Privacy Policy

This Privacy Policy describes how Asshole University (“A.U.,” “we”) handles information collected through assholeuniversity.org and related services (the “Service”).

(The Registrar is of the view that if a policy needs a glossary, it has already failed.)

1. Information We Collect

We collect only what is necessary to process your order, deliver your digital product, and communicate with you about it:

• Your email address, provided at checkout or sign-in. Used for magic-link authentication, order receipts, and certificate delivery.
• Payment details, collected and stored by Stripe on its own hosted checkout page. We never see or store your full card number.
• Optional name on certificate, if you elect to personalize a diploma. You may use a pseudonym; we do not verify it.
• Cart and order contents, stored in our Convex-hosted database so we can fulfill what you bought.
• Chatbot transcripts, if you interact with “Kyle” or any other on-site chat interface. These are processed in real time to produce a response.

(We ask for very little. The Bursar considers this a virtue.)

2. Information We Do Not Collect

We do not require your legal name, date of birth, government ID, mailing address, or phone number. We do not run Google Analytics, Meta Pixel, TikTok Pixel, Segment, PostHog, Mixpanel, or any other third-party analytics or advertising pixel on this site. We do not sell, rent, or trade your information. We do not build behavioral profiles for targeting.

(This is not a virtue-signal. It is simply the current state of the codebase, which you are welcome to audit.)

3. How We Use Your Information

Strictly to operate the Service: fulfilling orders, issuing certificates, sending transactional email (receipts, magic-link sign-in, certificate delivery, refund confirmations), authenticating you on return visits, and processing refund requests. We do not send marketing email. If we ever decide to, we will ask first and make it easy to decline.

4. Third-Party Processors

The Service relies on a small set of named processors. Each has its own privacy policy, which we recommend reading:

• Stripe, Inc. — processes payments and stores card details. We receive only a token, last four digits, and the charge outcome.
• Resend — delivers transactional email on our behalf. Receives your email address and the message body.
• OpenAI — powers the on-site chatbot. If you chat, your messages are sent to OpenAI's API to generate a response. Do not share information with the chatbot that you would not want a third party to process.
• Convex — our hosted database provider. Stores orders, accounts, and certificate records.
• Vercel — hosts the website and serves requests. Standard server logs (IP address, user-agent, timestamp) are retained for a short period for security and operations.

We also disclose information when required by law, subpoena, or to protect our rights or the safety of others.

5. Cookies and Local Storage

We use a small number of first-party cookies and browser-local values strictly to operate the Service:

• Session cookie — set by our authentication provider to keep you signed in after you click a magic-link.
• Cart localStorage — keeps your cart contents on your device so they survive a page refresh. Never transmitted except when you check out.
• Stripe cookies — set on Stripe's hosted checkout page for fraud prevention, governed by Stripe's policy.

(No banner. No “accept all.” No consent-management platform. These cookies are strictly necessary; EU law permits them without prior consent.)

6. Your Rights

Regardless of where you live, you may ask us to confirm what information we hold about you, provide a copy, correct anything wrong, or delete your account — subject to our obligation to retain tax and transaction records for the period required by law (typically seven years in the U.S.). Email registrar@asshole.university with the subject “Privacy Request” and we respond within thirty (30) days.

(These rights satisfy CCPA, GDPR, and UK-GDPR requests alike; we do not differentiate by jurisdiction.)

7. Security, Retention, Minors, and Updates

We use industry-standard encryption in transit (TLS) and at rest via our named processors; no system is perfectly secure, and we make no such claim. Order and certificate records are retained for the life of your account plus any period required for tax and accounting; chatbot transcripts are retained only as long as operationally necessary.

The Service is not directed at children under 13 (or under 16 in the EEA/UK). If you believe a minor has provided information, email the Registrar and we will delete it.

We may update this policy from time to time; material changes are reflected in the effective date below and, where required, announced by email to account holders.