
Privacy Policy

Introduction

At Advice Over Coffee (referred to as “AOC,” “we,” “us,” or “our”), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use our website and services (collectively, the “Services”). It applies to all users of our platform, including those seeking career advice (“Users” or “Advisees”) and those providing guidance (“Advisors”). By accessing or using AOC’s Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Services.

AOC operates as a technology platform that facilitates connections between Users and Advisors. Except where explicitly stated, AOC does not act as the direct provider of advisory services and processes personal data primarily to enable these peer-to-peer interactions.

We strive to comply with all relevant data protection laws and regulations to protect your information. This includes, where applicable, adherence to frameworks such as the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA), and other privacy laws. We value your privacy and handle your data lawfully and responsibly in accordance with these requirements.

Your Consent: By using our website or Services, or by providing personal information to us, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you provide information on behalf of someone else, you confirm that you have the authority to do so and to allow us to use the information as described. You may withdraw your consent at any time as described in the Your Rights and Choices section below.

Information We Collect and How We Use It

We collect several types of information from and about users of our Services, including information you provide directly, data collected automatically, and information from third parties. We use this information to operate and improve our Services, to facilitate meaningful connections between Users and Advisors, and to communicate with you. Below we describe the categories of information we collect and the purposes for which we use them:

  • Information You Provide Directly: When you register for an account (either as a User or as an Advisor) or fill out forms on our platform, you provide personal information. This may include your name, email address, password, phone number, profile picture, and other contact details. You may also provide demographic and professional information such as your age, education, career history, skills, interests, and any goals or questions you share with Advisors. If you sign up as an Advisor, we may collect additional details like your professional qualifications, work experience, biography, and any verification documents or credentials you choose to submit to establish your expertise. We use this information to create and manage your account, to personalize your experience on AOC, and to enable the core functionality of our platform – for example, displaying your profile to others, matching Advisees with relevant Advisors, and facilitating scheduling of one-on-one conversations. We also use your contact information to communicate with you about service-related matters. This includes sending confirmations and reminders for booked sessions, notifications about messages or updates on our platform, and responding to any inquiries or support requests you send us. If you have opted in to receive marketing communications, we may use your email to send newsletters, blog updates, or special promotions about new features or Advisors that might interest you. (You can opt out of marketing emails at any time, as described below.) Rest assured, we do not use the personal information you provide for any purposes incompatible with the ones stated here.

  • Content and Communications: Any content that you voluntarily share on our platform will be collected. For example, when you fill out your profile bio or when you communicate with an Advisor through our Service (such as sending messages or participating in a chat or video session), we collect that information. Messages or communications between Users and Advisors may pass through our systems and could be stored, especially if we offer in-platform text messaging or email relay. We use the content of these communications solely to deliver the Service (for instance, to forward your message to the intended recipient), to monitor compliance with our Terms of Use (e.g. preventing harassment or other policy violations), and to improve our Services (for example, by allowing us to provide user support or analyze usage patterns). Note: AOC does not routinely monitor or record the audio/video of mentoring sessions conducted through third-party tools without appropriate notice and, where required, user consent. However, AOC reserves the right to implement monitoring or recording features for safety, quality assurance, fraud prevention, or dispute resolution purposes where legally permitted.

  • Payment and Transaction Information: If our Services involve any paid features (for example, if you purchase a premium membership or if Advisors charge a fee for sessions), we (or our third-party payment processor) will collect the information needed to process those payments. This can include payment card information (credit card number, expiration date, CVV) or other payment details, as well as billing name and address. We use reputable third-party payment processors to handle your transactions, which means your sensitive payment information (like full credit card numbers) is not stored on our servers. We only retain information related to your transactions such as the date and amount, the payment method, and an internal transaction ID. Payment information is used solely for processing payments you initiate and for compliance with applicable accounting and legal requirements. All payment processing is performed over encrypted connections, and we comply with applicable security standards (for instance, PCI-DSS) through our payment providers to safeguard your financial data.

  • Information Collected Automatically: Like most online services, we and our third-party partners automatically collect certain information about your device and how you interact with our website. This usage data may include your device’s IP address, device type, browser type, browser language, operating system, geographic location (general region inferred from IP), and timestamps of your visits. We also log information about your activity on our site, such as the pages or profiles you view, the features you use, the search queries you enter, referral URLs that led you to our site, and your engagement with content and links on the platform. This data is collected through server logs as well as tracking technologies (explained in our Cookies section below). We use this information to analyze and improve our Services – for example, understanding which pages are most frequently visited helps us optimize our interface, and knowing how long users spend on certain features helps us identify what’s useful. We also use automatically collected data to maintain security – for instance, IP addresses and log-ins are monitored to detect and prevent fraudulent or unauthorized activities. Additionally, this information enables us to troubleshoot technical issues and ensure the platform works correctly across different devices and browsers.

  • Cookies and Similar Technologies: When you use our Services, we may place small data files called cookies on your device, or use similar tracking technologies like web beacons and local storage. Cookies are used to remember your preferences and recognize you upon subsequent visits. For example, cookies allow us to keep you logged in during your session and recall your settings (so you don’t have to re-enter information). We also employ cookies and similar tools to collect usage statistics and understand how users navigate our site. This helps us analyze trends, personalize your experience, and improve our content and features. Some cookies may be set by third-party analytics and advertising partners (see Cookies and Tracking Technologies section below for details). The data we gather through cookies and scripts is generally aggregated and does not identify you directly; it provides us metrics like overall site visits, conversion rates, or which marketing campaigns are effective. We treat information collected by cookies and other technologies as non-personal information, except where local laws consider identifiers like IP addresses as personal data or where we combine cookie data with your other personal information. In such cases, we handle it as personal data.

