Privacy Policy

Privacy Policy — Attract (by ScratchPub)

Effective date: 25 August 2025
Contact: data@scratchpub.com
Applies to: attract.scratchpub.com and related services

1) Controller

Attract (a sub-brand of ScratchPub) — Kinshasa, DRC (postal address to be added)
Email: data@scratchpub.com
EU/EEA Representative (Art. 27 GDPR, if required): to be designated; contact the controller until then.

2) Scope

This policy explains how Attract processes the personal data of visitors, learners, instructors, partners, and community members on our BuddyBoss-based WordPress Multisite with Tutor LMS, WooCommerce, Elementor/Crocoblock, Presto Player, Rank Math, LiteSpeed Cache, Wordfence, and WPS Hide Login. It also covers transfers to Kinshasa (DRC) and other countries for business purposes.

3) Categories of personal data

  • Account & Profile: name, username, display name, avatar, bio, role, language, timezone, organization, links, BuddyBoss profile fields/visibility.
  • Contact: email; optional phone; billing/shipping (WooCommerce).
  • Authentication: hashed passwords; social login identifiers/metadata (Google, LinkedIn, X/Twitter, Facebook).
  • Transactions: orders, invoices, tax info, payment status (card data processed by payment provider, not stored by us).
  • Learning (Tutor LMS): enrollments, progress, quiz results, certificates, notes, assignments, instructor feedback.
  • Community (BuddyBoss): posts, comments, messages, reactions, groups, connections, timestamps, moderation records.
  • Media & Playback (Presto Player): starts/stops, watch time, engagement, device/browser; embedded platforms/CDNs receive your IP and user agent.
  • Device & Usage: IP address, device/browser type, pages visited, referrer, timestamps, approximate geolocation from IP; security logs (Wordfence).
  • Cookies & Similar Tech: consent preferences, session/functional cookies, analytics/marketing (only after consent where applicable).
  • Support & Compliance: support messages, data-subject requests, consent logs, legal records.

4) Purposes and legal bases

  • Service & contracts (account, courses, certificates, community, purchases): Art. 6(1)(b).
  • Security & fraud prevention (firewall, abuse/spam, incident logs): Art. 6(1)(f) and where required 6(1)(c).
  • Payments & billing (WooCommerce/payment providers): 6(1)(b), 6(1)(c).
  • Analytics & improvement (Rank Math/internal): 6(1)(a) where non-essential; otherwise limited 6(1)(f).
  • Marketing & communications (newsletters, offers, partner promos): 6(1)(a).
  • Social logins (Google, LinkedIn, X, Facebook): 6(1)(b) for auth; 6(1)(a) for any non-essential tracking by providers.
  • Legal claims & compliance: 6(1)(c) and 6(1)(f).

You can withdraw consent at any time with future effect.

5) Sources

Data comes from you (forms, activity), your device (logs), or chosen third parties (social login, payment providers).

6) Recipients / processors

  • Hosting: Hostinger.
  • Security: Wordfence (firewall/malware; IP/event logs).
  • LMS: Tutor LMS (local processing).
  • Community: BuddyBoss (local; visibility per your settings).
  • Video: Presto Player; third-party/CDN embeds receive IP/device data.
  • E-commerce: WooCommerce; payment providers (e.g., Stripe/PayPal) act as controllers or processors—see their notices.
  • Email: transactional/marketing services if configured.
  • Analytics/SEO: Rank Math (non-essential only with consent).
  • Caching/Performance: LiteSpeed Cache.
  • UI/Dev: Elementor, Crocoblock (local).
  • Partners (business purposes): limited data (contact, engagement, course context) shared with selected partners/affiliates, including in Kinshasa (DRC) and other countries, for services, co-programs, certifications, mentoring, events, or business support—under safeguards and within stated purposes.

We sign DPAs with processors. Independent controllers (e.g., social logins, payment providers) set their own purposes.

7) International transfers (incl. DRC/Kinshasa)

Where no EU adequacy decision exists, we rely on Standard Contractual Clauses (SCCs) and, where necessary, supplementary measures. Some transfers may use GDPR Art. 49 derogations (explicit consent, contract performance, legal claims). Request details at data@scratchpub.com.

8) Social logins

Using social login lets the provider confirm your identity and may expose usage data (IP, browser, timestamps) to them under their policies. Review your provider’s privacy controls.

9) Community visibility

Public profile fields and activity may be visible to members per your settings. Private messages are confidential, subject to lawful moderation (e.g., abuse handling). Adjust visibility in your account.

10) Cookies & consent

We use strictly necessary cookies for core functions. Non-essential analytics/marketing/social cookies run only after consent via our banner.

11) Retention

  • Account/profile: until deletion or per inactivity policy; some security logs longer if needed.
  • Learning records: for access duration and legitimate archiving (certificate validation), then minimized/anonymized.
  • Transactions/invoices: per commerce/tax laws (typically 6–10 years).
  • Security logs: ~90–180 days, longer for incidents.
  • Marketing consents: until withdrawal + short audit window.
  • Support: until resolved/required.

12) Your rights

Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent; complaint to an EU/EEA supervisory authority. Exercise rights: data@scratchpub.com. You can also use our Privacy Center to submit export/erase requests and set sharing preferences.

13) Security

TLS/HTTPS, Wordfence firewall/malware scanning, role-based access, strong auth (e.g., 2FA for admins), least privilege, encrypted backups where applicable.

14) Children

For adults (16+). If you believe we hold a child’s data, contact us for prompt deletion.

15) Changes

Updates will be posted here. The online version is authoritative.