Privacy Policy
This Privacy Policy describes how English with Christinah ("we," "us," or "our"), operated by Christinah Mulder as a sole proprietor, collects, uses, shares, and protects personal information about you when you visit englishwithchristinah.com (the "Site"), apply for our courses or workshops via our online application form, or otherwise interact with us (collectively, the "Services").
We've tried to write this in plain English. If anything is unclear, please email us at privacy@englishwithchristinah.com.
Plain-English Summary
- We collect your name, email, country, time zone, English proficiency self-assessment, and what you tell us about your goals — through forms we host ourselves on this site.
- If you enroll in a paid course, we use Stripe to take payment; Stripe stores your card, not us.
- We use that information to evaluate your application, run the course, and (if you opt in) email you about future courses and workshops.
- Live workshops and courses are delivered over Zoom.
- We use the Meta Pixel on the Site for advertising measurement; if you opt in, we may also use your email to find similar learners on Meta and Google.
- We do not sell your personal information for money.
- You have rights to access, correct, delete, export, or opt out — including specific rights under GDPR (EEA/UK) and the CCPA/CPRA (California). Email us to exercise them.
The full details follow.
1. Who We Are (Data Controller)
For purposes of the EU and UK General Data Protection Regulation ("GDPR"), the data controller is:
Christinah Mulder, d/b/a English with Christinah
138 E 12300 S, Ste C-1087
Draper, UT 84020
United States
Email: privacy@englishwithchristinah.com
If you are in the European Economic Area (EEA) or the United Kingdom and have questions about our processing, please contact us at the email above. We are not currently required to appoint a Data Protection Officer or EU/UK representative under Article 27 GDPR, but we will respond promptly to data subject inquiries.
2. Personal Information We Collect
Information you provide directly via our application or workshop signup form:
- Identity and contact data: name, email address.
- Location data: country of residence, time zone (used for class scheduling). We also auto-detect your browser's IANA time zone (e.g., "America/New_York") so we can show class times in your local zone in confirmation emails.
- Educational background and self-assessment: years studying English, and ACTFL self-assessed proficiency in listening, speaking, reading, and writing.
- Application context: your main English-learning goal, your reasons for interest in the program, whether you can commit to attending sessions, your readiness to enroll in an 8-week program, how you heard about the course, and any free-text responses you provide.
- Marketing consent: whether you opted in via the form's marketing checkbox to receive future course and workshop communications.
Payment information (if you enroll in a paid course):
- Our payment processor is Stripe (Stripe, Inc.). Stripe collects your full card details on its own infrastructure; we never see or store full card numbers. From Stripe we receive only confirmation of payment, the last four digits of your card, billing country, a transaction (PaymentIntent) ID, the Stripe Customer ID, and — when applicable — the promotion code you redeemed (e.g., "EARLY26") so we can reconcile the discount.
- Stripe may offer "buy now, pay later" options at checkout (currently Affirm, Klarna, Afterpay, and Cash App Pay). If you choose one of these, your repayment relationship is with that provider and is governed by their own privacy policy; we still receive only the confirmation data listed above.
Information collected automatically when you visit the Site:
- IP address — used only for rate-limiting form submissions and detecting abuse. The raw IP is never stored; before storage we replace it with a one-way SHA-256 hash combined with a server-side secret. The original IP is not recoverable from the stored value.
- Browser type, operating system, referring URL, pages visited, time on site.
- Cookies and similar technologies: see Section 7.
Information from third parties:
- Aggregated audience insights from advertising platforms (does not personally identify you to us).
How signups are collected: Our application form, workshop signup form, and admin review interface are all hosted by us at englishwithchristinah.com and run on Cloudflare's edge platform. When you submit either form, your responses are stored in our Cloudflare D1 database (a serverless SQL database operated by Cloudflare, Inc., located in the United States). The administrative interface at /admin, used to review applications and manage enrollments, is password-protected and accessible only to Christinah Mulder.
We do not intentionally collect "sensitive personal information" as defined under the CPRA (e.g., precise geolocation, racial or ethnic origin, biometric data, health information). If you voluntarily share such information in correspondence with us, we use it only to respond to you.