  • Information from Third Parties: On occasion, we may obtain information about you from other sources to supplement what you provide. For example, if we offer the option to sign up or log in via a social network or single sign-on service (like signing in with Google, LinkedIn, or Facebook), we would receive certain profile information from those third parties (such as your name, email, and public profile) with your consent during the authentication process. Likewise, if you are registering as an Advisor, we might (with your permission) collect or verify information from publicly available sources or third-party services – for instance, we may view your LinkedIn profile or request references/certifications to confirm your credentials. Another example of third-party data is if a User invites you to the platform or refers you (we might receive your name and email from that user to send an invitation). We only use information from third parties for the purposes consistent with this Privacy Policy, such as to facilitate account creation, to verify qualifications, or to tailor our recommendations. Any third-party data is combined with what we have collected directly from you and is afforded the same protection under this Policy.

  • Sensitive Personal Data: We do not intentionally collect any sensitive personal information about you, unless you choose to provide it. Sensitive data includes things like your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic or biometric data, health information, or information about your sexual orientation. AOC’s Services are focused on career and mentorship, and we do not require any of these sensitive details. We advise you not to share sensitive personal information on your profile or in conversations unless it is directly relevant and you are comfortable doing so. If you do share such information with us or with an Advisor (for example, mentioning a health condition as context for career choices), you are consenting to our processing of that information for the purpose of delivering the Services to you. Any sensitive information incidentally collected will be treated with special care and security. We will never use sensitive data for marketing purposes or any purpose not explicitly consented to by you.

Cookies and Tracking Technologies

Like many websites, AOC uses cookies and similar tracking technologies to enhance your experience and gather information about how the site is used. This section explains our use of these technologies and your choices.

What Cookies Are: Cookies are small text files that websites send to your device (computer, smartphone, etc.) when you browse. Cookies are stored in your web browser’s memory and perform a variety of functions to improve your experience. Some cookies are session cookies that expire when you close your browser, while others are persistent cookies that remain until they expire or you delete them. We also may use related technologies like web beacons (tiny graphic images also known as pixel tags or clear GIFs) which work in conjunction with cookies to record usage data (for example, a beacon in an email can tell us if you opened it), and local storage (which can store data on your browser similar to cookies).

How We Use Cookies: We use cookies and similar technologies for the following purposes:

  • Essential Functions: Some cookies are necessary for our website to function properly. For example, when you log in to your account, we set authentication cookies to keep you logged in as you navigate between pages. These cookies also help us enforce security features and support our login functionality. Without these, certain Services (like account access or booking a session) may not be usable.

  • Preferences and Personalization: We use cookies to remember your preferences and settings. This includes remembering your chosen language, the role you selected (User or Advisor), or other customizations so that we can tailor the content to you without asking for the same information each time. These cookies make your experience more convenient and personalized.

  • Analytics and Performance: We employ cookies (and similar tools like scripts or pixels) to collect analytics information about how users interact with our platform. For instance, we (or third-party analytics providers working on our behalf) might set cookies to gather information about page load times, page visitation rates, user flows between pages, and any errors encountered. This data helps us understand which parts of our site are most popular, observe usage patterns, and identify areas for improvement. We currently use third-party analytics services such as Google Analytics to help us analyze this information. These providers may set their own cookies or use similar technologies to collect usage information and report site trends to us. We use this analytics data in aggregate form to improve our site’s performance and UX (for example, to ensure users find what they need easily) and to make business decisions (for example, deciding to add new features that users are frequently searching for).

  • Advertising and Marketing: At present, AOC does not host third-party advertisements on our platform, and we do not share personally identifying information with ad networks. However, we may use cookies for internal marketing efforts. For example, if you are already a registered user, we might use a cookie to avoid showing you promotional sign-up offers. In the future, we may engage in retargeting campaigns on platforms like LinkedIn or Google – for instance, placing a pixel on our site that allows us to show you a recruitment or mentorship-related advertisement on other platforms after you’ve visited our site. These marketing cookies would collect information about your browsing on our site (such as which pages you viewed) and then display relevant ads on other sites based on your interests. Any such practice will be done in compliance with applicable privacy laws, and where required, we will obtain your consent for the use of marketing cookies. If we ever introduce broad advertising on our platform, we will update this policy and provide you with appropriate opt-out mechanisms.

Third-Party Cookies: Some cookies and trackers on our site are placed by third parties acting on our behalf or in partnership with us. For example, as mentioned, analytics services like Google Analytics set their own cookies to gather information (e.g., Google Analytics may set cookies named _ga, _gid, etc. to track user behavior). We may also use email delivery and tracking services that place a beacon or unique ID in emails to tell us if you opened an email or clicked a link, helping us gauge the effectiveness of our communications. Additionally, if our site features content from other platforms (such as an embedded YouTube video or a social media share button), those third-party providers may set cookies as well. We do not control the data collected by third-party cookies, and their use is governed by the privacy policies of the third parties (we list some common third-party services in the Sharing and Disclosure section). However, we carefully choose third-party partners and strive to only work with those that uphold high privacy standards.

