Privacy Policy
Effective 2026-04-26.
1. Who we are
Sovereignty Stack is a service operated by JumpUp Learning LDA, a Portuguese limited company registered in Portugal with tax number PT514145730 and registered office at Rua S. José Lote 34 1ºDto., S. Miguel das Encostas, 2775-746 Carcavelos, Portugal. JumpUp Learning LDA is the data controller for the personal data described in this policy. References to "we," "us," and "our" mean JumpUp Learning LDA.
This policy is written in plain language. It is intended for two readers: a subscriber who wants to understand what we hold and what they can do about it, and a regulator who wants to confirm that we hold what we say we hold under the basis we say we hold it.
2. What this policy covers
This Privacy Policy describes the personal data we collect when you visit mysovereigntystack.com, register for an account, subscribe to the course, purchase a book, sign up for the newsletter, use the AI course assistant, book a coaching session, or contact us through the support channel. It also describes how we use that data, the legal basis on which we hold it, the third parties who process parts of it on our behalf, the periods for which we keep it, and the rights you have over it.
The policy covers the website, the subscriber dashboard, the admin systems we operate behind it, the email program, and the printed and electronic editions of the book sold through the same checkout.
3. Regulatory framework
We process personal data under three regulatory frameworks at once.
The General Data Protection Regulation (GDPR) is the primary legal regime because JumpUp Learning LDA is established in Portugal and most of our subscribers are resident in the European Economic Area or interact with our services from it.
The California Consumer Privacy Act (CCPA) applies to the personal information we hold on residents of California. Where the CCPA grants a right that GDPR does not, we extend it to California residents specifically; where the two overlap, the GDPR procedure is used for everyone.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian regime. Where a subscriber resident in Canada exercises a PIPEDA right, we process the request under the same channel as a GDPR data-subject request and respond within the PIPEDA timeline.
Where any local consumer-protection law in your country of residence imposes a stricter standard than these three, the stricter standard applies in your favor.
4. What we collect
We collect five categories of personal data.
Account data. Your name, your email address, a hashed password, your selected segment (young men, mature men, young women, or mature women), and the timestamps of account creation, last login, and last password change. You provide name and email at signup. The password is hashed with bcrypt at cost factor twelve before it is written to the database; we never see the plaintext.
Commerce data. When you purchase a subscription, a book, or a coaching session, our payment processor (PayPal) handles the card transaction. We never see your full card number. We retain a transaction reference, the amount, the currency, the date, the SKU, and any shipping address we received for a printed book. For tax-record purposes, the invoice we issue carries your name and email at the moment of issue.
Application data. When you use the course, we store your lesson responses, your diagnostic results, your weekly competency scores, your chatbot conversations, your saved notes, your booking history, and the audit-log entries that record actions you took inside your account. This data is bound to your user record so the course can produce a coherent experience across sessions, and so we can investigate any account-security event.
Communication data. When you write to us through the support channel, we retain the content of the message and our reply. When you receive an email from us, our delivery system records the send time, whether the message was delivered, whether it bounced, and whether it produced a complaint or unsubscribe.
Technical data. Web server logs record your IP address, the pages you requested, the time of the request, and the response code. Logs of failed login attempts retain the email address used and the IP address. Cookies record session identifiers and consent preferences as described in our Cookie Policy.
5. Legal basis
We process each category of data on a specific legal basis.
Account, commerce, and application data are processed on the basis of contract performance under GDPR Article 6(1)(b). You cannot use the service we have agreed to provide without us holding this data.
Communication data and technical data are processed on the basis of our legitimate interest under GDPR Article 6(1)(f) in operating a secure service, in answering support requests competently, and in detecting abuse. Where the technical data includes any cookie that is not strictly necessary, that processing is conditioned on your consent under Article 6(1)(a), recorded through our consent banner.
The newsletter list is processed on the basis of your explicit consent under Article 6(1)(a). You may withdraw that consent at any time by clicking the unsubscribe link in any newsletter email or by writing to us at the support address.
Where we retain commerce records longer than the contract requires, we do so to meet our legal obligation under Article 6(1)(c), which includes the indefinite retention period set by Portuguese tax law for invoice and payment records.
6. Who we share data with
We share specific data with the following processors. Each of them operates under a written data-processing agreement that restricts the use of the data to the purpose for which we transferred it.
- PayPal processes the card transaction and the recurring subscription billing. PayPal receives the amount, the currency, the SKU, and the email on the order. Card data is held by PayPal and not by us.
- Resend delivers transactional and newsletter email. Resend receives the recipient address, the message subject, and the message body for the duration required to deliver the message and to record the delivery outcome.
- Anthropic provides the language model that powers the AI course assistant. Anthropic receives the text of the chatbot conversation, the lesson context we attached to the request, and any saved notes you have explicitly enabled the chatbot to read.
