Trust Center
How we handle your money and your data
Last updated: July 4, 2026. Written in plain language on purpose — trust pages that need a lawyer to decode aren't trust pages.
Payments
- All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of payment-security certification. Card numbers go from your device to Stripe; they never touch our servers and we cannot see them.
- Checkout supports Apple Pay, Google Pay, cards and (where enabled) Klarna, all inside Stripe's secured checkout.
- Refunds for the 8-Week Protocol: reply to your Stripe receipt within 7 days. Processed through Stripe, back to your original payment method.
Data we hold (all of it)
- If you buy: your email, what you bought, and the amount — from Stripe's checkout record. Used for access recovery and refunds.
- If you join a waitlist or the quiz letter: your email and which list. One-click removal, actually deleted.
- If you just browse: anonymous page-view events (path, referrer, screen width). First-party only, no cookies for analytics, no fingerprinting, no third-party trackers on any content page.
Security posture
- TLS 1.2+ on every connection (HTTPS enforced, certificates auto-renewed).
- Hosted in the EU (Germany) on infrastructure we control; the application runs in an isolated container with least-privilege access.
- Program access uses signed, HttpOnly, Secure cookies; payment verification happens server-side against Stripe's API on every access grant.
- Secrets (API keys) are stored in environment files with restricted permissions, never in code or the browser.
- No third-party JavaScript on the site — no tag managers, no ad pixels, no CDN scripts. What runs in your browser is ours and minimal.
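One way the access pattern in the posture list (a signed, HttpOnly, Secure cookie, plus a server-side payment check on every grant) can be implemented, shown here as an added illustration and not as the site's own code. The secret key, the cookie name, the function names and the in-memory payment table that stands in for the Stripe API lookup are all assumptions made for the example; the point is that the cookie proves only who the holder is, while the decision to admit them is re-taken server-side from the payment record, so a refund revokes access even while the cookie is still valid.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumption: in a real deployment this comes from a restricted environment
# file, as the posture list describes; this constructed value is for the demo only.
SECRET_KEY = b"constructed-demo-secret-not-for-production"
COOKIE_NAME = "program_access"      # assumed cookie name
TTL_SECONDS = 7 * 24 * 3600         # assumed lifetime of an access grant

# Constructed stand-in for the server-side lookup against the payment provider.
# A refund or chargeback changes the status here, and every request re-checks it.
PAYMENT_STATUS = {"alice@example.com": "paid", "bob@example.com": "refunded"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_access_token(email: str, expires_at: int) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag over the exact bytes."""
    payload = json.dumps({"email": email, "exp": expires_at},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_access_token(token: str, now: int):
    """Return the claims if the tag matches and the token is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def payment_is_valid(email: str) -> bool:
    return PAYMENT_STATUS.get(email) == "paid"


def record_refund(email: str) -> None:
    PAYMENT_STATUS[email] = "refunded"


def grant_access(email: str, now: int):
    """Issue the Set-Cookie header value, or None if there is no valid payment."""
    if not payment_is_valid(email):
        return None
    token = sign_access_token(email, now + TTL_SECONDS)
    # HttpOnly keeps scripts away from the value, Secure restricts it to HTTPS,
    # SameSite=Strict stops it being sent on cross-site requests.
    return (f"{COOKIE_NAME}={token}; Max-Age={TTL_SECONDS}; Path=/program; "
            f"Secure; HttpOnly; SameSite=Strict")


def authorize_request(cookie_header: str, now: int):
    """Return the authorised email for a request, or None if it must be refused."""
    cookies = dict(part.strip().split("=", 1)
                   for part in cookie_header.split(";") if "=" in part)
    token = cookies.get(COOKIE_NAME)
    if not token:
        return None
    claims = verify_access_token(token, now)
    if claims is None:
        return None
    # The signature only proves the cookie is ours; entitlement is re-checked live.
    if not payment_is_valid(claims["email"]):
        return None
    return claims["email"]


if __name__ == "__main__":
    now = 1_700_000_000
    header = grant_access("alice@example.com", now)
    print("Set-Cookie:", header)
    token = header.split(";")[0].split("=", 1)[1]
    print("authorised as:", authorize_request(f"{COOKIE_NAME}={token}", now + 10))
```

The two failure modes worth noticing are the ones a cookie on its own cannot handle: a forged or edited token fails the tag check without the server ever parsing the claims, and a refunded customer is turned away on the next request because entitlement is read from the payment record rather than from the cookie.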
Your rights (GDPR & beyond)
Access, correction, export or deletion of anything we hold: email club@hipdips.co. We answer within 30 days, usually within one. This applies to everyone, not just EU residents.
Compliance status, stated honestly
We are a small company. We do not currently hold a SOC 2 attestation or ISO 27001 certificate, and we won't imply otherwise with badge-wall theater. What we do instead: run on audited providers (Stripe for everything payment-related), collect radically little, and operate a written security framework aligned with SOC 2's Trust Services Criteria as we grow into a formal audit. Found a vulnerability? club@hipdips.co — we respond fast and credit researchers who want it.