Your Choices for Cookies: When you first visit our site, you may be presented with a cookie notice or banner (especially if required by law in your region) that gives you options to accept or manage cookies. Whether or not such a banner appears, you always have the ability to control cookies through your browser settings. Most web browsers allow you to refuse new cookies, delete existing cookies, or notify you when new cookies are set. Please note that if you disable or delete certain cookies (particularly those needed for authentication or security), some features of our Service may not function correctly – for example, you might not be able to stay logged in or use interactive features.

If you want to learn more about cookies and how to manage or disable them, resources such as AllAboutCookies.org provide detailed guidance for various browsers. For information on how Google Analytics collects and processes data and how you can opt out, Google provides a browser add-on (the Google Analytics Opt-Out Browser Add-on) to prevent your data from being used by Google Analytics. For other third-party tools, refer to their privacy statements for opt-out methods.

“Do Not Track” Signals: Some web browsers offer a “Do Not Track” (DNT) setting that lets you signal to websites that you do not want to be tracked across different sites. Currently, there is no uniform standard for how to respond to DNT signals. Therefore, our website does not respond to browser DNT signals at this time. We treat all users’ data according to this Privacy Policy, regardless of DNT. If a standard for online tracking is adopted in the future, we will update our practices accordingly. In the meantime, you can use the other opt-out methods described here (browser settings, cookie banners, etc.) to manage online tracking.

Sharing and Disclosure of Information

AOC understands that your personal information is important, and we are not in the business of selling it to third parties. We share information in a limited number of circumstances, each described below, and always with appropriate safeguards and respect for your privacy.

  • Sharing with Other Users (Platform Participants): Our platform is designed to facilitate connections and conversations, so some information will be shared with other users by necessity. If you are an Advisee (user seeking advice) and you decide to schedule a chat or mentoring session with an Advisor, that Advisor will be provided with information about you in order to conduct the session. This typically includes your name, the basic profile details or background info you have provided (for example, your profession or the questions/goals you indicated), and any message you included with your meeting request. Advisors need this information to prepare for and personalize the advice they give you. Similarly, if you as a User send an Advisor a direct message or question through our platform, the Advisor will see your name and whatever information you include in that message. If you are an Advisor, the profile information you provide (such as your full name, photo, professional title, bio, qualifications, and any other details you choose to list) will be visible to Users on the platform. Advisor profiles may be browsed by all registered Users, and portions of advisor profiles (for example, name, photo, title, and summary) may also be visible to unregistered visitors on our public website to showcase our roster of Advisors. This publicity helps Users decide which Advisor to approach. Please note that we expect all Users and Advisors to respect each other’s privacy and to use any personal information obtained through AOC solely for the purposes of the mentoring interaction. Advisors are not allowed to misuse personal details of Users (such as contacting them for unrelated offers or sharing their stories without consent), and vice versa. However, AOC cannot fully control what users do with information they obtain in a session or through the platform. We urge you to be mindful about what you share and with whom. Do not share information that you would not want to be known publicly. If you believe an Advisor or User is misusing your personal information beyond the intended scope, please contact us immediately. We will take appropriate action in line with our Terms of Service (such as investigating and potentially removing the offending user from the platform), but we are not liable for the independent actions of users outside our Services.

  • Service Providers and Vendors: We employ trusted third-party companies and individuals to perform certain functions on our behalf in order to provide the Services. These service providers have access to personal information only as needed to perform their tasks and are obligated not to disclose or use it for other purposes. They are contractually bound to protect your data and to use it only in accordance with our instructions. Categories of service providers with whom we may share data include:

    • Hosting and Infrastructure Providers: We may host our website and databases on third-party servers (for example, cloud computing platforms or web hosting services). These providers store or process data on secure servers, backup data, and ensure our site remains available online. They typically process data such as account information and content on our behalf to keep the service running. We ensure any hosting provider we use employs robust security measures to safeguard your data.

    • Analytics and Performance Tools: As mentioned in the Cookies section, we use third-party analytics services (like Google Analytics) to help us understand usage of our platform. These services may process certain personal data (e.g. IP address or device ID) and usage information. We share or allow them to collect only the information needed for analytics purposes, and we do not permit them to use or disclose the data for their own marketing or other purposes. For instance, Google Analytics may process usage data to tell us what pages are popular, but cannot identify you personally in their reports to us.

    • Email and Communication Services: We rely on email service providers (ESP) and possibly SMS gateways to send out communications to you. For example, if we send a platform notification or newsletter, it might be delivered via a service like SendGrid, MailChimp, Amazon SES, or similar. These providers will have access to your email address and the content of the message (and in some cases, your name) to properly format and deliver the emails. They are not allowed to use your email for any purpose outside of sending our communications. We may also use customer support platforms or CRM (Customer Relationship Management) tools to track and respond to user inquiries; in doing so, information you send to support (like your email and support request details) could be stored on those third-party systems. All such providers are carefully vetted for strong privacy practices.

    • Payment Processors: If financial transactions are involved, we share relevant information with the payment processing company that actually processes payments. For example, if you pay for a session or subscription, your credit card information is sent directly from your browser to our payment processor (such as Stripe, PayPal, or other), and they will communicate to us whether the payment was approved or declined. We might share your name or user ID and a transaction amount with the processor to tie the payment to your account, and in return we receive confirmation and details like the last four digits of your card or a payment token. Payment processors are independent data controllers for your payment information, meaning they are responsible for complying with laws regarding your financial data. We recommend you review the privacy policy of any payment provider we use to understand how they handle your data. In addition, payouts to Advisors may be facilitated through third-party payout providers such as Payoneer or similar services. Where applicable, limited personal information (such as name, email, payout details, and transaction information) may be shared with such providers solely for the purpose of enabling Advisor payments. These providers act as independent data controllers for the information they process in accordance with their own privacy policies.

