Last updated: June 2026

This page documents lawful bases under GDPR Article 6 and default retention periods for Coursfy processing activities.

Coursfy / Lumeena.io is the controller for consumer accounts. Academy owners are controllers for their community member data; Coursfy acts as processor under a DPA.

The rights of access, rectification, erasure, restriction, portability, and objection can be exercised via Settings → Privacy or by email to privacy@coursfy.com.

| Activity | Data categories | Lawful basis | Retention |
|---|---|---|---|
| Account registration & authentication | Name, email, password hash, IP, user agent | Contract (Art. 6(1)(b)) — necessary to provide the service | Until account deletion + 30 days operational backup |
| Academy membership & course enrolment | Profile, progress, payment references | Contract (Art. 6(1)(b)) | Duration of membership + statutory accounting periods |
| Payment processing | Billing metadata via Stripe; no full PAN on Coursfy | Contract + legal obligation (tax/accounting) | Per Stripe and local accounting law (typically 7 years for invoices) |
| Marketing newsletter | Email, consent timestamp | Consent (Art. 6(1)(a)) — withdraw anytime | Until unsubscribe or 24 months inactivity |
| Analytics / error monitoring (Sentry) | Pseudonymous events, scrubbed stack traces | Consent (Art. 6(1)(a)) | 90 days default Sentry retention |
| AI assistant (academy/course) | Questions, answers, optional conversation IDs | Consent for personalization; contract for core Q&A when enabled by academy | Per academy settings; default 12 months conversation logs |
| Security & audit logs | User ID, action type, timestamp, IP (hashed where possible) | Legitimate interest (Art. 6(1)(f)) — security of processing | 12 months rolling (see retention policy) |

| Category | Period | Action after period |
|---|---|---|
| Active user account | While account is active | Full profile and content access |
| Deleted user account | 30 days after erasure request | Hard delete or anonymize PII; backups expire per cycle |
| Consent preferences | 3 years after last update | Proof of consent for regulatory requests |
| Security / access audit logs | 12 months | Append-only store; then aggregate or delete |
| Payment & invoice records | 7 years (or local statutory minimum) | Anonymize where possible after legal hold ends |
| Marketing contacts | Until unsubscribe + 30 days | Remove from mailing lists |
| AI conversation logs | 12 months default | Academy owners may request shorter window |
| Server/application logs | 90 days | PII redacted at ingestion |