Privacy Policy

Last updated: November 22, 2025

This Privacy Policy explains how Sherpo ("we," "us," or "our") collects, uses, protects, and discloses the personal data of our customers ("you" or "your") when you purchase, access, or interact with our digital content through our platform. By purchasing, using, or accessing our services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.

We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy is designed to comply with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy regulations.

What data do we collect?

To deliver and improve our services, we may collect the following categories of personal data:

1. Personal Information:

   • Name, email address, billing address, and other contact details provided during the purchase or registration process.

2. Purchase and Transaction Information:

   • Details about the digital content you purchase, including transaction amounts, dates, order history, and payment method type (not the full payment details).

3. Technical and Usage Information:

   • Information about your device and how you access our content, including:
     • IP address and geolocation data.
     • Browser type, version, and language preferences.
     • Device type, operating system, and screen resolution.
     • Pages visited, time spent on pages, and navigation patterns.
     • Referring URLs and exit pages.
     • Date and time stamps of access.

4. Payment Information:

   • Payment details, such as credit card information, are processed securely via Stripe, a PCI-DSS compliant third-party payment processor. We never store or directly handle your full payment card details on our servers.

5. Communications and Support:

   • Any messages, inquiries, feedback, or support requests you send to us, including email correspondence.

6. Account Information:

   • Username, password (encrypted), account preferences, and security settings if you create an account.

7. Cookies and Tracking Data:

   • Information collected through cookies, web beacons, and similar tracking technologies (see "Cookies and Tracking Technologies" section below).

How do we collect your data?

We collect data directly from you when:

• You purchase or access our digital content.
• You create an account or register for our services.
• You contact us for support, inquiries, or provide feedback.
• You subscribe to our newsletter or marketing communications.
• You participate in surveys, promotions, or contests.
• You interact with our platform or use its features.

We may also collect data automatically through:

• Cookies and Similar Technologies: When you access our platform, we use cookies, web beacons, pixels, and other tracking technologies to collect usage data.
• Analytics Services: Third-party analytics providers (such as Google Analytics) that help us understand platform usage.
• Log Files: Our servers automatically record certain information when you use the platform.

We may also receive information from:

• Payment Processors: Transaction confirmation and payment status from Stripe.
• Third-Party Services: If you choose to authenticate via third-party services (e.g., Google, OAuth providers).
• Public Sources: Information that is publicly available or provided by data partners for fraud prevention.

How do we use your data?

We use your data for the following purposes:

1. Service Delivery: Deliver and manage your access to the digital content you purchase.
2. Payment Processing: Process payments, issue invoices, and prevent fraudulent transactions.
3. Customer Support: Respond to your inquiries, provide technical support, and resolve issues.
4. Account Management: Create, maintain, and secure your account.
5. Legal Compliance: Comply with legal obligations, enforce our Terms of Use, and protect our rights.
6. Service Improvement: Analyze usage trends, gather feedback, and improve our offerings and user experience.
7. Communication: Send transactional emails (order confirmations, receipts, account notifications) and, with your consent, marketing communications.
8. Security: Detect, prevent, and address fraud, security issues, and technical problems.
9. Personalization: Customize your experience and provide relevant content recommendations.
10. Analytics: Understand how users interact with our platform to optimize performance.

Legal basis for processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

1. Contract Performance: Processing is necessary to fulfill our contractual obligations to you (e.g., delivering purchased content).
2. Consent: You have given explicit consent for specific processing activities (e.g., marketing emails, non-essential cookies).
3. Legitimate Interests: Processing is necessary for our legitimate business interests, such as:
   • Fraud prevention and security.
   • Improving our services and platform functionality.
   • Understanding user behavior and preferences.
   • Direct marketing (where permitted by law).
4. Legal Obligation: Processing is required to comply with applicable laws and regulations.

You have the right to withdraw consent at any time or object to processing based on legitimate interests.

How do we protect your payment information?

We do not collect or store your credit card information. All payment transactions are processed securely through Stripe, a trusted PCI-DSS Level 1 compliant third-party payment processor that encrypts and handles your payment data using industry-standard security measures. This ensures your financial information remains private and secure.

Stripe uses tokenization to process payments, meaning your actual payment details are never transmitted to or stored on our servers. For more information about Stripe's security practices, please visit their Privacy Policy and Security documentation.

How do we protect your data?

