Privacy Policy
Effective Date: March 26, 2026
Last updated: March 26, 2026
1. Introduction & Identity
CrashCourse Weekly ("CCW," "the Service," "we," "us," or "our") is a subscription-based intelligence service for the collision repair industry, operated by:
Atlantic Collision Center, Inc.
[Address to be confirmed], Lowell, MA [ZIP]
Email: support@crashcourseweekly.com
This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you visit our website at crashcourseweekly.com, subscribe to our service, or otherwise interact with us.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
This Privacy Policy is incorporated into and subject to our Terms of Service.
2. Data We Collect
2.1 Information You Provide
| Data Category | Examples | When Collected |
|---|---|---|
| Account Information | Name, email address, company name, job title | Account registration |
| Billing Information | Credit card number (last 4 digits only — full number handled by Stripe), billing address | Subscription checkout |
| Cryptocurrency Payment Data | Bitcoin transaction ID, on-chain wallet address, BTCPay invoice ID, payment amount in BTC/satoshis | BTC payment via BTCPay Server |
| Team Member Information | Email addresses of invited team members | When account holder sends seat invitations |
| Communications | Support requests, feedback, correspondence | When you contact us |
2.2 Information Collected Automatically
| Data Category | Examples | How Collected |
|---|---|---|
| Usage Data | Pages viewed, features accessed, content downloads, login timestamps, session duration, subscription tier, trial status | Application logs |
| Audio Access Data | Timestamps of audio content requests, signed URL generation events, subscription tier associated with access | Application logs |
| Device & Browser Data | IP address, browser type and version, operating system, device type | Server logs, Supabase auth |
| Referral Data | URL of the referring page, search terms used to find us | Server logs |
| Authentication & Session Data | Session tokens, authentication cookies, login events, password reset events | Supabase Auth system |
| Trial Status Data | Trial start date, trial end date (trial_ends_at), whether trial converted to paid subscription | Database |
2.3 Information About Trial Users
If you register for a free trial, we collect and store the information listed in Sections 2.1 and 2.2 beginning at registration. Your trial_ends_at timestamp is tracked to send trial reminder emails and to enforce trial expiration. If you do not convert to a paid subscription, your account and associated data are retained for 90 days following trial expiration before deletion, unless you request earlier deletion.
2.4 Information We Do NOT Collect
- Social Security numbers or government identification numbers
- Vehicle owner or consumer information from your repair operations
- Information about your customers or their vehicles
- Health or biometric information
- Detailed audio playback analytics (position in track, skip events, or playback duration) — audio is served via signed URLs and we do not track how you listen, only that access was requested
3. How We Use Your Data
We use the information we collect for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Provide the Service — Deliver reports and audio content, manage your subscription, authenticate your account | Performance of contract |
| Process Payments — Charge subscription fees, manage billing via Stripe or BTCPay Server, link BTC transactions to your account | Performance of contract |
| Manage Trial Access — Track trial periods, enforce trial expiration, send trial reminder emails | Performance of contract |
| Multi-User / Seat Management — Process team invitations, manage seat assignments and revocations | Performance of contract |
| Audio Content Delivery — Generate and serve signed URLs for AI-produced audio content; track access for tier enforcement | Performance of contract |
| Transactional Communications — Send subscription confirmations, payment receipts, seat invitation emails, trial reminders, account notices, and service alerts | Performance of contract |
| Product Improvement — Analyze usage patterns to improve Service features and content | Legitimate interest |
| Customer Support — Respond to your inquiries and resolve issues | Performance of contract |
| Security — Detect and prevent fraud, abuse, and unauthorized access | Legitimate interest |
| Legal Compliance — Comply with applicable laws, regulations, and legal processes | Legal obligation |
What We Do NOT Do With Your Data
- We do NOT sell your personal information. Not to data brokers, advertisers, or any third party. Period.
- We do NOT use your data for third-party advertising or ad targeting
- We do NOT share your data with unaffiliated third parties for their own marketing purposes
- We do NOT use your data to build profiles for sale
4. Legal Basis for Processing
We process your personal data under the following legal bases:
- Performance of Contract: Processing necessary to provide the Service you have subscribed to, including account management, billing, content delivery, and seat management.
