Privacy Policy

Version 0.1 — Draft

The English-language version of this policy shall take precedence over any translations.

Privacy at a Glance

Every piece of data we handle falls into one of three tiers. Filter by tier to see what we collect, why, how long we keep it, and who it is shared with.

Account (Persistent, Deletable)

  • Source: You provide
  • Purpose: Authentication and identity
  • Retention: Account lifetime
  • Shared with: OAuth providers

Profile (Persistent, Deletable)

  • Source: You provide
  • Purpose: Directory listing and community
  • Retention: Account lifetime
  • Shared with: Public / ActivityPub

Social Posts (Persistent, Deletable)

  • Source: You provide
  • Purpose: Social expression
  • Retention: Always deletable
  • Shared with: Public / ActivityPub

Social Graph (Persistent, Deletable)

  • Source: Your actions
  • Purpose: Social features
  • Retention: Account lifetime
  • Shared with: ActivityPub peers

Payments (Persistent, 3rd-Party Synced)

  • Source: You provide
  • Purpose: Donations, memberships, merchandise
  • Retention: Stripe: 7-year hold
  • Shared with: Stripe / GoHighLevel

Uploads (Persistent, Community Record)

  • Source: You provide
  • Purpose: Media hosting
  • Retention: Follows content
  • Shared with: Cloudflare R2 / Public

Analytics (Temporary, Auto-Purged)

  • Source: Automatic
  • Purpose: Site analytics
  • Retention: 90 days
  • Shared with: Cloudflare

Email / Contacts (Persistent, 3rd-Party Synced)

  • Source: You provide
  • Purpose: Email communications
  • Retention: Account lifetime
  • Shared with: Brevo

CRM (Persistent, 3rd-Party Synced)

  • Source: You provide
  • Purpose: Contact management
  • Retention: Account lifetime
  • Shared with: GoHighLevel

Plain-Language Summary

What we collect: Account info you provide (email, name, profile details), content you create (articles, posts, photos), and minimal automatic data (IP address, browser info) for 90 days.

Three data tiers: Your data is either Persistent (stored while your account is active), Temporary (auto-deleted after use), or Peer Networking (exchanged directly between users, outside our control after transmission).

Deletion: Most of your data is deleted immediately on request. Content that becomes community record (articles after 3 months, completed events) can be anonymized but not fully removed, because the CC license you chose is irrevocable. Social posts are always fully deletable.

Third parties: We share data with Stripe (payments), Brevo (email), GoHighLevel (CRM), Cloudflare (hosting), and OAuth providers (Google, Apple). Each provider may retain data per their own policies after we request deletion.

Your rights: You can access, correct, delete, or export your data. We honor Global Privacy Control (GPC) signals. No data is sold.

No minors: You must be 18 or older. Accounts belonging to minors are terminated and data deleted.

1. What We Collect and Why

What we collect and why — detailed per-category disclosure per GDPR Art 13/14, CPRA, ISO 29184 — full legal text to be drafted.

2. The Three Data Tiers

All personal and user-generated data falls into exactly one of three tiers. Each tier determines how your data is stored, how long it is retained, and what happens when you request deletion.

Persistent Data

Stored for the lifetime of your account or longer.

Deletable on Request

Deleted immediately upon confirmed request.

  • Account credentials and authentication tokens
  • Profile information (contact, address, descriptions, images, social links)
  • Mentoring profile (expertise, languages, bio, hourly rate)
  • Notification preferences
  • Intake form submissions
  • Session notes and mentoring session metadata
  • Social graph (follows, followers, likes)
  • RSVPs and event attendance records

Community Record

Anonymizable but not deletable after archive threshold. Content is CC-licensed (irrevocable).

  • Published articles (archive: 3 months after publication)
  • Social timeline posts (no archive threshold — always fully deleted)
  • Event records (archive: after event completion)
  • Event photos (archive: 3 months after event)
  • Article peer review comments (archive: follows article)

Third-Party Synced

Deletion initiated but subject to provider retention policies.

  • Stripe — email, payment method, transaction history (7-year legal hold)
  • Brevo — email, name, list membership
  • GoHighLevel — contact ID, email, name
  • Google OAuth — email, name, profile image (received, not sent)
  • Apple OAuth — email, name (received, not sent)
  • Cloudflare R2 — uploaded media files
  • ActivityPub peers — federated posts, actor profiles, follows

Temporary Data

Retained only as long as necessary to provide a specific service, then automatically purged.

  • Mentoring session signaling and WebRTC connection metadata
  • Whiteboard state (purged 30 min after session ends)
  • Real-time chat messages during mentoring sessions
  • Session video/audio streams (never recorded server-side unless explicitly enabled)
  • OAuth tokens and transient authentication state
  • IP addresses and user-agent strings (90-day analytics window)
  • Email verification and magic-link tokens (expire per config)
  • Event livestream SRT ingestion keys (valid only during stream)

Peer Networking Data

Exchanged directly between participants. Pana MIA Club facilitates but does not control after transmission.

  • Video and audio streams during mentoring sessions (WebRTC peer-to-peer)
  • Whiteboard content visible to session participants
  • Chat messages seen by the other participant before deletion
  • Co-author content shared during article collaboration
  • Profile information visible to other users
  • Event RSVP and attendance information visible to organizers/attendees
  • Social posts, replies, likes, and follows federated via ActivityPub
  • Information shared at in-person events (verbal, written, photos)

3. The Archive Threshold

Certain content becomes part of the community record after a defined period. All user-generated content is CC BY or CC BY-SA licensed. The CC license is irrevocable — once granted, downstream recipients retain their rights regardless of whether the licensor stops distributing.

Archive threshold details — when content becomes permanent, deletion vs anonymization options — full legal text to be drafted.

4. Who We Share Data With

Third-party sharing details — Stripe, Brevo, GoHighLevel, Cloudflare, OAuth providers, ActivityPub federation peers — full legal text to be drafted.

5. Your Content Is CC-Licensed

All content you publish on Pana MIA Club is licensed under Creative Commons (CC BY 4.0 or CC BY-SA 4.0, your choice). This means the license grant survives even if the content is later removed from the platform. See our Terms of Service for details.

6. Your Choices and Rights

User rights — access, delete, correct, port, opt out, anonymize (GDPR + CPRA + ISO 29184) — full legal text to be drafted.

7. How We Protect Your Data

Security measures — encryption at rest/transit, password hashing, WAF, environment variable segregation — full legal text to be drafted.

8. Global Privacy Control (GPC)

We honor the Global Privacy Control signal. When your browser sends Sec-GPC: 1, we treat it as a valid CPRA opt-out of sale/sharing and disable any non-essential analytics sharing.

9. Children's Privacy

Pana MIA Club is not directed at children under 18. We do not knowingly collect personal information from minors. If we discover that a user is under 18, their account will be terminated and their data deleted.

10. International Users

International users — jurisdiction-neutral framing per ISO 29184 — full legal text to be drafted.

11. How to Contact Us

For privacy inquiries, data access requests, or to report a suspected data breach:

Pana MIA Club, Corp.
Email: hola@panamia.club

12. How We Notify You of Changes

Change notification — versioned updates, email + in-app notice, advance notice period — full legal text to be drafted.
