Privacy Policy

1. Introduction & Controller Identity

CourseFoundry provides education services focused on job-ready, studio-style learning workflows. The website is used to present our course tracks, explain our teaching approach, and allow visitors to request a syllabus or course details via our contact form.

This Privacy Policy applies to personal data processed through the website, including data provided through forms and data collected through cookies and similar technologies. Some processing is necessary for the website to function (essential cookies). Other processing, such as analytics and marketing measurement, is optional and only takes place if you provide consent through our cookie preference controls.

Effective Date: March 12, 2026.

2. Personal Data We Collect

We collect personal data in a few practical ways: when you submit a form, when you communicate with us, and when your browser interacts with the website. The categories below describe what we may collect depending on how you use the site.

2.1 Identity and contact data

• Name (for example, the “Full name” field in our form).
• Email address.
• Phone number (optional unless the form requires it for your request).

2.2 Form content and communications

• Messages you write in the form (for example, your learning goals, timeline, or questions).
• Course track preferences or selections (such as “Studio Foundations” or another track listed on our form).
• Email correspondence content when you contact us directly.

2.3 Technical data

• IP address (which may be used for security, fraud prevention, and approximate location inference at the city/region level).
• Browser type and version, device type, operating system, and language settings.
• Diagnostic data such as timestamps, error codes, and performance-related events.

2.4 Usage data

• Pages viewed, time spent on pages, referrer URL, click paths, and interactions with page elements.
• Conversion events (for example, a “contact form submitted” event) when analytics/marketing consent is given.

2.5 Cookies and identifiers

We use cookies and similar identifiers. Some are first-party cookies set by our site, and some are third-party cookies set by service providers. The categories and examples are described in Section 4 and in our Cookie Policy.

2.6 What we do not intentionally collect

We do not intentionally collect special-category data (such as health data, religious beliefs, political opinions), financial account details, or government-issued identifiers through the website. Please do not include such information in your message. If you submit such data unintentionally, we will take reasonable steps to delete it when identified, unless we are required to retain it by law.

3. Why We Process Personal Data & Legal Bases

If you are located in the EEA or the UK, we rely on the legal bases described in GDPR Article 6 to process your personal data. Where other privacy laws apply, we process personal data in line with the permitted grounds under those laws.

3.1 Responding to contact requests

Purpose: to respond to your request for course information, syllabi, cohort windows, and related questions; and to provide the services you ask about.

• Legal basis: Article 6(1)(b) (steps taken at your request prior to entering into a contract) and Article 6(1)(a) (consent where required for contact preferences).

3.2 Site analytics (optional)

Purpose: to understand how visitors use the site, improve content clarity, and reduce friction in navigation. We use aggregate insights to decide what pages to refine and which information should be easier to find.

• Legal basis: Article 6(1)(a) (consent).

3.3 Marketing measurement and remarketing (optional)

Purpose: to measure advertising performance, attribute conversions, and show relevant information about CourseFoundry to people who have previously visited our website (remarketing). This processing is controlled through your cookie preferences.

• Legal basis: Article 6(1)(a) (consent).

3.4 Security and fraud prevention

Purpose: to protect the website, prevent abusive traffic, detect automated form submissions, and maintain service availability. This includes monitoring unusual request patterns and filtering malicious activity.

• Legal basis: Article 6(1)(f) (legitimate interests) in maintaining a secure service and preventing abuse.

3.5 Legal and compliance

Purpose: to comply with applicable laws, respond to lawful requests, and keep required records (for example, where a transaction results in invoices).

• Legal basis: Article 6(1)(c) (legal obligation).

3.6 Automated decision-making (GDPR Article 22)

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects. We may use basic automated filtering to reduce spam and abusive submissions, but this does not produce legal or similarly significant outcomes and is not used to make eligibility decisions.

4. Cookies & Tracking Technologies

Cookies are small text files placed on your device. We also use similar technologies such as pixel tags and server-side event forwarding when marketing or analytics features are enabled. You can control optional categories using the cookie preference tools accessible from the site footer.