- Legitimate Interests: Processing necessary for our legitimate business interests, including service improvement, security, and fraud prevention, where those interests are not overridden by your data protection rights.
- Consent: Where you have given us specific consent to process your data for a particular purpose (e.g., optional marketing communications). You may withdraw consent at any time.
- Legal Obligation: Processing required to comply with applicable laws, regulations, tax requirements, or legal processes.
5. AI-Generated Content & Audio
5.1 How Audio Content Is Created
Certain subscription tiers include access to AI-generated audio content:
- The Brief (all tiers): Weekly written intelligence report
- The Deep Dive (Shop Team tier and above): Extended written and audio reports
- Monthly Deep Dive Audio (Enterprise tier): Audio-format deep dive reports
Audio content is generated using artificial intelligence text-to-speech technology provided by Cartesia, Inc. (see Section 7.1 for Cartesia's privacy policy). The audio is synthetic and not recorded by a human voice actor.
The written content that underlies the audio is produced using AI language model technology provided by Anthropic, PBC. Anthropic processes aggregated industry data and our editorial inputs, not your personal subscriber information, to generate CCW content.
5.2 How Audio Is Stored and Served
Audio files are stored in a private Supabase storage bucket designated ccw-audio. Audio files are not publicly accessible. Access is controlled by our application layer, which enforces your subscription tier before generating a signed access URL.
Signed URLs expire after 6 hours from generation. After expiration, the URL is no longer functional and a new request must be made. We log the fact that a signed URL was generated (timestamp, associated account, subscription tier) but do not collect detailed playback data.
5.3 AI Processing Disclosure
In the course of operating the Service, the following AI systems process data:
- Anthropic (Claude): Processes editorial inputs, industry data, and publicly available information to generate written intelligence content. Your personal subscriber data (name, email, billing information) is not used as input to Anthropic's AI. Anthropic's API is subject to Anthropic's data processing terms.
- Cartesia: Converts generated written text into synthesized audio. No subscriber personal data is submitted to Cartesia; only the text content to be converted is transmitted. Cartesia's processing is governed by its privacy policy and applicable data processing agreements.
6. Multi-User Accounts & Seat Management
6.1 How It Works
Subscribers on eligible plans may add team members ("seats") to their account. The account holder (the subscriber who owns the billing relationship) may invite team members by entering their email address within the Service. Invitation emails are sent via our transactional email providers (Mailgun or Resend).
6.2 Data Collected for Invited Team Members
When a seat invitation is issued, we collect and store:
| Data | Purpose |
|---|---|
| Invitee email address | Delivery of invitation email |
| Invitation timestamp | Tracking invitation status and expiry |
| Invitation acceptance status | Account provisioning |
| Role/permission level (if applicable) | Access control within multi-user account |
Upon accepting an invitation, the invited user creates an account and is subject to this Privacy Policy in their own right.
6.3 Revocation and Deletion
If an account holder revokes a seat invitation before it is accepted, the invitee's email address is removed from our active records within 30 days.
If a team member's seat is revoked after account creation, that team member's account access is terminated. Their account data (email, usage history) is retained for the duration of the account holder's active subscription and for the standard post-cancellation retention period described in Section 8, unless the team member separately requests deletion under Section 9.
If the account holder's subscription is cancelled, all associated team member accounts lose access. Team member data is retained for the same 2-year post-cancellation period applicable to the account holder's data, then permanently deleted.
7. Data Sharing & Subprocessors
We share your data only with service providers ("subprocessors") who are necessary to operate the Service. We do not sell, rent, or trade your personal information.