    • Scheduling and Video Call Providers: Our platform’s purpose is to enable virtual meetings, so we may integrate third-party tools to facilitate scheduling and calls. For scheduling, we might use a service like Calendly or Google Calendar integration – if so, when you book a session, your basic details (name, email, and meeting details) may be transmitted to that scheduling service and to the Advisor’s calendar. For virtual meetings, we may use trusted video conferencing services (e.g., Zoom, Microsoft Teams, Google Meet, or similar). If meetings are conducted via an integrated third-party video platform, that provider will handle the audio/video data. We will only share what is necessary (perhaps your name and email to set up the meeting room invite). Those interactions are subject to the third party’s terms (for instance, a Zoom meeting is subject to Zoom’s privacy policy regarding data in transit). We do not record video or audio calls through these services unless explicitly stated and agreed by participants, as noted earlier.

In all cases, we seek to minimize the data shared with service providers – giving them only what they need to perform their function – and we require them to keep your information confidential. We also endeavor to choose providers who store data in jurisdictions with strong data protection laws or who certify to international data protection frameworks.

  • Business Partners and Affiliates: Currently, Advice Over Coffee is a standalone service. If in the future we enter into partnerships or affiliations (for example, partnering with a university, career center, or another mentoring network to expand opportunities), we might share some information with those partners with your knowledge and consent. For instance, if we collaborate with a university’s alumni office to help students find mentors, and you sign up through that university program, we may share usage stats or necessary personal info with the program administrators. Any such sharing will be transparently communicated to you at the time of data collection or whenever the partnership is formed. We do not share your personal data with third parties for their own marketing or advertising purposes without your explicit consent. In other words, we do not sell or rent your personal information to outside companies for them to promote their products to you. Your data is used to serve you on our platform, not as an asset to monetize in unsolicited ways.

  • Legal Compliance and Protection: We may disclose personal information outside of our organization if we have a good-faith belief that such disclosure is necessary to:

    • Comply with the law or legal process. If we receive a valid subpoena, court order, or other legally binding request (for example, from law enforcement or a regulatory agency), we may be required to disclose certain data. We will evaluate each request carefully and only provide the minimum information necessary to comply with it. Where allowed, we might attempt to notify you of such requests (for instance, if a government requests your data) so you have an opportunity to object, unless we are legally prohibited from doing so.

    • Enforce our Terms and policies. We may share information if necessary to investigate or enforce violations of our Terms of Service, Advisor agreements, or other legal agreements. For example, if needed to investigate fraudulent transactions, threats, or abuse on our platform, we might share data with security consultants or law enforcement.

    • Protect rights, property, and safety. We may disclose information if we believe it’s necessary to prevent harm to our users, Advisors, AOC, or the public. This includes exchanging information with other companies and organizations for the purposes of fraud protection, spam/malware prevention, and credit risk reduction. If you threaten or harass someone through our platform, or if someone’s safety is at risk, we reserve the right to cooperate with authorities as needed by providing relevant information.

These disclosures will be made in accordance with applicable laws. Nothing in this Privacy Policy is intended to limit any legal defenses or objections you may have to a third party’s (including a government’s) request to disclose your information.

  • Sale or Merger of Business: In the event that AOC (Advice Over Coffee) undertakes a business transition such as a merger, acquisition by another company, bankruptcy, or sale of all or a portion of its assets, your personal information may be among the assets transferred. This means that your information could be transferred to a company that is successor to our business or part of a reorganization. If such a transfer occurs, we will ensure that your personal data continues to be protected in accordance with this Privacy Policy and applicable law. We will also provide notice on our website (and, if feasible, directly to you via email) of any such change in ownership or control of your personal information, along with any choices you may have. The new entity would have the right to continue using your data, but only in the manner set out in this Privacy Policy (unless you agree otherwise).

  • With Your Consent: In situations other than those above, if we need to share your information for a purpose outside the scope of this Privacy Policy, we will ask for your consent. You have the right to say no. For instance, if we ever consider sharing user testimonials or success stories publicly (containing personal details like your name or image), we will only do so with your explicit permission. Another example is if you opt in to a feature where your profile or question is shared with a broader community or a partner site – we would explain the scope of such sharing and honor your choice. We will not share or disclose your personal data in any new way without notifying you and obtaining appropriate consent.

To summarize this section: We share your information only to run our Services (with service providers and within the platform community), to comply with the law, to protect rights and safety, or as part of corporate changes, and we do not sell your personal information to third parties for profit. We maintain accountability for any personal data we transfer to third parties and remain committed to safeguarding your privacy.

Data Security and Storage

We understand that the security of your personal information is important. AOC uses a combination of administrative, technical, and physical security measures to protect the personal data we store. However, no method of transmitting or storing data is completely secure, so we want to be transparent about how we safeguard your data and the residual risks.

