1 — Who we are
Potter Academy is operated by Thomas Potter. This Privacy Policy explains how we collect, use, store, and protect your personal data when you visit our website, make a purchase, or use our learning platform.
2 — What data we collect
We collect the following types of data:
- Account data: Name, email address, password (hashed), and progress through course materials.
- Purchase data: Email, payment confirmation, product purchased, amount, currency, and transaction ID. We do not store card details.
- Analytics data: Page views, button clicks, and referral source (e.g. which YouTube video or email brought you here). See Section 5 for details.
- Technical data: IP address, browser type, and device information (collected automatically by our hosting and payment providers).
3 — How we use your data
| Purpose | Legal basis |
|---|---|
| Authenticating you and maintaining your session | Contractual necessity |
| Delivering course content and tracking progress | Contractual necessity |
| Processing payments and granting access | Contractual necessity |
| Sending transactional emails (magic links, receipts) | Contractual necessity |
| Understanding which content drives sales so we can improve our offerings | Legitimate interest |
| Preventing fraud and duplicate purchases | Legitimate interest |
| Maintaining platform security | Legitimate interest |
We do not use your data for targeted advertising or profiling.
4 — How we share your data
We do not sell, rent, or trade your personal data.
We share data only with the following service providers:
- Convex — backend database and authentication.
- Creem — payment processing.
- PostHog — cookieless analytics (see Section 5).
- Resend — transactional email delivery.
5 — Analytics & tracking
We use PostHog to understand how visitors interact with our website and which content drives sales. This helps us improve our courses and marketing.
What we track:
- Page views and navigation paths
- Button clicks (e.g. "Get Instant Access") and CTA interactions
- Referral source — if you arrived via a tracking link (e.g. from a YouTube video or email), we record that reference to attribute any purchase to the correct content
- UTM parameters (source, medium, campaign) when present in the URL
- Checkout completions (recorded server-side from our payment provider webhooks)
What we do NOT do:
- We do not use cookies for analytics. PostHog is configured to use memory-only storage ("cookieless" mode).
- We do not track you across other websites.
- We do not build advertising profiles or share analytics data with ad networks.
PostHog data is hosted in the EU. You can opt out of analytics tracking by enabling Do Not Track (DNT) in your browser, or by contacting us to request deletion of your analytics data.
6 — Cookies
We use strictly necessary session cookies to maintain your login state on the learning platform. These cannot be disabled as they are essential for the Platform to function.
We do not use tracking or advertising cookies. Our analytics (PostHog) runs in cookieless mode with memory-only storage.
7 — Data retention
- Account & progress data: Retained while your account is active. Deleted upon account deletion.
- Purchase records: Minimal records (course name, date, amount, payment ID, purchase email) may be retained after account deletion for legal and tax compliance, dissociated from personal identity where possible.
- Guest purchases: Retained for up to 2 years so we can link them to your account if you later register with the same email.
- Analytics data: Retained for up to 2 years, then automatically purged by PostHog.
8 — Your rights
Under UK GDPR, you have the right to access, correct, delete, export, or object to processing of your personal data. To exercise any of these rights, email contact@thomaspotter.uk. We will respond within 30 days.
9 — Data security
Data is stored in a secure backend environment. Authentication uses encrypted session tokens. Payments are processed by a PCI-DSS compliant payment provider. We never store payment card numbers.
10 — International transfers
Our infrastructure providers may process data in the United States or other jurisdictions. Such transfers are conducted in accordance with appropriate safeguards under UK GDPR, including standard contractual clauses.
11 — Children's privacy
The Platform is not directed at children under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us immediately and we will delete it.
12 — Embedded content
Some lessons may contain embedded video content. These providers may collect viewing data and set their own cookies. We recommend reviewing their respective privacy policies.
13 — Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Platform before taking effect.
14 — Contact & complaints
Questions or complaints about our data practices? Email contact@thomaspotter.uk. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.