Privacy Policy

1. Who We Are

Sessionly Inc. (“Sessionly,” “we,” “us,” or “our”) operates the Sessionly platform at sessionly.co, a marketplace connecting students and clients with independent expert advisors and coaches. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our platform.

2. Information We Collect

Information You Provide Directly

• Personal identifiers: full name, email address, phone number, government-issued ID (for identity verification)
• Profile information: profile photo, biography, professional credentials, certifications, and expertise areas
• Communications: messages, session notes, reviews, support requests, and other user-generated content
• Payment information: billing address and payment method details (note: card numbers are processed directly by Stripe and never stored on Sessionly servers)
• Account preferences: notification settings, language preferences, and accessibility settings

Information We Collect Automatically

• Device information: IP address, browser type, operating system, device identifiers
• Usage data: pages visited, features used, session durations, click patterns, and navigation paths
• Location data: approximate geographic location derived from IP address (country and region level only — not precise GPS location)
• Log data: server logs, error reports, and performance data

Session Data

• Session recordings: video and audio recordings of sessions, where all participants have provided consent
• Transcripts: automated text transcriptions of sessions where enabled
• AI summaries: automated summaries and insights generated from session content
• Timestamps and connection data: session join/leave times, duration, and technical performance metrics

3. How We Use Your Information

• Provide, maintain, and improve the Sessionly platform and all its features
• Process payments and manage financial transactions through Stripe
• Match students with appropriate experts based on goals, preferences, and expertise
• Send transactional notifications including booking confirmations, session reminders, and receipts
• Detect, investigate, and prevent fraud, abuse, and policy violations
• Comply with applicable legal obligations, court orders, and regulatory requirements
• Power AI-driven features including session matching, summaries, and recommendations
• Analyze platform usage patterns to improve user experience and platform performance
• Communicate service updates, policy changes, and important platform notices
• Provide customer support and resolve disputes

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, Sessionly processes personal data under the following legal bases:

• Consent: Where you have explicitly consented to processing, such as for session recordings or marketing communications.
• Contract Necessity: Processing required to fulfill our contractual obligations to you, including providing the platform, processing payments, and facilitating sessions.
• Legitimate Interests: Processing for our legitimate business interests, including fraud prevention, platform security, and service improvement, where these interests are not overridden by your privacy rights.
• Legal Obligation: Processing required to comply with applicable laws, regulations, or court orders.

5. California Privacy Rights (CCPA/CPRA)

California residents have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You have the right to request deletion of personal information we have collected, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
• Right to Opt Out of Sale: You have the right to opt out of the “sale” or “sharing” of your personal information. Sessionly does NOT sell or share personal data with third parties for their independent marketing or advertising purposes.
• Right to Non-Discrimination: Sessionly will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, contact us at privacy@sessionly.co or submit a request through your account settings. We will respond within 45 days.

6. GDPR Rights (EU/UK Users)

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or applicable UK data protection law:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data, subject to legal retention requirements.
• Right to Restriction of Processing: Request that we limit how we use your personal data in certain circumstances.
• Right to Data Portability: Receive your personal data in a structured, machine-readable format.
• Right to Object: Object to processing of your personal data based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting lawfulness of prior processing.

To exercise any GDPR rights, contact our Privacy team at privacy@sessionly.co. You also have the right to lodge a complaint with your local data protection supervisory authority.

7. Data Sharing

Service Providers We Work With

We share personal data with trusted third-party service providers who process data on our behalf:

• Stripe, Inc.: Payment processing — processes payment card data directly; subject to Stripe’s Privacy Policy and PCI DSS compliance
• Agora, Inc.: Real-time video and audio infrastructure for sessions
• MongoDB Atlas (MongoDB, Inc.): Cloud database hosting for platform data
• Vercel, Inc.: Cloud hosting and edge delivery infrastructure
• OpenAI, L.L.C.: AI feature processing including session analysis and matching (anonymized data only)
• Resend, Inc.: Transactional email delivery

What We Do NOT Do

• We do not sell personal data to any third party for any purpose.
• We do not share personal data with advertisers for advertising targeting.
• We only share personal data with service providers as necessary to operate the platform.
• We will share personal data with law enforcement or regulatory authorities only when required by applicable law or valid legal process.

8. Data Retention

• Active accounts: Personal data is retained for as long as your account is active and for a reasonable period thereafter.
• Session recordings: Retained for 90 days from the date of the session, unless the session is subject to an active dispute, in which case recordings are retained until the dispute is resolved.
• Payment and transaction records: Retained for 7 years as required by applicable tax and financial regulations.
• Deleted accounts: Following account deletion, personal data is retained for up to 30 days to allow for account recovery, after which it is permanently and irreversibly deleted.
• AI training data: Session data used for AI model improvement is anonymized before use and is not linked back to individual users.

9. Data Security

• All data transmitted between your device and Sessionly is encrypted using HTTPS/TLS protocols.
• Sensitive data including payment information and credentials is encrypted at rest.
• Access to personal data is restricted to authorized personnel on a need-to-know basis.
• We conduct regular security reviews, vulnerability assessments, and penetration testing.
• In the event of a data breach, we will notify affected users and relevant regulators within 72 hours as required by applicable law.

10. Children’s Privacy (COPPA)

The Sessionly platform is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided personal information to Sessionly without consent, please contact us immediately at privacy@sessionly.co. We will promptly delete such information upon verification.

11. International Data Transfers

Sessionly is based in the United States, and your personal data may be processed and stored in the United States or other countries where our service providers operate. If you are located outside the United States, please be aware that data protection laws in other countries may differ from those in your country. We implement appropriate safeguards for international data transfers in accordance with applicable law, including standard contractual clauses for transfers from the EEA and UK.

12. Cookie Policy

We use cookies and similar tracking technologies to operate and improve the Sessionly platform. For detailed information about the specific cookies we use, their purposes, and how to control them, please review our Cookie Policy at /legal/cookies.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by:

• Sending an email notification to your registered email address at least 30 days before the changes take effect.
• Posting the updated Policy at /legal/privacy with a new effective date.

Your continued use of the Platform after the effective date of any update constitutes your acceptance of the updated Policy.

14. Contact Our Privacy Team

For any privacy-related questions, requests, or concerns:

• Email: privacy@sessionly.co
• General support: hello@sessionly.co
• Legal matters: legal@sessionly.co

We will respond to all privacy requests within the timeframes required by applicable law.