NASBA sponsorship pending. Courses are currently provided for informational purposes only and do not yet qualify for CPE credit.
CPE Zone

Legal

Privacy Policy

Last updated: June 17, 2026

1. Who we are

CPE Zone ("CPE Zone," "we," "us") operates this nano continuing professional education platform for finance and accounting professionals. This Privacy Policy explains what personal data we collect, why we collect it, how we store it, and the limited circumstances in which we share it. By creating an account or otherwise using the service, you agree to this Policy and to our Terms & Conditions.

2. Data we collect

We collect only what we need to provide CPE, issue compliant certificates, and improve the product.

  • Account & identity data — name, email, professional headline, profile photo, LinkedIn profile URL, and (if you provide them) professional credentials, license state and number, and NASBA Registry ID. Sign-in is delegated to LinkedIn OAuth; we receive only the fields you consent to share.
  • Learning records — course enrollments, slide progress, server-side seat-time events, assessment attempts and scores, completion timestamps, certificate numbers, and CPE credits earned.
  • Content you submit — if you are a content creator or admin, the courses, slides, narration scripts, and assessment questions you author.
  • Integration tokens — when you connect LinkedIn for publishing, we store the OAuth access token and its expiration time so we can post on your behalf. Tokens are not returned to your browser after they are stored.
  • Technical & usage data — IP address, browser/user-agent, log timestamps, and basic event analytics used to operate, secure, and improve the service.

3. How we use your data

  • Provide the service: authenticate you, deliver courses, run assessments, and award CPE credit.
  • Issue NASBA-style certificates of completion and maintain the records required for sponsor compliance.
  • Publish content to your LinkedIn account, but only at your explicit request and within the scopes you granted.
  • Operate, secure, and debug the platform (rate-limiting, fraud prevention, error monitoring).
  • Communicate service announcements and respond to your support requests.

We do not sell your personal data. We do not use your learning records or content for advertising and we do not train third-party advertising models on your data.

4. Legal bases (EEA/UK users)

We rely on (i) performance of a contract with you to deliver the service, (ii) your consent for optional integrations such as LinkedIn publishing, (iii) our legitimate interest in operating and securing the platform, and (iv) compliance with legal and regulatory record-keeping obligations applicable to CPE sponsors.

5. How and where we store data

Application data is stored in a managed PostgreSQL database operated by our hosting provider, with Row-Level Security policies that restrict each row to the authenticated user it belongs to (with limited admin and content-creator access scoped to the courses they own). Data is encrypted in transit (TLS) and at rest. Database backups are encrypted and retained on a rolling basis by the hosting provider. Audio narration files are stored in private object storage and served via short-lived signed URLs. Generated certificates are produced on demand and are not stored as files; the underlying completion record is retained.

6. Service providers (sub-processors)

We use a small set of vetted providers to operate the service. Each is bound by a written agreement and processes data only on our instructions.

  • Hosting, database, auth, storage — our cloud backend provider.
  • LinkedIn — identity (sign-in) and, at your request, publishing.
  • ElevenLabs — text-to-speech generation of slide narration from instructor-authored scripts. Narration scripts are sent for synthesis; voice clones are not created from your data.
  • AI model providers (Lovable AI Gateway) — assist content creators with lesson-plan drafting. Prompts authored by content creators may be sent for completion; learner personal data is not sent.

7. Sharing with third parties

We share personal data only: (a) with the sub-processors above to operate the service; (b) when you direct us to (e.g., publishing to LinkedIn, sharing a certificate); (c) to comply with law or valid legal process; or (d) to protect the rights, safety, and property of CPE Zone, our users, or the public. In the event of a merger or acquisition, data may transfer to the successor entity subject to this Policy.

8. Retention

Account data is retained while your account is active. CPE completion records and certificates are retained for at least five (5) years after the date of completion to satisfy NASBA QAS Nano Learning sponsor record-keeping requirements, even if you delete your account. Other data is deleted within a reasonable period after it is no longer needed, subject to legal obligations.

9. Your rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, to withdraw consent, and to object to or restrict certain processing. To exercise these rights, contact us using the address below. We will respond within the timeframes required by applicable law.

10. Children

The service is intended for working professionals and is not directed to children under 16. We do not knowingly collect data from children.

11. International transfers

Our infrastructure may process data in jurisdictions other than your own, including the United States. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses).

12. Security

We implement administrative, technical, and physical safeguards designed to protect personal data, including least-privilege access controls, row-level security in the database, encrypted transport and storage, server-side validation of CPE completion, and audit logging. No system is perfectly secure; please use a strong, unique password on your LinkedIn account and notify us promptly of any suspected unauthorized access.

13. Business Associate Agreement (HIPAA)

CPE Zone is not designed for the processing of Protected Health Information (PHI). If your organization needs to exchange data that constitutes PHI under HIPAA in connection with the service, contact us to execute our standard Business Associate Agreement before any PHI is transmitted to the platform.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced in-product or by email. Continued use of the service after a change takes effect constitutes acceptance of the updated Policy.

15. Contact

Questions or requests: admin@cpezone.com.