Privacy Policy
Effective July 6, 2026
This policy explains what personal information Jason R Media LLC (“we,” “us”) collects when you use Course in a Box and AuthBox, why we collect it, and what your choices are. It applies to getcourseinabox.com, auth.courseinabox.app, the Course in a Box dashboard, and the hosted AuthBox service.
The short version: we collect the minimum needed to run the product — email addresses, names, and purchase status. We run no analytics, no advertising trackers, and no third-party tracking cookies, and we never sell or share personal information for advertising.
1. Two roles: our customers, and their members
Course in a Box is used by course creators (“course owners”) to run their own membership sites. That means personal information reaches us in two distinct ways:
- Data we control. When you buy Course in a Box or subscribe to AuthBox, we are the “data controller” of your account information. Sections 2–3 describe this.
- Data we process for course owners. When a member signs in to a course owner's site through hosted AuthBox, we store that member's information on the course owner's behalf. The course owner is the controller of their members' data; we are their “processor.” Section 4 describes this.
2. Information we collect from account holders
When you sign in to the dashboard
- Your email address — used as your account identifier and to deliver one-time sign-in codes. We do not use passwords.
- Purchase and subscription status — retrieved from our payment provider, Lemon Squeezy, to confirm your Course in a Box purchase or AuthBox subscription.
- Dashboard preferences — display settings tied to your account.
When you contact support
- Your name, email address, and the contents of your message. Tickets are delivered to our support inbox and a copy is retained in our storage so we don't lose your request.
When you configure AuthBox projects
- Your course site's details — site origin, project name, and the payment-provider credentials (Lemon Squeezy API key and webhook secret, or Stripe equivalents) you supply so we can verify your members' purchases. These are stored server-side only and used solely for that verification.
3. What we deliberately do not collect
- No payment card data. All checkout is handled by Lemon Squeezy as merchant of record. Card numbers never touch our systems.
- No analytics or behavioral tracking. We do not use Google Analytics, advertising pixels, session recording, or any similar tools.
- No sign-in codes in readable form. One-time codes are stored only as salted cryptographic hashes and expire within minutes.
4. Member data we process for course owners
When a student signs in to a course that uses hosted AuthBox, we store, on that course owner's behalf:
- The member's email address and, where provided, name;
- Their entitlement status — whether a qualifying purchase exists in the course owner's payment account (including order, subscription, and product identifiers reported by Lemon Squeezy or Stripe);
- Sign-in timestamps.
Each course's member data is isolated per project and is visible only to that course's owner. We use it exclusively to provide sign-in and access control for that course — never for our own marketing, and never across courses.
5. Cookies and local storage
We use exactly one cookie: cm_session, set when you sign in to the dashboard. It is a first-party, strictly-necessary session cookie (HttpOnly, expires after 30 days) whose only job is keeping you signed in. Because it is essential to the service and used for nothing else, no consent banner is required for it under EU ePrivacy rules.
On course owners' sites, hosted AuthBox keeps the member's session token in the browser's localStorage rather than a cookie. It identifies the member to our service and nothing else. We set no advertising or analytics cookies anywhere, and no third party sets cookies through us.
6. Service providers
We rely on a small set of infrastructure providers, each of which processes data only as needed to provide their service to us:
| Provider | Role | Data involved |
|---|---|---|
| Cloudflare | Hosting, database, and file storage for the entire service | All data described in this policy, stored and processed on Cloudflare's network |
| Resend | Transactional email delivery | Recipient email addresses and the contents of sign-in and support emails |
| Lemon Squeezy | Payments (merchant of record) and purchase verification | Purchase, order, and subscription records; buyer emails |
| Stripe | Purchase verification, only for course owners who connect their own Stripe account | That course's purchase records and buyer emails |
Each provider publishes its own privacy policy. We do not share personal information with anyone else except as required by law.
7. Data retention
- Account, project, member, and entitlement records are kept for as long as the related account or project is active. If an AuthBox subscription lapses, the service pauses but nothing is deleted — everything is restored if you resubscribe. You may request deletion at any time (Section 10).
- One-time sign-in codes expire and become unusable within minutes of being issued.
- Support tickets are retained so we can reference the history of an issue, and are deleted on request.
8. Security
All traffic is encrypted in transit (HTTPS/TLS). Session tokens are cryptographically signed; sign-in codes are stored only as salted hashes; payment-provider webhooks are verified by signature before being trusted; and provider credentials you supply are held server-side, never exposed to browsers. No system is perfectly secure, but the service was designed to fail closed — when in doubt, it denies access rather than granting it.
9. International transfers
We are a United States company, and data is processed in the United States and on Cloudflare's global network. If you use the service from the EU, UK, or elsewhere, you understand your information is processed as described in this policy.
10. Your rights and choices
Depending on where you live (for example, under the EU/UK GDPR or California law), you may have the right to access, correct, export, or delete your personal information, and to object to or restrict certain processing. We honor these requests for everyone, regardless of jurisdiction:
- Email jasonr.audio@gmail.com from the address associated with your account, describing what you'd like — a copy of your data, a correction, or deletion.
- We will respond within 30 days. Deletion is permanent and includes our service providers' copies where applicable.
- We do not sell or share personal information as those terms are defined in the California Consumer Privacy Act, so there is nothing to opt out of.
11. Children
The service is not directed to children under 13 (or the higher age some jurisdictions require), and we do not knowingly collect their information. If you believe a child has provided us personal information, contact us and we will delete it.
12. Changes to this policy
If we change this policy, we will update the effective date above; material changes will be noted on this page or communicated to account holders by email. Continued use of the service after a change means you accept the updated policy.
13. Contact
Jason R Media LLC
Email: jasonr.audio@gmail.com