Skip to main content
M irai .
EN
  • RU
Sign in / Sign up
Dashboard

Legal

Privacy Policy

Version: 1.0 · Last updated: July 1, 2026

1. Who we are

MoiraiOnline (“MoiraiOnline”, “we”, “us”) is an online filmmaking education business operated as a sole proprietorship, based in New York, USA. We operate the website moiraionline.pro and provide online filmmaking courses and cohort-based programmes.

Data controller: MoiraiOnline
Contact: moiraionlinepro@gmail.com

2. What data we collect

2.1 Data you provide directly

  • At registration: email address, password (stored as a one-way hash — we never store the plaintext), display name, language preference (en/ru)
  • At OAuth sign-in (Google/Discord): your provider account email and provider user ID — used to identify you on return; we do not retain your Google or Discord access or refresh tokens after initial verification
  • In profile/account settings: name updates, language changes, password changes
  • At enrollment: programme purchased; we do not process or store your payment card — this is handled entirely by Stripe
  • In homework submissions: text, scripts, videos, images you upload
  • In communications: email correspondence with our team

2.2 Data generated through your use of the service

  • Authentication sessions: a random session identifier (HttpOnly cookie), the SHA-256 hash of the refresh secret, expiry timestamp, user-agent string, and a hashed IP address (we never store your plaintext IP)
  • Account roles: which roles you hold (student, instructor, admin) and when each was granted
  • Course progress: module completion, homework submissions, instructor feedback, last-seen timestamps
  • Audit log: security-relevant events (login success/failure, password reset, role changes) with timestamp, hashed IP, user-agent — retained for fraud and abuse investigation

2.3 Short-lived technical data

Stored only for the duration of a flow (10 minutes to 1 hour):

  • OAuth PKCE state and verifier
  • Email verification and password-reset tokens
  • Rate-limit counters (per IP / per email, for anti-abuse)

2.4 Data we do not collect

  • Plaintext passwords — we store only a PBKDF2-SHA256 hash with a unique random salt
  • Plaintext IP addresses — we store only a SHA-256 hash with a server-side salt
  • Payment card data — Stripe handles this end-to-end; we receive only a transaction reference
  • Google or Discord OAuth tokens — used once during sign-in and discarded
  • Analytics tracking data — no Google Analytics, no Mixpanel, no marketing pixels
  • Retargeting or third-party advertising data
  • Special-category data (race, religion, health, political opinions, sexual orientation, biometric or genetic data)
  • Personal data of users under 16 (see §9)

2.5 Data we do not buy or receive from third parties

We do not purchase data from brokers, ad networks, or marketing lists. All data originates from your direct interaction with our service.

3. Legal basis for processing (GDPR Art. 6)

PurposeLegal basis
Delivering the course you purchased, managing your accountContract performance (Art. 6(1)(b))
Security, fraud prevention, audit loggingLegitimate interest (Art. 6(1)(f))
Transactional emails (enrollment confirmation, homework feedback)Contract performance (Art. 6(1)(b))
Marketing emailsConsent (Art. 6(1)(a)) — opt-in only
Compliance with legal obligationsLegal obligation (Art. 6(1)(c))

4. Cookies and similar technologies

See our Cookie Policy for the full list of cookies, their purpose, and how to manage them.

5. Data sharing

We share data only with the following service providers, strictly for the purposes described:

ProviderPurpose
CloudflareHosting, edge caching, security (Pages, Workers, D1)
StripePayment processing
ResendTransactional email delivery
Google / DiscordOnly if you sign in via OAuth
Cloudflare TurnstileAnti-bot verification on auth forms

We do not sell, rent, or share your data with advertisers or data brokers.

6. Data retention

Data typeRetention
Active account dataUntil you delete your account
Inactive accountsAnonymized after 24 months of no activity
Audit logs12 months
Email delivery logs6 months
Short-lived technical data (OAuth state, reset tokens)10 minutes to 1 hour

When you delete your account, we delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate fraud/abuse investigation.

7. Your rights

Depending on your location, you may have the following rights:

GDPR (EU/EEA residents):

  • Access your personal data
  • Correct inaccurate data
  • Request deletion (“right to be forgotten”)
  • Restrict processing
  • Data portability (machine-readable export)
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your national data protection authority

CCPA (California residents):

  • Know what personal information we collect
  • Know whether we sell or disclose personal information (we do not)
  • Opt out of sale (not applicable — we do not sell personal information)
  • Non-discrimination for exercising your rights
  • Request deletion of personal information

To exercise any of these rights, email moiraionlinepro@gmail.com. We respond within 30 days.

8. International data transfers

Data is processed on Cloudflare’s global edge network, Stripe’s infrastructure, and Resend’s email infrastructure. All three maintain Standard Contractual Clauses (SCCs) for transfers of EU personal data outside the EEA.

9. Children and minors

The service is available to users aged 16 and older. Users aged 16–17 must have verifiable parental or guardian consent before creating an account or enrolling. We do not knowingly collect personal data from users under 16. If we become aware that personal data has been collected from a user under 16 without consent, we will delete it promptly.

10. Changes to this policy

We will notify registered users by email at least 30 days before any material changes take effect. The current version and effective date are shown at the top of this page.

11. Complaints

  • EU/EEA residents: you may lodge a complaint with your national data protection authority.
  • UK residents: you may contact the Information Commissioner’s Office (ICO) at ico.org.uk.
  • California residents: you may contact the California Privacy Protection Agency (CPPA).
MoiraiOnline.
BeginnerIntermediateWorksJournalFAQContact
© 2026 MoiraiOnline · Privacy · Terms · Refund · Cookies