1. Information we collect
We only collect what we need to run the Service, improve it, and meet our legal obligations. We group the data into three buckets:
a) Information you give us directly
- Account data: your email address, name, and (when you set them) profile preferences.
- Funnel and quiz responses: the answers you provide during the onboarding quiz so we can personalize your learning path. We collect quiz responses and your email before you create an account or pay — see Section 7 for what happens to that data if you do not subscribe.
- Billing data: we do not store full card numbers. Payments are processed by Lemon Squeezy (see Section 4 for its merchant-of-record status). We receive a tokenized customer identifier, the last four digits and brand of the card, the billing country, and the status and amount of each charge.
- Support messages: anything you send to privacy@risemi.io or through in-app feedback.
b) Information we collect automatically
- Usage data: which lessons you open, how long you spend on them, which exercises you complete, streaks, and certificate progress.
- Device and log data: IP address, browser type, operating system, language, device type, timestamps, and pages visited. We use this for security, debugging, and aggregated analytics.
- Cookies and similar technologies: see Section 6.
c) Information from third parties
- Authentication providers (e.g. Google, Apple) when you choose to sign in with them — limited to your email address and a stable user identifier.
- Marketing platforms (Meta/Facebook, TikTok, Google Ads) for attribution of how you reached us — see Section 6(d) for what is shared back to Meta in particular.
2. Why we use your information
- To create and maintain your Risemi account.
- To personalize your learning path based on your quiz answers and progress.
- To process subscriptions, prevent fraud, and manage refunds (see our Subscription Policy).
- To send essential service emails (receipts, password resets, lesson reminders if you opted in).
- To send marketing communications, but only where you have given consent or where allowed by applicable law. You can opt out at any time.
- To measure the performance of our advertising on Meta, TikTok, Google and similar platforms — see Section 6(d).
- To measure and improve the product — what content works, where users get stuck, what to build next.
- To meet our legal, regulatory, tax, and accounting obligations.
3. Legal bases (EEA / UK users)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:
- Performance of a contract — to provide the Service you signed up for.
- Legitimate interests — to keep the Service secure, prevent abuse, and analyze aggregated usage.
- Consent — for non-essential cookies and marketing emails. You can withdraw consent at any time without affecting prior processing.
- Legal obligation — to retain billing records for accounting and tax law.
4. Sharing your information
We do not sell your personal data. We share it only with:
- Lemon Squeezy, LLC — our merchant of record. All subscription payments are processed and invoiced by Lemon Squeezy. Lemon is the seller of record for tax purposes (VAT, GST, sales tax), holds your card details on its PCI-compliant infrastructure, and is the party named on your bank statement. We share with Lemon the data needed to bill you (email, name, country, IP at time of purchase, the plan you chose). Lemon’s privacy practices are governed by its own policy.
- Infrastructure providers who host the Service: Fly.io (application servers, Frankfurt), Neon (Postgres database, Frankfurt), Vercel (web frontend), Supabase Storage (course assets such as PDFs and videos). They act under contract and only on our instructions.
- Analytics, email, and ad measurement providers named in Section 6 below.
- Authorities if we are required to do so by valid legal process, or to protect our rights, our users, or the public.
- A successor in the event of a merger, acquisition, or asset sale — in which case we will notify you in advance and give you a chance to object where required by law.
5. International transfers
Risemi’s primary infrastructure is hosted in the European Union (Frankfurt). Some of our service providers operate in the United States or elsewhere — including Lemon Squeezy (Delaware, USA), Vercel (USA), and Meta (USA). When we transfer personal data outside the EEA / UK, we rely on adequacy decisions issued by the European Commission, the European Commission’s Standard Contractual Clauses (SCCs), or the EU–US Data Privacy Framework where applicable, plus supplementary safeguards (encryption in transit, access controls) where appropriate.
6. Cookies and tracking
We use a small set of cookies and similar technologies for four purposes:
- (a) Strictly necessary — to keep you signed in (risemi_jwt, better-auth.*) and to make the Service work. These are always on.
- (b) Analytics — to understand how the product is used in aggregate. You can decline these in our cookie banner.
- (c) Marketing — to measure the performance of our ads. Off by default; only enabled with your consent.
