Privacy Policy
Last updated July 2026
We take privacy seriously. This policy explains what personal data we collect, why, how long we keep it, and your rights under UK GDPR.
1. Who is the data controller
LIMITLESS is the data controller for personal data processed through this platform. Contact us via the LIMITLESS Discord server.
2. What we collect and why
We collect the following categories of personal data:
Account data (from Discord)
- Your Discord ID, username, display name, email address, and avatar URL.
- Your Discord server roles (to determine access tier).
- Legal basis: performance of our contract with you.
Usage data
- Pages and videos you visit, with timestamps;
- Your IP address on every video playback (used for anti-piracy concurrent-session detection and audit);
- Browser user-agent (used to enforce desktop-Chrome-only playback);
- Security events: PrintScreen detection, Developer Tools detection, focus-loss events;
- Your rank changes and badges.
- Legal basis: our legitimate interest in protecting the educational content from piracy, plus performance of contract.
Content you submit
- Homework submissions and assignment files (stored in Cloudflare R2);
- Trade journal entries, screenshots, notes, and statistics;
- Daily journal entries and photos;
- Nutrition log entries;
- Habits, goals, and comments.
- Legal basis: performance of contract.
Watermarking
Every video stream is overlaid with a per-viewer watermark that includes your display name, email address, and IP address. This is visible only to you during playback and exists to deter piracy.
3. Cookies
We use only strictly necessary cookies — the session cookie issued by NextAuth to keep you signed in, and supporting CSRF cookies. We do not use analytics, advertising, or tracking cookies. No cookie banner is required for strictly necessary cookies under UK PECR.
4. Who we share data with
We share data only with these processors:
- Discord — for authentication and role checks (your Discord ID is sent on every login);
- Cloudflare R2 — for video, image, and document storage;
- Neon — for our PostgreSQL database;
- Vercel — for hosting and serverless function execution.
We do not sell or rent your personal data to anyone. We do not use it for advertising. We do not share trading P&L, journal entries, or screenshots with other members — admins can access this data solely for support, moderation, and homework review.
5. International transfers
Our processors may store data in the EU, UK, or US. Where data leaves the UK/EEA, the transfer is covered by appropriate safeguards (such as UK IDTA, Standard Contractual Clauses, or adequacy decisions).
6. How long we keep your data
- Account, journal, and progress data: until you delete your account, after which we erase it within 30 days.
- Watch logs and security incidents: retained for 12 months for anti-piracy purposes, then deleted.
- Admin audit logs: retained for 24 months.
- Anonymised aggregate statistics may be retained indefinitely.
7. Your rights under UK GDPR
You have the right to:
- Access a copy of the personal data we hold about you;
- Rectify inaccurate data;
- Erase your data (the “right to be forgotten”);
- Restrict or object to processing in certain circumstances;
- Data portability — receive your data in a machine-readable form;
- Withdraw consent at any time where processing is based on consent.
You can exercise the right to erasure immediately by visiting your /account page and clicking “Delete my account” — this removes your data from our database and storage within 30 days. For other requests, contact us via the LIMITLESS Discord server.
If you believe we have mishandled your data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
8. Security
We use industry-standard security: HTTPS everywhere, signed-URL access to video files with short expiry, password-less Discord OAuth (no passwords stored), session cookies marked HttpOnly + Secure + SameSite, and least-privilege admin access. No system is perfectly secure; in the event of a personal data breach affecting you, we will notify you and the ICO within 72 hours as required by UK GDPR.
9. Changes to this policy
Material changes to this policy will be announced via the platform and Discord server. Continued use after changes take effect constitutes acceptance.