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, loss, or destruction. These measures include:

1. Encryption: Data is encrypted in transit using TLS/SSL protocols and at rest where appropriate.
2. Access Controls: Strict access controls limit who can access personal data to authorized personnel only.
3. Secure Infrastructure: Our platform is hosted on secure, industry-standard cloud infrastructure with built-in security features.
4. Regular Security Audits: We conduct regular security assessments and vulnerability testing.
5. Employee Training: Our team is trained on data protection best practices and confidentiality obligations.
6. Monitoring: We monitor our systems for suspicious activity and potential security breaches.
7. Data Minimization: We collect only the data necessary to provide our services.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

How long do we retain your data?

We retain your personal data only as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law. Retention periods vary depending on the type of data and the purpose for which it was collected:

1. Account Information: Retained for as long as your account is active or as needed to provide you services.
2. Transaction Records: Retained for a minimum period required by tax and accounting regulations (typically 7-10 years).
3. Communication Records: Retained for the duration necessary to address your inquiry or as required for legal compliance.
4. Marketing Data: Retained until you withdraw consent or opt out.
5. Technical and Usage Data: Typically retained for 12-24 months unless needed for security or legal purposes.

After the retention period expires, we will securely delete or anonymize your personal data. You may request earlier deletion of your data by contacting us, subject to our legal obligations to retain certain records.

Who do we share your data with?

We may share your data with the following categories of third parties:

1. Payment Processors:

   • Stripe: To process transactions securely and handle payment-related services.

2. Service Providers and Business Partners:

   • Cloud hosting providers (for infrastructure and content delivery).
   • Analytics services (e.g., Google Analytics) to understand platform usage.
   • Email service providers for transactional and marketing communications.
   • Customer support tools and ticketing systems.
   • Content delivery networks (CDNs) for faster content distribution.

3. Legal Authorities and Compliance:

   • Government authorities, law enforcement, or regulatory bodies if required by law, court order, or in response to valid legal requests.
   • To enforce our Terms of Use or protect the rights, property, or safety of Sherpo, our users, or others.

4. Business Transfers:

   • In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal data may be transferred to the acquiring entity.

5. Professional Advisors:

   • Lawyers, accountants, auditors, and other professional advisors who require access to data for business purposes.

We do not sell, rent, or share your personal data with third parties for their direct marketing purposes. All third-party service providers are contractually obligated to protect your data and use it only for the purposes for which it was disclosed.

Your rights

Depending on your location and applicable laws, you have the following rights regarding your personal data:

1. Right to Access: Request copies of the personal data we hold about you.
2. Right to Correction (Rectification): Request correction of inaccurate or incomplete data.
3. Right to Deletion (Erasure): Request deletion of your personal data under certain conditions, subject to legal retention requirements.
4. Right to Restriction: Request that we limit the processing of your data under certain circumstances.
5. Right to Data Portability: Receive your data in a structured, commonly used, and machine-readable format and transfer it to another controller.
6. Right to Object: Object to the processing of your data for direct marketing, legitimate interests, or research purposes.
7. Right to Withdraw Consent: If processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
8. Right Not to be Subject to Automated Decision-Making: Request human review of automated decisions that have legal or significant effects on you.
9. Right to Lodge a Complaint: File a complaint with your local data protection authority if you believe your rights have been violated.

How to Exercise Your Rights:

To exercise any of these rights, please contact us at support@sherpo.io with a clear description of your request. We will respond to your request within the timeframe required by applicable law (typically 30 days).

We may request additional information to verify your identity before processing your request. In some cases, we may be unable to fulfill your request due to legal obligations or legitimate business needs, in which case we will explain the reason for the denial.

Cookies and tracking technologies

We use cookies and similar tracking technologies to enhance your experience, analyze platform usage, and deliver personalized content. Cookies are small text files stored on your device when you visit our platform.

Types of Cookies We Use:

1. Essential Cookies: Required for the platform to function properly (e.g., authentication, security, session management).
2. Analytics Cookies: Help us understand how users interact with the platform (e.g., Google Analytics).
3. Functional Cookies: Remember your preferences and settings.
4. Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness (with your consent where required).

Managing Cookies:

You can manage your cookie preferences through your browser settings. Most browsers allow you to:

• View and delete cookies.
• Block third-party cookies.
• Block all cookies (note: this may affect platform functionality).
• Receive notifications when cookies are set.

International data transfers

Your personal data may be transferred to, stored, and processed in countries other than your country of residence, including countries that may not have the same data protection laws as your jurisdiction.

