Last updated: Jun 22, 2026 · 22:10 BST (London time) — Version 1.1
Privacy Policy
This privacy policy applies to all services offered by Lucky North Star LLC (hereinafter “MVN”, “we” or “the Data Controller”) via the marcusvance.com website and any associated application. It describes, in a comprehensive manner, the personal data we collect, the purposes and legal bases of each processing activity, the retention periods, the recipients of your data, transfers outside the European Union, as well as all the rights you have.
1. Identity of the Data Controller
2. Data Protection Officer (DPO)
Marcus Vance Network has designated a Privacy Officer responsible for ensuring compliance with the GDPR (Regulation (EU) 2016/679), CCPA/CPRA, and applicable US federal and state privacy laws. You may contact the Privacy Officer for any question regarding your personal data or to exercise your rights:
Privacy Officer / DPO
E-mail: Privacy form
Mailing address: Lucky North Star LLC, Attn: Privacy Officer, 1309 Coffeen Ave, Sheridan, WY 82801-5777, USA
Guaranteed response time: 30 calendar days from receipt of your request (which may be extended by a further 2 months for complex requests, with notice).
3. Data collected, legal bases and purposes
We apply the principle of data minimization (Art. 5(1)(c) GDPR): only the data strictly necessary for each purpose is collected. The table below details the processing activities, their legal basis and their purpose; the corresponding retention periods are set out in section 4.
| Category | Data | Legal basis | Purpose |
|---|---|---|---|
| Account | E-mail, first name, last name (optional), username, hashed password (bcrypt), security question and hashed answer | Performance of the contract (Art. 6(1)(b)) | Account creation and management, authentication, password recovery (via security question) |
| Session | JWT token, connection date/time, device type, OS | Legitimate interest — security (Art. 6(1)(f)) | Account security, detection of unauthorized access |
| Payment | Stripe identifier (token), last 4 digits of card, subscription status — no full card number stored by MVN | Performance of the contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)) | Payment processing, subscription management, tax compliance |
| Progress | Courses viewed, quiz results, podcast listening time, MVN credits accumulated | Performance of the contract (Art. 6(1)(b)) | Progress tracking, credit calculation, content resume |
| P2P network | nodeId (local pseudonym), aggregated contribution statistics, reliability score, partial IP address (2 octets) | Performance of the contract + Consent for the nodeId (Art. 6(1)(a)/(b)) | P2P routing optimization, load balancing, credit system |
| Communications | In-app messages, device push token (Expo) | Performance of the contract (transactional) / Consent (push, Art. 6(1)(a)) | Transactional notifications delivered in-app and via push only (account, learning, credits, support) — MVN does not send transactional e-mails |
| Identity verification (optional) | Selfie photo, voluntarily submitted to obtain verified “Elite” status (adult members 18+ only) | Consent (Art. 6(1)(a)) | Manual human review to confirm a real person — no automated facial-recognition or biometric processing. The image is retained only for the time needed to complete the verification, then deleted. |
| Security logs | Full IP address, timestamp, action performed, response code | Legitimate interest — security (Art. 6(1)(f)) | Detection and prevention of abuse, forensics in case of incident |
| First-party analytics | Pages visited, session duration, browser type (anonymized, without IP) | Consent (Art. 6(1)(a)) | Service improvement, audience measurement (self-hosted solution) |
Apart from the optional identity-verification selfie described above — reviewed manually by a team member, never by automated facial-recognition or biometric technology, and deleted after the decision — we do not collect any sensitive data within the meaning of Article 9 of the GDPR (health data, political opinions, religious beliefs, biometric data, etc.), any precise geolocation data, nor any content of private communications.
Your data is never used for advertising targeting, commercial profiling, or to train third-party artificial intelligence models.
4. Retention periods
In accordance with the storage limitation principle (Art. 5(1)(e) GDPR), your data is kept only for as long as strictly necessary for the purposes for which it was collected.
| Data type | Active retention period | Archiving / deletion |
|---|---|---|
| Account data (email, name, username) | Lifetime of the active account | Deleted within 30 days following account closure |
| Hashed password (bcrypt) | Lifetime of the active account | Deleted immediately upon account closure |
| JWT session tokens | Session duration (max. 30 days) | Automatic expiration or immediate revocation on logout |
| Payment data (Stripe token) | Lifetime of the account + 10 years | 7 years per US tax record-keeping requirements (IRS guidelines) |
| Progress data (courses, quizzes, podcasts) | Lifetime of the active account | Deleted within 30 days following closure |
| Aggregated and anonymized P2P statistics | 36 months | Automatically deleted after 36 months (non-re-identifiable data) |
| Security logs (IP address, actions) | 12 months | Automatically deleted after 12 months, unless legal proceedings are ongoing |
| Anonymized analytics data | 13 months | Auto-deleted after 13 months (industry best practice) |
| Consents (cookies, marketing) | 5 years | Retained as proof of compliance, then deleted |
If your account is inactive for 24 consecutive months, you will receive an in-app and push notification. If you do not respond within 30 days, your account will be archived and then deleted in accordance with the periods set out above.
