This Privacy Policy describes how Cobuntu (“we”, “us”, or “the Platform”) collects, uses, and protects your personal information. It applies to both the user-facing community apps (each at <tag>.cobuntu.com) and the admin app at admin.cobuntu.com.

1. Information We Collect

1.1 Account Information

When you create a Cobuntu account, we collect:

• Name and email address
• Profile image (optional)
• Username/usertag
• Bio and signature (optional)
• Marketing preferences (opt-in / opt-out for non-essential email)

1.2 Authentication Data

Cobuntu supports two authentication methods:

Email & Password

• Passwords are hashed with bcrypt and a per-user salt; we never store plain-text passwords.
• Email verification is required via a one-time signed token.
• Password resets are sent as one-time links that expire in one hour.

Google OAuth

When you sign in with Google, we receive:

• Your basic profile (name, email, profile picture)
• Optional access to Google Calendar (only if you opt in to calendar syncing for your events)

We do not request any other Google scope. We do not access your Gmail, Drive, contacts, or any other Google service.

1.3 Magic-Link Tokens

Cobuntu issues short-lived signed tokens (HS256 JWT) for guest actions like cancelling a registration, downloading a paid product, or completing payment after event approval. These tokens contain only the resource ID, the email of the recipient, and an expiration timestamp. Tokens are validated server-side and are scope-locked to a single resource.

1.4 Community & Social Data

• Community memberships and roles
• Friendship connections and requests
• Event attendance, applications, and invitations (including registration form answers)
• Content interactions: posts, reactions, article views

1.5 Payment Information

For purchases and subscriptions:

• Stripe handles all card data; Cobuntu never sees or stores your card number, CVV, or full card details.
• We retain transaction records: amounts, currency, status, refund history, and the email associated with the buyer.
• For sellers and community operators, we store the connected Stripe account ID and payout history.

1.6 Usage Analytics

• Product and event view counts
• Cart and checkout interactions (for funnel analysis)
• Article view counts and approximate read time
• IP address and user agent (for security and abuse detection only — not used for ad targeting)
• Approximate geographic location (country, city, region) derived from your IP for tax and currency purposes

1.7 Purchase Snapshots

When you buy a digital product, we create an immutable snapshot of the product files at the time of purchase. This guarantees you perpetual access to what you bought, even if the seller later modifies or archives the original. Snapshots are stored in encrypted Google Cloud Storage and accessible from your purchase library.

2. How We Use Your Information

2.1 Service Provision

• Provide community platform features (membership, events, marketplace)
• Process payments, payouts, and refunds via Stripe
• Sync with Google Calendar (only if you opt in)
• Send transactional notifications: receipts, confirmations, refund confirmations, host approvals/rejections

2.2 Analytics & Improvement

• Track product and event performance for sellers
• Analyze platform-wide engagement to improve features
• Detect fraud, abuse, and security threats

2.3 Communication

• Service-related notifications (always sent)
• Marketing emails (only with your explicit opt-in; you can unsubscribe at any time)
• Customer support correspondence

3. Information Sharing

3.1 Third-Party Services

We integrate with the following third-party services:

• Stripe — payment processing, subscriptions, and Stripe Connect for community payouts
• Google — OAuth login and optional Calendar integration
• Resend — transactional and marketing email delivery
• Google Cloud Storage — encrypted file storage for product snapshots, banners, and receipts
• Vercel — application hosting and edge delivery

3.2 Within Communities

• Your profile information is visible to other members of communities you join.
• Your event attendance and marketplace activity may be visible to community leaders for moderation and analytics purposes.
• Registration form answers you submit to a host are visible to that event’s host(s) only.

3.3 Legal Requirements

We may disclose information if required by law or to:

• Comply with a valid legal obligation
• Protect the rights, property, or safety of Cobuntu, our users, or the public
• Investigate fraud or platform abuse

4. Data Storage & Security

4.1 Storage

• Application data is stored in PostgreSQL on Google Cloud Platform.
• Files (product snapshots, banners, profile images, receipt PDFs) are stored in Google Cloud Storage with server-side encryption.
• Sensitive tokens (OAuth refresh tokens, Stripe webhook secrets) are encrypted at rest.
• We perform automated daily backups for disaster recovery.

4.2 Security Measures

• HTTPS for all data in transit
• JWT-based authentication with reasonable session expiration
• OAuth 2.0 for third-party integrations
• Per-community Stripe Connect (your community’s payment data is segregated)
• Permission-based access control (role groups + per-feature permissions)

4.3 Region & GDPR

Application data is hosted in the EU region (europe-west1) for GDPR compliance. International data transfers (e.g., to Stripe in the US, to Google services) are governed by Standard Contractual Clauses and the third-party’s adequacy program.

4.4 Local Storage in Your Browser

We use browser localStorage to persist:

• Authentication tokens (JWT, automatically expired)
• Theme and language preferences
• Your active community context (which community’s storefront you’re viewing)

5. Your Rights

5.1 Account Management

• Update your profile, preferences, and notification settings at any time
• Disconnect Google OAuth from your account
• Disconnect a Stripe Connect account from a community you operate

5.2 Data Access & Portability (GDPR Article 15 & 20)

• Request a copy of the personal data we hold about you
• View your purchase history, attendance history, and active subscriptions in your account
• Export your data in a machine-readable format on request

5.3 Data Deletion (GDPR Article 17 — Right to Erasure)

You can request deletion of your account by emailing support@cobuntu.com or via your account settings. On deletion:

• Your profile and account data are removed.
• Your community memberships are removed.
• Active subscriptions are cancelled.
• Records required for legal or financial compliance (purchase records, refund records, tax records) are retained for the period required by law and the buyer email is anonymized where feasible.

5.4 Marketing Opt-Out

You can opt out of marketing emails at any time via the unsubscribe link in any marketing email or your account preferences. Transactional emails (receipts, confirmations, security alerts) are not affected by marketing opt-outs.

6. Cookies & Tracking

6.1 Essential Cookies

• Authentication and session management
• Security (CSRF protection, fraud prevention)
• User preferences (theme, language, community context)

6.2 Analytics

We track aggregate usage analytics to improve the platform — page views, feature usage, checkout funnels. We do not use third-party advertising or behavioral-targeting trackers on the platform.

6.3 Third-Party Cookies

• Stripe sets cookies during checkout for fraud prevention
• Google sets cookies during Google OAuth authentication

7. International Data Transfers

Your data may be transferred to and processed in countries other than your own (notably the United States, where Stripe and some Google services operate). We rely on Standard Contractual Clauses, the EU–US Data Privacy Framework where applicable, and our hosting region in the EU to provide appropriate safeguards.

8. Children’s Privacy

Cobuntu is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us at support@cobuntu.com and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to active users and posted here with an updated “Last updated” date.

10. Contact

For questions about this Privacy Policy or how your data is handled, contact us at support@cobuntu.com.