Privacy Policy

OurVaya is operated by Billimen Inc. ("we," "us," or "our"). This Privacy Policy explains what information we collect when you use ourvaya.com (the "Platform"), how we use it, who we share it with, and what rights you have over your data.

We have written this policy in plain English intentionally. If something is unclear, email us at founder@partnastudio.com.

What We Collect

Information You Provide

Email address — required to create an account and to receive transactional emails.

Display name — the name shown on your profile and the leaderboard. You choose this; it does not have to be your legal name.

Profile avatar — an image you upload voluntarily. Stored via Vercel Blob.

Subscription tier — whether you are on a free or paid plan, and when your subscription began or renewed.

Information Generated When You Use the Platform

Learning progress — courses started, lessons completed, exercises submitted, quiz attempts and scores.

Credentials earned — digital badges and certificates issued when you complete a learning milestone.

Game activity — games completed, IP (Intellectual Points) earned, current level, daily streak.

Session activity — pages visited, actions taken within a session, timestamps.

IP address — logged by our hosting provider (Vercel) as part of standard web server operations. Not linked to your profile.

What We Do Not Collect

Passwords. We use magic-link email login and Google OAuth via Auth.js v5. We never store or see a password.

Payment card details. All payment processing is handled entirely by Stripe. We receive only a Stripe customer ID and subscription status — never raw card numbers, CVVs, or bank account information.

How We Use Your Information

We use your information to: create and maintain your account; deliver your learning experience; send transactional emails (welcome, level-up, credential earned, subscription receipt); send the optional weekly digest; process subscription payments; detect abuse and maintain platform security; improve the Platform via aggregated analytics; operate the leaderboard; and issue and verify credentials.

We do not sell your data. We do not use your data for behavioral advertising or third-party ad targeting.

Third-Party Services

Stripe

Stripe processes all subscription and one-time payments. We receive a Stripe customer ID and subscription status only. Stripe does not share your card data with us. Privacy policy: stripe.com/privacy

Resend

Resend delivers all transactional and digest emails. Your email address is transmitted to Resend for delivery. Resend does not use your email for its own marketing. Privacy policy: resend.com/legal/privacy-policy

MongoDB Atlas

Your account data, learning progress, credentials, and game activity are stored in MongoDB Atlas, a cloud database service hosted in the United States. MongoDB Atlas is a data processor acting on our behalf under a Data Processing Agreement.

Vercel

OurVaya is hosted on Vercel's infrastructure, based in the United States. Vercel processes requests, serves pages, and stores uploaded avatars (via Vercel Blob). Vercel may log request metadata including IP addresses for security and operational purposes.

Microsoft Clarity

We use Microsoft Clarity for session recordings and heatmaps. Sensitive routes — including account settings, subscription management, credential pages, and authenticated checkout — are masked and excluded from recording. No recordings are made on those pages.

Google Analytics 4

We use Google Analytics 4 to measure page views, navigation patterns, and feature usage in aggregate. GA4 uses cookies and may associate activity with a pseudonymous identifier.

Google OAuth

If you sign in with Google, we receive your email address and display name from Google to create or match your OurVaya account. We do not receive your Google password or broader account access.

Google AdSense

We display advertisements on OurVaya served by Google AdSense, a service operated by Google LLC. Google AdSense uses cookies to serve ads based on your prior visits to this website or other websites. You may opt out of personalised advertising by visiting Google's Ads Settings at adssettings.google.com. If you decline analytics cookies via our consent banner, we request that Google serve non-personalised ads only. Privacy policy: policies.google.com/privacy

Cookies and Local Storage

Authentication cookies: Auth.js sets an encrypted session cookie when you sign in. This is strictly necessary for the Platform to function.

Analytics cookies: Microsoft Clarity and Google Analytics 4 set their own cookies. These are not required for the Platform to function. Where required by law, we request your consent before setting non-essential cookies.

localStorage: We use your browser's localStorage to save your daily game streak and in-progress game state. This data stays on your device and is not transmitted to our servers unless it triggers a progress save.

