Legal

Privacy Policy

Effective July 6, 2026

This policy explains what personal information Jason R Media LLC (“we,” “us”) collects when you use Course in a Box and AuthBox, why we collect it, and what your choices are. It applies to getcourseinabox.com, auth.courseinabox.app, the Course in a Box dashboard, and the hosted AuthBox service.

The short version: we collect the minimum needed to run the product — email addresses, names, and purchase status. We run no analytics, no advertising trackers, and no third-party tracking cookies, and we never sell or share personal information for advertising.

1. Two roles: our customers, and their members

Course in a Box is used by course creators (“course owners”) to run their own membership sites. That means personal information reaches us in two distinct ways:

2. Information we collect from account holders

When you sign in to the dashboard

When you contact support

When you configure AuthBox projects

3. What we deliberately do not collect

4. Member data we process for course owners

When a student signs in to a course that uses hosted AuthBox, we store, on that course owner's behalf:

Each course's member data is isolated per project and is visible only to that course's owner. We use it exclusively to provide sign-in and access control for that course — never for our own marketing, and never across courses.

If you are a member of someone's course: the course owner is responsible for your data under privacy law. Direct access or deletion requests to them — though you can also email us (Section 10) and we will help route the request.

5. Cookies and local storage

We use exactly one cookie: cm_session, set when you sign in to the dashboard. It is a first-party, strictly-necessary session cookie (HttpOnly, expires after 30 days) whose only job is keeping you signed in. Because it is essential to the service and used for nothing else, no consent banner is required for it under EU ePrivacy rules.

On course owners' sites, hosted AuthBox keeps the member's session token in the browser's localStorage rather than a cookie. It identifies the member to our service and nothing else. We set no advertising or analytics cookies anywhere, and no third party sets cookies through us.

6. Service providers

We rely on a small set of infrastructure providers, each of which processes data only as needed to provide their service to us:

ProviderRoleData involved
CloudflareHosting, database, and file storage for the entire serviceAll data described in this policy, stored and processed on Cloudflare's network
ResendTransactional email deliveryRecipient email addresses and the contents of sign-in and support emails
Lemon SqueezyPayments (merchant of record) and purchase verificationPurchase, order, and subscription records; buyer emails
StripePurchase verification, only for course owners who connect their own Stripe accountThat course's purchase records and buyer emails

Each provider publishes its own privacy policy. We do not share personal information with anyone else except as required by law.

7. Data retention

8. Security

All traffic is encrypted in transit (HTTPS/TLS). Session tokens are cryptographically signed; sign-in codes are stored only as salted hashes; payment-provider webhooks are verified by signature before being trusted; and provider credentials you supply are held server-side, never exposed to browsers. No system is perfectly secure, but the service was designed to fail closed — when in doubt, it denies access rather than granting it.

9. International transfers

We are a United States company, and data is processed in the United States and on Cloudflare's global network. If you use the service from the EU, UK, or elsewhere, you understand your information is processed as described in this policy.

10. Your rights and choices

Depending on where you live (for example, under the EU/UK GDPR or California law), you may have the right to access, correct, export, or delete your personal information, and to object to or restrict certain processing. We honor these requests for everyone, regardless of jurisdiction:

11. Children

The service is not directed to children under 13 (or the higher age some jurisdictions require), and we do not knowingly collect their information. If you believe a child has provided us personal information, contact us and we will delete it.

12. Changes to this policy

If we change this policy, we will update the effective date above; material changes will be noted on this page or communicated to account holders by email. Continued use of the service after a change means you accept the updated policy.

13. Contact

Jason R Media LLC
Email: jasonr.audio@gmail.com