Privacy Policy for instructa.ai

Last updated: 11.02.2025

Introduction

Macherjek GmbH (“we”, “us”, or “our”) operates the instructa.ai platform and is fully committed to complying with the EU General Data Protection Regulation (GDPR) and applicable privacy laws. This Privacy Policy outlines what personal data we collect from you, how and why we process it, and the rights you have regarding your data. We value your privacy and handle your personal information with care and transparency in accordance with GDPR principles.

Data Collection and Processing

Personal Data We Collect: When you use instructa.ai or sign up for our courses, we may collect the following personal data:

  • Name: We collect your first and last name (or a chosen display name) to personalize your account and certificates, and for invoicing or billing records.

  • Email Address: We require your email to create and log into your account, send you account confirmations, course access links, and to communicate important updates or support responses.

  • Payment Information: If you purchase a course or subscription, payment details (such as credit/debit card information, billing address, and transaction amount) are collected via our payment partner Lemon Squeezy. We do not store your full payment card details on our servers; Lemon Squeezy processes payments securely on our behalf. We do receive information like your name, email, purchased course, and payment confirmation from Lemon Squeezy to activate your access and maintain legal financial records.

  • Support Communications: If you contact us for support or inquiries (for example, via email to support@instructa.org), we will collect and retain the information you provide in that communication (such as your name, contact info, and the content of your message) in order to assist you and resolve any issues.

Purposes of Processing: We only use your personal data for specific and legitimate purposes. In particular, we process the above data to:

  • Create and Manage Your Account: We use your name and email to register your user account, verify your identity during login, and maintain your profile on instructa.ai.

  • Provide Course Access: Your data allows us to enroll you in courses, track your course enrollments, and grant you lifetime access to the course materials you have signed up for. This ensures you can log in and view the content you’ve purchased or which has been made available to you.

  • Process Payments and Fulfill Orders: We (through Lemon Squeezy) use your payment information to handle transactions when you buy a course or subscription. This includes processing your payment, verifying that it was successful, and providing you with purchase confirmations or receipts.

  • Communicate and Provide Support: We use your contact details to communicate with you about important account or service updates (for example, confirmation emails, password resets, or changes to our terms). If you reach out for help, we will use the information in your support request to respond and resolve your issue.

  • Legal and Compliance Reasons: We process and retain certain data to fulfill our legal obligations. For example, we keep transaction records and invoices for accounting/tax purposes and to comply with Austrian and EU laws. We may also use or disclose data as required to respond to lawful requests by public authorities or to meet other legal requirements (such as fraud prevention or enforcing our Terms of Service).

We do not use your personal data for any purposes incompatible with the above. In particular, we do not sell your data to third parties or use it for unsolicited marketing without your consent.

Under the GDPR, we must have a valid legal basis to process your personal information. Depending on the context, our processing of your data is justified on one or more of the following bases under Article 6 GDPR:

  • Performance of a Contract (Art. 6(1)(b) GDPR): Most of our data processing is necessary to provide the services that you request from us. When you create an account, enroll in a course, or make a purchase, we must process your personal data to fulfill our contract with you. This includes using your data to register you as a user, grant you access to courses, process your payments, and deliver course content and related services you have paid for. Without this data, we cannot provide you with the core features of instructa.ai.

  • Legal Obligation (Art. 6(1)(c) GDPR): In some cases, we are required by law to process certain data. For example, when you make a purchase, we must retain transaction records, invoices, and payment details to comply with tax laws and accounting regulations. We may also need to disclose information to authorities if legally compelled (such as for law enforcement inquiries or auditing purposes). Such processing is done only to the extent required by applicable laws.

  • Legitimate Interests (Art. 6(1)(f) GDPR): We may process your data as necessary for our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. For instance, it is in our legitimate interest to maintain the security of our platform (e.g., using your login data and IP address to detect and prevent fraudulent access), to improve our services (e.g., analyzing how users navigate our site to enhance user experience), or to communicate with you about improvements or features related to courses you have purchased. When we rely on this basis, we ensure that our legitimate interests are balanced with your privacy rights. You have the right to object to processing based on legitimate interests (see User Rights below).

If we ever need to process your data for a purpose that requires your consent (Art. 6(1)(a) GDPR) – for example, if we wanted to send optional marketing emails or newsletters – we will ask for your consent beforehand, and you can withdraw that consent at any time. (As of now, instructa.ai does not use your data for any purpose that requires consent beyond the essential uses described above.)

