Security & Trust Centre · Pyyrah+
Security & Trust

How we protect your data.

Pyyrah+ is run on third-party infrastructure that handles payments, hosting, and email. Here’s exactly what each one does, what data they see, and how we protect everything else.

TLS 1.2+ everywhere · Stripe-handled payments · UK & EU GDPR compliant

01 Payments

How payments are handled.

Pyyrah+ uses Stripe as its payment processor for course purchases. Card data never touches Pyyrah+ infrastructure.

When you check out, you’re redirected to Stripe’s hosted checkout page. Your card details are entered directly into Stripe’s systems · we never see, store, or transmit them. The only information we receive back is a transaction ID, the amount, your email, and (where required) your billing country for tax purposes.

What Stripe handles for us

  • Card and payment-method capture · all sensitive payment data lives inside Stripe
  • PCI DSS Level 1 compliance · the highest level in the Payment Card Industry Data Security Standard
  • 3D Secure (SCA) authentication where required by your card issuer or the EU PSD2 regulations
  • Fraud detection and risk scoring on every transaction (Stripe Radar)
  • Sales-tax calculation and remittance where required by jurisdiction (EU OSS, US states, etc)

What Pyyrah+ stores after a payment

  • Your email address · so we can send you the receipt, the welcome email, and product updates
  • A Stripe customer ID · so we can match payments to your account without storing card data
  • Order metadata · product, price, currency, transaction ID, timestamp
  • We do not store full card numbers, CVV codes, or expiry dates · those live only in Stripe

Stripe’s detailed security documentation is at stripe.com/docs/security. Pyyrah+ inherits the compliance posture of the processor for all card-data handling.

02 Data protection

How we protect data we do hold.

Most of what we hold is straightforward · email addresses, account details, course progress. Here’s how it’s stored and who can reach it.

Encryption

  • In transit · all browser-to-server traffic served over TLS 1.2 or higher, with HSTS enforced and modern cipher suites only
  • At rest · personal data stored by our hosting and email providers is encrypted at rest using AES-256 (the standard each provider applies to all customer data)
  • Passwords are never stored in plaintext · they’re hashed with a salted one-way function by the platform that holds them

Access control

  • Least-privilege · staff only get access to the systems and data they need to do their job
  • Two-factor authentication required on every admin account · email, hosting, payment processor, analytics
  • Credentials are rotated when staff leave or when there’s any reason to suspect compromise
  • Vendor access logs reviewed periodically for unusual activity

Data retention

We keep your account data while you’re an active Pyyrah+ member and for a defined period after, then delete or anonymise it. Specific retention windows are documented in the Privacy Policy. You can request earlier deletion at any time by emailing Privacy@pyyrahplus.com.

Backups

Production data is backed up regularly by our hosting providers (WordPress.com, Stripe, Klaviyo, Google). We rely on the providers’ backup schedules and restoration procedures rather than running our own backup infrastructure on top.

03 UK & EU GDPR

Our privacy & compliance posture.

Pyyrah Limited is registered in England & Wales. We apply UK GDPR & EU GDPR standards to every user worldwide, not just those in the UK or EU.

  • Data controller: Pyyrah Limited (trading as Pyyrah+), Company No. 12176473
  • Registered office: 27 Old Gloucester Street, London WC1N 3AX, United Kingdom
  • Supervisory authority: UK Information Commissioner’s Office (ICO)
  • Privacy contact: Privacy@pyyrahplus.com
  • Lawful basis: Contract (your Pyyrah+ purchase) · consent (marketing emails) · legitimate interest (analytics, security)
  • International transfers: Standard Contractual Clauses (SCCs) where data leaves the UK / EEA

Your rights under UK & EU GDPR

  • Access · request a copy of the personal data we hold about you
  • Rectification · correct any inaccurate or incomplete data
  • Erasure · ask us to delete your data (subject to legal retention obligations)
  • Restriction · pause our processing in specific circumstances
  • Portability · receive your data in a machine-readable format
  • Objection · object to processing for direct marketing or based on legitimate interest
  • Withdrawal of consent · revoke consent at any time, for any future processing
  • Complaint · lodge a complaint with the ICO (UK) or your local supervisory authority (EU)

To exercise any of these rights, email Privacy@pyyrahplus.com. We respond within 30 days, free of charge in standard cases.

For technical detail on processing terms when you act as a data controller using Pyyrah+, see the Data Processing Agreement.

04 Sub-processors

Who else touches your data.

We rely on third-party providers for hosting, payment, email, and analytics. The list is fully published and kept current.

8 sub-processors · all named, all linked
Stripe · Shopify · WordPress.com / Automattic · Klaviyo · Google Workspace & Drive · Google Analytics · Meta Pixel · WhatsApp. Region, data categories, and privacy policy for each.

05 Incident response

What happens if there’s a breach.

No system is incident-proof. What matters is how quickly we detect, contain, and tell you.

Our commitments under UK GDPR

  • Notification to the UK Information Commissioner’s Office (ICO) within 72 hours of confirming a personal-data breach that meets the reporting threshold (UK GDPR Article 33)
  • Notification to affected users directly · by email, without undue delay · when the breach is likely to result in a high risk to your rights and freedoms (UK GDPR Article 34)
  • A clear description of what happened, what data was affected, what we’re doing about it, and what (if anything) we recommend you do

What we won’t do

  • Bury a security incident in a quiet legal update or a footer link
  • Wait for press attention before acknowledging an issue
  • Send a vague "we may have been affected" email without specifics

If you suspect your Pyyrah+ account has been compromised, change your password immediately and email Support@pyyrahplus.com. We’ll review the account activity and help you secure it.

06 For members

Securing your Pyyrah+ account.

Most account compromises happen at the user end · weak passwords, reuse across sites, phishing. These habits prevent most of it.

  • Use a strong, unique password · ideally generated by a password manager (1Password, Bitwarden, iCloud Keychain). Don’t reuse a password you use anywhere else
  • Don’t share your login · Pyyrah+ is one account per person. Sharing credentials breaches the Acceptable Use Policy
  • Check the sender on any email asking you to log in. Legitimate Pyyrah+ email comes from @pyyrahplus.com · never @pyyrah-plus.com, @pyyrah.support, or similar
  • If something feels off · pause and email Support@pyyrahplus.com directly, typing the address yourself rather than following a link in the suspicious email
  • Don’t enter your Pyyrah+ password on any page that isn’t hosted at pyyrahplus.com. We’ll never ask you to log in via a third-party form
RESPONSIBLE DISCLOSURE

Found a security issue? Tell us.

If you’ve found a vulnerability in Pyyrah+, email security@pyyrahplus.com with as much detail as you can. We’ll acknowledge within 2 business days, work through it with you, and credit you (with permission) once it’s fixed. Please don’t publish details publicly until we’ve had a reasonable window to remediate.

Acknowledged in 2 business days · Credit on request once remediated · No legal action for good-faith research
Last updated: 14 May 2026 · Reviewed quarterly & on material change