Security Measures: We take reasonable and industry-standard measures to secure your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: Our website is protected by HTTPS, implementing TLS/SSL encryption. This means that when you enter personal information on our site (such as your login credentials or any profile data), that information is encrypted in transit between your device and our servers. If we store sensitive information (for example, passwords or any sensitive personal data you might provide), we encrypt it at rest or use secure one-way hashing. Passwords, for instance, are stored in hashed form (not in plain text) for your protection.

  • Access Controls: We restrict access to personal data to AOC employees, contractors, and agents who need to know that information in order to operate, develop, or support our Services. All personnel who have access to personal data are bound by strict confidentiality obligations and are subject to disciplinary action (including termination and legal action) if they fail to meet these obligations. We limit administrative privileges on our systems to only those who require it. Advisors and Users only have access to the information that is reasonably necessary to participate in the platform (for example, an Advisor can see a User’s profile info and messages to them, but not the User’s full account data or other private info). Internally, we use unique IDs and pseudonymization where feasible to reduce direct exposure of personal identifiers.

  • Network & System Security (Hosting on AWS & GoDaddy):
    Our application back end is hosted on Amazon Web Services (AWS) and our public website is hosted on GoDaddy. We operate under the shared-responsibility model, meaning AWS and GoDaddy secure the underlying infrastructure (“security of the cloud”), while AOC secures its own configurations, applications, and data (“security in the cloud”). Within these environments, AOC maintains appropriate security and access controls, including role-based access, multi-factor authentication (MFA), encryption, and least-privilege permissions. Network protections are provided through AWS and GoDaddy’s built-in security infrastructure, such as firewalls, DDoS protection, intrusion detection, and encrypted communication (HTTPS/TLS). AOC monitors access and activity within its hosted environments, applies software updates and patches promptly, and follows secure-development practices to mitigate vulnerabilities. While AOC does not operate the physical infrastructure of these hosting providers, it relies on their independently audited, industry-certified security frameworks and retains full responsibility for the confidentiality and integrity of its own application-level and data-level security.

  • Monitoring and Testing: We monitor our systems for possible vulnerabilities and attacks. We may perform periodic penetration tests or security audits, either internally or through third-party specialists, to evaluate the strength of our security posture. Additionally, we maintain logs of important actions and access events on our systems to trace any unauthorized activities. If we detect suspicious activity, we take immediate steps to investigate and mitigate any potential breach.

Despite all measures in place, it’s important to note that no security is 100% foolproof. The transmission of information via the internet is not completely secure, and we cannot guarantee that our safeguards will never be overcome by unlawful hacking, hardware or software failure, and other unforeseen events. While we strive to protect your information, we cannot warrant the absolute security of data transmitted to our site or stored in our databases. You should also play a part in protecting your information by keeping your account credentials confidential and by using a strong, unique password for our site. If you suspect that your account or data has been compromised (for example, if you notice any unauthorized access or suspicious activity in your account), please contact us immediately.

Data Breach Response: AOC maintains internal procedures for detecting, investigating, containing, and reporting any suspected personal-data breach in line with applicable data-protection laws, including the EU General Data Protection Regulation (GDPR). While a separate “plan” document is not legally required, GDPR Articles 33 and 34 require controllers to have a structured process for breach notification and documentation.

If a breach is likely to result in a risk to individuals’ rights or freedoms, AOC will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach presents a high risk to affected individuals, we will also inform those individuals promptly and in clear language, describing the nature of the breach, its likely consequences, and the measures taken or proposed to address it.

We maintain a record of all personal-data breaches (their facts, effects, and remedial actions) and will communicate transparently with users as required. Our priority is to act swiftly to contain any incident, remediate vulnerabilities, and provide guidance to affected users on steps they may take to protect themselves (for example, changing passwords or remaining alert to phishing attempts).

Data Storage and International Transfers: The personal information we collect from you may be stored and processed on servers in multiple countries, depending on where our infrastructure and service providers are located. Currently, our primary data is stored on AWS in a region located in the United States (subject to change), and we may use cloud services that geographically distribute data for reliability and speed. This means that your information could be transferred to or accessed from jurisdictions outside of your home country. For example, if you are located in the European Economic Area (EEA) or United Kingdom, your personal data might be transferred to a country with data protection laws that are different or less protective than those in your jurisdiction (such as the United States or Pakistan, where our team may be based). We want to assure you that regardless of where data is stored, we apply the same level of protection described in this Privacy Policy.

When we transfer personal data internationally, we take steps to ensure appropriate safeguards are in place to comply with applicable data protection laws. These safeguards may include:

  • Standard Contractual Clauses: We may incorporate the European Commission’s standard data protection clauses (also known as Model Contracts) into our contracts with service providers or affiliates if we transfer EU/UK personal data to countries not deemed adequate by the EU/UK. These clauses impose data protection obligations on the recipient and provide legal rights for individuals whose data is transferred.

  • Data Transfer Agreements: For internal transfers (for example, between an EU branch and a non-EU head office), we use agreements that commit all parties to uphold privacy protections equivalent to EU standards.

  • Certification Mechanisms: Where applicable, we may rely on frameworks like the EU-U.S. and Swiss-U.S. Data Privacy Framework (if our service providers are certified under these frameworks) or any similar arrangements that might be in place for international data transfer compliance.

  • User Consent: In the absence of other safeguards, we may ask for your explicit consent to transfer your data to a particular third country. You have the right to refuse or withdraw such consent at any time.

  • Legal Derogations: In certain cases, transfers may be necessary to perform a contract with you (for example, if you’re outside our main country of operation and we need to route data to you) or to fulfill a compelling legitimate interest that does not outweigh your rights – such transfers would be limited and assessed case-by-case.