When we transfer data internationally, we implement appropriate safeguards to protect your information, including:

1. Standard Contractual Clauses (SCCs): Approved by the European Commission for transfers from the EEA.
2. Adequacy Decisions: Transfers to countries deemed to provide adequate data protection.
3. Binding Corporate Rules: Internal policies ensuring data protection across borders.
4. Your Consent: Where required, we obtain your explicit consent for international transfers.

By using our platform, you acknowledge and consent to the transfer of your data as described in this Privacy Policy.

Children's privacy

Our platform and services are not intended for children under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@sherpo.io, and we will promptly delete such information from our systems.

If we discover that we have inadvertently collected personal data from a child, we will take immediate steps to delete it.

California privacy rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

1. Right to Know: You can request information about the categories and specific pieces of personal data we have collected, the sources, purposes, and third parties with whom we share it.
2. Right to Delete: You can request deletion of your personal data, subject to certain exceptions.
3. Right to Opt-Out: You have the right to opt out of the "sale" of your personal data. We do not sell your personal data.
4. Right to Correct: You can request correction of inaccurate personal data.
5. Right to Limit Use of Sensitive Personal Information: If applicable, you can limit our use of sensitive personal information.
6. Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

Shine the Light Law:

California residents may request information about the disclosure of personal information to third parties for their direct marketing purposes. We do not share personal data with third parties for their direct marketing purposes.

To Exercise Your California Rights:

Contact us at support@sherpo.io with "California Privacy Rights" in the subject line. We will verify your identity before processing your request.

European data protection rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have enhanced rights under the General Data Protection Regulation (GDPR):

• All rights listed in the "Your Rights" section above apply to you.
• You have the right to lodge a complaint with your local supervisory authority (data protection authority).
• You can object to processing based on legitimate interests or for direct marketing at any time.
• You have the right to not be subject to automated decision-making, including profiling, that produces legal or significant effects.

Marketing communications

With your consent, we may send you marketing emails about our products, services, promotions, and updates. You can opt out of marketing communications at any time by:

1. Clicking the "unsubscribe" link in any marketing email.
2. Updating your communication preferences in your account settings.
3. Contacting us at support@sherpo.io.

Even if you opt out of marketing communications, we will still send you transactional emails related to your purchases and account (e.g., order confirmations, receipts, password resets).

Data breach notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

1. Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by law).
2. Notify affected users without undue delay if the breach is likely to result in high risk to your rights and freedoms.
3. Provide information about the nature of the breach, potential consequences, and measures taken to mitigate harm.

We maintain incident response procedures to detect, respond to, and recover from security incidents.

Automated decision-making and profiling

We may use automated systems to analyze your data for purposes such as:

• Fraud detection and prevention.
• Personalized content recommendations.
• Platform optimization and performance.

We do not make automated decisions that produce legal effects or significantly affect you without human intervention. If we do engage in such processing, we will inform you and provide an opportunity to contest the decision.

Third-party links and services

Our platform may contain links to third-party websites, services, or applications that are not operated by us. We are not responsible for the privacy practices or content of these third parties.

We encourage you to review the privacy policies of any third-party sites or services you visit. This Privacy Policy applies only to information collected through our platform.

Business transfers

If Sherpo is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your personal data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our platform of any change in ownership or use of your personal data, as well as any choices you may have regarding your data.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. Updates will be posted on this page with an updated effective date at the top.

Significant Changes:

If we make material changes to how we handle your personal data, we will provide additional notice by:

• Sending an email notification to the address associated with your account.
• Displaying a prominent notice on our platform.
• Requesting your consent where required by law.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the platform after changes are posted constitutes your acceptance of the updated Privacy Policy.

Data retention and deletion

When you request deletion of your data or close your account:

• We will delete or anonymize your personal data within a reasonable timeframe.
• Some data may be retained for legal, regulatory, or legitimate business purposes (e.g., transaction records for tax compliance).
• Cached or archived copies may take additional time to delete.
• Data shared with third parties may be subject to their retention policies.

Contact information and data protection officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@sherpo.io

Data Protection Inquiries: For specific data protection questions, privacy rights requests, or complaints, please include "Privacy Request" or "Data Protection" in your email subject line.

Response Time: We aim to respond to all inquiries within 30 days, or within the timeframe required by applicable law.

Supervisory Authority:

If you are located in the EEA, UK, or Switzerland and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection authority.

We will make reasonable efforts to address your concerns and resolve any disputes in a timely and satisfactory manner.