Privacy Policy
Last updated: April 2, 2026
1. Controller
Daniel Arndt
Gödinghover Weg 11
40627 Düsseldorf, Germany
Email: contact@pathtomastery.io
2. What data we collect
We collect and process the following categories of data:
Intake form data
When you submit the intake form, we collect:
- Name and email address
- Your goal, current position, motivation, and available resources
- Your selected depth preference
- Optional notes
Usage data
When you visit our website, the following data may be collected automatically:
- IP address (anonymized where applicable)
- Browser type and version, operating system
- Pages visited, time of access, referral source
- Device information (screen resolution, device type)
Payment data
Payment information (credit card details, billing address) is collected and processed directly by our payment provider Lemon Squeezy. We do not store your payment details on our servers.
3. Purpose and legal basis
We process your data based on the following legal grounds:
- Art. 6(1)(b) GDPR - Contract performance: Processing your intake data to create your personalized strategy report, delivering the report via email, and processing your payment.
- Art. 6(1)(a) GDPR - Consent: Analytics and marketing cookies (Google Analytics, Google Ads) are only activated after you give explicit consent via our cookie banner. You can withdraw consent at any time.
- Art. 6(1)(f) GDPR - Legitimate interest: Server logs and technically necessary cookies for website operation, security, and abuse prevention.
4. Data processors and third-party services
Your data is processed by the following service providers:
- Supabase (database) - Your intake responses are stored in a PostgreSQL database hosted by Supabase in the EU (Frankfurt, Germany). Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992.
- Vercel (hosting and analytics) - The website is hosted on Vercel's edge network. Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. Vercel processes server logs (IP address, browser information) for operational purposes. We also use Vercel Analytics, which collects anonymized, aggregated usage data (page views, web vitals) without setting cookies or collecting personal data. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website optimization).
- Lemon Squeezy (payment) - Lemon Squeezy, LLC acts as our Merchant of Record and processes all payment transactions, including billing data, name, and email address. Lemon Squeezy is an independent data controller for payment data. See Lemon Squeezy's Privacy Policy.
- Anthropic (AI processing) - Your intake form responses are sent to the Claude API for strategy report generation. Anthropic, PBC, San Francisco, CA, USA. Data submitted through the API is not used to train Anthropic's models. Transfer basis: EU Standard Contractual Clauses (SCCs).
- OpenAI (AI processing) - Intake data may also be processed via OpenAI's API for report generation. OpenAI, Inc., San Francisco, CA, USA. Data submitted through the API is not used to train OpenAI's models. Transfer basis: EU Standard Contractual Clauses (SCCs).
- Resend (email delivery) - We use Resend for transactional emails including report delivery and order confirmations. Resend Inc., San Francisco, CA, USA. Processes: email address, name. Transfer basis: EU Standard Contractual Clauses (SCCs).
- Google Analytics - See Section 5 below.
- Google Ads - See Section 6 below.
5. Google Analytics
This website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
Google Analytics uses cookies to analyze your use of the website. The information generated by cookies about your use of this website is usually transmitted to a Google server in the USA and stored there. We use IP anonymization, so your IP address is truncated by Google within the EU before transmission.
Legal basis: Art. 6(1)(a) GDPR - your consent. Google Analytics is only activated after you explicitly consent via our cookie banner.
Cookies set:
_ga- Distinguishes unique users. Duration: 2 years._ga_*- Maintains session state. Duration: 2 years.
Opt-out: You can prevent cookie storage by rejecting analytics cookies in our cookie banner. You can also install the Google Analytics Opt-out Browser Add-on. For more information, see Google's Privacy Policy.
Transfer to the USA is covered by Google's participation in the EU-US Data Privacy Framework.
6. Google Ads and conversion tracking
We use Google Ads conversion tracking and remarketing services provided by Google Ireland Limited. These services help us measure the effectiveness of our advertising campaigns and display relevant ads to users who have previously visited our website.
When you click on a Google ad and visit our website, a conversion tracking cookie may be placed on your device. This cookie allows Google to recognize that you visited our site and helps us understand which ads lead to actions on our website.
Legal basis: Art. 6(1)(a) GDPR - your consent. Google Ads tracking is only activated after you explicitly consent to marketing cookies via our cookie banner.
For more information, see Google's Advertising Policies. You can opt out of personalized advertising at Google Ads Settings.
8. Email communication
We send transactional emails (order confirmation, report delivery) via Resend. These emails are necessary for contract fulfillment and are sent based on Art. 6(1)(b) GDPR.
If you opt in, we may also send you informational emails related to personal development and mastery (nurture sequence). These are based on your consent per Art. 6(1)(a) GDPR. Every such email includes an unsubscribe link, and you can opt out at any time.
9. Data retention
Your intake data is retained for the duration of service delivery and for up to 12 months afterwards for support and quality assurance purposes. You may request earlier deletion at any time.
Payment records are retained for 10 years in accordance with German tax law (§ 147 AO). Analytics data is retained according to Google's default retention settings (14 months).
10. Your rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Request deletion of your data
- Restrict processing
- Data portability
- Lodge a complaint with a supervisory authority (for Düsseldorf: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen)
To exercise any of these rights, contact us at contact@pathtomastery.io.
11. Right to object (Widerspruchsrecht)
Where we process your data based on legitimate interest (Art. 6(1)(f) GDPR), you have the right to object at any time for reasons relating to your particular situation.
Where your data is processed for direct marketing purposes, you have the right to object at any time without giving reasons. Upon receiving your objection, we will stop processing your data for that purpose.
12. Transfer to third countries
Your intake data is stored within the EU (Supabase, Frankfurt). However, some of our service providers are based in the USA:
- Vercel (hosting, server logs)
- Anthropic (AI report generation)
- OpenAI (AI report generation)
- Resend (email delivery)
- Lemon Squeezy (payment processing)
- Google (analytics, advertising)
These transfers are safeguarded by EU Standard Contractual Clauses (SCCs) and, where applicable, the provider's certification under the EU-US Data Privacy Framework (DPF).
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on this page with a revised date. We encourage you to review this page periodically.