By using our Services, you understand that your information may be transferred to and stored in countries other than your own, including the United States and possibly other jurisdictions where we or our service providers operate. However, our handling of your personal data will always be governed by this Privacy Policy. If you have questions about international data handling or need more specifics about where your data is stored, you can contact us for more information.

Data Retention: We will retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In practice, this means:

  • Active Account Data: If you have an account with AOC, the information associated with your account (profile info, communication history, etc.) will be kept until you delete your account or until we no longer need the data to provide Services to you. We do not have a preset expiration date for user accounts – we assume you wish to continue benefiting from our platform unless you indicate otherwise.

  • Inactive Accounts: If you stop using AOC for an extended period, we may in the future implement a policy to deactivate or delete dormant accounts (for example, accounts inactive for over a certain number of years) to reduce the amount of data we store. If we do so, we will provide notice (e.g., sending an email to the address on file) giving you an opportunity to keep the account active or retrieve any data before deletion.

  • Communications: If you contact us via support email or other channels, we may retain those communications and any attached information for a period of time that is appropriate to resolve your issue, provide any follow-up, and improve our support processes. Typically, support emails are retained for a few years, unless you request their deletion and we have no legal obligation to keep them.

  • Legal Requirements and Disputes: In certain cases, we may need to retain specific information for longer periods if required by law or if necessary to resolve disputes or enforce our agreements. For example, financial transaction records are generally kept for a minimum period for tax and accounting purposes. If we banned an account for malicious activity, we might retain certain data about that account to prevent them from re-registering. If there’s an outstanding issue, claim, or legal dispute involving your data, we’ll retain the necessary information until it’s resolved.

    When we no longer have a legitimate need or legal obligation to keep your personal information, we will securely delete, anonymize, or aggregate it. For instance, we might aggregate usage data (so it no longer identifies you) and keep that for analytics. If you request deletion of your data (see Your Rights below), we will process that request and delete applicable data from active systems, unless retention is required by law. Please note that complete removal of your data from backup systems might not be immediate but will occur as those backups naturally expire or are replaced.

    We may also retain certain information as necessary to prevent fraud, enforce our Terms of Service, resolve disputes, comply with financial and regulatory obligations, or protect the security and integrity of the platform.

Your Rights and Choices

You have rights and choices regarding your personal information. AOC respects these rights and has processes in place to enable you to exercise them. The availability of certain rights may depend on where you live and which laws apply to our processing of your data, but we aim to grant these controls to all users as far as practicable.

Access, Correction, and Portability: You have the right to access the personal information we hold about you and to receive a copy of it in a structured, commonly used, machine-readable format. This is often called a “data subject access request.” You also have the right to request the correction of any inaccurate or incomplete personal data. For example, if you find that your profile information or account details are incorrect or outdated, you can update it by logging into your account settings (where available) or by contacting us for assistance. If you need, you can ask us to provide the data you gave us in a format that can be transferred to another service (this is the right to data portability), which we will do as long as it’s technically feasible and legally required – typically this applies to data you provided directly (like your profile info) and data generated by your activities (like your session history), where the processing is based on your consent or a contract with you.

Deletion (Right to be Forgotten): You have the right to request deletion of your personal information in certain circumstances. You can request that we delete your account and remove your personal data. For example, if you no longer want to use our Services, you can ask that we erase the personal data we have about you. We will honor deletion requests provided that we do not have a compelling reason or legal obligation to retain the data. Note that deleting your data is irreversible – if your account is removed, you will lose access to any mentoring history or content you provided (so you might want to save any information you need beforehand). After we delete your data from active systems, residual copies may take a short period to be removed from our backups. Also, as noted, we might retain certain minimal information (like a record that we fulfilled your request or a transactional record for legal compliance) as required. To request deletion, you can use any provided account deletion function (if available in your account settings) or contact us directly through the Contact channels listed below.

Withdrawal of Consent / Opting Out: In cases where we rely on your consent to process your personal data (for instance, for sending marketing emails or for processing sensitive information you provided), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it will not affect processing of your data under other legal grounds. If you no longer wish to receive our newsletter or promotional communications, you can always opt out by clicking the “unsubscribe” link at the bottom of any marketing email, or by adjusting your email preferences in your account settings (if such option is available). You can also contact us to be removed from our mailing list. Please note that even if you opt out of marketing messages, we may still send you transactional or service-related communications (such as appointment reminders, security alerts, or changes to terms) as these are not promotional but necessary for using our Services. If you have given consent for any other optional data processing, contact us to withdraw that consent and we will stop the processing.

Objection to Processing: You have the right in some situations to object to our processing of your personal information. For example, if we are processing your data based on legitimate interests, you can object to that processing if you feel it infringes on your rights. One common use of this right is objecting to data processing for direct marketing purposes – however, as noted, we do not share your data with third parties for their direct marketing without consent, and for our own marketing you can opt out as described above. Another example might be if we were conducting research or analytics in a way that involves your data, and you have a personal situation that gives you the right to object. In each case, if you raise an objection, we will consider your request and stop or adjust processing unless we have compelling legitimate grounds to continue that override your interests, rights, and freedoms (for instance, a legal requirement). We will respond to let you know the outcome of your objection request.

