privacy policy
Last updated: February 2026
Latent Patterns is operated from Australia. We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy describes what personal information we collect, why we collect it, and how we handle it.
1. information we collect
We collect only what is necessary to provide the service:
- Email address — provided when you sign in via magic link or OAuth. Used for authentication and account communications.
- OAuth profile data — when you sign in with LinkedIn or another OAuth provider, we receive your email address and locale from the provider. We derive a country code from the locale. We do not access your connections, posts, or other social data.
- Discord identity — if you choose to link your Discord account, we store your Discord user ID and username. If you have set a display name in your profile, it is synced as your server nickname in our Discord community unless you opt out. Your opt-out preference is stored on your account.
- GitHub identity — if you choose to link your GitHub account, we store your GitHub user ID and username. If your profile does not yet have a display name, your GitHub name is used as your display name.
- Discord community messages — if you post messages in our Discord community, we sync and store your messages for community health monitoring and support. Stored data includes your Discord user ID, username, message content, channel name, timestamps, and metadata (whether the message has attachments, embeds, or is a reply). Messages in private or moderator-only channels are not synced.
- Professional profile data — on your first login, we look up your email address via People Data Labs to retrieve publicly available professional information: job title, employer, industry, company size, inferred salary range, and location. This data helps us understand our audience and improve our content. It is re-checked every 90 days.
- Payment information — processed entirely by Airwallex. We store an Airwallex customer ID and subscription status. We never see or store your card number.
- Course progress — which lessons you have marked as completed, stored against your account.
- Survey responses — if you complete a survey, your answers are stored against your respondent record. Anonymous respondents are tracked via a cookie-based identifier.
- Support tickets — if you submit a support request, we store the ticket subject, messages, and status against your account.
- Exit ticket responses — if you complete a learning assessment (exit ticket), your answers and any AI-generated grading feedback are stored against your account.
- Live interaction data — if you participate in a live session (polls, Q&A, quizzes), your responses are stored against your participant record. Anonymous participants are tracked via a cookie-based identifier.
- Terminal session data — if you use an interactive terminal, we record session metadata (embed identifier, duration, status) and LLM token usage for budget enforcement. Code you run in the terminal is processed by third-party AI providers (see section 3) but is not stored by us beyond the session lifecycle.
- Display name — optionally provided when claiming a certification. Displayed on your certificate and the public verification page.
- Personal email — optionally provided for certification portability. Verified via magic link. Used to associate certifications with your identity across accounts. Displayed on the public verification page only if you explicitly opt in.
- Certification records — when you claim a proficiency certification, we store the certification identifier, course completed, issue date, expiration date, your display name (if provided), and your personal email (if provided). Certification status is publicly verifiable by anyone with your certification ID — no account is required to verify.
- Email preferences — your per-category email opt-in/opt-out choices (newsletter, product updates, course activity, marketing).
- Referral and campaign data — when you first visit our site, we record the URL you came from (referrer) and any UTM campaign parameters (source, medium, campaign, content, term) present in the link. This helps us understand which channels bring visitors to our site. This data is stored on your user record if you later create an account.
- Cookies — see section 7 below for a full list of cookies we use. None contain personal information and none are shared with third parties.
2. how we use your information
- To authenticate you and maintain your session
- To manage your subscription and process payments via Airwallex
- To track your learning progress across courses
- To grade learning assessments and provide AI-powered feedback
- To provide interactive terminal sessions and enforce usage budgets
- To facilitate live interactive sessions (polls, Q&A, quizzes)
- To manage your support requests and respond to inquiries
- To understand our audience and improve course content (professional profile data)
- To understand how visitors find our site (referral and UTM campaign data)
- To collect feedback and improve our offerings (survey responses)
- To send you transactional emails (login links, newsletter if subscribed)
- To link your Discord identity and manage your community roles and server nickname
- To link your GitHub identity and populate your display name
- To monitor community health and support users (Discord community messages)
- To issue and verify proficiency certifications
- To display certification status on the public verification page (certification ID, course name, display name, and email only when you opt in)
- To respect your email communication preferences
3. disclosure to third parties
We share personal information only with:
- PlanetScale — for database hosting. All application data is stored in PlanetScale-hosted PostgreSQL. See PlanetScale's privacy policy.
- Airwallex — for payment processing. Airwallex acts as an independent data controller for payment data. See Airwallex's privacy policy.
- Resend — for delivering magic link and transactional emails. The provider receives your email address and the email content.
- People Data Labs — for profile enrichment. We send your email address to People Data Labs to look up publicly available professional information. No other personal data is shared with them.
- Daytona — for sandbox container infrastructure powering interactive terminal sessions. Receives sandbox configuration (Docker image, environment setup). No personal data is sent beyond the session identifier. See Daytona's privacy policy.
- Anthropic — for AI-powered coding assistance in terminal sessions. Receives code context and chat messages during terminal sessions. Enterprise users may supply their own API keys. See Anthropic's privacy policy.
- Cloudflare Workers AI — for on-edge AI inference used in learning assessment grading. Assessment answers are processed within Cloudflare's network using Meta Llama models and are not sent to external services.
