IPAK-EDU Social (ipakedu.online) is operated by IPAK-EDU LLC. Our public marketing and donations sites are ipak-edu.org and ipaknowledge.org. Technical operations are directed by James Lyons-Weiler, PhD.

For privacy questions or data requests: privacy@ipak-edu.org.

The platform is 18+ by default. If you are under 18, you cannot create your own account.

If you are under 18 and wish to join, a parent or legal guardian must:

1. Create a paid adult account in their own name
2. Upload a government-issued photo ID (driver license, state ID, or passport)
3. Upload a current photo
4. Electronically sign a parental-consent statement accepting legal responsibility for the minor’s use of the platform

Once the parent is verified, the minor receives their own account. The parent has full view access to the minor’s account at all times — posts, messages, connections, and activity.

ID images and photos are used for verification only. After verification is complete, the uploaded ID image and photo are destroyed. We retain only a boolean marker (parent_verified: true), the timestamp of verification, and the method used (driver license / state ID / passport). We never store, transmit, or back up the ID image after verification.

When you create an account or use the platform we store:

• Account identity. Display name, email, hashed and salted password, account creation date.
• Content you create. Posts, comments, articles, direct messages, profile information, uploaded images, and replies — each tied to your user ID. Most of this is retained as long as you’re a member, because continuity of the experience depends on it.
• Connection graph. Who you’ve friended, blocked, or muted.
• Activity records. Login timestamps, pages visited while logged in, and actions taken.
• Course enrollments and progress. Which courses you’re enrolled in and session completion status.
• Payment metadata. For paid features, we retain only the minimum processor-issued identifier and transaction status needed to operate your account. We never see or store your full payment credentials.
• Aggregate analytics. We use WordPress.com’s built-in Jetpack Stats for basic platform analytics — pageviews, approximate geography, referring links, device type. This is aggregate, first-party, and never shared with advertising networks.
• Technical logs. IP address, user agent, and timestamps, retained typically 90 days for security and abuse prevention.

No cross-site tracking. No Facebook pixels. No Google Analytics. No advertising SDKs. No location data beyond approximate geography inferable from your IP. We never sell or rent your information to anyone, ever.

• WordPress.com (Automattic) — hosting, CDN, security infrastructure, Jetpack Stats
• Google Apps Script + Google Sheets — platform backend (profiles, posts, activity, events, enrollments)
• Third-party payment providers — processing for paid features; you’ll see the available options at checkout
• Vimeo — course video hosting
• cdnjs (Cloudflare) and Mozilla CDN — client-side JavaScript libraries
• Gmail (Google Workspace) — transactional emails

Each provider has its own privacy practices. We configure them to collect only what’s needed for the feature they power.

Our hosting providers store data in the United States. Both Automattic and Google maintain GDPR-compliant transfer frameworks — the EU-US Data Privacy Framework and Standard Contractual Clauses. If you join from outside the US, your information transfers to the US under these frameworks.

• To authenticate you and display your content
• To deliver messages, notifications, and weekly digests
• To process payments for paid features and courses
• To protect the community through spam prevention, abuse detection, and moderation

We will not use your data for purposes beyond these without asking you first.

Direct messages and private posts are stored in our backend as readable records. They are not end-to-end encrypted. A member of our SuperAdmin group — founders and designated operators acting on their behalf — may access them under three specific conditions only:

1. Platform improvement. Aggregate analysis to improve usability and suggest relevant courses. Individual messages are not read for this purpose; only patterns across many messages.
2. Reported abuse. If another member reports your message as abusive, a SuperAdmin may read the specific reported exchange to investigate.
3. Legal compulsion. Valid warrants, subpoenas, or court orders, handled according to the Legal Process section further down.

We never share private content. We never make it public. If you use DMs on this platform, treat them as content a SuperAdmin could theoretically read under the three conditions named here — which is true of most platforms, but we name it directly.

You control visibility. When you publish a post, article, comment, or upload to your gallery, you choose per item whether it is:

• Public — visible to anyone on the web, indexable by search engines
• Members-only — visible only to signed-in IPAK-EDU members
• Connections-only — visible only to people you’ve explicitly connected with

You keep ownership of what you post. We receive only the narrow operational license needed to display your content on the platform. We do not reuse private or members-only content outside the platform without your explicit permission.