Restriction of Processing: You have the right to request that we limit the processing of your personal information under certain conditions. This means we would still store your data but temporarily stop any other processing. You can request restriction if: (a) you contest the accuracy of your personal data (for a period enabling us to verify it); (b) the processing is unlawful but you oppose erasure and request restriction instead; (c) we no longer need the data but you need us to keep it for the establishment, exercise, or defense of legal claims; or (d) you have objected to processing (as above) and we’re verifying whether our legitimate grounds override yours. If your data is under restriction, we will mark it as such and process it only with your consent or for legal reasons.

Response Time: We will endeavor to respond to any legitimate privacy rights request as soon as possible, and in any event within the timeframes required by law. For example, under GDPR we generally have one month to respond to your request, which can be extended by two further months for complex requests (in which case we would inform you of the extension). We will not charge you a fee for exercising your rights unless the requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse the request, but we will explain our reasoning).

Identity Verification: To protect your security and prevent unauthorized access, we may take steps to verify your identity before fulfilling your request. For instance, we might ask you to confirm some personal details we already have on file, or to go through your password-protected account to make the request, or provide a government ID for certain sensitive requests. You do not have to provide additional ID if we are able to verify you through other methods, but if we cannot adequately verify your identity, we may not be able to comply with certain requests (we’ll inform you if that’s the case).

California Privacy Rights: If you are a resident of California, you have specific privacy rights under the California Consumer Privacy Act (CCPA) (as amended by the CPRA). These include: (1) the right to know what personal information we collect, use, disclose, and “sell” (if applicable) about you; (2) the right to access the specific pieces of personal information we have collected about you (you can request a copy in a readily usable format); (3) the right to delete personal information we have collected from you (with some exceptions, such as if the data is required to complete a transaction or for legal compliance); (4) the right to opt-out of the sale or sharing of your personal information; and (5) the right not to be discriminated against for exercising your CCPA rights. AOC does not sell your personal information as “sale” is defined under the CCPA – meaning we do not exchange your data for money with third parties for their independent use, and we do not knowingly share personal information of users under 16 years of age without affirmative authorization. If in the future our practices change such that we fall under CCPA’s definition of “selling” data, we will provide a clear opt-out (“Do Not Sell My Personal Information”) on our site. To exercise your California rights, you (or an authorized agent acting on your behalf) can submit a request to us through the contact methods provided. We may need to verify your Californian residency and identity. Once verified, we will disclose the required information or perform the deletion to the extent required by law. Note that some information we collect is exempt from CCPA (for example, information governed by other privacy laws like GLBA or HIPAA, or de-identified data), but we will explain any denial of deletion or access if it occurs. 
For transparency, in the last 12 months (and generally), we have collected the categories of information described in the “Information We Collect” section of this Policy (identifiers, characteristics, internet activity, etc.) from our users for the business and commercial purposes described in the “How We Use It” and “Sharing” sections, and we have disclosed certain categories of information to service providers (such as identifiers to our email or hosting providers, internet activity to our analytics providers, etc.) for our business purposes. This disclosure is not a “sale” under CCPA but rather falls under the exceptions for business purposes. We will update this notice if these practices change.

GDPR Rights (EU/UK): If you are in the European Economic Area (EEA) or United Kingdom (or in some cases, other countries with similar laws), the rights described in this section (access, rectification, erasure, restriction, objection, portability, consent withdrawal) are granted under the GDPR or UK privacy laws. AOC is the data controller for your personal information processed in connection with the Services (unless stated otherwise for specific integrations or third-party services). You also have the right to lodge a complaint with a data protection supervisory authority. If you believe we have infringed your data protection rights or processed your data unlawfully, you can complain to the supervisory authority in the country where you live, where you work, or where the issue took place. For example, in the UK you would contact the Information Commissioner’s Office (ICO); in France, the CNIL; in Germany, the applicable state DPA; and so on. We would appreciate the chance to address your concerns before you approach a regulator, so please consider reaching out to us first, and we will do our best to resolve the issue.

Exercising Your Rights: To exercise any of your rights or make requests regarding your personal data, please contact us using the information in the Contact section below. Specify which right you want to exercise and the scope of the request. You do not have to cite a law; just describe your request (for example, “I want a copy of my data” or “Please delete my account and data”). We will confirm receipt of your request and communicate with you through the process. If we need more information from you to process the request (for example, verification info), we will let you know. Once your identity is verified and the request is clarified, we will take appropriate action and reply with the results or confirmation. If we cannot fulfill part of your request, we will explain the reason (e.g., legal exemption or conflicting rights). We will not charge a fee for processing your request in most cases. However, if you make repetitive, excessive, or unfounded requests, we reserve the right as allowed by law to either charge a reasonable fee (based on administrative cost) or refuse the request with an explanation.

We are committed to empowering you with control over your personal information. Using our platform should be a choice you feel comfortable with, and part of that comfort comes from knowing you can inquire, change, or remove your data as you see fit. Please do not hesitate to reach out to us with any questions or concerns about your privacy rights.

Children’s Privacy

Our Services are not intended for children under the age of 13, and we do not knowingly collect personal information from children under 13 years old. If you are under 13, please do not register or provide any information about yourself to us. This is both to comply with laws like the U.S. Children’s Online Privacy Protection Act (COPPA) and because our platform is designed for those at stages of education or career typically above that age. We do not market to or knowingly invite children in this age group to participate on AOC.

If we learn that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete such information from our records. For example, if a 12-year-old registers using false information about their age, once discovered, we will remove their account and data.

