PRIVACY POLICY
Last updated 2 June 2026
Draft pending legal review — not yet legally binding.
1. Who we are
System Design Lab (“we”, “us”, “the Platform”) provides a subscription video learning platform for designers. It is operated by Dave Connis as a sole proprietorship, based in Georgia, USA.
For GDPR purposes, we are the data controller for the personal data described in this policy. For questions or to exercise your rights: hello@systemdesignlab.co.
2. What data we collect
- Account data: first name, last name, email, optional company name. You provide these at signup.
- Billing data: processed by Stripe. We store a Stripe customer ID, subscription status, plan, and billing dates. We do not store your card number or CVV — those stay with Stripe.
- Learning activity: lessons watched, video progress timestamps, notes you write, search queries, and feedback you submit.
- Email engagement: whether you opened a transactional or marketing email and which links you clicked. Provided by our email vendor.
- Waitlist data: if you signed up before launch, your email and optional first name.
- Technical data: authentication cookies (strictly necessary), standard server logs (IP address, user-agent, timestamp), and Mux video playback metrics.
3. How we use it and our legal bases (GDPR)
- To provide your account and deliver the service (lessons, progress tracking, notes, payment processing) — legal basis: contract.
- To send transactional emails (welcome, receipts, payment failures, cancellation confirmations, password resets) — legal basis: contract.
- To send marketing emails (launch announcement, new-lesson announcements, occasional product updates) — legal basis: consent (revocable anytime via unsubscribe).
- To secure the Platform and prevent fraud (rate limits, abuse detection) — legal basis: legitimate interest.
- To improve the product (aggregate, non-identifying analytics on which lessons get watched and where people drop off) — legal basis: legitimate interest.
- To comply with legal obligations (tax records, responding to lawful requests) — legal basis: legal obligation.
4. Who we share it with (sub-processors)
We share the minimum data needed with the third-party services that run the Platform. Each is bound by its own data-processing agreement and security commitments.
- Supabase (USA, EU regions available) — database and authentication. Receives all account data, learning activity, notes, and waitlist data.
- Stripe (USA) — payment processing. Receives name, email, and payment details (which you enter directly with Stripe; we never see your card).
- Mux (USA) — video hosting and playback. Receives video viewing activity tied to a per-user signed token, not your account profile.
- Resend (USA) — transactional and marketing email delivery. Receives your email and the email content we send you, plus open/click engagement.
- Vercel (USA, global edge) — application hosting. Receives standard web request metadata (IP address, user-agent) in server logs.
We do not sell your personal data and we do not share it for cross-context behavioral advertising.
5. International data transfers
Our sub-processors are primarily based in the United States. For data transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission, which each of our sub-processors has incorporated into their data-processing terms.
6. How long we keep it
- Account data, learning activity, notes: for as long as your account is active. When you delete your account, we erase this data within 30 days.
- Billing records: retained for 7 years after the end of the tax year they relate to, as required by US tax law.
- Marketing email engagement: kept while you're subscribed and for 24 months after you unsubscribe, then deleted.
- Server logs: 30 days, then automatically purged.
- Waitlist: deleted within 90 days after launch unless you've also created an account.
7. Your rights
GDPR (EU/UK residents)
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Erase your data (right to be forgotten).
- Port your data to another service in a machine-readable format.
- Object to processing based on legitimate interest.
- Restrict processing while a dispute is resolved.
- Withdraw consent at any time (for marketing emails, via the unsubscribe link).
- Lodge a complaint with your local data protection authority.
California (CCPA/CPRA)
If you are a California resident, you also have the right to:
- Know what personal information we collect and how we use it.
- Request deletion of your personal information.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information (we don't do either).
- Not be discriminated against for exercising your privacy rights.
To exercise any of these rights, email hello@systemdesignlab.co. We'll respond within 30 days (GDPR) or 45 days (CCPA). You can also export or delete your data directly from your account settings.
8. Cookies
We use strictly necessary cookies only: an authentication cookie to keep you signed in, and a CSRF cookie to protect form submissions. We do not use advertising or third-party tracking cookies.
If we ever add analytics or marketing cookies, we will ask for your consent first via a cookie banner.
9. Children
The Platform is intended for users aged 16 or older. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Security
We protect your data with industry-standard measures: TLS encryption in transit, encryption at rest on Supabase, Stripe-hosted payment forms (we never touch card data), row-level security on the database, and access controls limiting administrative access to Dave Connis.
No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.
11. Changes to this policy
We will update this page if our practices change and revise the date at the top. Material changes will be announced by email to the address on your account at least 14 days before they take effect.
12. Contact
For privacy questions, data requests, or anything else: hello@systemdesignlab.co.