Privacy Policy

Effective date: April 30, 2026

Last updated: June 8, 2026

This Privacy Policy describes how GoaTech AI LLC, a California limited liability company (CA entity number B20260198511) with a principal office at 2108 N Street #4923, Sacramento, CA 95816 (“Sheepit,” “we,” “us,” or “our”) collects, uses, and protects your personal information when you use the platform at sheepit.ai, our courses, our SDKs, and any associated services (collectively, the “Services”).

1. Information We Collect

When you create an account we collect your name, email address, country, preferred language, and a hashed password. When you purchase a course or subscription we process payment through our payment provider (Paddle and/or Stripe); we never store full card numbers on our servers.

We automatically collect usage data such as page views, feature-flag evaluations, click and scroll signals, error reports, and event analytics to improve the platform. This data is associated with your account and is accessible from your dashboard.

Categories of Personal Information We Collect (CCPA / CPRA)

• Identifiers — name, email, account ID, IP address, device identifiers, and a profile photo (avatar) when you sign in with a social provider such as Google or GitHub.
• Customer records — payment metadata (last-4, brand, country) supplied by our payment provider; billing address.
• Commercial information — purchase history, enrollments, gift-claim history.
• Internet / electronic activity — pages viewed, time-on-page, click and scroll events, feature-flag evaluations, error and crash reports.
• Geolocation — coarse country/region inferred from IP for tax, localization, and fraud prevention.
• Inferences — derived attributes used for product analytics (e.g., experiment cohort, engagement tier).

We do not collect sensitive personal information (Social Security numbers, government IDs, precise geolocation, biometrics, health data) from end users in the ordinary course of providing the Services.

2. How We Use Your Information

• Provide, maintain, and improve the Sheepit platform and courses.
• Process transactions and send transactional emails (verification, receipts, gift notifications, refund confirmations).
• Monitor platform health, detect abuse, and enforce usage limits.
• Communicate product updates when you have opted in.
• Comply with legal obligations and respond to lawful requests.

Legal Basis for Processing (EU / UK / EEA)

• Contract — account creation, login, course access, payment processing, customer support.
• Legitimate interest — product analytics, error monitoring, fraud prevention, platform security.
• Consent — marketing emails, optional analytics cookies (where applicable).
• Legal obligation — tax recordkeeping, responding to lawful requests, retaining transaction records.

Internal Analytics — Sheepit on Sheepit

We also use Sheepit to run analytics on Sheepit itself. We mirror our own registered account-holders into an internal Sheepit analytics project — copying only your account ID, email, name, role, and profile photo (avatar), all of which we already hold — so that we can analyse our own signup funnel, monitor the health of our own releases, and operate our business on our own product. We rely on our legitimate interest (GDPR Art 6(1)(f)) in understanding and improving our own product for this processing. It introduces no new categories of data beyond what is described in Section 1, shares nothing with any third party, and inherits the retention and deletion described in Sections 4 and 6. You may object to this specific processing at any time under Art 21 by emailing security@sheepit.ai; on objection we remove you from the internal directory without affecting your account. Deleting your account also removes you.

3. Data Sharing

We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). We share information only with the following categories of recipients:

• Payment providers — Paddle.com Market Limited (Paddle), which acts as our Merchant of Record for consumer course purchases and is an independent data controller for transaction data; and Stripe, Inc., which we may use for legacy or B2B flows.
• Infrastructure providers — Vercel (web hosting), Railway (API hosting), Neon (database), Cloudflare (R2 object storage and DNS), Resend (email delivery).
• Analytics — first-party analytics through our own Sheepit SDK; we do not share data with third-party advertising networks. Because Sheepit is itself a product-analytics platform, we are our own first customer: we mirror our own registered account-holders (name, email, account ID, role, and profile photo) into an internal Sheepit analytics project so that our own team appears in our own user directory. This is first-party, internal-only processing on the same infrastructure described in this policy — it is not a disclosure to any third party.

Each of the above acts under a written data-processing agreement (or as an independent controller, in the case of Paddle) and is bound to use the data only for the purposes for which it was disclosed.

4. Data Retention

We retain personal information only as long as needed for the purposes described in this policy or as required by law. Indicative retention windows:

• Account data (name, email, password hash) — for the life of the account; deleted within 30 days of account-deletion request, except where retention is required by law.
• Transaction records (purchases, refunds, invoices) — at least 7 years to comply with US tax recordkeeping rules.
• Event analytics and logs — 12 months by default; aggregated metrics beyond that point.
• Crash reports and error logs — 90 days.

You may request deletion of your account and associated data at any time from your account settings or by emailing us at the address below.

5. International Data Transfers

Sheepit is established in the United States, and our infrastructure providers process data in the United States. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal information will be transferred to the United States. We rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK's International Data Transfer Addendum (IDTA), together with supplementary technical and organizational measures, as the lawful mechanism for such transfers.

6. Your Privacy Rights

California Residents (CCPA / CPRA)

You have the right to:

• Know — what personal information we collect, the sources, the purposes, and the categories of recipients.
• Delete — request deletion of personal information we have collected about you.
• Correct — request correction of inaccurate personal information.
• Opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, but you have the right to direct us not to.
• Limit use of sensitive personal information — we do not use sensitive personal information for purposes that would trigger this right, but it is reserved.
• Non-discrimination — we will not deny service, charge a different price, or provide a different level of quality because you exercised any of these rights.

To exercise any of these rights, email security@sheepit.ai from the email address on your account. You can delete your account in-app from your account settings; for a copy of your data, contact us at the address above. We will respond within 45 days.

European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

You have the right to:

• Access the personal data we hold about you (Art 15).
• Rectify inaccurate or incomplete personal data (Art 16).
• Erase personal data in defined circumstances (Art 17).
• Restrict processing in defined circumstances (Art 18).
• Receive a portable copy of personal data you provided to us (Art 20).
• Object to processing based on legitimate interest, including profiling (Art 21).
• Withdraw consent at any time, where processing is based on consent (Art 7(3)). Withdrawal does not affect prior lawful processing.
• Lodge a complaint with your local supervisory authority (Art 77).

We currently operate below the small-scale-processing threshold under GDPR Article 27(2) and have not appointed an EU representative. We will appoint one if our processing materially increases.

Do Not Track

Some browsers transmit a Do-Not-Track (DNT) signal. Because there is no industry-wide standard for how to interpret DNT, we do not currently respond to DNT signals. Our analytics are first-party and we do not share data with third-party advertising networks.

7. Children's Privacy

The Services are not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If we learn that we have collected personal information from a child under 16, we will delete that information promptly. If you believe a child has provided us with personal information, contact security@sheepit.ai.

8. Cookies and Similar Technologies

See our Cookie Policy for the specific cookies and storage keys we set and how to manage them.

9. Security

We protect your data with encryption in transit (TLS), hashed passwords (bcrypt), hashed API keys (SHA-256), and HttpOnly session cookies. We conduct regular security reviews of our codebase and dependencies. No method of electronic storage is 100% secure; we cannot guarantee absolute security.

10. Changes

We may update this policy from time to time. Material changes will be communicated via email or an in-app banner at least 30 days before they take effect. Continued use of the Services after the effective date constitutes acceptance.

11. Contact

Questions about this policy or to exercise any of the rights described above? Email security@sheepit.ai or write to us at:

GoaTech AI LLC
2108 N Street #4923
Sacramento, CA 95816
United States