Third-Party Services and Data Sharing

We do not sell, rent, or exchange your personal information with unrelated third parties for their own use. However, to operate instructa.ai effectively and provide our services, we rely on a few trusted third-party service providers (subprocessors) who handle data on our behalf. We only share your data with these parties as necessary for the purposes stated above, and each provider is bound by strict data protection obligations (we have GDPR-compliant Data Processing Agreements in place). Below are the third-party services we use and what they do:

  • Clerk (Authentication): We use Clerk to manage user authentication and account management. When you register or log in, Clerk processes your login credentials (such as email and password or other authentication tokens) to verify your identity and securely log you into your instructa.ai account. Clerk may store your email and hashed password, and handle features like password reset or multi-factor authentication. This service ensures that your account is secure and that only you can access your personal dashboard and course content. Clerk acts as a data processor, only using your information to perform authentication on our instructions.

  • Supabase (Database Hosting): Supabase provides our primary database infrastructure. We store most of our application data (including your personal data like name, email, account info, course enrollments, and progress) in a Supabase database. Supabase hosts this database on servers located in the EU, ensuring your data remains within European jurisdictions. Supabase acts as a processor by storing and organizing data for us; they do not access or use your information except as needed to keep the database running (for example, backups and queries initiated by our application). This allows us to reliably save your data and retrieve it when you use our site (e.g., to load your profile or course status).

  • UploadThing (Static File Hosting): We use UploadThing to host and deliver static files and media used by instructa.ai. This includes things like images, PDFs, or other files that might be part of course materials or the website content. If, for example, you or course instructors upload an image or resource, that file is stored on UploadThing’s servers for efficient delivery to users. UploadThing may process file metadata and store the files, but it does not have access to your account details. Any personal data contained within those files (e.g., if you uploaded a profile picture or a document with personal info) is protected and only used to provide the hosting service. UploadThing’s infrastructure is also based in the EU, and it delivers content to you when you access our site or course materials.

  • Mux (Video Streaming): instructa.ai delivers course videos through Mux, a video streaming platform. When you play course videos, the video content is streamed from Mux’s servers to your device. In doing so, Mux may receive certain data necessary to facilitate the stream, such as your IP address, general location (derived from the IP for optimal server routing), and technical information about your device or browser (to adjust streaming quality). Mux uses this information solely to deliver the video efficiently (e.g., to buffer the video, adapt streaming quality, and track view counts or playback errors). We do not send Mux any more of your personal information like your name or email; Mux only processes data required for video delivery and performance analytics. Mux is a GDPR-compliant service provider, and any data it processes on our behalf is handled according to strict confidentiality and security standards.

  • Lemon Squeezy (Payments): All payments for instructa.ai courses and subscriptions are handled through Lemon Squeezy, our third-party payment processor. When you decide to purchase a course, you will be directed to a secure checkout page hosted by Lemon Squeezy. That service will collect your payment details (credit or debit card numbers, PayPal or other payment info if applicable, billing name and address) and process the transaction on our behalf. Macherjek GmbH (instructa.ai) does not see or store your full card information — that is securely handled by Lemon Squeezy. After a successful payment, Lemon Squeezy provides us with the necessary details of the purchase: for example, your name, email, the product/course you bought, the amount paid, and confirmation that the payment went through. We use this information to update your account (granting you access to the course) and for our accounting records. Lemon Squeezy may also send you a receipt or allow us to send you one. This payment processing is compliant with PCI-DSS (industry security standards), and Lemon Squeezy is obligated to protect your data and use it only for processing payments and related fraud prevention.

  • Storyblok (Content Management System): We use Storyblok as a headless content management system to create and manage website content (such as course descriptions, blog posts, and other informational pages on instructa.ai). The text, images, and layout for our site are stored in Storyblok and delivered to your browser when you visit our pages. When you access a page on instructa.ai, your browser may fetch content from Storyblok’s servers; in doing so, Storyblok may receive your IP address and browser details as part of the normal web content request. Storyblok does not collect any information from you beyond what is necessary to serve the content (it does not get your account data or any behavior tracking from our site). Essentially, Storyblok is a behind-the-scenes tool that ensures you can view our website content quickly and reliably. Storyblok is based in the EU (an Austrian company) and complies with GDPR; any personal data incidentally processed (like IP addresses in server logs) is handled according to legal requirements and is not used for independent purposes.

Aside from the above services, your data may be shared in a few special scenarios: for example, with accountants or legal advisors if needed for auditing or compliance, or if we are required by law to disclose data to authorities. In all cases, we will only share the minimum necessary information and ensure that anyone who processes your data is bound by confidentiality and data protection obligations. We never share your personal data with third parties for marketing purposes unless you have explicitly consented to such sharing.

User Rights

As a user of instructa.ai and a data subject under the GDPR, you have a number of important rights regarding your personal data. We are committed to upholding these rights. You may exercise any of the following rights by contacting us at gdpr@macherjek.at. We will respond to your request as soon as possible, and in any case within the GDPR-required timeframe (generally 1 month). Please note we might need to verify your identity for security reasons before fulfilling certain requests. Your rights include:

  • Right of Access: You have the right to obtain confirmation of whether we are processing your personal data, and if so, to request a copy of the personal data we hold about you. We will provide you with a summary of the data, along with details about how we use it and who we share it with, free of charge (unless the request is manifestly unfounded or excessive).

