Privacy Policy
Last updated: April 19, 2026
Xpresso Learning ("we", "our", "us") operates the learning management platform at learn.xpressolearning.com (the "Service"). This Privacy Policy explains what we collect when you use the Service, how we use it, and how to contact us with questions or requests. We comply with Canadian federal privacy law (PIPEDA) and applicable provincial privacy laws.
1. Who we are
Xpresso Learning is a Canadian business operated from 330 Burnhamthorpe Rd W, Mississauga, ON, Canada. For privacy questions or access requests, email mik@xpressolearning.com.
2. Information we collect
Account information
When you or your employer creates your account: first name, last name, email address, optional phone number, optional position/job title, password (stored as a one-way bcrypt hash — never in plain text), and, if you sign in via Google or Microsoft SSO, the provider's account identifier.
Organization context
Which organization you belong to, your role within it (learner, org admin, platform admin), and your active/inactive status.
Learning data
Course enrollments, progress (lesson completions, quiz attempts, scores), completion dates, issued certificates, event registrations, attendance records, and post-event survey responses.
Billing data
Your organization's subscription tier, billing interval, seat usage, and Stripe customer and subscription identifiers. We never see or store your credit card number — payment details are handled directly by Stripe, our payment processor.
Technical data
Session cookies (a single xl_session cookie, HttpOnly, 7-day expiry), IP address and browser user-agent at sign-in for security and rate limiting, server logs of API requests, and the timestamp of your last login.
3. How we use your information
- Provide the learning service — enrollments, progress tracking, certificates, events, reports
- Send transactional emails — welcome, verification, password reset, course and event reminders, trial expiry, billing notifications
- Process subscription payments via Stripe and bill seat overages where applicable
- Authenticate sign-ins and protect against abuse (rate limiting, session expiry)
- Provide learning analytics and reporting to your organization's admins
- Comply with legal, tax, and audit obligations
We do not use your data for advertising. We do not sell your data.
4. Who we share data with
We share the minimum data necessary with third-party service providers to operate the platform. All are bound by contractual confidentiality and security obligations.
- Stripe — payment processing (stripe.com)
- Supabase — database and file storage hosting
- Vercel — web application hosting
- Cloudflare Stream — video hosting for course content
- Resend — transactional email delivery
- Upstash — Redis for rate limiting
- Google / Microsoft — only if you choose to sign in via their SSO
Your organization's admins can see your learning data within the organization (progress, completions, certificates). If you are a platform admin at Xpresso Learning, we may see your account data in the course of providing support.
We may disclose data if legally required (court order, subpoena, government request).
5. Data retention
- Active accounts: retained while your subscription is active.
- Cancelled subscriptions: data retained for 90 days after cancellation in case you resubscribe, then learner records are anonymized or deleted.
- Deleted user accounts: hard-deleted within 30 days of your deletion request; residual copies in rolling backups are purged within a further 90 days.
- Audit and billing records: retained for 7 years as required by Canadian tax and corporate law.
6. Your rights under PIPEDA
- Access — request a copy of the personal information we hold about you
- Correction — ask us to correct inaccurate or incomplete information
- Deletion — ask us to delete your account and associated personal data
- Portability — export your learning data in CSV format
- Withdraw consent — opt out of non-essential processing at any time
- Complaint — lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca)
To exercise any of these rights, email mik@xpressolearning.com. We will respond within 30 days.
7. Security
- All traffic to the Service is encrypted with TLS 1.2+
- Passwords are hashed with bcrypt (never stored in plain text)
- Session cookies are HttpOnly and SameSite-restricted
- Database rows are isolated per organization via row-level security on Supabase
- Login attempts are rate-limited per IP
- Our third-party providers maintain SOC 2 Type II certification (Vercel, Supabase, Stripe)
No security system is perfect. If you suspect a breach, email us immediately.
8. Cookies
We use a single first-party session cookie (xl_session) to keep you signed in. We do not use third-party advertising or tracking cookies.
9. International data transfers
Our primary database and file storage are hosted in Canada. Our payment processor (Stripe) and some infrastructure providers process data globally, subject to adequate contractual safeguards including the EU Standard Contractual Clauses and compliance with their respective privacy frameworks.
10. Children
The Service is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to account holders. The "Last updated" date at the top of this page reflects the current version.
12. Contact
Xpresso Learning
330 Burnhamthorpe Rd W
Mississauga, ON, Canada
mik@xpressolearning.com
