Privacy Policy

Last updated: March 2026

HackTheKnowledge ("HTK", "we", "us") is committed to protecting your privacy. This Policy explains what personal data we collect, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and applicable Spanish law.

1. Data Controller

The data controller is HackTheKnowledge. For data protection enquiries, contact us at privacy@hacktheknowledge.com.

2. Data We Collect

Account Data

  • Name, email address, and hashed password when you register.
  • Email verification status and verification timestamps.
  • Account role (student / admin) and creation date.

Billing Data

  • Purchase history (product, price, status, date).
  • Stripe customer ID (your payment card data is held by Stripe, not HTK).
  • Billing address country (used to route lab VMs to the nearest Azure region).
  • Applied coupon codes and discount amounts.

Learning & Lab Data

  • Course enrolment, lesson progress, quiz scores, and flag submissions.
  • Lab session logs: launch times, status transitions, region used, TTL consumed.
  • XP points earned and leaderboard position.
  • Assignment submissions and grades.

Technical Data

  • IP address (used for rate limiting and fraud prevention; not stored persistently).
  • Browser and device information collected by analytics providers (see Section 5).
  • Server logs retained for up to 90 days for security and debugging.

3. Legal Bases for Processing

  • Contract (Art. 6(1)(b) GDPR): account management, course delivery, lab provisioning, and billing.
  • Legitimate interest (Art. 6(1)(f) GDPR): platform security, fraud prevention, rate limiting, and improving the service.
  • Consent (Art. 6(1)(a) GDPR): optional analytics cookies (Plausible, Google Analytics) when you accept via the cookie banner.
  • Legal obligation (Art. 6(1)(c) GDPR): retaining transaction records for tax and accounting purposes.

4. How We Use Your Data

  • Providing access to purchased courses and lab environments.
  • Processing payments and issuing receipts via Stripe.
  • Sending transactional emails (purchase confirmation, password reset, verification).
  • Tracking learning progress and awarding certificates.
  • Enforcing rate limits and detecting abuse.
  • Improving course content and platform performance.

5. Third-Party Processors (Sub-processors)

  • Stripe — Payment processing. Data: billing details, transaction history. See Stripe's Privacy Policy.
  • Neon (PostgreSQL) — Database hosting (EU region). Data: all platform data.
  • Vercel — Application hosting and edge delivery. Data: server logs, IP addresses.
  • Microsoft Azure — Lab VM provisioning. Data: userId, courseId, labId (no PII beyond pseudonymous IDs).
  • Resend — Transactional email. Data: name and email address.
  • Plausible Analytics — Privacy-friendly analytics (no cookies, no cross-site tracking, EU hosted). Data: anonymised page views.
  • Google Analytics / GTM — Analytics (only when consent given via cookie banner). Data: anonymised usage metrics.
  • Cookiebot — Cookie consent management.

6. Data Retention

  • Account data: retained while your account is active and for 3 years after deletion.
  • Transaction records: 7 years (Spanish tax law obligation).
  • Lab session events: 90 days (configurable via admin).
  • Server logs: 90 days.
  • Password reset and email verification tokens: deleted immediately on use or expiry.

7. Your Rights (GDPR)

  • Access: request a copy of all personal data we hold about you.
  • Rectification: request correction of inaccurate data.
  • Erasure: request deletion of your account and personal data (subject to legal retention obligations).
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: withdraw analytics consent at any time via the cookie banner.

To exercise these rights, email privacy@hacktheknowledge.com. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish data protection authority (AEPD) at www.aepd.es.

8. International Transfers

Some sub-processors may process data outside the EEA (e.g. Stripe, Vercel, Resend). All such transfers are covered by Standard Contractual Clauses (SCCs) or an EU adequacy decision. See our Data Processing Addendum for details.

9. Security

We implement technical and organisational measures including: bcrypt password hashing, HMAC-signed API calls, HTTPS-only access, HSTS, rate limiting, and role-based access control. No system is 100% secure; please report security concerns to security@hacktheknowledge.com.

10. Changes to This Policy

We may update this Policy. Material changes will be communicated by email at least 15 days before taking effect.