  • Right to Rectification: If any of your personal information stored by us is inaccurate or incomplete, you have the right to have it corrected. You can update some of your account information directly in your profile, or ask us to make the correction for you. We encourage you to keep your data up to date so we can serve you best.

  • Right to Erasure: Also known as the “right to be forgotten,” this right allows you to request the deletion of your personal data. You can ask us to erase your data if it’s no longer necessary for the purposes we collected it, if you have withdrawn consent (in cases where consent was used), or if you believe we are unlawfully processing your data. We will honor valid erasure requests by deleting or anonymizing your data, except for information we are required to keep by law (for example, we might need to retain proof of transactions for tax reasons even if you delete your account). If complete deletion isn’t immediately possible (e.g., data stored in backups), we will securely isolate your data from any further use until deletion is feasible.

  • Right to Restrict Processing: You have the right to request that we limit the processing of your personal data in certain circumstances. For example, if you contest the accuracy of your data, you can ask us to “freeze” its use until we verify correctness; or if you need us to retain data you want deleted for a legal claim, we can restrict further processing. When processing is restricted, we will store your data securely and only process it with your consent or for specific legal reasons.

  • Right to Data Portability: For data that you have provided to us and that we process by automated means on the basis of your consent or for performance of a contract, you have the right to obtain that data in a structured, commonly used, machine-readable format (for example, a CSV or JSON file). You also have the right to request that we transmit that data directly to another service provider, where technically feasible. This allows you to reuse your data across different services. (For instance, you could ask for a copy of your account details and course enrollment information if you wanted to back it up or use it elsewhere.)

  • Right to Object: You may object at any time to processing of your personal data that we have based on legitimate interests (Art. 6(1)(f)), including any profiling based on those interests. If you lodge an objection, we will review the reasons for your objection and cease the processing in question unless we have compelling legitimate grounds to continue (such as a legal requirement or an overriding interest). You also have an absolute right to object to any processing of your data for direct marketing purposes – however, note that instructa.ai does not currently send any marketing emails or use your data for marketing without consent. If that ever changes, you can opt out at any time.

  • Right to Withdraw Consent: In the rare cases where we rely on your consent to process personal data (for example, if you subscribed to an optional newsletter), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it won’t affect processing under other legal bases. If you withdraw consent for a service that requires it, we will stop processing your data for that purpose and, if applicable, stop providing that service (unless we can rely on another legal basis).

  • Right to Lodge a Complaint: If you believe that we have violated your data protection rights or GDPR obligations, you have the right to file a complaint with a supervisory data protection authority. You can do this in the EU member state where you live, where you work, or where the alleged infringement occurred. As Macherjek GmbH is an Austrian company, our lead supervisory authority is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde). You can find their contact details on their official website. We would, however, appreciate the chance to address your concerns directly before you approach the authorities – so please feel free to contact us at gdpr@macherjek.at, and we will do our best to resolve any issue in a timely and satisfactory manner.

Data Retention and Security

Data Retention: We keep your personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. In practice, this means: as long as you have an active account with instructa.ai and are enrolled in courses, we will retain your account information so that we can provide you with ongoing access (our courses come with lifetime access). We consider your account active unless you request deletion or it has been dormant for an extended period of time and we decide to clean up inactive accounts (if we ever implement such a policy, we will inform you beforehand). If you decide to cancel your account or request that your data be deleted, we will remove or anonymize your personal information from our active systems. Some information may be retained in our backups or archives for a short period until those are cycled out. Additionally, even after account deletion, we might retain certain data as necessary for legal compliance – for example, records of purchases and invoices must be kept for a number of years under tax laws, and basic support correspondence might be saved to demonstrate compliance or resolve future disputes. Any data retained for legal obligations will be isolated and secured, and we will not use it for any other purpose. We regularly review the data we hold and delete or anonymize information that is no longer needed.

Data Security: We take the security of your personal data very seriously. Macherjek GmbH has implemented a variety of technical and organizational measures to protect your information from unauthorized access, loss, alteration, or disclosure. These measures include, for example:

  • Encryption of data in transit (your connection to instructa.ai is protected via HTTPS/SSL encryption, which prevents others from intercepting your data as it travels between your device and our servers).

  • Secure password management (user passwords are stored in hashed form via our authentication provider, and never in plain text).

  • Access controls and confidentiality policies (only authorized personnel who need to process your data for the purposes outlined have access to it, and they are bound by confidentiality agreements and trained in data protection).

  • Regular updates and patching of our software and infrastructure to address security vulnerabilities, plus network safeguards like firewalls to protect against external attacks.

