Privacy policy — UpSkillZone

How we handle your data

Last updated 2026-05-03 · UpSkillZone, Inc. (Delaware)

UpSkillZone, Inc. is a Delaware C-corporation that runs an outcome-based training platform and issues cryptographically verifiable credentials. This policy explains exactly what we collect, what we do with it, what we publish, and how you control it. No marketing language, no “may from time to time.”

1. What we collect

We collect five categories of data, and only what each category requires:

  • Account — email address (required), display name, password hash (argon2id), and optional phone number for two-factor auth.
  • Learning records — lecture progress timestamps, Job Twin submissions, mentor review scores and free-text comments, and per-skill assertion history.
  • Credentials — the JSON-LD credential, its public_id, the Ed25519 signature, issuance and revocation timestamps, and the issuer key id.
  • Communications — employer outreach metadata (which employer contacted which talent, when, with what subject line), and your support tickets.
  • Technical signals — IP address (for rate limiting), user-agent, request timestamps, and session refresh-token identifiers. We do not run third-party analytics or advertising trackers.

2. How we use it

Each piece of data has a stated purpose. We do not repurpose data outside these uses without asking you first.

  • Deliver curriculum — lecture progress drives the next unlock and your dashboard state.
  • Calibrate grading — mentor reviews feed an internal inter-rater agreement model so scores stay consistent across mentors.
  • Issue credentials — once you pass the calibrated bar, we sign a credential with our Ed25519 issuer key and pin its JSON-LD to durable storage.
  • Match talent to employers — only if you have set consent.scope to employer_index or public.
  • Fraud prevention — per-IP and per-user rate limits, anomaly checks on review submissions, and revocation of credentials traced to plagiarism.

3. What we publish

Credential URLs are public by design.

The whole point of a verifiable credential is that anyone with the URL can confirm it. The credential page exposes the achievement name, the issuer, the issuer key id, the Ed25519 signature, the revocation status, and the skills it covers. It does not expose your email, phone number, or any private account data. You choose whether to share the URL.

Your talent profile in the public skills directory is opt-in. The default consent.scope is private. You can move to employer_index (employers see you, the public does not) or public (the directory at /skills lists you) and back at any time. Changes take effect on the next request.

4. Who we share with

  • Mentors — see only the submissions in their own grading queue and only for as long as the claim is open. They never see your email or contact details.
  • Employers — see talent rows that match your consent.scope. Once an employer sends outreach we record the metadata (employer id, timestamp, subject) so you can see who contacted you.
  • Payment processor — Stripe handles tuition and payouts. We send them the minimum fields they need (email, amount, currency); they handle card data directly.
  • Infrastructure — our hosting, database, and email-delivery providers act as processors under written DPAs. They are listed in the sub-processor schedule, available on request.
  • Data brokers — we do not sell, rent, or syndicate your data to brokers, ad networks, or AI training datasets. Ever.

5. How long we keep it

| Category | Retention |
| --- | --- |
| Account record | Until you delete the account, then 30 days for reversal, then purged. |
| Learning records | Lifetime of the account. Deleted with the account unless tied to an issued credential. |
| Credentials | Permanent by design. Once issued, the JSON-LD stays resolvable so verifiers can check it forever; you can request revocation, which sets the revoked flag but does not delete the record. |
| Hire attestations | Permanent. Ed25519-signed and intended as a long-lived proof of outcome; revocation supported. |
| Outreach logs | 24 months from the last message, then archived in aggregate counts only. |
| Server access logs | 90 days, then aggregated for capacity planning. |

6. Your rights

If the GDPR, UK GDPR, or California CPRA apply to you, you have the rights below. We honor them for everyone, regardless of jurisdiction.

  • Access — ask for a copy of every record we hold against your account.
  • Export — receive that copy as machine-readable JSON.
  • Deletion — close the account and purge personal data, subject to the credential carve-out in section 5.
  • Rectification — correct anything inaccurate (display name, profile fields, mentor scores you believe are wrong).
  • Consent revocation — flip consent.scope back to private at any time; we will stop showing your profile to employers on the next request.
  • Complaint — you can lodge a complaint with your local data protection authority. We would prefer you tell us first so we can fix it.

To exercise any of these, email founders@upskillzone.com from the address on your account. We respond within 30 days, usually faster.

7. Security posture

The controls below are the ones that actually protect your data, not a vendor checklist:

  • Sessions — refresh tokens live in HttpOnly + SameSite=lax cookies that JavaScript cannot read; access tokens are 15-minute JWTs held in memory only and never written to localStorage.
  • Credentials — every credential and hire attestation is signed with an Ed25519 key; the public verification key is published so any third party can verify without contacting us.
  • Abuse control — per-IP and per-user rate limits on every authenticated and unauthenticated route.
  • Storage — MongoDB is encrypted at rest in production; backups are encrypted and access-controlled; passwords are argon2id with per-user salts.
  • Transport — TLS 1.2+ on every public endpoint, HSTS preload pending.

8. International transfers and DPA

UpSkillZone is incorporated in Delaware and our primary infrastructure is in the United States. If you are in the UK or the EEA, your personal data is transferred to the US under the European Commission’s Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum. Our sub-processors are bound by the same SCCs back-to-back.

If you are an employer, mentor partner, or institution that needs a signed Data Processing Agreement, email founders@upskillzone.com and we will send the current DPA along with the sub-processor schedule.

Questions?

Write to founders@upskillzone.com. The founders read every message.
