdraw at any time.
  • To meet legal obligations (responding to lawful requests, tax records) — compliance with a legal obligation.

4. Who we share data with

We share personal data only with sub-processors that help us run the Service, and only to the extent necessary for the purposes above. Each sub-processor is bound by a data-processing agreement requiring appropriate security and confidentiality.

  • Supabase — authentication, database, and file storage.
  • Vercel — application hosting and request logs.
  • Google (YouTube) — when you watch an embedded lesson video, YouTube may set cookies and process technical data under its own policies. We embed videos using the privacy-enhanced (“no-cookie”) mode where available.
  • Email and analytics providers — added as needed for transactional email and product analytics. The current list is available on request.

We do not sell your personal data, and we do not share it for cross-context behavioural advertising.

5. International transfers

Some of our sub-processors are located outside the UK / European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards (such as the UK International Data Transfer Addendum or EU Standard Contractual Clauses) to ensure your data continues to be protected.

6. How long we keep your data

We keep your personal data for as long as your account is active and for a limited period afterwards in line with the retention periods listed below, unless we are required to retain it longer to comply with a legal obligation or to resolve disputes.

  • Account, profile, and learning activity — until you delete your account; deleted within 30 days thereafter, except for backups which are rotated within 60 days.
  • Consent records — retained for up to six years after account deletion as evidence of past consent (legitimate interest / compliance).
  • Server and security logs — typically retained for up to 90 days.

7. Your rights

Subject to applicable law, you have the right to:

  • access the personal data we hold about you;
  • have inaccurate or incomplete data corrected;
  • have your data deleted (right to erasure);
  • receive a copy of your data in a portable format;
  • restrict or object to certain processing;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with your local data-protection authority (in the UK, the Information Commissioner's Office at ico.org.uk).

You can exercise the access, deletion, and portability rights directly from your account settings. For other requests, email privacy@datapathlearn.com. We aim to respond within 30 days.

8. Security

We use industry-standard technical and organisational measures to protect your personal data, including encryption in transit, access controls, and short-lived authentication tokens. No system is perfectly secure; you remain responsible for keeping your account credentials confidential. If we ever become aware of a personal-data breach affecting you, we will notify you and the relevant supervisory authority as required by law.

9. Cookies

We use cookies and similar technologies to keep you signed in, secure the Service, and (with your consent where required) measure how the Service is used. See our Cookies Policy for details and how to manage your preferences.

10. Children

The Service is not directed at, or intended for, children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data without appropriate consent, please contact privacy@datapathlearn.com and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. The version and effective date at the top of the page indicate when it was last updated. Material changes will be communicated in-product or by email, and you may be asked to accept the updated policy before continuing to use the Service.

12. Contact

For privacy questions or to exercise your rights, contact privacy@datapathlearn.com. The legal entity responsible is Doctalytics, registered at Portsmouth, UK.