Privacy Policy
Effective date: May 25, 2026 · Last updated: May 25, 2026
We hold your information with complete discretion. This policy explains exactly what we collect, why, and how you can control it. If you have questions, reach us at [email protected].
1. Who We Are
The Relationship Codex™ is operated by Liliana Coventina. Our platform provides relational transformation coaching, educational content, community, and AI-assisted reflection tools. Our website is therelationshipcodex.com. For privacy inquiries: [email protected].
2. Information We Collect
We collect information you provide directly to us and information generated through your use of our platform.
- Account information: Name, email address, username, and password hash when you create an account.
- Profile data: Any optional information you add to your Mirror profile (photo, bio, social links).
- Quiz and assessment results: Your responses to the Spot the Pattern inventory and any framework assessments you complete · stored to personalise your portal experience.
- Journal entries: Private written reflections you create in The Journal. These are visible only to you.
- Community content: Posts and messages you share in The Circle · visible to other members according to your privacy settings.
- C.O.D.E.X AI sessions: Conversation history with our AI reflection tool, used to personalise guidance and track your practice arc.
- Payment information: Handled entirely by Stripe. We do not store credit card numbers. We receive confirmation of payment and your Stripe customer ID.
- Usage data: Pages visited, features used, session duration · collected via Umami Analytics (privacy-first, no cross-site tracking).
- Device and technical data: IP address, browser type, operating system · standard server logs, retained for 30 days.
- Intake form responses: Post-purchase intake data submitted after enrolling in a Pathway or booking a session.
3. How We Use Your Information
- Provide, personalise, and improve the platform experience
- Process payments and manage your membership
- Send transactional emails (account confirmation, password reset, purchase receipts)
- Send practice and community emails you opt into · you may unsubscribe at any time
- Analyse platform usage to improve content and features (via anonymised Umami analytics)
- Facilitate session bookings and facilitator communications
- Provide AI-assisted reflection (C.O.D.E.X) · your session data informs your arc position and depth score, not any third-party profiling
- Comply with legal obligations
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process your data under the following legal bases:
- Contract: To provide the services you signed up for
- Legitimate interests: To improve our platform, prevent fraud, and send relevant communications
- Consent: For marketing emails (you may withdraw consent at any time)
- Legal obligation: Where required by applicable law
5. Data Sharing
We do not sell your personal data. We share your data only with:
- Stripe · payment processing. Their privacy policy: stripe.com/privacy
- Resend · transactional email delivery. Your email address is shared to deliver emails you request.
- Cloudflare R2 · secure file storage for course content and uploaded media.
- OpenRouter · AI model routing for C.O.D.E.X sessions. Conversation data is sent to generate responses; it is not used to train models.
- Railway · cloud hosting provider. Application data resides on their infrastructure.
- Guest Facilitators · if you enrol in a course delivered by a guest facilitator, your name, email, and intake responses are shared with that facilitator for course delivery purposes only.
- Legal authorities · where required by law or to protect the safety of our community.
6. Cookies
We use the following cookies:
- Session cookie: Keeps you logged in. Expires when you close your browser (or after 30 days if you check "Remember me").
- Preference cookies: Remember whether you've dismissed the welcome popup (stored in localStorage, not transmitted to servers).
- Analytics: Umami Analytics · privacy-first, GDPR-compliant, no third-party tracking, no fingerprinting. Data is anonymised.
We do not use advertising cookies or third-party tracking pixels.
7. Data Retention
- Active accounts: data is retained while your account is active
- Deleted accounts: personal data removed within 30 days of deletion request, except where required for legal or financial records (payment records retained for 7 years per tax law)
- Journal entries, AI sessions, quiz results: deleted within 30 days of account deletion
- Server logs: retained for 30 days
8. Your Rights
Depending on your location, you have rights including:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and personal data ("right to be forgotten")
- Portability: Request your data in a portable format
- Objection: Object to processing based on legitimate interests
- Opt-out of marketing: Unsubscribe from marketing emails at any time via any email footer link or by contacting us
- CCPA (California residents): We do not sell personal information. You have the right to know, delete, and opt out as described above.
To exercise any right, email us at [email protected]. We will respond within 30 days.
9. Data Security
We implement industry-standard security measures including:
- Passwords stored as salted hashes (PBKDF2-SHA256) · we cannot read your password
- HTTPS/TLS encryption for all data in transit
- Encrypted storage for sensitive facilitator credentials
- Access controls limiting data access to authorised personnel only
No system is perfectly secure. In the event of a breach affecting your personal data, we will notify you within 72 hours as required by applicable law.
10. Children's Privacy
The Relationship Codex™ is intended for adults 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, please contact us and we will delete it promptly.
11. International Transfers
Our services are hosted in the United States. If you are based in the EEA or UK, your data may be transferred to and processed in the US. We rely on Standard Contractual Clauses and the data processing agreements of our US-based processors (Stripe, Resend, Cloudflare, Railway) to provide adequate safeguards for these transfers.
12. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will notify you by email or via a prominent notice on the platform at least 14 days before the changes take effect. The updated date at the top of this page will always reflect the most recent version.