3. How We Use Your Information (Purposes and Legal Bases)
We use your personal information for the purposes below. Where GDPR applies, we identify our legal basis for each.
- Evaluate your application and place you in an appropriate course or workshop — Performance of a contract; legitimate interests (matching learners to suitable courses).
- Deliver the workshop or course you signed up for — Performance of a contract.
- Process payments and prevent fraud — Performance of a contract; legal obligation.
- Send transactional emails (application confirmations, course reminders, course materials) — Performance of a contract.
- Send marketing emails about future courses, workshops, and resources — Consent (you opt in via the form checkbox).
- Build advertising "Custom Audiences" and "Lookalike Audiences" on Meta and Google to find similar learners — Consent.
- Improve the Site and Services through analytics — Legitimate interests, or consent for non-essential cookies.
- Comply with legal obligations (tax, accounting, responding to lawful requests) — Legal obligation.
- Defend legal claims — Legitimate interests.
You can withdraw consent at any time by emailing privacy@englishwithchristinah.com or using the unsubscribe link in any marketing email. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
4. Advertising, the Meta Pixel, and Custom Audiences
The Meta Pixel runs by default. We load the Meta Pixel (a JavaScript tracker provided by Meta Platforms, Inc.) on the Site so we can measure the effectiveness of our advertising. The Pixel fires standard events on your visit — at minimum a PageView, plus a Lead event when you complete a workshop signup, a SubmitApplication event when you submit the application form, and a Purchase event when a payment succeeds. Along with each event, the Pixel transmits technical browser and device data (such as IP address, user agent, and cookie identifiers) to Meta. We pair the Pixel with the Meta Conversions API server-side, using a hashed event ID to deduplicate the two signals. This tracking runs for all visitors regardless of marketing opt-in. If you do not want the Pixel to fire on your visits, you can block it with a browser extension or your browser's tracking protection settings. We plan to add a cookie/consent banner gating Pixel load for EEA/UK visitors; until then, please consider whether you are comfortable with this tracking before continuing to use the Site.
Custom Audiences and Lookalike Audiences (opt-in only). If you opt in via our application or workshop form's marketing checkbox, we may also upload your email address (in hashed form, where supported) to:
- Meta (Facebook/Instagram) Custom Audiences and Lookalike Audiences
- Google Ads Customer Match and Similar Audiences
These platforms use your information to (a) show you relevant ads and (b) identify other users who share characteristics with our existing learners so we can advertise to them. We do not receive personally identifiable information about lookalike users from these platforms.
The Pixel-based tracking and the email-based Custom Audience uploads may constitute "sharing" of personal information for "cross-context behavioral advertising" under California law (see Section 12) and "profiling" under GDPR (Section 11). You can opt out at any time using the methods in Section 13.
5. How We Share Your Information
We share personal information only with the categories of recipients listed below, and only as needed:
Service providers (processors):
- Website + form hosting: Cloudflare Workers (Cloudflare, Inc.) — runs the Site code and the API endpoints that receive form submissions.
- Database: Cloudflare D1 (Cloudflare, Inc.) — stores application and workshop submissions, payment records, and internal admin notes. Data is held in the United States.
- Rate-limit + session storage: Cloudflare KV (Cloudflare, Inc.) — short-lived counters used to prevent abuse, plus hashed admin session tokens.
- Email forwarding (inbound): Cloudflare Email Routing (Cloudflare, Inc.) — routes mail addressed to our domain to our personal inbox.
- Transactional email (outbound): Resend (Resend, Inc.) — sends application confirmations, workshop confirmations, cohort acceptance notices, refund receipts, and similar service-related messages on our behalf.
- Payment processing: Stripe (Stripe, Inc.) — accepts card payments and "buy now, pay later" transactions (Affirm, Klarna, Afterpay, Cash App Pay), stores cards we never see, and tracks redemption of our promotion codes.
- Class delivery: Zoom Video Communications, Inc. — hosts our live workshops and cohort sessions. When you join a session, your interaction with Zoom is governed by Zoom's own privacy policy in addition to this one.
Other third parties (only if and when we engage them):
- An analytics provider to measure Site performance.
- An email marketing platform to deliver newsletters to subscribers who have opted in.