  • Careful selection of third-party service providers (like the ones listed above) who must meet high security standards; we ensure they use measures such as encryption and industry-standard security practices to protect the data they handle for us.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. However, we continuously work to improve our security practices. In the unlikely event of a data breach that affects your personal data, we will follow GDPR requirements to inform the relevant authorities and notify you without undue delay if there’s a significant risk to your rights and freedoms.

Cookies and Tracking Technologies

Cookies: instructa.ai uses cookies to ensure our website functions properly and to provide you with a smooth user experience. Cookies are small text files stored on your device by your web browser. The cookies we use are primarily essential cookies necessary for the operation of the site and certain features, such as:

  • Authentication Cookies: When you log in, we (or our auth provider Clerk) set a cookie to keep you logged in as you navigate through the course content. This prevents you from having to re-enter your credentials on every page.

  • Preference/Session Cookies: These help remember your preferences (like language selection, if applicable) or maintain your session state as you use the site. They also assist with basic functionalities like video playback (ensuring the streaming works via Mux) and content delivery via our CDN services.

Importantly, we do NOT use any non-essential or advertising cookies. This means we do not use cookies for analytics, marketing, or tracking your behavior across other sites. We do not employ third-party tracking pixels, social media plugins that harvest data, or any fingerprinting technologies. In short, we only utilize the minimum cookies and similar technologies needed for security and to deliver the service you expect.

Because we only use essential cookies and no optional tracking, we do not present a cookie consent banner with granular controls. Under EU law, strictly necessary cookies do not require user consent. Of course, you are free to control cookies through your browser settings. Most web browsers allow you to block or delete cookies. However, please be aware that if you block all cookies (including the essential ones), certain features of instructa.ai may not work correctly – for example, you might not be able to stay logged in or play course videos. We therefore recommend allowing cookies from instructa.ai to ensure you get the full functionality of our platform. By continuing to use our site without disabling cookies, we assume you agree to our use of these essential cookies.

(For transparency, aside from cookies, our third-party providers like Mux and Storyblok may temporarily collect device identifiers or IP information as explained above when delivering content, but this is not used to track you – it’s only used for providing the service in real time. We do not use Google Analytics or any similar analytics platform that would track your usage.)

International Data Transfers

We understand the importance of keeping your data within jurisdictions that afford strong privacy protections. All personal data we collect is stored and processed within the European Union. Our own servers and databases (e.g., Supabase) are located in the EU, and we have chosen service providers that either operate from the EU or provide EU data centers for our use. This means that your data is not transferred to countries outside the EU/EEA in the normal course of operations.

In particular, whenever possible we have configured our third-party services to use EU-based servers: for example, as noted, our database is in the EU, and content delivery (videos, files) is either from EU servers or via global CDNs that are GDPR-compliant. We do not send your personal data to the United States or other third countries without proper safeguards. If in the future we ever need to transfer your data outside the European Economic Area (for example, if we integrate a new service based in a third country), we will ensure such transfer complies with GDPR Chapter V requirements. That means we would only transfer data to a country deemed adequate by the European Commission, or we would put in place appropriate safeguards such as Standard Contractual Clauses (SCCs) along with any necessary supplementary measures to protect your information. We would also inform you of such a change in our data handling.

As of now, you can be confident that your personal information remains under the protection of European data privacy laws and is not subjected to jurisdictions with lower privacy standards.

Children’s Data

Our services are not directed to children, and we do not knowingly collect personal data from individuals under the age of 16. instructa.ai is a platform intended for adult learners and professionals. By creating an account and using our services, you affirm that you are at least 16 years old (or the minimum age required in your country for providing consent to personal data processing) or that you have obtained consent from a parent or legal guardian. If we discover that we have inadvertently collected personal information from a child under 16 without proper consent, we will take immediate steps to delete that information from our records. If you are a parent or guardian and believe your child under 16 has provided personal data to us, please contact us at gdpr@macherjek.at, and we will promptly remove the data and terminate the child’s account if applicable.

Changes to the Privacy Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will post the updated Privacy Policy on this page and update the “Last Updated” date at the top. If the changes are significant, we will take additional steps to notify you: for example, we might send a notice to the email address associated with your account or display a prominent announcement on our website.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of instructa.ai after any updates to this policy will be deemed acceptance of those changes, subject to any additional legal requirements for obtaining your consent. If you do not agree with the changes, you have the right to discontinue use of our services and request that we delete your personal data.

Contact Us: If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us. You can reach our team at support@instructa.org for general inquiries or gdpr@macherjek.at for privacy-specific matters. We are here to help and will gladly address any issues or clarify any points regarding your privacy and data protection.

Thank you for trusting instructa.ai. We are committed to safeguarding your personal data and ensuring your rights are respected. Your privacy is important to us, and we will continue working hard to protect it in compliance with GDPR and beyond.