Privacy Policy

Last updated: 24 May 2026

1. Who we are

AI Constellation Engineering is an online course operated from Spain. For the purposes of the EU General Data Protection Regulation (GDPR), AI Constellation Engineering is the data controller responsible for your personal data.

Data Controller

AI Constellation Engineering

Email: ai.constellation.engineering@gmail.com

Location: Spain (European Union)

Questions about this policy, or requests to exercise your data rights, can be sent to the email above. We will respond within 30 days as required by law.

2. What data we collect

We collect only what is necessary to run the platform and deliver your course experience.

Account information

When you register, we collect your email address (entered directly or received via Google sign-in), your account tier (free or paid), the date you registered, and how you signed up. For Google OAuth users, we also receive your email verification status and Google user ID. We do not receive your Google password or any other Google account data.

Purchase information

When you buy the course through Payhip, we receive your buyer email, the product name, the payment amount, and the purchase date via a webhook. We do not receive or store your payment card number, billing address, or any other financial details — Payhip handles all of that.

Course progress

We track which lessons you have completed and when your progress was last updated, so you can pick up where you left off. Progress is stored on our servers and also cached locally in your browser for faster loading. The server copy is always the authoritative record.

Authentication data

After you log in, we set a signed cookie (ce_token) containing your email address and account tier, which expires automatically after 30 days. During Google sign-in, a temporary CSRF-protection cookie (oauth_state) is set for 10 minutes and deleted once sign-in completes. These are the only cookies we set.

Client-side preferences

Your display preferences (theme, font size, auto-advance toggle) and a cached copy of your email, tier, and lesson progress are stored in your browser’s localStorage. This data stays entirely in your browser and is never transmitted to our servers.

Rate-limiting data

We temporarily record your IP address solely to enforce rate limits on login, registration, and verification endpoints. This data is stored with automatic expiry (60 seconds to 1 hour depending on the endpoint), is never linked to your user account, and deletes itself when the window closes.

What we do not collect

We do not use tracking pixels, analytics scripts, or advertising cookies. We do not collect browsing history, device fingerprints, or behavioral data beyond what is described above.

3. Why we process your data

Under the GDPR, every use of personal data requires a lawful basis. Here are ours:

Data	Purpose	Legal basis
Email, account tier, progress (paid users)	Delivering the course you purchased	Contract — Art. 6(1)(b)
Purchase details (via Payhip)	Verifying payment and granting access	Contract — Art. 6(1)(b)
Google OAuth data	Authenticating your identity at sign-in	Contract — Art. 6(1)(b)
Free-tier registration	Providing free preview access	Consent — Art. 6(1)(a)
IP addresses (rate limiting)	Protecting the platform from automated abuse	Legitimate interest — Art. 6(1)(f)
Essential cookies (`ce_token`, `oauth_state`)	Authentication and CSRF protection	Strictly necessary — ePrivacy Art. 5(3)

We do not use automated decision-making or profiling as described in Article 22 of the GDPR. No decisions about your course access or experience are made by automated means without human involvement.

Providing your email address is required to access the platform. Without it, registration is not possible. For paid users, this data is also necessary to fulfil our contractual obligation to deliver the course you purchased.

4. Where your data is stored and how long we keep it

Data	Location	Retention
User records & progress	Cloudflare Workers KV	Until you delete your account
Auth token (`ce_token`)	Your browser (cookie)	30 days, then auto-expires
OAuth CSRF cookie (`oauth_state`)	Your browser (cookie)	10 minutes, then auto-expires
Rate-limit counters	Cloudflare Workers KV	60 seconds to 1 hour (auto-deletes)
Preferences & cached data	Your browser (localStorage)	Until you clear your browser data
Payment card & billing details	Payhip (we never receive this)	Per Payhip’s policy

All data stored in Cloudflare Workers KV is encrypted at rest by Cloudflare. Authentication tokens are signed using HMAC-SHA256. All platform connections use HTTPS.

5. Third-party services

We use three external services to run the platform. We do not sell, rent, or share your data with anyone else.

Payhip — payment processing

When you purchase the course, Payhip processes your payment and sends us a confirmation containing your email, the product name, the amount paid, and the purchase date. Payhip handles all payment card details, billing addresses, and refunds directly. We never see or store your card information. Payhip Privacy Policy →

Google — optional sign-in

If you choose to sign in with Google, we receive your email address, email verification status, and Google user ID. We request only the email and profile scopes — we do not access your contacts, calendar, or any other Google data. Sign-in with email and password is always available as an alternative. Google Privacy Policy →

Cloudflare — hosting and infrastructure

The course site is hosted on Cloudflare Pages, the API runs on Cloudflare Workers, and your account and progress data is stored in Cloudflare Workers KV. All data stored with Cloudflare is encrypted at rest. Cloudflare may collect standard server access logs (IP addresses, request metadata) as part of normal infrastructure operation. Cloudflare Privacy Policy →

6. Cookies and local storage

We use only cookies that are strictly necessary for the platform to function. We do not use tracking, analytics, advertising, or preference cookies. Because these cookies are essential to providing the service you requested, they are exempt from cookie consent requirements under Article 5(3) of the ePrivacy Directive.