- (d) Meta Pixel & Conversions API: we use the Meta Pixel (dataset ID 35757181100596321) on every page of risemi.io, paired with Meta’s server-side Conversions API on our backend. The pixel sets the cookies _fbp (always) and _fbc (when you arrived via a Facebook ad) and fires events when you load a page, start the quiz, submit an email (Lead), open the paywall (InitiateCheckout), and subscribe (Purchase). For each event we additionally transmit to Meta — server-side, through the Conversions API — a SHA-256 hash of your email address, your IP address, your browser user-agent, and the _fbp/_fbc cookie values, so Meta can match the event back to your Facebook/Instagram account for ad attribution. We do not share your email in plaintext, your quiz answers, your password, or any payment details with Meta. You can opt out by declining marketing cookies in our cookie banner, or by using your browser’s tracking-prevention features (Safari ITP, Brave shields, Global Privacy Control). Opting out does not affect your access to the Service.
7. Quiz-funnel data — before you have an account
Most visitors to risemi.io start by taking our personalization quiz, which asks for your email address near the end. If you provide your email but do not subsequently subscribe, we keep your quiz session and email for up to 90 days, so we can send you a reminder, complete your purchase if you come back, and measure funnel performance. After 90 days we either:
- delete the session if there has been no further engagement, or
- retain it linked to your account if you have, by then, registered and subscribed.
You can ask us to delete your pre-account data at any time before the 90-day mark by emailing privacy@risemi.io from the same email address you used in the quiz.
8. Data retention
- Account data: kept while your account exists, then deleted within 90 days of a deletion request, except for items we are legally required to keep (billing records).
- Quiz and progress data: kept for the lifetime of the account, anonymized after closure.
- Pre-account quiz responses: 90 days (see Section 7).
- Billing records: kept for up to 10 years where accounting law requires it (held primarily by Lemon Squeezy as our merchant of record).
- Support tickets: kept for up to 3 years after the last interaction.
- Ad-attribution logs (event_id, fbp/fbc, hashed email): retained by Meta under Meta’s policies. We retain server-side mirror logs for up to 90 days for debugging and dedup verification.
9. Your rights (EEA / UK / Switzerland)
Under the GDPR / UK GDPR you have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to processing based on legitimate interests. You can exercise these rights by emailing privacy@risemi.io. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority.
EU representative. If you are in the EEA, you can contact us about your GDPR rights at privacy@risemi.io. We are in the process of formally appointing an Art. 27 GDPR representative and will update this section with the representative’s contact details once that arrangement is in place.
10. Your rights (California residents — CCPA / CPRA)
If you reside in California, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), gives you the following rights:
- Right to know what personal information we have collected, used, disclosed, and (if applicable) “sold” or “shared” in the preceding 12 months.
- Right to correct inaccurate personal information.
- Right to delete personal information we collected from you, subject to legal exceptions.
- Right to opt out of “sharing” for cross-context behavioral advertising. Under the CCPA, our use of the Meta Pixel and Conversions API qualifies as “sharing” personal information for cross-context behavioral advertising even though we receive no money in exchange. You can opt out by clicking “Do Not Sell or Share My Personal Information” in the footer of risemi.io, or by emailing privacy@risemi.io.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for any purpose requiring the limit-of-use right.
- Right to non-discrimination. We will not deny you the Service, charge you a different price, or provide a lesser quality of Service because you exercised a CCPA right.
- Authorized agent. You may designate an authorized agent to make a CCPA request on your behalf. We will ask for verification of the agent’s authority before fulfilling the request.
We honor Global Privacy Control (GPC) signals from your browser as a valid opt-out of cross-context advertising sharing.
We have not “sold” personal information for monetary consideration in the past 12 months. We have “shared” personal information with Meta for cross-context behavioral advertising, as disclosed in Section 6(d).
11. Children
Risemi is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with information, please contact privacy@risemi.io and we will delete it.
12. Security
We use industry-standard practices: encryption in transit (TLS), encrypted storage at rest for sensitive fields, role-based internal access, password hashing through Better Auth (Neon Auth), short-lived access tokens (JWT, 15 minutes) and regular dependency audits. No system is perfectly secure, but we work hard to minimise risk.
13. Data breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify our lead supervisory authority within 72 hours where required by Art. 33 GDPR, and notify affected users without undue delay where required by Art. 34 GDPR or equivalent state law (including California Civ. Code § 1798.82).
14. Changes to this policy
We may update this Privacy Policy from time to time. If the changes are material, we will notify you by email or via the Service before they take effect. The “Last updated” date at the top always reflects the most recent revision.
15. Contact
Questions, requests, or complaints? Email privacy@risemi.io. We read every message.