Data Retention

Account and profile data: retained while your account is active. Deleted within 30 days of account deletion. Learning progress, credentials, and game activity: deleted with your account. When you delete your account via Account Settings → Delete Account at /account/delete, we permanently delete all associated records from our database within 30 days.

Stripe payment history may be retained longer where required by law or financial regulation.

Your Rights

For Everyone

You have the right to: access the data we hold about you; correct inaccurate data (update your display name and avatar directly in your profile); delete your account and all associated data via /account/delete; and withdraw consent for non-essential communications (unsubscribe link in every email).

European Union and United Kingdom (GDPR)

You additionally have the right to: data portability — receive a copy of your data in a structured, machine-readable format; restriction of processing — ask us to pause processing while a dispute is resolved; object to processing based on legitimate interest; and lodge a complaint with your national supervisory authority.

California Residents (CCPA / CPRA)

Under California law, you have the right to: know what personal information we collect and how we use it; delete your personal information; correct inaccurate personal information; and opt out of sale or sharing. We do not sell or share your personal information for cross-context behavioral advertising. California residents may submit requests by emailing founder@partnastudio.com with "California Privacy Request" in the subject line.

Children's Privacy

OurVaya is intended for users 13 years of age and older. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has created an account, we will delete that account and all associated data promptly. Contact: founder@partnastudio.com.

Data Security

We implement reasonable technical and organizational measures to protect your data, including: encrypted connections (HTTPS/TLS); encrypted session cookies; role-based access controls on MongoDB Atlas; and sensitive pages excluded from session recording.

Changes to This Policy

If we make material changes to this Privacy Policy, we will notify you by email and update the "Last Updated" date at the top of this page. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

Contact

Billimen Inc. — operating ourvaya.com

Email: founder@partnastudio.com

For GDPR inquiries: subject line "GDPR Request". For CCPA inquiries: subject line "California Privacy Request".

Data Controller and Representatives

Data Controller

The data controller for personal information collected on ourvaya.com is: Billimen Inc., a Delaware corporation. Contact: founder@partnastudio.com.

EU/UK Representative

OurVaya does not currently solicit users from the European Economic Area (EEA) or United Kingdom. If you are an EEA or UK resident and access this platform, please contact us at founder@partnastudio.com before creating an account and we will advise on applicable data handling. We do not have a designated EU representative under GDPR Art. 27 at this time. If EU traffic grows materially, we will appoint an EU representative and update this policy accordingly.

Data Protection Officer

We are not required to appoint a Data Protection Officer (DPO) under GDPR Art. 37, as we do not engage in large-scale systematic processing of sensitive data categories or public authority processing. No DPO has been appointed. For any privacy inquiries, contact founder@partnastudio.com.

Lawful Basis for Processing (GDPR Art. 13)

For users in the EEA or UK, the following table describes the lawful basis for each category of processing:

Account creation and service delivery — Lawful basis: Contract (Art. 6(1)(b)). We process your name, email, and authentication credentials to create and manage your account and deliver the platform you signed up for.

Analytics: Microsoft Clarity and Google Analytics 4 — Lawful basis: Consent (Art. 6(1)(a)). These analytics tools are loaded only after you accept cookies via the consent banner. You may withdraw consent at any time via Cookie Policy or Account Settings.

Advertising: Google AdSense — Lawful basis: Consent (Art. 6(1)(a)). AdSense is loaded only after cookie consent. If you decline, non-personalised ads are served without consent-requiring cookies. You may withdraw consent at any time.

Platform security, fraud prevention, and abuse detection — Lawful basis: Legitimate interest (Art. 6(1)(f)). We process log data and usage patterns to protect the integrity of the platform and prevent misuse.

Payment processing via Stripe — Lawful basis: Contract (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c)). We process payment data to fulfil subscription and one-time purchase contracts and to comply with financial record-keeping requirements.

Weekly digest emails — Lawful basis: Consent (Art. 6(1)(a)). The digest is opt-in only. You may withdraw consent at any time by toggling the setting in Account Settings or clicking Unsubscribe in any digest email.

Legal record retention — Lawful basis: Legal obligation (Art. 6(1)(c)). We retain certain transaction and communication records as required by applicable law.