Privacy Policy

Version 0.1 — Draft

The English-language version of this policy shall take precedence over any translations.

Privacy at a Glance

Every piece of data we handle falls into one of three tiers. For each data category, the list below shows what we collect, why, how long we keep it, and who it is shared with.

Account (Persistent, Deletable)
  Source: You provide; Purpose: Authentication and identity; Retention: Account lifetime; Shared with: OAuth providers

Profile (Persistent, Deletable)
  Source: You provide; Purpose: Directory listing and community; Retention: Account lifetime; Shared with: Public / ActivityPub

Mentoring Profile (Persistent, Deletable)
  Source: You provide; Purpose: Mentor directory; Retention: Account lifetime; Shared with: Public

Mentoring Session (Temporary, Auto-Purged)
  Source: Session activity; Purpose: Real-time collaboration; Retention: Session + 30 min; Shared with: Session participants

Session Notes (Persistent, Deletable)
  Source: You provide; Purpose: Mentoring records; Retention: Account lifetime; Shared with: None

Articles (Persistent, Community Record)
  Source: You provide; Purpose: Community knowledge; Retention: Archive threshold 3 months after publication; Shared with: Public / ActivityPub

Article Reviews (Persistent, Community Record)
  Source: You provide; Purpose: Editorial quality; Retention: Follows the reviewed article; Shared with: Public

Social Posts (Persistent, Deletable)
  Source: You provide; Purpose: Social expression; Retention: Always deletable; Shared with: Public / ActivityPub

Social Graph (Persistent, Deletable)
  Source: Your actions; Purpose: Social features; Retention: Account lifetime; Shared with: ActivityPub peers

Events (Persistent, Community Record)
  Source: You provide; Purpose: Community events; Retention: Archive threshold after event completion; Shared with: Public

Event Photos (Persistent, Community Record)
  Source: You provide; Purpose: Event documentation; Retention: Archive threshold 3 months after the event; Shared with: Public

RSVPs (Persistent, Deletable)
  Source: Your actions; Purpose: Event management; Retention: Account lifetime; Shared with: Organizers / attendees

Payments (Persistent, 3rd-Party Synced)
  Source: You provide; Purpose: Donations, memberships, merchandise; Retention: Stripe 7-year hold; Shared with: Stripe / GoHighLevel

Uploads (Persistent, Community Record)
  Source: You provide; Purpose: Media hosting; Retention: Follows the content it belongs to; Shared with: Cloudflare R2 / Public

Analytics (Temporary, Auto-Purged)
  Source: Automatic; Purpose: Site analytics; Retention: 90 days; Shared with: Cloudflare

OAuth (Temporary, 3rd-Party Synced)
  Source: OAuth provider; Purpose: Authentication; Retention: Token lifetime; Shared with: Google / Apple

Email / Contacts (Persistent, 3rd-Party Synced)
  Source: You provide; Purpose: Email communications; Retention: Account lifetime; Shared with: Brevo

CRM (Persistent, 3rd-Party Synced)
  Source: You provide; Purpose: Contact management; Retention: Account lifetime; Shared with: GoHighLevel

Plain-Language Summary

What we collect: Account info you provide (email, name, profile details), content you create (articles, posts, photos), and minimal automatic data (IP address, browser info) for 90 days.

Three data tiers: Your data is either Persistent (stored while your account is active), Temporary (auto-deleted after use), or Peer Networking (exchanged directly between users, outside our control after transmission).

Deletion: Most of your data is deleted immediately on request. Content that becomes community record (articles after 3 months, completed events) can be anonymized but not fully removed, because the CC license you chose is irrevocable. Social posts are always fully deletable.

Third parties: We share data with Stripe (payments), Brevo (email), GoHighLevel (CRM), Cloudflare (hosting), and OAuth providers (Google, Apple). Each provider may retain data per their own policies after we request deletion.

Your rights: You can access, correct, delete, or export your data. We honor Global Privacy Control (GPC) signals. No data is sold.

No minors: You must be 18 or older. Accounts belonging to minors are terminated and data deleted.

1. What We Collect and Why

What we collect and why — detailed per-category disclosure per GDPR Art 13/14, CPRA, ISO 29184 — full legal text to be drafted.

2. The Three Data Tiers

All personal and user-generated data falls into exactly one of three tiers. Each tier determines how your data is stored, how long it is retained, and what happens when you request deletion.

Persistent Data

Stored for the lifetime of your account or longer.

Deletable on Request

Deleted immediately upon confirmed request.

  • Account credentials and authentication tokens
  • Profile information (contact, address, descriptions, images, social links)
  • Mentoring profile (expertise, languages, bio, hourly rate)
  • Notification preferences
  • Intake form submissions
  • Session notes and mentoring session metadata
  • Social graph (follows, followers, likes)
  • RSVPs and event attendance records

Community Record

Anonymizable but not deletable after archive threshold. Content is CC-licensed (irrevocable).

  • Published articles (archive: 3 months after publication)
  • Social timeline posts (no archive threshold; they never become community record and are always fully deleted on request)
  • Event records (archive: after event completion)
  • Event photos (archive: 3 months after event)
  • Article peer review comments (archive: follows article)

Third-Party Synced

Deletion initiated but subject to provider retention policies.

  • Stripe — email, payment method, transaction history (7-year legal hold)
  • Brevo — email, name, list membership
  • GoHighLevel — contact ID, email, name
  • Google OAuth — email, name, profile image (received, not sent)
  • Apple OAuth — email, name (received, not sent)
  • Cloudflare R2 — uploaded media files
  • ActivityPub peers — federated posts, actor profiles, follows

Temporary Data

Retained only as long as necessary to provide a specific service, then automatically purged.

  • Mentoring session signaling and WebRTC connection metadata
  • Whiteboard state (purged 30 min after session ends)
  • Real-time chat messages during mentoring sessions
  • Session video/audio streams (never recorded server-side unless explicitly enabled)
  • OAuth tokens and transient authentication state
  • IP addresses and user-agent strings (90-day analytics window)
  • Email verification and magic-link tokens (expire per config)
  • Event livestream SRT ingestion keys (valid only during stream)

Peer Networking Data

Exchanged directly between participants. Pana MIA Club facilitates the exchange but does not control the data after transmission.

  • Video and audio streams during mentoring sessions (WebRTC peer-to-peer)
  • Whiteboard content visible to session participants
  • Chat messages seen by the other participant before deletion
  • Co-author content shared during article collaboration
  • Profile information visible to other users
  • Event RSVP and attendance information visible to organizers/attendees
  • Social posts, replies, likes, and follows federated via ActivityPub
  • Information shared at in-person events (verbal, written, photos)

3. The Archive Threshold

Certain content becomes part of the community record after a defined period. All user-generated content is CC BY or CC BY-SA licensed. The CC license is irrevocable — once granted, downstream recipients retain their rights regardless of whether the licensor stops distributing.

Archive threshold details — when content becomes permanent, deletion vs anonymization options — full legal text to be drafted.

4. Who We Share Data With

Third-party sharing details — Stripe, Brevo, GoHighLevel, Cloudflare, OAuth providers, ActivityPub federation peers — full legal text to be drafted.

5. Your Content Is CC-Licensed

All content you publish on Pana MIA Club is licensed under Creative Commons (CC BY 4.0 or CC BY-SA 4.0, your choice). This means the license grant survives even if the content is later removed from the platform. See our Terms of Service for details.

6. Your Choices and Rights

User rights — access, delete, correct, port, opt out, anonymize (GDPR + CPRA + ISO 29184) — full legal text to be drafted.

7. How We Protect Your Data

Security measures — encryption at rest/transit, password hashing, WAF, environment variable segregation — full legal text to be drafted.

8. Global Privacy Control (GPC)

We honor the Global Privacy Control signal. When your browser sends the request header Sec-GPC: 1, we treat it as a valid CPRA opt-out of sale/sharing and disable any non-essential analytics sharing for that request.
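The following is an added example of how a server can honor that signal; it is not Pana MIA Club's own code and the function and field names (gpc_signal_present, apply_privacy_controls, well_known_gpc, analytics_enabled) are illustrative assumptions. The GPC specification defines exactly one valid header value, "1", so the check accepts only that value and treats anything else as "signal absent" rather than guessing; it also emits a Vary header so a shared cache cannot serve an analytics-bearing response to a GPC user, and publishes the /.well-known/gpc.json resource the specification uses to advertise support.

```python
"""Honoring the Global Privacy Control (GPC) signal on the server side.

Added example (not Pana MIA Club's code). Assumes request headers are
available as a mapping of name -> value, as in most Python web frameworks.
"""

GPC_HEADER = "Sec-GPC"


def gpc_signal_present(headers) -> bool:
    """Return True only when the request carries Sec-GPC with the exact value "1".

    Header names are matched case-insensitively (HTTP field names are
    case-insensitive), but the value is compared strictly: the GPC spec
    defines "1" as the only valid value, so "0", "true", "yes" or an
    empty string are treated as no signal instead of being guessed at.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def apply_privacy_controls(headers, analytics_enabled_by_default=True) -> dict:
    """Decide, per request, whether non-essential analytics may run.

    A GPC opt-out wins over the site default. The returned Vary header
    tells caches that the response body differs by Sec-GPC, so a cached
    page with analytics tags is never served to a user who opted out.
    """
    opted_out = gpc_signal_present(headers)
    return {
        "gpc_opt_out": opted_out,
        "analytics_enabled": analytics_enabled_by_default and not opted_out,
        "response_headers": {"Vary": GPC_HEADER},
    }


def well_known_gpc(last_update="2024-01-01") -> dict:
    """Body for GET /.well-known/gpc.json.

    The GPC spec uses this resource so crawlers and browsers can learn
    that the origin honors the signal. The date is a placeholder
    (assumption); it should reflect when the statement was last changed.
    """
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    sample_requests = {
        "gpc browser": {"Sec-GPC": "1", "User-Agent": "Mozilla/5.0"},
        "lowercase header": {"sec-gpc": "1"},
        "malformed value": {"Sec-GPC": "true"},
        "no signal": {"User-Agent": "Mozilla/5.0"},
    }
    for label, headers in sample_requests.items():
        state = apply_privacy_controls(headers)
        print(f"{label:18} opt_out={state['gpc_opt_out']!s:5} "
              f"analytics={state['analytics_enabled']}")
```

The JavaScript counterpart for client-side code is the navigator.globalPrivacyControl property, which should be checked before loading any analytics script; the server-side check above is still required because the header is what a CPRA opt-out is evaluated against, and because cached responses must be keyed on it.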

9. Children's Privacy

Pana MIA Club is not directed at children under 18. We do not knowingly collect personal information from minors. If we discover that a user is under 18, their account will be terminated and their data deleted.

10. International Users

International users — jurisdiction-neutral framing per ISO 29184 — full legal text to be drafted.

11. How to Contact Us

For privacy inquiries, data access requests, or to report a suspected data breach:

Pana MIA Club, Corp.
Email: hola@pana.social

12. How We Notify You of Changes

Change notification — versioned updates, email + in-app notice, advance notice period — full legal text to be drafted.
