Top 10 Dev Training

Privacy Policy

How Top 10 Dev Training collects, uses, and protects your information.

Last updated: April 2026

Here's what you should know

  • We only collect what the product needs. No tracking pixels, no behavioral profiles, no advertising data.

  • Your employees' data belongs to your company. We process it on your behalf to deliver the service. That's the relationship.

  • We use five vendors to operate the service: Netlify for hosting, Supabase for the database and authentication, Stripe for payment processing, ZeptoMail (Zoho) for transactional email, and PostHog for product analytics. If you choose social sign-in, GitHub or Google additionally acts as your identity provider. That's the complete list.

  • We don't sell your data. Not to data brokers, advertisers, or anyone else.

  • You can ask us to delete your data at any time. Email admin at top10devtraining dot com and we'll handle it.

1. Who We Are

Top 10 Dev Training is a security awareness training platform that helps development teams learn and attest to the OWASP Top 10. The service is operated by Top 10 Dev Training ("we," "us," "our"). For questions about this policy, contact admin at top10devtraining dot com.

2. What We Collect and Why

Data | Purpose
Email address and full name | Account creation, login, and identity
Training progress and quiz scores | Core product functionality
Attestation timestamps | Compliance record-keeping for your organization
Company name and domain | Multi-tenant account management and isolation
Session and analytics cookies | Maintaining your login session and product analytics (PostHog)
Page views and navigation events | Product analytics via PostHog, used to understand how the product is used and improve it. Not used for advertising.
OAuth provider identity (GitHub or Google) | Email address and display name only, returned by the OAuth provider if you choose social sign-in. Not collected if you use email and password.

We do not collect or store payment card data. Payment information is entered directly into Stripe's hosted interface and processed entirely by Stripe. We receive only a purchase status and customer identifier in return.

3. Legal Basis for Processing

We process personal data on the basis of contractual necessity (to deliver the service you signed up for) and legitimate interest (to maintain security, prevent abuse, and improve the product). We do not rely on consent for core processing, but you may withdraw from the service at any time by requesting account deletion.

4. How We Use Your Information

  • Deliver training content and track completion
  • Generate compliance reports and attestation records for your organization
  • Authenticate users and maintain session security
  • Respond to support requests
  • Detect and prevent abuse or unauthorized access
  • Analyze product usage patterns to improve the platform. We use PostHog for this purpose. Data collected includes page views, navigation events, and your account identifier. It is not used for advertising.

We do not use your data to train machine learning models, run advertising, or build profiles for sale to third parties.

5. Data Sharing and Subprocessors

We do not sell personal data. We share data only with the vendors required to operate the service:

Vendor | Role | Data shared | Location
Netlify | Application hosting and content delivery | Standard web request metadata (IP address, browser headers) | U.S.
Supabase (on AWS) | Database, authentication, and session management | All account and training data listed in Section 2 | U.S.
Stripe | Payment processing | Company name, billing email, and purchase history. Payment card data is entered directly in Stripe's interface and never touches our servers. | U.S.
ZeptoMail (Zoho) | Transactional email delivery (invitations, course notifications); password reset emails are delivered separately by Supabase | Recipient email address and message content for each transactional email sent | U.S.
PostHog | Product analytics | Supabase user ID, email address, page URLs visited, and navigation events | U.S. (us.i.posthog.com)
GitHub (Microsoft) | Optional OAuth identity provider | If you sign in with GitHub, GitHub shares your verified email address and display name with us | U.S.
Google | Optional OAuth identity provider | If you sign in with Google, Google shares your verified email address and display name with us | U.S.

Each vendor is contractually bound to process data only as directed by us and in accordance with applicable privacy law. We use one analytics service, PostHog, for product improvement only. We do not use advertising networks or data broker services. GitHub and Google OAuth are optional sign-in methods. If you register or sign in with email and password, no data is shared with those providers. We may also disclose data when required by law, legal process, or to protect the rights and safety of our users.

6. Cookies and Tracking

We use three categories of cookies:

Session cookies (necessary): Set by Supabase to maintain your authenticated session. These are required for the product to function. They are scoped to this domain, expire when your session ends, and are replaced whenever your session token is refreshed.

Analytics cookies (PostHog): We use PostHog to understand how the platform is used. PostHog sets cookies in your browser to track page views and session continuity across visits. Data collected includes the pages you visit, navigation patterns, and your account identifier (Supabase user ID and email). This data is sent to PostHog's U.S. cloud infrastructure at us.i.posthog.com. It is used exclusively for product improvement and is not shared with advertisers or data brokers.

Partner referral cookie: If you arrive at the site via a referral link (a URL containing ?ref=CODE), we set a partner_ref cookie that persists for 30 days. This records which referral partner introduced you to the platform and is used solely to attribute new registrations to the correct partner. It is not used for advertising or cross-site tracking.

We do not use advertising cookies, tracking pixels, or any cookies for cross-site behavioral profiling.

7. Data Retention

We retain your data for as long as your account is active. If your company account is closed, data may be retained for up to 60 days for billing reconciliation and audit continuity, after which it will be permanently deleted. You may request earlier deletion at any time.

8. Your Rights (U.S. Residents)

Depending on the state where you reside, you may have certain rights regarding your personal data:

  • The right to access the personal data we hold about you
  • The right to request correction of inaccurate data
  • The right to request deletion of your data
  • The right to opt out of certain data uses

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what categories of data are collected, the right to opt out of sale (we do not sell data), and the right to non-discrimination for exercising your rights.

To exercise any of these rights, email admin at top10devtraining dot com. We will respond within 30 days.

If you are located in the European Union or United Kingdom, you have additional rights under GDPR and UK GDPR, including the right to object to processing based on legitimate interests and the right to data portability. Contact us at the address above to exercise these rights.

9. Children's Privacy

This service is intended for use by working professionals and is not directed at children under the age of 18. We do not knowingly collect data from minors. If you believe we have inadvertently collected data from a minor, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify account administrators by email before the changes take effect. The "last updated" date at the top of this page reflects the most recent revision.

11. Contact

Privacy questions, data requests, or concerns: admin at top10devtraining dot com. We respond to all privacy inquiries personally.