Public content is treated differently. When you choose to publish something publicly on IPAK-EDU Social, you grant us a broad, royalty-free, unrestricted license to reuse that public content in newsletters, course materials, marketing, and related publications. The reasoning: you already chose to make it public.

We use cookies and browser sessionStorage for login persistence, preferences, and platform function. No cross-site tracking cookies. No ad-targeting cookies. WordPress.com (our host) sets its own cookies for security and spam prevention; those are operationally necessary.

We honor the Global Privacy Control (GPC) signal when your browser sends it. We treat it as an opt-out request under applicable privacy laws and as an instruction to minimize non-essential data processing related to your session.

• Access. View your profile, posts, messages, and activity at any time from your member page.
• Edit or delete individual content. Most content can be edited or deleted directly by you.
• Soft-delete your account. Request account deletion and we process it immediately. Your content becomes invisible to other members the same day. The underlying records are retained internally for up to one year in case you return and want your presence restored — a kindness to members who change their minds, not a data grab. After one year, retained data is permanently destroyed, except where we are required by law to retain specific records (e.g., transaction records under US tax law).
• Hard-delete on request. If you want immediate permanent deletion without the one-year grace window, email privacy@ipak-edu.org and we will hard-delete within 30 days.
• Export your data. Request a copy of your profile and content by email. We are rolling out export tooling now; initial exports cover the most recent 3 months of your data. We’re a small, member-funded platform, and expanded export windows will roll out as our storage budget grows.
• Control notifications. From your account settings page.
• Unsubscribe from emails. Every marketing and digest email contains an unsubscribe link. Transactional emails (password resets, payment receipts) cannot be unsubscribed because they’re tied to core account function.

In addition to the rights above, California residents have the right to:

• Know what categories of personal information we collect, the purposes, and the categories of third parties we share with
• Delete personal information we hold about you, subject to narrow legal exceptions
• Correct inaccurate personal information
• Opt out of sale or sharing. We do not sell or share personal information as defined under CCPA/CPRA. There is nothing to opt out of. If that changes, we will provide the opt-out mechanism required by law.
• Limit use of sensitive personal information. Parent-verification ID data is destroyed immediately after verification; we do not use sensitive personal information for any purpose beyond the narrow verification itself.
• Non-discrimination for exercising these rights. Exercising any right here will never result in denial of service, different pricing, or degraded service quality.

To exercise California rights, email privacy@ipak-edu.org with the subject line “CCPA Request” and specify which right you’re exercising.

In addition to the general rights, EU, UK, and EEA residents have the right to:

• Access their personal data (Article 15)
• Rectification of inaccurate data (Article 16)
• Erasure — “the right to be forgotten” (Article 17)
• Restriction of processing in specified circumstances (Article 18)
• Data portability — receive data in a machine-readable format (Article 20)
• Object to processing based on legitimate interest (Article 21)
• Withdraw consent at any time, where processing is based on consent (Article 7)
• Not be subject to automated decision-making that produces legal or similarly significant effects (Article 22). We do not currently engage in this kind of automated decision-making.
• Lodge a complaint with your supervisory authority if you believe your rights have been violated

Legal bases for processing. We process personal data on one or more of the following bases: consent you give, performance of our service agreement with you, compliance with legal obligations, and our legitimate interests in operating and protecting the platform, balanced against your rights.

To exercise EU/UK/EEA rights, email privacy@ipak-edu.org. We respond within one month, as required by GDPR Article 12.

We implement reasonable technical and organizational security measures for a platform of our size and stage. We are conducting a comprehensive security review before full public launch.

If we discover a security breach affecting your personal data, we will notify affected users within 72 hours of discovery, through both:

• Email to the address on file
• An in-platform system broadcast visible the next time you log in, so stale email addresses do not create notification gaps

The notice will describe what happened, what data was affected, what we are doing in response, and what we recommend you do.

We comply with valid legal process. We challenge requests we believe are overbroad or improper. We analyze requested information for intent before any private disclosure. We notify affected users of legal requests touching their data unless legally prohibited from doing so.

Under-18 access is handled through the parent-gated process described earlier in this policy. If we learn we have collected data from a minor without verified parental consent, we will destroy it promptly.

Minor wording fixes are posted with an updated effective date at the top of this page. Material changes — new categories of data collected, new third-party services added, or any reduction of your rights — trigger both an email to active members and an in-platform banner for 30 days before the change takes effect. You are always free to export your data and delete your account before a material change becomes effective. Objections may be sent to privacy@ipak-edu.org.