7.1 Subprocessors
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe, Inc. | Payment processing (credit/debit cards) | Name, email, billing address, payment card details |
| BTCPay Server | Bitcoin payment processing (self-hosted instance) | Bitcoin transaction ID, on-chain wallet address, invoice amount, invoice status. Self-hosted; no third-party data transfer. On-chain transaction data is publicly visible on the Bitcoin blockchain. See Section 7.3. |
| Supabase, Inc. | Database hosting, authentication, and file storage | Account data, usage data, audio files, all application data, authentication tokens |
| Mailgun (Sinch) | Transactional email delivery (primary) | Name, email address, email content, delivery metadata |
| Resend | Transactional email delivery (backup) | Name, email address, email content, delivery metadata |
| Vercel, Inc. | Website and application hosting, edge functions | IP address, request data, server logs |
| Anthropic, PBC | AI language model for content generation | Editorial inputs, industry data (no subscriber personal data) |
| Cartesia, Inc. | AI text-to-speech for audio content generation | Text content to be synthesized (no subscriber personal data) |
7.2 Other Disclosures
We may also disclose your information:
- Legal Requirements: When required by law, subpoena, court order, or governmental regulation
- Protection of Rights: To protect the rights, property, or safety of CCW, our subscribers, or others
- Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case the successor entity will be bound by this Privacy Policy
- With Your Consent: When you have explicitly consented to the disclosure
7.3 Bitcoin Payments and Public Blockchain Data
If you pay using Bitcoin via our BTCPay Server integration, you should be aware of the following:
Bitcoin transactions are pseudonymous, not anonymous. On-chain transaction data — including the sending wallet address, receiving wallet address, transaction amount (in BTC), and transaction timestamp — is permanently and publicly recorded on the Bitcoin blockchain. This data is visible to anyone who accesses the blockchain and is not under our control to delete or modify.
We link your BTCPay invoice ID to your subscription account for the purpose of activating and managing your subscription. The invoice ID and your account email may be linked in our internal records. We do not link your Bitcoin wallet address to your real-world identity except as may be required by applicable law (e.g., in response to a valid legal process).
If you require payment privacy, you should carefully evaluate whether Bitcoin payments meet your needs, as blockchain transaction data is permanently public.
8. Data Retention
We retain your personal data only as long as necessary for the purposes described in this Privacy Policy.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of active subscription + 2 years after cancellation | Account recovery, support history, re-subscription |
| Billing & Financial Records | 7 years after the transaction | IRS record-keeping requirements (26 U.S.C. § 6001) and Massachusetts tax record requirements |
| Bitcoin Transaction Records | 7 years after the transaction | Financial record-keeping obligations; note that on-chain blockchain data exists permanently and independently of our records |
| Usage Data | 12 months from collection | Product improvement and security monitoring |
| Audio Access Logs | 12 months from access event | Security monitoring, tier enforcement verification |
| Audio Files (Supabase Storage) | Duration of Service operation; individual files may be archived or replaced as new editions are published | Content management |
| Trial User Data (non-converting) | 90 days after trial expiration | Grace period for re-subscription; then permanently deleted |
| Seat Invitation Data (not accepted) | 30 days after revocation or expiration | Administrative cleanup |
| Team Member Account Data | Per account holder's retention period | Tied to subscription lifecycle |
| Server Logs | 90 days | Security, debugging, abuse prevention |
| Communications (support tickets, emails) | Duration of active subscription + 2 years | Support reference and dispute resolution |
After the applicable retention period, personal data is permanently deleted or anonymized so that it can no longer identify you.
You may request earlier deletion of your data in accordance with Section 9 (Your Rights), subject to our legal retention obligations.
9. Your Rights
Regardless of where you are located, we provide the following rights with respect to your personal data:
9.1 Right of Access
You may request a copy of the personal data we hold about you.
9.2 Right to Rectification
You may request that we correct any inaccurate or incomplete personal data.
9.3 Right to Deletion
You may request that we delete your personal data, subject to our legal obligations to retain certain records (e.g., financial records for tax purposes).
9.4 Right to Data Portability
You may request a copy of your personal data in a structured, commonly used, machine-readable format (JSON or CSV).
9.5 Right to Object
You may object to the processing of your personal data based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
9.6 Right to Restrict Processing
You may request that we restrict the processing of your personal data while a dispute about accuracy or processing is resolved.
9.7 How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: support@crashcourseweekly.com
Subject line: "Privacy Rights Request"
We will respond to your request within 30 days. We may ask you to verify your identity before processing your request. There is no fee for exercising your rights.
If we are unable to fulfill your request (e.g., due to legal retention requirements), we will explain why in writing.
10. Massachusetts Data Protection
The Service is operated by a Massachusetts corporation and is governed by the laws of the Commonwealth of Massachusetts.
10.1 Massachusetts Data Security Regulations (201 CMR 17.00)
Atlantic Collision Center, Inc. complies with the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00). Our Written Information Security Program (WISP) governs the handling of "personal information" as defined under Massachusetts law (M.G.L. c. 93H), which includes an individual's first name and last name combined with their financial account number, Social Security number, or driver's license number.