If you are a parent or guardian and you become aware that your child under 13 has provided personal information to AOC, please contact us immediately. We will work with you to remove the information and terminate the child’s account if one exists. We may ask for proof of your relationship to the child (to ensure we are communicating with the rightful guardian) before processing such requests.

For minors aged 13 to 16: Our platform may be used by teenagers (for example, high school students seeking career or college advice). While we allow users under 18 to use the Services (with the understanding that the content is oriented towards education/career guidance), we strongly encourage such users to involve a parent or guardian in their use of AOC. If you are under 18, please review this Privacy Policy and our Terms of Service with your parent or guardian to make sure you understand them. We do not require parental consent for users 13 or older to register on our platform (except as required by specific local laws), but we expect all our users to be honest about their age and to use the platform responsibly.

Some jurisdictions provide additional rights regarding personal data of minors. For instance, California’s “Privacy Rights for California Minors in the Digital World” law allows registered under-18 users to request removal of content they have publicly posted. If you are a minor and have posted content on our site (e.g., a public testimonial or comment) that you cannot remove via normal means, you can contact us to request deletion of that content. Note that removal does not ensure complete erasure (for example, content that was re-posted by others or archived by search engines may persist).

In summary, AOC is not directed to young children, and we aim to prevent the collection of data from children under 13. We are committed to complying with applicable laws aimed at protecting children’s privacy. If you have any concerns about a child’s data, please contact us using the details in the Contact section, and we will address the issue.

Third-Party Links and Services

Our website and Services may contain links to websites, content, or services that are owned or operated by third parties. For example, Advisor profiles might include a link to their personal blog or LinkedIn profile, or our FAQ may reference external resources. Additionally, parts of our platform might integrate with third-party services (such as a scheduling widget or video chat tool as discussed). Please be aware that this Privacy Policy applies only to AOC’s own website and Services. Once you click a link to an external site or use a third-party service, you will be subject to that third party’s terms and privacy policy, not this one.

We do not control the content, security, or privacy practices of any third-party websites. For example, if you follow a link to an Advisor’s external blog, we have no say in how that blog collects or uses data about you. Similarly, if you use a third-party login feature or share content from AOC to a social network, those third parties may collect information based on your interaction. We cannot accept responsibility or liability for the privacy practices of these external sites or services, as we do not manage them.

We strongly encourage you to exercise caution and review the privacy policies of any third-party websites or services that you visit or utilize. This is a good practice whenever you leave one site for another, especially when you intend to provide personal information to the new site. If you discover a third-party link on our platform that you believe is malicious or improper, let us know and we will investigate and remove it if necessary.

In summary, when you leave AOC’s platform by clicking external links or enabling third-party integrations, this Privacy Policy no longer applies, and the handling of your data is governed by the third party. We include this section to remind you to stay informed and safe beyond our environment.

(Note: AOC may sometimes partner with trusted third parties or embed certain third-party content to enhance your experience. We will do our best to ensure these partners are reputable and have good privacy practices, but you should still review their policies. If you have questions about whether a particular feature of our site involves a third party, feel free to reach out to us.)

Changes to this Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other purposes. When we make changes, we will post the updated Privacy Policy on this page and update the “Last Updated” date at the top or bottom of the policy. Any modifications will become effective when posted (unless a later effective date is indicated). We encourage you to review this page periodically to stay informed about how we are protecting your information.

If we make any material changes to this Privacy Policy – particularly changes that affect your rights or how we use personal data – we will provide a more prominent notice. This may include, for example, a notification on our website’s homepage or dashboard, or an email to the address associated with your account, informing you of the upcoming changes. For instance, if we were to expand the types of personal data we collect or the ways we use it, we would let you know in advance so you can understand the implications.

Where required by law, we will also seek your consent to significant changes (for example, if a change would legally require new consent). Otherwise, your continued use of the Services after the updated Privacy Policy is posted will signify your acceptance of the changes. However, if you do not agree to the revised policy, you should discontinue use of our Services and may request us to delete your personal data.

In summary, we won’t surprise you with significant privacy changes without appropriate notice. We value the trust you place in us and will always strive to be transparent and upfront about how we handle your data.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please do not hesitate to contact us. We are here to help and address any issues you may have about your personal information.

You can reach our privacy team by email at support@adviceovercoffee.com. This is our primary contact for privacy-related matters. We monitor this inbox and will respond as promptly as possible, generally within a few business days.

Alternatively, you may contact us through the Contact Us page on our website (if you prefer to send a message through our site). If you write to us, please include sufficient detail about your question or request, including the email address associated with your account (if you have one), so that we can locate your information and respond appropriately.

Postal Mail:
Unit No: RET-R6-004
Detached Retail R6
Plot No: JLT-PH2-RET-R6
Jumeirah Lakes Towers
Dubai
United Arab Emirates

We are committed to resolving any complaints or disputes regarding privacy and the collection or use of personal data. If you contact us with a privacy concern, we will do our best to address it and find a satisfactory solution. For users in jurisdictions with formal complaint processes, as noted above, you also have the right to contact your local data protection authority.

Thank you for taking the time to read our Privacy Policy. We hope it has clarified how your information is handled in the Advice Over Coffee community. Your privacy is important to us, and we will continue working hard to protect it.

If anything remains unclear, or if you need any further information, please get in touch via the contact methods above. We appreciate your trust in AOC and look forward to supporting your career journey in a secure and private manner.