Status as of June 8, 2026

Compliance & Trust

Where LearnSomethin stands against the standard newsletter compliance checklist. We publish this honestly — including the gaps — because transparency about what we do and don’t do is itself a trust signal.

Roughly 35 of 50 items are solidly in place. The rest break down into 5 items handled manually, a handful of deliberate omissions documented below, and a small list of planned closures we’re working through.

Corporate & Legal

  • Yes
    Terms of Service published
  • Yes
    Privacy Policy published
  • Yes
    Contact email for privacy requests
  • N/A
    Legal entity
    Operating under the LearnSomethin trade name as a sole proprietor in India. Permissible at this scale; we'll formalize the entity as the project grows.

Subscriber signup

  • Yes
    User actively enters their email
  • Yes
    No pre-checked consent boxes
  • Yes
    Clear explanation of what you're subscribing to
  • Yes
    Double opt-in confirmation flow
  • Yes
    Signup timestamp recorded
  • Yes
    Consent version stamping
    Every signup and re-opt-in is tagged with the published policy version (currently 2026-06-08) for a defensible audit trail of which terms you accepted.
  • Yes
    Source / referrer logging
    Each signup records the HTTP referrer (the page you came from, if your browser sent it) and any utm_* campaign tags on the landing URL. Used to understand which channels bring subscribers. Disclosed in the privacy policy.
  • Planned
    Anti-bot protection
    Planned: Cloudflare Turnstile on the signup form.
  • Deliberate omission
    IP address (not stored)
    The checklist suggests recording it; we don't persist it anywhere we control. Data minimization is a feature — the IP isn't needed to deliver the service.

Email sending

  • Yes
    Unsubscribe link in every email
  • Yes
    Unsubscribe works immediately (RFC 8058 one-click)
  • Yes
    Sender identity clearly visible
    From: LearnSomethin <daily@mail.learnsomethin.com>
  • Yes
    Valid reply-to address
    hello@learnsomethin.com — replies reach a real human.
  • Yes
    No purchased or scraped lists
  • Planned
    Physical business address in footer
    Active gap. Required under CAN-SPAM and a recommended deliverability signal for Gmail. Will be added once a real address is finalized.

Your rights

  • Yes
    Withdraw consent at any time
    One-click unsubscribe link in every email.
  • Partial
    Delete your data
    Email hello@learnsomethin.com with subject “delete my data.” We respond within 30 days. A self-service flow is planned.
  • Partial
    Export your data
    Same path as deletion — email us and we'll send back a copy of what we hold.
  • Partial
    Correct your data
    Same path as above.

Security

  • Yes
    HTTPS everywhere
  • Yes
    Database access restricted
    Database access is through the service-role key only; row-level security is enabled with no policies defined (service-role-only access pattern).
  • Yes
    Daily backups, encrypted at rest
    Managed by the database provider on AWS.
  • Partial
    Audit logging
    Runtime logs and email-event webhooks flow into operational dashboards. No consolidated audit table yet.
  • Planned
    MFA on admin accounts
    Not currently enabled across every vendor account (Vercel, Supabase, AWS, GoDaddy, OpenAI, GitHub). Planned: enable on all six and document in our internal runbook.
  • N/A
    Strong password policy
    LearnSomethin is passwordless — you sign in by clicking a link in your inbox.
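
As an added illustration of the "row-level security enabled, no policies" pattern described under Database access (not code from the LearnSomethin project), the following Postgres/Supabase SQL enables RLS on a table and then checks the two properties that make the pattern hold: RLS is on, and no policies exist, so any role without BYPASSRLS sees zero rows. The table name `subscribers` and the roles `anon` and `service_role` are assumptions.

```sql
-- Enable row-level security on the subscriber table (assumed name).
-- With RLS enabled and NO policies, every role that does not bypass RLS
-- gets an empty result set for SELECT/UPDATE/DELETE and is refused INSERT.
ALTER TABLE public.subscribers ENABLE ROW LEVEL SECURITY;

-- Check 1: RLS is actually enabled on the table.
-- Expected: relrowsecurity = true.
SELECT relname, relrowsecurity
FROM   pg_class
WHERE  relname = 'subscribers'
AND    relnamespace = 'public'::regnamespace;

-- Check 2: no policies exist on the table.
-- Expected: policy_count = 0. Any row here means someone added a policy
-- that grants non-service roles access, which breaks the pattern.
SELECT count(*) AS policy_count
FROM   pg_policies
WHERE  schemaname = 'public'
AND    tablename  = 'subscribers';

-- Check 3: which roles bypass RLS at all. Only the service role should.
-- Expected: service_role listed with rolbypassrls = true; anon and
-- authenticated absent (or false).
SELECT rolname, rolbypassrls
FROM   pg_roles
WHERE  rolname IN ('anon', 'authenticated', 'service_role');

-- Check 4 (run as a superuser/owner that is a member of anon):
-- impersonate the public API role and confirm it cannot read rows.
-- Expected: 0, regardless of how many subscribers exist.
SET ROLE anon;
SELECT count(*) AS rows_visible_to_anon FROM public.subscribers;
RESET ROLE;
```

Checks 1 through 3 are cheap enough to run from a scheduled job or CI step so that a stray policy or an unexpected BYPASSRLS grant is caught rather than discovered in an incident.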

Vendors & data storage

All four sub-processors are disclosed in the privacy policy along with what each one does and where data is stored. Subscriber data lives in AWS us-east-1.

  • Yes
    Vendor list maintained and publicly disclosed
  • Yes
    Storage location documented
  • Yes
    Cross-border transfer disclosed
  • Yes
    Data retention policy stated
    Active subscribers' data is retained for as long as they remain subscribed; unsubscribed addresses are kept in a suppressed state to prevent accidental re-mailing.

What we're working on

The active gaps above, in rough priority order:

  1. Physical mailing address in the email footer (blocked on finalizing the address).
  2. Anti-bot protection on the signup form (Cloudflare Turnstile).
  3. Documented data subject request runbook plus a self-service export endpoint.
  4. MFA enabled on every vendor account that touches subscriber data (Vercel, Supabase, AWS, GoDaddy, OpenAI, GitHub).

Spot something we’ve missed? Email hello@learnsomethin.com.