- Lulu prints and ships the book. Lulu receives your shipping address, the SKU, and a print-job reference only when you have purchased a printed book.
- Cloudflare provides bot protection through Turnstile and content delivery. Cloudflare receives the headers of the request, including the IP address and the country code derived from it, and a small number of cookies and request signals used to distinguish a human visitor from automated traffic.
- Calendly schedules coaching sessions. Calendly receives your name, email, and chosen time slot when you book a session.
We do not sell your personal data. We do not share your personal data with advertisers. We do not run third-party analytics that build profiles across other sites you visit.
7. International transfers
Our infrastructure is hosted within the European Economic Area. Several of the processors named above are based in the United States. Transfers to those processors take place under the European Commission's Standard Contractual Clauses, the supplementary measures required after the Schrems II judgment, and the EU-US Data Privacy Framework where the processor is certified to it. Copies of the Standard Contractual Clauses applicable to a given processor are available on request.
8. Retention
Account, commerce, application, communication, and technical data are retained while your account is active. After your account is deleted under section 10, the following retention rules apply.
- Account record. Identifying fields (name, email, password hash) are erased. The user-record row itself is retained with anonymous identifiers so that historical foreign-key references in other tables do not break.
- Commerce records. Orders, payments, invoices, refunds, and tax records are retained indefinitely. Portuguese tax law requires retention of invoice and payment records for the period it specifies; we retain them for at least that period and treat the invoice copy of name and email as the source of record for tax authorities.
- Application data. Lesson responses, diagnostic results, and chatbot conversations are retained in anonymised form for research and aggregate quality work. The link from the data to your identity is severed at deletion.
- Communication data. Support-channel messages are retained for two years from the date of the last message in the thread, then deleted.
- Technical data. Successful-login audit entries are retained for ninety days. Failed-login audit entries are retained for one year. Web server logs are retained for thirty days. Email-delivery records are retained for one year.
9. Security
We protect personal data with the controls described in our security architecture (business-logic.md §14 and the /security skill).
- Passwords are hashed with bcrypt at cost factor twelve. Session tokens are generated with crypto.randomBytes(32) and hashed before storage.
- All transport between your browser and our service is encrypted with TLS.
- Database backups are encrypted at rest. The production database file is held outside the web root and is not reachable from the public network.
- The service runs as an unprivileged user behind a hardened reverse proxy with strict security headers and rate limits on the authentication and payment endpoints.
- We do not store full card numbers, full bank-account numbers, or any other primary financial credential. PayPal holds those on our behalf.
If we discover a breach of security that affects your personal data and meets the GDPR notification threshold, we will notify the supervisory authority within seventy-two hours of becoming aware of it, and we will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms. We commit to a thirty-day investigation and notification window even where the GDPR threshold is not met.
10. Your rights
Subject to the regulatory framework that applies to you, you have the following rights over the personal data we hold on you.
- The right of access: a copy of the personal data we hold on you and a description of how we are using it.
- The right of rectification: correction of any inaccurate or incomplete personal data we hold on you.
- The right of erasure: deletion of your account and the personal data attached to it, subject to the retention exceptions in section 8.
- The right to portability: a structured, machine-readable copy of the personal data you provided to us, where the legal basis for processing is contract or consent.
- The right to object: an end to processing carried out on the basis of legitimate interest, including direct marketing.
- The right to restrict processing: a freeze on processing while a dispute about the data is being resolved.
- The right to withdraw consent: an end to any processing that depends on your consent (newsletter, non-essential cookies), with no effect on lawful processing carried out before the withdrawal.
- The right to lodge a complaint with a supervisory authority. The Portuguese supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD), at cnpd.pt. You may also lodge a complaint with the supervisory authority of your country of residence.
You may exercise any of these rights by writing to support@mysovereigntystack.com or by submitting the data-subject request form on the support page. We respond within thirty days. Where the request is unusually complex, we may extend the response window by sixty days and will tell you why.
11. EU representative
JumpUp Learning LDA is established in the European Union, so it does not appoint a separate EU representative under GDPR Article 27.
12. Automated decision-making
We do not make decisions about you that produce legal effects or significantly affect you using fully automated means. The AI course assistant is an interactive support tool, not a decision-making system; it does not approve or deny accounts, refunds, or coaching engagements.
13. Children
The service is intended for adults. You must be at least sixteen years old to register an account; this is the lower bound for valid consent under the Portuguese implementation of the GDPR. If we become aware that we hold personal data on a person under sixteen, we will delete it.
14. Changes to this policy
We will update this page when we change the way we handle personal data. The effective date at the top of this policy tracks the most recent change. Where a change materially expands the scope of processing, we will notify subscribers by email at least thirty days in advance.
15. How to contact us
For any privacy-related question, write to support@mysovereigntystack.com with the words "Data Subject Request" in the subject line. For postal correspondence, write to JumpUp Learning LDA at the registered address listed in section 1.