Our WISP includes:
- Designated personnel responsible for maintaining security measures
- Procedures for assessing third-party service provider security practices
- Secure user authentication protocols with access controls
- Encryption of personal information transmitted over public networks
- Up-to-date firewall and malware protection on systems storing personal information
- Procedures for detecting, reporting, and responding to security incidents
10.2 Massachusetts Breach Notification (M.G.L. c. 93H)
In the event of a security breach involving the personal information of Massachusetts residents, we will:
- Notify affected Massachusetts residents as soon as reasonably possible following discovery of the breach
- Notify the Massachusetts Attorney General's Office and the Director of Consumer Affairs and Business Regulation as soon as reasonably possible following discovery
- Provide notice in the form and manner required by M.G.L. c. 93H and 201 CMR 17.03
10.3 Governing Law
This Privacy Policy and any disputes arising from it are governed by the laws of the Commonwealth of Massachusetts, without regard to conflict of law principles.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
11.1 Right to Know
You have the right to request that we disclose:
- The categories of personal information we have collected about you
- The categories of sources from which personal information is collected
- The business purpose for collecting personal information
- The categories of third parties with whom we share personal information
- The specific pieces of personal information we have collected about you
11.2 Right to Delete
You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal compliance, completing transactions).
11.3 Right to Opt-Out of Sale
We do not sell personal information. We do not sell, rent, or share personal information with third parties for monetary or other valuable consideration. Because we do not sell your data, there is no need to opt out. However, you may still contact us if you have concerns.
11.4 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, a different quality of service, or be denied service for making a privacy request.
11.5 How to Submit a CCPA Request
To submit a request under the CCPA:
- Email: support@crashcourseweekly.com with subject "CCPA Request"
- We will verify your identity before processing any request
- We will respond within 45 days (extendable by an additional 45 days with notice)
11.6 Authorized Agent
You may designate an authorized agent to submit a CCPA request on your behalf. The agent must provide written authorization signed by you, and we may still require you to verify your identity directly.
11.7 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information (as defined by the CCPA):
| CCPA Category | Collected? | Sold? | Shared for Cross-Context Behavioral Advertising? |
|---|---|---|---|
| Identifiers (name, email, IP address) | Yes | No | No |
| Commercial information (subscription records, payment history, trial status) | Yes | No | No |
| Internet activity (usage data, audio access events, browsing history on our site) | Yes | No | No |
| Professional information (company name, job title) | Yes | No | No |
| Financial information (last 4 digits of card; BTC transaction/wallet data) | Yes | No | No |
12. GDPR Baseline (European Economic Area)
The Service is primarily directed at U.S.-based collision repair businesses. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following provisions apply.
12.1 Data Controller
The data controller for your personal data is:
Atlantic Collision Center, Inc.
[Address to be confirmed], Lowell, MA [ZIP]
Email: support@crashcourseweekly.com
12.2 Data Subject Rights
In addition to the rights described in Section 9, EEA data subjects have the right to:
- Lodge a complaint with a supervisory authority in their member state
- Withdraw consent at any time where processing is based on consent
- Object to automated decision-making — we do not engage in automated decision-making or profiling that produces legal effects concerning you
12.3 International Data Transfers
Your data is processed and stored in the United States. We rely on the following mechanisms to ensure adequate protection of your data:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable
- Our subprocessors' own adequacy mechanisms (see Section 7.1 for links to their privacy policies)
12.4 Data Processing Agreements
We maintain data processing agreements with each of our subprocessors that include appropriate data protection obligations.
12.5 Contact for GDPR Inquiries
Email: support@crashcourseweekly.com
Subject line: "GDPR Inquiry"
We will respond within 30 days as required by the GDPR.
13. Cookies & Session Data
13.1 What Are Cookies
Cookies are small text files placed on your device when you visit a website. They help us recognize your browser, maintain your authenticated session, and understand how you use the Service.
