Edufy Privacy Policy
Last Updated: October 2025
We respect your privacy and are committed to protecting your personal data.
Introduction
At Edufy, we understand that your personal data is important and we take our responsibility to protect it seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our learning platform and services.
By accessing or using Edufy, you agree to this Privacy Policy. If you do not agree with our policies and practices, please do not use our services. We may update this policy from time to time, and we will notify you of any significant changes.
Data We Collect
We collect various types of personal and non-personal data to provide and improve our services. This includes:
- Identity Data: Full name, username, date of birth, gender, profile picture, government-issued ID (for verification purposes)
- Contact Data: Email address, phone number, mailing address (for certificate delivery), emergency contact information
- Technical Data: IP address, browser type and version, operating system, device information (model, unique identifiers), network information, crash reports
- Usage Data: Pages visited, features used, time spent, clickstream data, search queries, session recordings (for UX improvement), heatmaps
- Profile Data: Interests, preferences, feedback responses, survey answers, learning style assessments
- Financial Data: Payment card details (processed securely via PCI-compliant providers), billing address, transaction history, subscription details
- Academic Data: Test scores, course progress, assignment submissions, quiz results, completion certificates, learning analytics (time per question, accuracy trends)
- Behavioral Data: Interaction patterns with tutors, response times, engagement metrics, participation in discussions
- Performance Data: Skill assessments, strengths/weaknesses analysis, improvement tracking over time
- Biometric Data: Facial recognition data (for identity verification during proctored exams) stored temporarily and securely deleted after verification
We collect this data through various means including: direct interactions (when you register, use our services, or contact us), automated technologies (cookies, server logs), and third parties (payment processors, analytics providers, educational institutions).
How We Use Your Data
We process your personal data lawfully, fairly and transparently for specific purposes:
- Service Delivery: To create and manage your account, authenticate access, process payments, deliver courses, provide learning materials, and facilitate communication between students and tutors
- Personalization: To tailor content recommendations, adjust difficulty levels, suggest study paths, and customize the interface based on your learning preferences and history
- Analytics & Improvement: To analyze usage patterns, measure engagement, identify technical issues, test new features, and enhance overall platform performance and educational effectiveness
- Academic Integrity: To verify student identity during exams, detect potential cheating, and maintain assessment validity through proctoring technologies
- Support & Communication: To respond to inquiries, provide technical assistance, send service notifications, deliver important updates about your account or courses
- Research & Development: To study learning patterns, develop new educational methodologies, improve our AI algorithms, and contribute to pedagogical research (data anonymized where possible)
- Legal Compliance: To meet regulatory requirements, respond to lawful requests from authorities, enforce our terms of service, and protect against fraudulent or illegal activities
- Marketing: To inform you about relevant courses, promotions, or educational opportunities (only with your explicit consent where required by law)
- Performance Tracking: To generate progress reports, provide feedback on learning outcomes, and suggest areas for improvement based on your performance metrics
We process this data under one or more legal bases including: contract performance (when providing services you requested), legitimate interests (for platform improvement and security), legal obligations, and in some cases your explicit consent (for marketing communications or sensitive data processing).
Data Security
We employ state-of-the-art security measures to protect your data:
- Encryption: All data is encrypted both in transit (using TLS 1.2+ protocols) and at rest (AES-256 encryption for stored data)
- Access Controls: Strict role-based access policies with multi-factor authentication for all staff, regular access reviews, and enforcement of the principle of least privilege
- Infrastructure Security: Hosted on ISO 27001 certified cloud providers with regular vulnerability scanning, intrusion detection systems, and DDoS protection
- Data Minimization: We only collect data necessary for specified purposes and retain it only as long as needed (maximum 5 years unless legally required otherwise)
- Security Testing: Regular penetration testing by independent security firms, bug bounty program, and continuous monitoring for vulnerabilities
- Incident Response: Documented breach notification procedures that comply with GDPR and other regulations, with a 72-hour notification window for significant breaches
- Employee Training: Mandatory privacy and security training for all staff with annual refreshers and role-specific additional training
- Physical Security: Data centers with biometric access controls, 24/7 surveillance, and environmental protections against fire/flood
While we implement these robust measures, no system is 100% secure. We recommend you use strong passwords, enable two-factor authentication, and be cautious about sharing account credentials. In the unlikely event of a data breach, we will notify affected users promptly in accordance with applicable laws.
Your Rights
Under data protection laws, you have rights including:
- Access: Request copies of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your personal data
- Restriction: Request limitation of processing your data
- Portability: Request transfer of your data to another organization
- Objection: Object to processing of your personal data
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes we collected it for, including legal, accounting, or reporting requirements. Inactive accounts are deleted after 24 months of inactivity.
Third-Party Data Sharing
We disclose personal data only when necessary and with appropriate safeguards:
- Service Providers: Carefully vetted partners who process data on our behalf under strict contractual terms (Data Processing Agreements) including:
  - Payment processors (Stripe, PayPal) for secure transaction handling
  - Cloud infrastructure providers (AWS, Google Cloud) for data hosting
  - Customer support platforms (Zendesk) for ticket management
  - Analytics services (Google Analytics, Amplitude) for usage tracking
  - Email service providers (SendGrid) for communications
  - Proctoring services (ProctorU) for exam supervision
- Academic Partners: Universities or certification bodies only when you explicitly request score reporting or credential verification
- Legal Requirements: When compelled by law enforcement, court order, or regulatory authorities through proper legal channels
- Business Transfers: In case of merger, acquisition, or asset sale, with notice and continuation of privacy protections
- Anonymized Data: Aggregated, non-identifiable data may be shared with researchers or for marketing our services
We conduct thorough due diligence on all third parties and ensure they meet our security standards. International transfers (outside your home country) only occur with appropriate safeguards like EU Standard Contractual Clauses or Privacy Shield certification. A complete list of subprocessors is available upon request.
International Transfers
Your data may be transferred to and processed in countries outside of your own. We ensure all transfers comply with applicable data protection laws and implement appropriate safeguards like standard contractual clauses.
Contact & Complaints
For any privacy-related inquiries or to exercise your rights, contact our Data Protection Officer at:
You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.