1. Who We Are
Course Fusion is operated by Course Fusion Ltd. We are the data controller for the personal data we collect through our platform at coursefusion.co.uk and associated services. You can contact us at hello@coursefusion.co.uk.
2. Information We Collect
Information you provide
- Account information: name, email address, password (hashed), and profile details when you register.
- Google OAuth data: if you sign in with Google, we receive your name, email and profile picture from Google.
- Payment information: payment processing is handled by Stripe. We do not store your card details. Stripe may collect billing information as described in their privacy policy.
- Content: courses, pages, emails, media uploads and other content you create on the Platform.
- Communications: community messages, support enquiries and email correspondence.
- Subscriber data: if you are an email subscriber to a brand on our Platform, the brand owner collects your email, name and any tags you provide.
Information collected automatically
- Usage data: pages visited, features used, timestamps and interaction patterns.
- Device information: browser type, operating system, screen resolution and device identifiers.
- IP address: used for rate limiting, security and approximate geolocation.
- Cookies: session tokens stored in your browser to keep you logged in. See Section 7 below.
3. How We Use Your Information
We use your personal data to:
- Provide, maintain and improve the Platform.
- Authenticate your account and manage sessions.
- Process payments and manage subscriptions via Stripe.
- Send transactional emails (account verification, purchase confirmations, sequence emails).
- Provide AI-powered content generation features.
- Analyse usage patterns to improve the product (via Google Analytics).
- Prevent fraud, abuse and enforce our Terms of Service.
- Respond to support requests.
4. Legal Basis for Processing (UK GDPR)
- Contract: processing necessary to provide the service you signed up for.
- Legitimate interests: product improvement, security, fraud prevention and analytics.
- Consent: marketing emails and non-essential cookies (where applicable).
- Legal obligation: where we are required to retain data by law.
5. Third-Party Services
We share data with the following third parties, each acting as a data processor:
| Service | Purpose | Data shared |
|---|
| MongoDB Atlas | Database hosting | All platform data (encrypted at rest) |
| Amazon Web Services (S3) | File storage | Uploaded media files |
| Stripe | Payment processing | Email, payment details, transaction data |
| Brevo (Sendinblue) | Transactional email | Recipient email and name |
| Google Analytics | Website analytics | Anonymised usage data, cookies, IP address |
| Google OAuth | Social sign-in | Email, name, profile picture |
| Cerebras | AI content generation | Prompts and content context (not personal data) |
| Google Gemini | AI image generation | Image prompts (not personal data) |
We do not sell your personal data to any third party.
6. Data Retention
- Account data: retained for as long as your account is active, plus 30 days after deletion.
- Content: retained until you delete it or close your account.
- Payment records: retained for 7 years as required by UK tax law.
- Analytics data: retained by Google Analytics for up to 26 months.
- Server logs: retained for up to 90 days.
7. Cookies
We use the following cookies:
| Cookie | Type | Purpose | Duration |
|---|
| accessToken | Essential | Keeps you logged in | Session |
| _ga, _gid | Analytics | Google Analytics tracking | Up to 2 years |
Essential cookies are required for the Platform to function. Analytics cookies help us understand how the Platform is used. You can disable non-essential cookies through your browser settings.
8. Your Rights
Under the UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your personal data ("right to be forgotten").
- Restrict processing in certain circumstances.
- Data portability — receive your data in a portable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email hello@coursefusion.co.uk. We will respond within 30 days.
9. International Transfers
Your data may be processed outside the UK by our third-party providers (e.g. AWS, Stripe, Google). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or equivalent mechanisms.
10. Children
The Platform is not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), hashed passwords (bcrypt), database-level access controls, and regular security reviews. No system is 100% secure, and we cannot guarantee absolute security.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Platform. The "Last updated" date at the top reflects the most recent revision.
13. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
14. Contact
For any privacy-related questions, contact us at hello@coursefusion.co.uk.