4.1 Essential cookies (always active)

These cookies are required for core site functionality, security, and preference storage. They do not require consent in many jurisdictions because they are necessary to provide the service you request.

• _site_session: supports session continuity and basic site security. Retention: session to up to 12 months depending on implementation.
• cookie_consent: stores your cookie category choices. Retention: 12 months.
• CSRF and similar security tokens may be used to protect form submissions. Retention: typically session.

4.2 Analytics cookies (optional, consent required)

If you opt in, we may use Google Analytics 4 (“GA4”) to understand site usage. Where supported, IP anonymization is enabled. Analytics data is used in aggregate to improve content and navigation, not to make individual-level decisions.

• Examples: _ga (2 years), _ga_XXXXXXXXXX (2 years).
• Analytics retention setting: 14 months.

4.3 Marketing cookies (optional, consent required)

If you opt in, marketing cookies may be used to measure advertising performance and support remarketing. This can include tracking conversions (such as form submissions) and building audiences based on site interactions.

• Examples: _gcl_au (Google Ads, 90 days), _fbp (Meta Pixel, 90 days), _fbc (Meta click identifier, 90 days when click ID is present).
• Marketing may involve pixel tags (for example, gtag.js or Meta Pixel) or server-side integrations (for example, Meta Conversion API) that transmit event data, including cookie identifiers and conversion events.

4.4 Beyond cookies

Depending on your consent settings, tracking can include pixel tags, SDK-like scripts, and server-side event forwarding. These may process device identifiers derived from browser context (IP address + user agent) and cookie identifiers. We use these tools to understand which content is effective and to avoid showing irrelevant ads to people who have already requested information.

For a detailed list and management instructions, see our Cookie Policy.

5. Consent (EEA/UK)

Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies (and related technologies) activate only after explicit, informed, freely given consent under Article 6(1)(a).

Consent is recorded in the cookie_consent cookie (stored for 12 months). You can withdraw consent at any time by using “Manage cookie preferences” in the site footer or by clearing cookies in your browser settings. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

6. Sharing With Advertising & Service Partners

We share personal data only as needed to operate the website, respond to your requests, and (if you consent) measure and improve marketing performance. We do not sell personal data. We use the following categories of partners:

6.1 Google LLC

If you consent to analytics and/or marketing cookies, Google may receive cookie identifiers, usage data, and conversion events to provide services such as Google Analytics 4 and Google Ads measurement/remarketing. Google’s privacy policy is available at https://policies.google.com/privacy.

6.2 Meta Platforms, Inc.

If you consent to marketing cookies, Meta may receive events (such as page views and form conversions), cookie identifiers, and audience membership information to provide remarketing and conversion attribution. Meta’s privacy policy is available at https://www.facebook.com/privacy/policy.

6.3 Cloudflare

We may use Cloudflare for content delivery and security. Cloudflare can process IP addresses and request metadata to detect threats and improve reliability. Cloudflare’s privacy policy is available at https://www.cloudflare.com/privacypolicy/.

We do not permit these providers to use site data for their own independent commercial purposes outside of providing services to us, subject to their contractual and platform terms.

7. International Transfers

CourseFoundry is based in the United States. If you access the website from the EEA, the UK, or Switzerland, your personal data may be transferred to and processed in countries that may not provide the same level of data protection as your home jurisdiction.

Where applicable, we rely on recognized transfer mechanisms, which may include the EU-U.S. Data Privacy Framework (and the UK Extension and Swiss-U.S. DPF, where relevant) and Standard Contractual Clauses (EU 2021/914) as a fallback. For UK transfers, the UK IDTA may be used as a fallback mechanism.

