Privacy Policy
Last updated: June 2026
This Privacy Policy explains what personal data NewRoleKit collects, why we collect it, how we use it, and what rights you have. We are committed to handling your data with care and transparency.
NewRoleKit is operated by Ofir Ozon, based in Israel. Contact: ofirozon@gmail.com
1. What Data We Collect
Account data
When you register, we collect your email address, display name (optional), and a hashed password. We never store your password in plain text.
Learning progress
We record which topics you have completed and which quizzes you have passed. For guests (no account), this data is stored only in your browser's local storage and never sent to our servers. For registered users, progress is stored in our database and synced to your account when you log in.
Subscription and payment data
Payments are not yet enabled. When billing is introduced, payment processing will be handled by a third-party merchant of record (such as Paddle or Lemon Squeezy). We will never receive or store your card number. We will store your subscription status (free or pro) and the provider's transaction reference.
Analytics data
If you accept analytics cookies, we use PostHog to collect anonymised usage data: which pages you visit, which features you use, and general behaviour patterns. This data does not identify you personally and is used only to improve the product. If you decline, no analytics data is collected.
Technical data
Our infrastructure providers (Supabase / Vercel) may log standard technical data such as IP addresses and browser type for security and reliability purposes. We do not use this data for marketing.
2. Why We Collect It (Legal Basis)
- Account and progress data — necessary to perform the contract with you (providing the learning service you signed up for).
- Analytics — based on your consent, which you can withdraw at any time via the cookie banner or by emailing us.
- Technical/security logs — our legitimate interest in keeping the platform secure and operational.
3. How We Use Your Data
- To create and manage your account
- To save and sync your learning progress across devices
- To enforce subscription entitlements (free vs Pro)
- To send transactional emails — account confirmation, password reset. We do not send marketing emails without your separate consent.
- To improve the platform using anonymised analytics (if consented)
- To respond to your support requests
4. Who We Share Your Data With
We do not sell your personal data. We share it only with:
- Supabase — our database and authentication provider, hosted on AWS (us-east-1). Supabase processes data under their Privacy Policy.
- Vercel — our hosting provider. Vercel processes data under their Privacy Policy.
- PostHog (if you consent) — analytics provider. See the PostHog Privacy Policy.
- Payment processor (when billing is live) — Paddle or Lemon Squeezy will act as the merchant of record and handle payment data under their own privacy policies.
- Law enforcement — if required by a valid legal request or to protect the safety of users.
5. Data Storage and Security
Your data is stored on Supabase servers located in the United States (us-east-1 region). We use Row-Level Security (RLS) on all database tables, meaning your data is only accessible to your own account. Passwords are hashed and never stored in plain text. All connections use HTTPS/TLS encryption.
No system is completely secure. If we become aware of a data breach that affects your personal data, we will notify you within 72 hours by email.
6. How Long We Keep Your Data
- Active accounts — data is retained for as long as your account exists.
- Deleted accounts — account data is deleted immediately when you request deletion. Backups are purged within 30 days.
- Analytics data — PostHog retains anonymised events for up to 12 months.
7. Your Rights
Depending on where you are located, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Correction — update inaccurate data (you can do this directly in your Account page)
- Deletion — delete your account and all associated data (available directly in your Account page, or by emailing us)
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — withdraw analytics consent at any time via the cookie banner
To exercise any of these rights, email ofirozon@gmail.com. We will respond within 30 days. If you are in the EU or EEA, you also have the right to lodge a complaint with your local data protection authority.
8. Cookies and Local Storage
NewRoleKit uses the following:
- Session cookies (essential) — set by Supabase to keep you logged in. These are strictly necessary and cannot be disabled.
- Local storage (essential) — stores guest learning progress and your cookie consent preference in your browser. Not transmitted to our servers.
- Analytics cookies (optional) — set by PostHog only if you accept. You can decline or change your preference at any time using the cookie banner at the bottom of the page, or by clearing your browser's local storage.
We do not use advertising, tracking, or social-media cookies.
9. Children's Privacy
NewRoleKit is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. International Transfers
Your data is stored in the United States (Supabase / AWS us-east-1). If you are located in the EU or EEA, this constitutes a transfer of data outside the European Economic Area. Supabase and Vercel maintain Standard Contractual Clauses (SCCs) with their EU customers as a transfer mechanism.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on the platform at least 14 days before the changes take effect.
12. Contact
For any privacy-related questions or requests: ofirozon@gmail.com
This Privacy Policy was drafted in plain language as a starting point and has not yet been reviewed by a qualified lawyer. If you have users in the EU, obtain legal review to ensure full GDPR compliance before collecting personal data at scale.