Name	Purpose	Duration
`ce_token`	Authentication — keeps you logged in between sessions	30 days
`oauth_state`	CSRF protection during Google sign-in flow	10 minutes
`admin_session`	Admin panel authentication (not student-facing; HttpOnly)	7 days

In addition, we store the following data in your browser’s localStorage. This data stays entirely on your device and is never sent to our servers:

ce_email — cached email address for display
ce_tier — cached account tier to avoid repeated server lookups
ce_progress_{email} — cached lesson progress (server copy is authoritative)
ce_settings — display preferences: theme, font size, auto-advance

7. Your rights under the GDPR

If you are in the EU or EEA, the following rights apply to your personal data. To exercise any of them, email ai.constellation.engineering@gmail.com. We will respond within 30 days.

Access — Your email and account tier are visible in the course interface; your lesson progress is displayed on the course index page. You can also request a full copy of your data by email.
Erasure (“right to be forgotten”) — Delete your account using the Delete account button in the course, or by contacting us. See Section 8 for how deletion works.
Rectification — You can update your lesson progress directly in the course. To correct your email address, contact us and we will update it manually.
Portability — You can request a machine-readable export of your data. This is not yet available as a self-service feature — email us and we will prepare your data export manually.
Object or restrict processing — You can object to processing based on legitimate interest (rate limiting). Account deletion is the primary mechanism. Contact us to discuss alternatives.
Withdraw consent — Free-tier users may withdraw consent at any time by deleting their account, which results in immediate and permanent removal of all associated data.

Supervisory authority: If you believe we have not respected your data rights, you have the right to lodge a complaint with the Spanish Data Protection Agency — Agencia Española de Protección de Datos (AEPD) — at www.aepd.es, or with the supervisory authority in your country of residence if you are in another EU/EEA state.

8. Deleting your account

You can delete your account at any time using the Delete account button on the course index page, or by contacting us directly.

Free accounts

Deletion is immediate and permanent. Your account, email address, and all progress data are removed from our servers instantly. This action cannot be undone.

Paid accounts — 30-day grace period

To protect against accidental deletion, we apply a 30-day grace period. Your account is marked for deletion and a countdown begins. If you log back in within those 30 days, the deletion is automatically cancelled and your account is fully restored. After 30 days with no login, your account and all progress data are permanently and irreversibly deleted.

Once deletion is complete, no personal data associated with your account remains on our servers. Purchase records held by Payhip are governed by Payhip’s own retention policy.

9. How we protect your data

All connections use HTTPS — data in transit is encrypted end-to-end.
Authentication tokens are signed with HMAC-SHA256 and cannot be forged or tampered with without the server-side secret.
Data stored in Cloudflare Workers KV is encrypted at rest by Cloudflare.
Rate limiting protects all authentication endpoints against brute-force attacks (login: 10 attempts per 60 seconds; registration: 5 per hour; admin login: 5 per 5 minutes).
Google OAuth sign-in uses CSRF protection via a short-lived oauth_state cookie.
Admin sessions use HttpOnly cookies, inaccessible to JavaScript.
No passwords are stored — authentication is token-based or delegated to Google OAuth.

If you believe your account has been compromised, contact us immediately at ai.constellation.engineering@gmail.com.

10. International data transfers

Your data is stored in Cloudflare’s globally distributed edge network, with servers outside the EEA. Cloudflare uses Standard Contractual Clauses (SCCs) approved by the European Commission to safeguard transfers of personal data outside the EEA, and includes data processing terms in its standard service agreement. See Cloudflare’s privacy policy for details.

When you use Google sign-in, Google processes your authentication data internationally under Google’s standard terms, which include data processing provisions for API usage. Payhip independently controls payment data and applies its own international transfer safeguards — see their respective privacy policies in Section 5.

11. Children’s privacy

This course is intended for adults and is not directed at anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has registered on the platform, please contact us at ai.constellation.engineering@gmail.com and we will delete the data promptly.

12. Changes to this policy

If we make material changes to this policy — for example, collecting new categories of data or changing how existing data is used — we will update the “Last updated” date at the top of this page and notify registered users by email before the changes take effect.

Minor updates (spelling corrections, clarifications that do not affect your rights) may be made without direct notification. Continued use of the platform after material changes take effect constitutes acceptance of the updated policy.

13. Contact and jurisdiction

Data controller: AI Constellation Engineering

Email: ai.constellation.engineering@gmail.com

Applicable law: This policy is governed by the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Spanish Organic Law 3/2018 on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

Supervisory authority: Agencia Española de Protección de Datos (AEPD) — www.aepd.es