Privacy Notice

CTR Factor Non-Profit Alliance, a 501(c)(3) nonprofit organization operating CTR Factor Debate Academy, is the data controller for the personal information described in this notice. References to "we", "us", or "our" refer to CTR Factor Non-Profit Alliance.

We collect the following categories of personal data:

• Account & registration data: parent name, student name, email, phone, student grade, school, session choice, experience level, and program goals.
• Authentication credentials: email/password or third-party sign-in (e.g. Google OAuth) when you create an account.
• Donation & order data: order amount, currency, and a transaction reference. Payment card and billing details are collected directly by our payment provider, Paddle, and are never stored on our servers.
• Communications: emails and support messages you send us.
• Technical data: IP address, device/browser information, and basic usage analytics (page views).

• Provide programs and process registrations — legal basis: performance of a contract.
• Process donations and send receipts — legal basis: contract / legal obligation (tax acknowledgment).
• Communicate about sessions, schedules, and updates — legal basis: legitimate interest in serving enrolled families, or consent where required.
• Security, fraud prevention, and platform integrity — legal basis: legitimate interest.
• Improve our programs and website — legal basis: legitimate interest.
• Marketing — only where you have opted in; you may withdraw consent at any time.

We do not sell parent or student information.

We share personal data only with the following categories of recipients:

• Paddle.com Market Ltd ("Paddle") — Merchant of Record and payment processor. Paddle handles checkout, payment processing, billing, tax compliance, invoicing, refunds, and subscription management for all purchases and donations made on our site. See Paddle's Privacy Notice.
• Hosting and backend providers — Lovable Cloud (built on Supabase) for database, authentication, and storage; Cloudflare for edge hosting and content delivery.
• Email delivery — our transactional email provider, used to send registration confirmations, donation receipts, and account emails.
• Authentication providers — Google (if you sign in with Google).
• Analytics — lightweight aggregate analytics; not used to identify individual children.
• Professional advisers — legal, accounting, and audit professionals where required.
• Authorities — where required by law, court order, or to protect rights and safety.

We are based in the United States, and our hosting providers may process data in the US and other countries. Where personal data is transferred from the UK/EEA, transfers are protected by appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

We retain registration and donation information for as long as needed to serve the family, meet program recordkeeping needs, and comply with tax and legal obligations (typically up to 7 years for financial records). Data is deleted or anonymized when no longer needed. You can request earlier deletion using the contact below.

Depending on where you live, you have the right to:

• Access the personal data we hold about you;
• Rectify inaccurate or incomplete data;
• Erase ("right to be forgotten") your data, subject to legal retention;
• Restrict or object to certain processing;
• Data portability — receive your data in a portable format;
• Withdraw consent at any time where processing is based on consent;
• Lodge a complaint with your local supervisory authority (e.g. the UK ICO or your EU data protection authority).

To exercise any of these rights, email us at the address below. We will respond within 30 days.

We use appropriate technical and organizational measures to protect personal data, including encryption in transit (HTTPS), encrypted storage, row-level security policies on our database, and access controls limiting staff access to authorized administrators. No system is perfectly secure, but we work to minimize risk.

Our programs serve students, and registrations must be submitted by a parent or guardian. We ask parents to submit student information on the student's behalf. Parents can request access, correction, or deletion of a student's record at any time using the contact below.

We use essential cookies required for the site to function (e.g. authentication session). We use lightweight analytics to understand which pages families visit so we can improve the site. We do not use analytics to identify individual children. Where required, we will request your consent before non-essential cookies are set.

We may update this Privacy Notice from time to time. The "Last updated" date above will reflect the most recent revision. Material changes will be highlighted on the site.

CTR Factor Non-Profit Alliance
Privacy & data requests: alejandro@ctrfactor.com
General contact: social@ctrfactor.com

See also our Terms & Conditions and Refund Policy.