- Discord — if you link your Discord account, we interact with Discord's API to verify your identity, assign community roles (subscriber, verified, region), and optionally set your server nickname to your profile display name. Discord receives your user ID and, unless you opt out, your display name. We also use a Discord bot to read messages from public community channels for community health monitoring — Discord makes this data available to server administrators via its API. See Discord's privacy policy.
- Honeycomb — for application observability and reliability monitoring. Receives operational telemetry including pseudonymized email addresses and IP addresses. Pseudonyms are one-way HMAC-SHA256 transformations that cannot be reversed without our server-side key. Honeycomb does not receive raw email addresses, raw IP addresses, user content, or payment information. See Honeycomb's privacy policy.
We do not sell your personal information. We do not use third-party analytics vendors, advertising trackers, or social media pixels. We do operate a first-party event and pageview measurement system for product and reliability analysis.
4. data storage and security
- Your data is stored in PlanetScale PostgreSQL, accessed via Cloudflare Hyperdrive connection pooling. The database is not directly exposed to the internet.
- Sessions use cryptographically random identifiers.
- Magic link tokens expire after 15 minutes and can only be used once.
- All connections are served over HTTPS.
- Enterprise API keys (BYOK) are encrypted at rest using AES-256-GCM.
- Database backups are managed by PlanetScale with automatic point-in-time recovery.
5. data retention
- Account data is retained for as long as your account exists.
- Session records expire after 30 days.
- Used magic link tokens are retained for audit purposes and periodically purged.
- First-party tracking datapoints (pageviews/events and journey transitions) are retained for up to 90 days and then removed.
- Professional profile data is refreshed every 90 days and removed when your account is deleted.
- Support ticket data is retained for as long as your account exists. Stale tickets in waiting_on_customer status are auto-resolved after 30 days.
- Terminal session metadata is retained for operational monitoring and cost attribution. Session content (terminal I/O) is not persisted after the session ends.
- Live interaction data (poll votes, Q&A, quiz answers) is retained for the lifetime of the session.
- Discord community messages are retained for as long as the community exists. If you delete a message in Discord, it is not automatically removed from our database. If you delete your account, messages you posted remain stored but are not linked to your Latent Patterns account.
- Exit ticket responses and AI feedback are retained for as long as your account exists.
- Enterprise BYOK API keys can be revoked by enterprise administrators; revoked keys remain encrypted in storage for audit purposes until the enterprise plan is deleted.
- Certification records are retained for as long as your account exists. Revoked certifications are retained with their revocation reason for audit purposes.
- If you delete your account, all associated data (progress, sessions, subscription records, professional profile data, support tickets, survey responses, certifications) is permanently removed. Certifications associated via personal email remain on their original accounts.
6. your rights
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you
- Correct any information that is inaccurate or out of date
- Request deletion of your account and all associated data
- Complain to the Office of the Australian Information Commissioner if you believe we have breached the APPs
To exercise any of these rights, email privacy@latentpatterns.com.
7. cookies
We use the following cookies, all of which are first-party, httpOnly, and Secure:
- session — user authentication. SameSite=Lax. Expires after 30 days.
- admin_session — admin authentication (admin users only). SameSite=Strict. Expires after 4 hours.
- utm — stores UTM campaign parameters from your first visit. SameSite=Lax. Expires after 30 days.
- ref — stores the external URL you arrived from. SameSite=Lax. Expires after 30 days.
- lp_anon — first-party anonymous journey identifier used to associate pre-login activity with your account after authentication. SameSite=Lax. Expires after 1 year, rotated every 90 days.
- lp_journey — first-party journey state (journey id + step counters) used for transition analysis. SameSite=Lax. Expires after 1 year.
- sitewide_notification_dismissed_key — remembers the last sitewide notification message you dismissed so it is not shown again unless a new message is published. SameSite=Lax. Expires after 365 days.
- survey_anon_* — identifies anonymous survey respondents to prevent duplicate submissions. SameSite=Lax. Expires after 30 days.
- return_to — preserves your destination during login. SameSite=Lax. Expires after 10 minutes. Deleted after use.
- provider_oauth_state — CSRF protection during OAuth sign-in. SameSite=Lax. Expires after 10 minutes. Deleted after use.
- discord_link_state — CSRF protection during Discord account linking. SameSite=Lax. Expires after 10 minutes. Deleted after use.
- github_link_state — CSRF protection during GitHub account linking. SameSite=Lax. Expires after 10 minutes. Deleted after use.
- live_anon_<sessionId> — identifies anonymous live interaction participants within a session. SameSite=Lax. Session-scoped.
We do not use third-party cookies or advertising cookies. We do use first-party tracking cookies (lp_anon, lp_journey) for product measurement and journey continuity.
We do not currently honor browser Do Not Track (DNT) or Global Privacy Control (GPC) signals.
8. changes to this policy
We may update this policy from time to time. Material changes will be noted at the top of this page with an updated date. Continued use of the service after changes constitutes acceptance.
9. contact
For privacy inquiries: privacy@latentpatterns.com