5. Sharing with third parties and processors
We never sell your personal data to third parties, and we do not rent or trade it for commercial purposes. Your data may be shared only in the following cases, with strict contractual safeguards:
Hostinger International Ltd. — Database & application hosting
Role: Processor (Art. 28 GDPR). Hosts the backend API and the relational database (user accounts, progress, MVN credits).
Server location: Germany (Frankfurt), European Union. Company headquarters: Lithuania (European Union).
Safeguards: signed DPA (Data Processing Agreement), ISO/IEC 27001 certified. Privacy policy: hostinger.com/privacy-policy
Stripe Inc. — Payment processing
Role: Independent data controller for the payment part; MVN processor for subscription management. Stripe receives payment data directly from your browser — MVN stores no card number.
Location: United States — transfer governed by the European Commission's Standard Contractual Clauses (SCCs).
Safeguards: PCI-DSS Level 1 certified, DPA signed with MVN. Privacy policy: stripe.com/privacy
Vercel Inc. — Web hosting
Role: Processor. Hosts the Next.js web interface (marcusvance.com). Vercel may temporarily process IP addresses in its content delivery network (CDN) logs.
Headquarters: 340 Pine Street Suite 701, San Francisco, CA 94104, United States. Transfer governed by SCCs.
Safeguards: signed DPA, SOC 2 Type II. Privacy policy: vercel.com/legal/privacy-policy
Expo (650 Industries, Inc.) — Push notification delivery
Role: Processor. Relays in-app/transactional notifications to your device via the Expo Push Service and the underlying platform gateways (Apple APNs, Google FCM). Receives only your device push token and the notification content — no account credentials. MVN does not send transactional e-mails; notifications are delivered in-app and via push.
Location: United States — transfer governed by SCCs. You can disable push notifications at any time from your device or in-app settings.
Privacy policy: expo.dev/privacy
Competent authorities — Legal obligation
Your data may be disclosed to competent judicial or administrative authorities when required by a legal provision, a court decision or an order from a regulatory authority. We undertake to inform you to the extent that applicable law does not prohibit us from doing so.
6. Data transfers outside the European Union
Some of our processors are established in the United States (Vercel, Stripe, Expo). These transfers to third countries that do not have an adequacy decision from the European Commission are governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021 (Implementing Decision (EU) 2021/914), in accordance with Article 46(2)(c) of the GDPR.
The backend API and main database (Hostinger) are hosted in Germany (Frankfurt), within the European Union — that data does not leave the EU, so no third-country transfer is involved for it. This limits transatlantic transfers to only the technical metadata strictly necessary for the operation of the Vercel and Stripe services.
You may obtain a copy of the applicable SCCs by contacting us at Privacy form.
7. Your rights (GDPR — Regulation (EU) 2016/679)
If you reside in the European Economic Area (EEA), the United Kingdom or Switzerland, you have the following rights over your personal data. All requests must be addressed to Privacy form with an identity document allowing us to verify your identity. Guaranteed response time: 30 calendar days.
Right of access (Art. 15 GDPR)
Obtain confirmation that your data is being processed and receive a complete copy of it in a readable format, together with information on the purposes, categories, recipients and retention periods.
Right to rectification (Art. 16 GDPR)
Have inaccurate data concerning you corrected without undue delay, and have incomplete data completed.
Right to erasure — “right to be forgotten” (Art. 17 GDPR)
Request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw your consent, or when you object. This right does not apply where processing is necessary to comply with a legal obligation (e.g., accounting data to be kept for 10 years).
Right to data portability (Art. 20 GDPR)
Receive your data in a structured, commonly used and machine-readable format (JSON or CSV), and transmit it to another data controller. This right applies to data provided on the basis of consent or a contract.
Right to object (Art. 21 GDPR)
Object at any time to the processing of your data based on legitimate interest (in particular for personalization and analytics). You can disable push and in-app notifications at any time from your in-app notification settings.
Right to restriction of processing (Art. 18 GDPR)
Request the temporary suspension of the processing of your data — for example while its accuracy or the lawfulness of the processing is being verified. During the restriction period, we retain your data without using it.