We will update this Policy when any of these services are added.
Advertising partners: Meta, Google — only if you have opted in (see Section 4).
Legal/safety recipients: law enforcement, regulators, or other parties when required by law, to protect rights, or to investigate fraud.
Successors: a buyer or successor in connection with a merger, acquisition, or sale of assets, subject to this Policy.
We do not sell your personal information for monetary consideration as defined under applicable law.
6. International Data Transfers
We are based in the United States. If you access the Services from outside the US, your personal information will be transferred to, stored, and processed in the US and other countries where our service providers operate.
For transfers from the EEA, UK, or Switzerland to the US:
- Where our service providers are currently certified under the EU-US Data Privacy Framework, UK Extension, or Swiss-US Data Privacy Framework, we rely on those certifications. As of the effective date of this Policy, Google LLC and Cloudflare, Inc. are participants in the Data Privacy Framework. We will revise this language if certification status changes or the Framework is invalidated.
- Otherwise, we rely on the European Commission's Standard Contractual Clauses (SCCs) or the UK's International Data Transfer Agreement (IDTA) with our processors, supplemented by additional safeguards as needed.
You may request a copy of the relevant transfer mechanism by emailing privacy@englishwithchristinah.com.
7. Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Make the Site work (essential cookies).
- Remember your preferences (functional cookies).
- Measure traffic and improve the Site (analytics cookies, when enabled).
- If you opt in: deliver and measure advertising (advertising cookies).
If you are in the EEA, UK, or another jurisdiction requiring prior consent, we will request your consent via a cookie banner before any non-essential cookies are set. You can change your preferences at any time via the cookie settings link in our footer or by clearing cookies in your browser.
In addition to first-party cookies, the Meta Pixel described in Section 4 sets advertising-related cookies on Site visits. Stripe also sets cookies on its hosted Checkout page when you complete a payment; those cookies are governed by Stripe's own privacy policy.
8. Data Retention
We keep personal information only as long as necessary for the purposes described in this Policy:
- Application and workshop form responses: retained in our Cloudflare D1 database for as long as needed to evaluate and follow up on your application, plus 3 years thereafter for tax, accounting, and legal-defense purposes. The database does not auto-purge; we delete or anonymize records manually after this period. You can request earlier deletion under Section 10 or 13.
- Course participants: for the duration of your enrollment plus 3 years.
- Marketing list subscribers: until you unsubscribe or request deletion, plus a short suppression-list period to honor your opt-out.
- Payment records: 7 years (in both our database and at Stripe) to comply with US tax law.
- IP rate-limit hashes: typically less than 24 hours in Cloudflare KV, then expired automatically.
- Admin session tokens (hashed): up to 7 days, then expired and deleted.
- Website analytics: 14 months in aggregated form, when analytics are enabled.
- Backups: Cloudflare D1 retains automatic point-in-time backups for up to 30 days under Cloudflare's service terms.
When a retention period ends, we delete or anonymize the information.
9. Security
We use industry-standard technical and organizational measures to protect your personal information, including encryption in transit (HTTPS), access controls, vendor due diligence, and limited internal access on a need-to-know basis. No system is perfectly secure; we cannot guarantee absolute security.
Specific measures worth noting:
- IP hashing. IP addresses received with form submissions are hashed (SHA-256 combined with a server-side secret) before being stored, and are used only for rate-limiting and abuse detection. We do not retain raw IPs in our database.
- Admin access. The administrative review interface at /admin is password-protected and accessible only to Christinah Mulder. Session tokens are stored as SHA-256 hashes (we cannot reverse them to a usable token) and expire after 7 days.
- Payment data. We never see or store full card numbers. Stripe handles all card data on its own PCI-DSS certified infrastructure.
If we learn of a personal data breach affecting your information, we will notify you and applicable regulators as required by law.
10. Your Rights — Everyone
Subject to applicable law, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your information (subject to our legal obligations to retain certain records).
- Withdraw consent where we rely on consent (e.g., marketing, advertising audiences).
- Object to processing based on legitimate interests.
- Receive a copy of your information in a portable format.
- Lodge a complaint with a supervisory authority (see Sections 11 and 12).
