Privacy Policy

Last updated: May 18, 2026

1. Information We Collect

When you create an account, we collect your name, email address, and password (hashed with bcrypt — we never store plaintext passwords). If you sign in with Google or GitHub, we receive your name, email, and profile picture from that provider.

During onboarding, we ask about your background, goals, weekly time available, English self-rating, and a short open-text response about why you want to learn cloud engineering. This information helps us personalize your learning path. The open-text response is processed by our AI to recommend a starting point — it is not shared with anyone outside CloudPath.

When you use the platform, we collect learning activity data including lessons completed, quiz scores, time spent, and XP earned. Messages you post in community and team channels are stored on our servers and linked to your account (see Section 3). Ask Onyx tutor conversations are not stored on our servers — they are kept only in your browser session for context continuity and are cleared when you close the tab or log out.

When you make a payment, Stripe processes your payment information directly. We receive a subscription status and customer ID from Stripe but never see or store your card number.

2. How We Use Your Information

  • To provide and operate the CloudPath Academy platform
  • To personalize your learning path and Ask Onyx responses
  • To send transactional emails (welcome, password reset, certificates)
  • To send occasional product updates and educational content (you can unsubscribe at any time)
  • To display anonymized progress data in community activity feeds (your name may appear, e.g. "Alex completed a lesson")
  • To improve the platform through aggregate analytics (only with your consent — see Section 7)

3. Ask Onyx, Community Chat, and Message Data

Ask Onyx (AI tutor): Messages you send to Ask Onyx are processed by Anthropic's Claude API to generate responses. We do not store your Ask Onyx conversation history on our servers — it exists only in your browser session and is cleared when you close the tab or log out. Anthropic's privacy policy governs how they handle API request data.

Community and team channel messages: Messages you post in community or team chat channels are permanently stored in our database and associated with your account. Other participants in those channels can read your messages. If you delete your account, your community messages are deleted within 30 days.

4. Data Sharing and Sub-Processors

We do not sell your personal data. We share data only with the following service providers to operate the platform:

Analytics and advertising sub-processors (PostHog, Meta, LinkedIn) only receive data if you have provided cookie consent. You can withdraw consent at any time via the cookie preferences link in the footer.

5. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where required by law (e.g. billing records, which are retained for 7 years per accounting requirements).

6. Your Rights

You have the right to access, correct, or delete your personal data. You may also request a copy of your data in a portable format. To exercise these rights, email us at admin@cloudpathportal.com.

If you are in the EU or UK, you have additional rights under GDPR/UK GDPR, including the right to object to processing and the right to lodge a complaint with your supervisory authority.

7. Cookies & Tracking Technologies

We use cookies in three categories. A consent banner is shown on your first visit — optional cookies are only set after you click Accept All or opt in via the preferences panel.

Essential cookies (always active)

Required for the platform to function. Cannot be disabled.

Cookie | Purpose | Retention
next-auth.session-token | Keeps you logged in (NextAuth session) | 30 days / logout
next-auth.csrf-token | Protects forms from cross-site request forgery | Session
__stripe_mid / __stripe_sid | Set by Stripe during checkout — fraud prevention | 1 year / session
cloudpath-cookie-consent | Stores your cookie preference so we don't ask again | 1 year

Analytics cookies (consent required)

Only set after you accept analytics cookies. Used to understand how the platform is used and improve it.

Provider | Cookie / Technology | Purpose | Retention
PostHog (US) | ph_* | Product analytics, funnel tracking, session replay. Data stored in the US on PostHog Cloud. | 1 year

Advertising / retargeting cookies (consent required)

Only set after you accept analytics cookies, and only when these integrations are enabled by us. Used to build retargeting audiences on paid social platforms. These cookies are third-party and subject to the providers' own privacy policies.

Provider | Cookie / Technology | Purpose | Opt-out
Meta Platforms (US) | _fbp, _fbc | Meta Pixel — tracks page views for retargeting audiences on Facebook / Instagram ads | Facebook Ad Settings
LinkedIn (US) | li_sugr, UserMatchHistory | LinkedIn Insight Tag — tracks page views for B2B retargeting audiences on LinkedIn Campaign Manager | LinkedIn Opt-out

You can update your cookie preferences at any time by clicking the Cookie Preferences link in the site footer.

8. Children's Privacy

CloudPath Academy is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you are in the EU/EEA or UK, the minimum age is 16 (or the lower digital-consent age set by your member state). If we discover we have collected data from a user below the applicable age, we will delete it. Parents who believe we may have collected their child's data should email admin@cloudpathportal.com.

9. California Residents (CCPA/CPRA) — Do Not Sell or Share My Personal Information

If you are a California resident, you have the right to: (a) know what personal information we collect, use, and share; (b) request deletion of your personal information; (c) correct inaccurate personal information; (d) opt out of any sale or sharing of personal information for cross-context behavioral advertising (see below); (e) be free from discrimination for exercising these rights. To exercise these rights, email admin@cloudpathportal.com.

We do not sell your personal information. However, if you have consented to analytics cookies, we may share certain browsing data with Meta Platforms and LinkedIn for retargeting purposes, which may qualify as "sharing" under the CPRA. You can opt out of this sharing by declining analytics cookies in our cookie preferences panel, or by using the opt-out links in Section 7 above.

10. Data Residency & International Transfers

Your data is stored on AWS infrastructure in the United States (us-east-1 region) and on Neon's serverless PostgreSQL service (US region). If you access CloudPath from outside the US, your data is transferred to and processed in the US.

Transfer mechanisms by sub-processor (EU/UK to US):

  • AWS: EU–US Data Privacy Framework certification + Standard Contractual Clauses (Module 2 controller-to-processor).
  • Stripe: EU–US Data Privacy Framework certification + Standard Contractual Clauses; payment data processing per PCI DSS Level 1.
  • Anthropic: Standard Contractual Clauses via Anthropic's Data Processing Agreement. API request logs are retained per Anthropic's published retention schedule (typically up to 30 days for trust & safety review); CloudPath does not control retention on the upstream side.
  • Resend: Standard Contractual Clauses via Resend's Data Processing Agreement; transactional email metadata retained per Resend's published policy.
  • PostHog: EU instance (eu.posthog.com) when configured for EU users; US instance otherwise under Standard Contractual Clauses. Analytics consent is required before any event is sent.
  • Meta (Facebook), LinkedIn: EU–US Data Privacy Framework certifications + Standard Contractual Clauses; only loaded after analytics consent.
  • Neon, IONOS: Standard Contractual Clauses per each provider's published terms.

Copies of executed DPAs / SCCs are available on request to privacy@cloudpathportal.com. UK-based users: where the EU SCCs do not directly cover the transfer, we rely on the UK's International Data Transfer Addendum (IDTA) in addition.

11. Security

We use HTTPS for all data transmission, bcrypt for password hashing, IAM least-privilege access controls on infrastructure, and follow AWS security best practices. No system is 100% secure — if you discover a vulnerability, please contact us at admin@cloudpathportal.com and we will investigate promptly.

12. Changes to This Policy

We may update this policy from time to time. We will notify you by email of material changes at least 30 days before they take effect. Continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact

Questions about this policy or want to exercise your data rights? Email admin@cloudpathportal.com.