Right to withdraw consent (Art. 7(3) GDPR)
Withdraw at any time a consent previously given (optional cookies, newsletter) without affecting the lawfulness of processing carried out before that withdrawal. You can withdraw your consent to cookies via the consent banner or from your profile.
Right to define post-mortem instructions
Define instructions regarding the storage, deletion, and communication of your personal data after your death.
8. Supervisory Authorities
If you believe that the processing of your personal data does not comply with applicable regulations, you have the right to lodge a complaint with the competent supervisory authority:
US — Federal Trade Commission (FTC)
For US residents with privacy or consumer protection complaints.
Website: www.ftc.gov
EU residents — Local Data Protection Authority
EU/EEA residents may lodge a complaint with the supervisory authority in their country of residence (e.g., CNIL for France, BfDI for Germany, ICO for the UK).
EU DPA list: edpb.europa.eu
We invite you, before filing any complaint, to contact us at Privacy form so we can address your request promptly.
9. Cookies and trackers
MVN uses cookies and similar technologies. For comprehensive information on the cookies placed, their purposes and how to manage them, see our cookie policy. You can change your preferences at any time via the consent banner accessible at the bottom of each page.
10. Data security
We implement the following technical and organizational measures, in accordance with Article 32 of the GDPR:
- Encryption in transit: TLS 1.2 minimum on all communications between your browser and our servers.
- Encryption at rest: database storage encrypted by our hosting provider (Hostinger) on its German (Frankfurt, EU) infrastructure.
- Password hashing: bcrypt with an adaptive work factor (cost factor ≥ 12).
- JWT tokens: limited lifetime, automatic rotation, immediate revocation possible.
- Restricted access: principle of least privilege — only employees who need to access the data have access to it.
- Security audits: regular security reviews of the code and infrastructure configurations.
- CSRF protection: anti-CSRF token on all state-changing requests.
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we undertake to notify you within 72 hours of becoming aware of the incident, in accordance with Article 34 of the GDPR.
11. Protection of minors
The Marcus Vance Network Service is intended for an adult audience and for persons who have reached the applicable digital age of majority in their country of residence:
- European Union: minimum age 16 years for consent to data processing (Art. 8 GDPR — some Member States have adopted 13, 14 or 15 years; MVN applies the most protective limit, namely 16 years).
- United States (COPPA): minimum age 13 years. No service is intended for children under 13 years. If we discover that a child under 13 has created an account, we proceed with the immediate deletion of the data.
- Other countries: the user declares that they have reached the legal age to consent to digital services in their country of residence. If in doubt, the minimum age of 16 years applies.
To report an account belonging to a minor: Legal form
12. Specific rights for California residents (CCPA / CPRA)
If you reside in California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights:
Right to know
Know the categories and specific pieces of personal data collected about you, the categories of sources, the business purposes and the categories of third parties with whom it is shared.
Right to deletion
Request the deletion of your personal data, subject to legal exceptions (retention obligations, security, exercise of legal rights).
Do Not Sell or Share My Personal Information
MVN does not sell or share your personal data with third parties for cross-context behavioral advertising purposes. The categories of personal data collected by MVN are: identifiers (e-mail, username), account data, browsing data on MVN, purchase data (via Stripe). None of these categories is sold.
Right to non-discrimination
You will not suffer any discrimination for having exercised your CCPA rights. MVN will not deny services, will not charge different prices, and will not change the quality of the service in response to the exercise of your rights.
Right to correction
Have inaccurate personal data concerning you corrected.
Right to limit the use of sensitive data
MVN does not collect any sensitive data within the meaning of the CPRA (social security numbers, full financial data, health data, biometric data, precise geolocation, private communications, information about race/origin, religion, sexual orientation).
To exercise your CCPA rights, contact us at Legal form or at Privacy form. Response time: 45 days (extendable by a further 45 days with notice). You may also submit a verifiable request on behalf of an authorized third party.
MVN has processed fewer than 100,000 California consumers over the past 12 months and has generated no revenue from the sale of personal data.
13. Changes to this policy
This policy may be updated to reflect legal, regulatory or operational developments. The date of the last revision appears at the top of this page. In the event of a material change affecting your rights or the nature of the processing, we will inform you by in-app and push notification at least 30 days before the changes take effect.
Continued use of the Service after the effective date of the changes constitutes acceptance of the updated policy. If you do not accept the changes, you have the right to close your account and request the deletion of your data.
14. Contacts
Privacy Officer / DPO
To exercise your GDPR rights, or for any question regarding personal data.
Legal Department
CCPA requests, intellectual property, legal obligations, third-party rights.