Privacy Policy
Last updated: 29 April 2026
This policy explains how SF Education Group Limited ("we", "us") collects, uses and protects your personal data when you use Black Girl Maxxing. We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) and the UK Data Protection Act 2018.
1. Data controller
SF Education Group Limited is the data controller for personal data processed via the Service. You can contact us at info@solidfoundations.co.uk.
2. What we collect
- Account data: name, email address, password (hashed), profile preferences.
- Subscription data: plan, billing status, partial payment details (we never see full card numbers).
- Content you create: journal entries, day check-ins, reflections.
- Usage data: pages visited, features used, device and browser type, approximate location from IP.
- Cookies and similar technologies: see our Cookie Policy.
3. Why we use your data and our legal bases
- To provide the Service - performance of a contract.
- To process payments and prevent fraud - performance of a contract and legitimate interests.
- To send transactional emails (receipts, password resets, account notices) - performance of a contract.
- To send marketing emails - your consent (you can unsubscribe at any time).
- To improve the Service and analyse usage - legitimate interests, or your consent for non-essential cookies.
- To meet legal obligations (tax, accounting, responding to lawful requests) - legal obligation.
4. Who we share data with
We share data only with trusted processors who help us run the Service, under data processing agreements:
- Supabase - database, authentication and file storage.
- Stripe - payment processing.
- Email delivery providers - for transactional and marketing emails.
- Hosting & infrastructure providers - to serve the website.
We never sell your personal data.
5. International transfers
Some processors are based outside the UK/EU. Where data is transferred internationally we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or adequacy decisions.
6. How long we keep data
We keep account and content data for as long as you have an active account. If you delete your account, we delete or anonymise personal data within 30 days, except where we must keep it for legal reasons (e.g. tax records - typically 6 years).
7. Your rights
Under UK and EU GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent at any time, where we rely on consent.
- Lodge a complaint with a supervisory authority - in the UK, the Information Commissioner's Office (ico.org.uk); in the EU, your local data protection authority.
To exercise any of these rights, get in touch via our contact page.
8. Security
We use industry-standard measures including encryption in transit (TLS), encryption at rest, role-based access control and regular backups. No system is 100% secure, but we work hard to protect your data.
9. Children
The Service is not intended for anyone under 16. We do not knowingly collect personal data from children. If you believe a child has shared data with us, contact us so we can delete it.
10. Changes to this policy
We may update this policy from time to time. We will post the updated version here and, for material changes, notify you by email or in-app.