8. Data Retention

We keep personal data only for as long as needed for the purposes described in this policy, unless a longer retention period is required or permitted by law. Typical retention periods are:

• Contact form submissions: up to 2 years from the last interaction, so we can respond to follow-ups and maintain continuity.
• Email correspondence: duration of the relationship plus 1 year, unless a longer period is needed for dispute handling.
• Analytics data: 14 months (typical GA4 retention setting), subject to your consent and cookie settings.
• Marketing cookies: retained for the cookie lifetime (for example, 90 days for _fbp and _gcl_au), subject to your consent.
• Server and security logs: up to 90 days, unless longer is necessary to investigate abuse.
• Cookie consent records: up to 3 years for audit and compliance purposes.
• Legal and tax records: as required by applicable law (often 6–10 years for invoicing records where relevant).

9. Your Rights (GDPR & UK GDPR)

If GDPR or UK GDPR applies to you, you have the following rights in relation to your personal data:

• Right of access (Article 15).
• Right to rectification (Article 16).
• Right to erasure (Article 17).
• Right to restriction of processing (Article 18).
• Right to data portability (Article 20).
• Right to object (Article 21).
• Right to withdraw consent at any time (Article 7(3)) where processing is based on consent.
• Right to lodge a complaint with a supervisory authority (Article 77).

To exercise your rights, email us at [email protected]. We aim to respond within 30 days. For complex requests, we may extend the response time by up to 60 days as permitted by law, and we will explain why an extension is needed.

Supervisory authority resources:

• EU: https://edpb.europa.eu
• UK (ICO): https://ico.org.uk
• Germany (BfDI): https://www.bfdi.bund.de
• France (CNIL): https://www.cnil.fr
• Poland (UODO): https://uodo.gov.pl
• Spain (AEPD): https://www.aepd.es

10. Children

This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own DNT handling policies. You can control optional analytics and marketing features through our cookie preferences panel.

12. Account & Data Deletion Requests

We do not require a user account to request course details. If you want us to delete personal data associated with a form submission or email thread, contact us at [email protected] with the subject line “Data Deletion Request”.

We may ask for reasonable information to verify your identity before deleting data. We aim to complete requests within 30 days where possible. We may retain limited information if required to comply with legal obligations or to establish, exercise, or defend legal claims.

13. Business Transfers

If CourseFoundry is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred to a successor entity as part of that transaction. If the transfer materially changes how your personal data is used, we will provide a notice on the website.

14. California Privacy Notice (CCPA/CPRA)

This section applies to California residents where the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), applies.

In the last 12 months, we may have collected the following categories of personal information:

• Identifiers (such as name, email address, IP address, cookie identifiers).
• Internet or network activity (such as browsing interactions and page views), when you consent to analytics/marketing cookies.
• Inferences (such as interests or preferences inferred from site activity), when marketing measurement is enabled by consent.

We disclose personal information to service providers (for example, security/CDN vendors) and, if you opt in, to advertising partners for measurement and remarketing. We do not sell personal information as defined by CCPA. We do share personal information for cross-context behavioral advertising when you opt in to marketing cookies. California residents may opt out via our cookie preferences panel.

Your rights may include the right to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination. To submit a request, email [email protected] with the subject line “California Privacy Request”. We may require identity verification. Authorized agents may submit requests with written proof of authorization.

15. Virginia Privacy Notice (VCDPA)

If the Virginia Consumer Data Protection Act (“VCDPA”) applies to you, you may have rights including access, correction, deletion, portability, and the ability to opt out of targeted advertising.

We do not sell personal data or engage in profiling that produces legal or similarly significant effects. To submit a request, email [email protected] with the subject line “Virginia Privacy Request”.

If we decline to take action on your request, you may appeal by emailing us with the subject line “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days. If your appeal is not resolved, you may contact the Virginia Attorney General.

16. Nevada Notice

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject line “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will provide notice on the homepage at least 14 days before the changes take effect when feasible.

The “Last Updated” date at the top of this page indicates when the policy was most recently revised.

18. Contact

If you have questions about privacy, data protection, or this policy, contact:

CourseFoundry Learning LLC
1355 Market St, Suite 488, San Francisco, CA 94103, United States
Email: [email protected]
Phone: +1 415 523 9826