How We Handle Your Data, Your Money, and Your Privacy
No tracking pixels. No data selling. No surveillance theater. Just the actual security architecture — and what we don't do.
We Never See Your Card
Stripe handles all billing. We never touch your payment data at any point in the transaction.
What we see
- Your email address
- Your name (what you give us)
- Purchase amount and date
What we never see
- Card number
- CVV / security code
- Billing address
- Card expiry date
Stripe is PCI DSS Level 1 certified — the highest level of payment security certification available.
Your Password Is Not Recoverable Even By Us
We don't store your password. We store a one-way hash — meaning there is no "decrypt and retrieve" operation available, to anyone.
PBKDF2 with 100,000 iterations via the Web Crypto API. Even if our database leaked, brute-forcing the hashes would take centuries at modern hardware speeds.
JWT session cookies with HttpOnly, Secure, and SameSite=Lax flags. They expire after 30 days. JavaScript on the page cannot read them.
We don't offer "Sign in with Google" or "Sign in with Facebook." We don't want them knowing you're here either.
What We Don't Track
- No Google Analytics
- No Facebook Pixel
- No tracking pixels on member pages — logged-in routes are pixel-free
- No third-party advertising cookies
- No session recording (Hotjar, FullStory, or equivalent)
- Self-hosted Plausible analytics — cookie-free, GDPR-compliant, served from our own domain at applause.dominant-guide.com
- Server-side purchase events — only on confirmed purchases, no per-page profile building
- UTM capture for source attribution — first-touch only, deleted after 30 days
What's In Your Subscriber Profile
We use Kit.com (formerly ConvertKit) to manage our email list. Here's the complete picture of what that profile contains:
- Email address
- First name — if you chose to provide it
- Subscriber tags showing which content interests you (e.g. quiz result, purchased products)
That's it. No demographic profiling. No inferred attributes. No shared lists. No data sold to third parties for any reason.
You can request a full data export or request deletion at hello@dominant-guide.com. We process both within 5 business days.
Edge-Hardened by Default
The site runs on Cloudflare Pages with hardened HTTP headers on every response. None of this requires you to configure anything — it's baked in.
- Strict-Transport-Security: max-age=15552000 — browsers enforce HTTPS for 6 months, even if you type the URL manually
- Content-Security-Policy: strict policy blocking unauthorized scripts, styles, and resource origins
- X-Frame-Options: DENY — this site cannot be embedded in an iframe on another domain
- Referrer-Policy: strict-origin-when-cross-origin — we don't leak full URLs to third-party services
- Cloudflare DDoS: enterprise-grade DDoS mitigation at the edge before traffic reaches our origin
- TLS 1.3: all routes served over TLS 1.3 — the latest and most secure transport protocol
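One way to check the header values listed above, together with the session cookie flags described in the password section, against a response. This is an added example, not the site's own code; the function names, the sample header values (including the CSP string) and the assumption that cookie lifetime is set with Max-Age are illustrative.

```javascript
// Added example (not the site's own code): audit response headers and the
// session cookie against the values this page states.
const EXPECTED = {
  'strict-transport-security': v => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= 15552000; // 180 days, as stated
  },
  'content-security-policy': v => v.trim().length > 0, // presence only
  'x-frame-options': v => v.trim().toUpperCase() === 'DENY',
  'referrer-policy': v => v.trim().toLowerCase() === 'strict-origin-when-cross-origin',
};

// headers: plain object of name -> value; names are matched case-insensitively.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const findings = [];
  for (const [name, ok] of Object.entries(EXPECTED)) {
    if (!(name in lower)) findings.push(`missing ${name}`);
    else if (!ok(lower[name])) findings.push(`weak ${name}: ${lower[name]}`);
  }
  return findings;
}

// setCookie: one Set-Cookie header value. Assumption: lifetime is set with Max-Age.
function auditSessionCookie(setCookie) {
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  const findings = [];
  if (!attrs.includes('httponly')) findings.push('missing HttpOnly');
  if (!attrs.includes('secure')) findings.push('missing Secure');
  if (!attrs.includes('samesite=lax')) findings.push('SameSite is not Lax');
  const maxAge = attrs.find(a => a.startsWith('max-age='));
  if (maxAge && Number(maxAge.slice(8)) > 30 * 86400) findings.push('Max-Age over 30 days');
  return findings;
}

// Constructed sample inputs (not captured from the live site).
const goodHeaders = {
  'Strict-Transport-Security': 'max-age=15552000',
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};
const weakHeaders = { 'Strict-Transport-Security': 'max-age=300', 'X-Frame-Options': 'SAMEORIGIN' };
const goodCookie = 'session=placeholder; HttpOnly; Secure; SameSite=Lax; Max-Age=2592000; Path=/';
console.log(auditHeaders(goodHeaders), auditHeaders(weakHeaders), auditSessionCookie(goodCookie));
```

The CSP check only confirms the header is present, because the page does not publish the policy itself.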
30-Day No-Questions Refund
Bought the 21-Day Dominance Challenge and it didn't deliver? Reply to your welcome email within 30 days. We refund. We don't ask why.
The button doesn't disappear after day 1. The window doesn't quietly expire. Reply to any email we've sent you and say the word.
Learn About the 21-Day Challenge
The Lines We Won't Cross
- We won't sell your data. Not to advertisers. Not to data brokers. Not to AI training companies. Not to anyone.
- We won't add tracking pixels to member-only pages. What you consume behind the login stays between you and us.
- We won't email-bomb you. Unsubscribe is one click. We honor it instantly — no re-subscribing you, no "final offer" loop.
- We won't quietly sunset your account. If we ever shut down, you get 90 days' notice and a data export before anything goes dark.
- We won't change these promises without telling you in writing. If this page changes materially, we notify our list first.
Questions about security or data?
hello@dominant-guide.com
Linus replies personally within 48 hours.