To exercise any right, email privacy@englishwithchristinah.com. We will respond within the timeframes required by applicable law (generally 30 days under GDPR; 45 days under the CCPA/CPRA, extendable once).
11. Additional Rights for EEA, UK, and Swiss Residents (GDPR)
If you are in the EEA, UK, or Switzerland, you have the rights described in Section 10 plus:
- Right to restriction of processing in certain circumstances.
- Right to object to direct marketing at any time.
- Right not to be subject to solely automated decisions producing legal or similarly significant effects. Our use of Custom and Lookalike Audiences (Section 4) involves profiling but does not produce legal or similarly significant effects on you. You may still object at any time.
- Right to lodge a complaint with your local supervisory authority. A list of EEA authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.
12. Additional Rights for California Residents (CCPA/CPRA)
This section supplements the rest of this Policy and applies only to California residents.
Categories of personal information collected in the past 12 months:
- Identifiers (name, email, IP address)
- Customer records (payment confirmation data, if you enroll in a paid course)
- Internet/network activity (cookies, page views, referring URLs)
- Geolocation data (country and time zone you provide, plus approximate location derived from IP)
- Education information (years studying English, self-assessed ACTFL proficiency, learning goals)
- Commercial information (courses or workshops you express interest in or enroll in)
- Inferences (interests inferred from your interaction with marketing communications, if you opt in)
Sources, business purposes, and recipients for each category are described in Sections 2, 3, and 5.
Sale or sharing of personal information: We do not sell personal information for money as the term "sell" is defined under California law. We share identifiers (as that term is defined under California law) with advertising partners (Meta, Google) to perform cross-context behavioral advertising — only if you opt in. We do not knowingly sell or share the personal information of consumers under 16.
Your California rights:
- Right to know the categories and specific pieces of personal information we have collected about you.
- Right to delete personal information we have collected.
- Right to correct inaccurate personal information.
- Right to opt out of "sharing" for cross-context behavioral advertising.
- Right to limit use of sensitive personal information (we do not use sensitive personal information for purposes that would trigger this right).
- Right to non-discrimination for exercising any of these rights.
How to exercise:
- Email privacy@englishwithchristinah.com with the subject line "California Privacy Request."
- Or use our "Do Not Sell or Share My Personal Information" link in the website footer to opt out of sharing.
We will verify your request by matching the email and other identifying information you provide against our records. Authorized agents may submit requests on your behalf with proof of authorization and your verification.
13. How to Exercise Your Rights
To submit any privacy request — access, correction, deletion, opt-out, or otherwise — email privacy@englishwithchristinah.com. Please include:
- Your full name and the email address you used to interact with us.
- The right you wish to exercise.
- Any relevant context (e.g., date of workshop or course application).
We will acknowledge receipt within 10 days and respond within the timeframes required by applicable law.
14. Children's Privacy
Our Services are intended for adults aged 18 and over. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK). If you believe a child has provided us personal information, please contact us at privacy@englishwithchristinah.com and we will delete it.
15. Email Marketing (CAN-SPAM)
If we send you marketing emails, every such email will include:
- A clear identification of the sender.
- A valid physical mailing address: 138 E 12300 S, Ste C-1087, Draper, UT 84020, United States.
- A working unsubscribe link that we honor within 10 business days.
You can also email privacy@englishwithchristinah.com to be removed from all marketing communications. Transactional emails about a course you have enrolled in or applied to will continue until your involvement ends.
16. Third-Party Links
The Site may contain links to third-party websites and platforms (e.g., Stripe's hosted Checkout page when you pay, Zoom when you join a workshop or class session, social media accounts). We are not responsible for their privacy practices. Please review their policies separately.
17. Changes to This Policy
We may update this Policy from time to time. We will post the new version on this page and update the "Last updated" date. If changes are material, we will notify you by email or a prominent notice on the Site at least 30 days before the changes take effect, where required by law.
18. Contact Us
For any privacy-related questions, requests, or complaints:
English with Christinah
Christinah Mulder, Sole Proprietor
138 E 12300 S, Ste C-1087
Draper, UT 84020
United States
Email: privacy@englishwithchristinah.com