13.2 Cookies We Use
| Cookie Type | Provider | Purpose | Duration | Required? |
|---|---|---|---|---|
| Authentication Session | Supabase | Stores your session token after login to keep you authenticated across pages. Set by Supabase Auth. | Session / up to 7 days (refresh token) | Yes — you cannot log in without this cookie |
| CSRF Protection | Supabase / App | Prevents cross-site request forgery attacks | Session | Yes — security requirement |
| Preference / UI State | App | Remembers your settings and display preferences | Up to 1 year | No |
| Analytics | App / Third-party (if applicable) | Understand usage patterns and improve the Service | Up to 2 years | No |
13.3 Supabase Auth Cookies
The Service uses Supabase for authentication. When you log in, Supabase sets one or more cookies containing your encrypted session token. These cookies are:
- HttpOnly — not accessible by JavaScript, reducing XSS risk
- Secure — transmitted only over HTTPS
- SameSite — limited to same-site requests to reduce CSRF exposure
Your session token is used solely to authenticate you to the Service. It does not contain your password or payment information.
13.4 How to Manage Cookies
You can control cookies through your browser settings:
- Most browsers allow you to block or delete cookies via Settings > Privacy
- Blocking authentication cookies will prevent you from logging in to the Service
- To log out and clear session cookies, use the Sign Out function within the Service
13.5 Do Not Track
Some browsers offer a "Do Not Track" (DNT) signal. There is currently no industry standard for handling DNT signals. We do not currently respond to DNT signals, but we do not engage in cross-site tracking.
14. Security
We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it, including as required by Massachusetts 201 CMR 17.00.
14.1 Technical Measures
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS
- Encryption at Rest: Sensitive data is encrypted at rest within Supabase
- Access Controls: Row-Level Security (RLS) enforced at the database level ensures that subscribers can only access their own data
- Authentication: Passwords are hashed using industry-standard algorithms via Supabase Auth; we never store plaintext passwords
- Payment Security: Credit card data is handled entirely by Stripe (PCI DSS Level 1 certified) — we do not store full card numbers on our servers
- Signed URLs: Audio content is served via expiring signed URLs (6-hour expiry) rather than public links
14.2 Organizational Measures
- Access to personal data is limited to personnel who require it for their job function
- Regular security reviews of our application and infrastructure
- Incident response procedures in place for data breaches
- Third-party service providers reviewed for compliance with data security requirements
14.3 Breach Notification
In the event of a data breach that affects your personal data, we will:
- Notify affected subscribers by email without undue delay
- Notify the Massachusetts Attorney General's Office and Director of Consumer Affairs and Business Regulation as required by M.G.L. c. 93H
- Notify applicable regulatory authorities as required by law (including within 72 hours where required by GDPR)
- Provide information about the breach and steps you can take to protect yourself
14.4 Your Security Responsibilities
You are responsible for:
- Maintaining the confidentiality of your login credentials
- Notifying us immediately if you suspect unauthorized access to your account
- Using a strong, unique password for your CCW account
- Logging out of shared devices after use
15. Children's Privacy
The Service is a business-to-business product designed for collision repair professionals. The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18.
If we learn that we have inadvertently collected personal information from an individual under 18, we will promptly delete that information. If you believe we have collected information from a minor, please contact us at support@crashcourseweekly.com.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
16.1 How We Notify You
- Material Changes: We will notify you by email at the address associated with your account at least 30 days before material changes take effect
- Non-Material Changes: Updated on this page with a revised "Last Updated" date
- We encourage you to review this Privacy Policy periodically
16.2 Effective Date
The "Effective Date" at the top of this policy indicates when this version became effective. The "Last Updated" date indicates the most recent revision.
16.3 Prior Versions
Prior versions of this Privacy Policy are available upon request by contacting support@crashcourseweekly.com.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
CrashCourse Weekly
Atlantic Collision Center, Inc.
[Address to be confirmed], Lowell, MA [ZIP]
Email: support@crashcourseweekly.com
| Request Type | Email | Subject Line |
|---|---|---|
| General Privacy Questions | support@crashcourseweekly.com | "Privacy Inquiry" |
| Privacy Rights Requests (access, deletion, portability) | support@crashcourseweekly.com | "Privacy Rights Request" |
| California CCPA Requests | support@crashcourseweekly.com | "CCPA Request" |
| GDPR / EEA Inquiries | support@crashcourseweekly.com | "GDPR Inquiry" |
| Security Concerns / Breach Reports | support@crashcourseweekly.com | "Security Concern" |
We aim to respond to all inquiries within 30 days.