Data Protection Policy

How Keduka Cognitive Service LLC safeguards personal data processed through the Keduka AIsCool platform. As a core principle, we actively avoid collecting personal data.

Last updated: February 2026

1. Purpose and Scope

This policy applies to all personal data processed by the Platform, including data belonging to:

  • Learners (including minors aged 13–17 with parental consent)
  • Educators and content creators
  • Institutional administrators
  • Platform visitors

It covers data collected through the Platform, associated APIs, AI services, and any affiliated tools or communication channels.

2. Data Protection Principles

We process personal data in accordance with the following principles:

  • Lawfulness, fairness, and transparency — Data is processed lawfully, with clear communication to users about how their data is used.
  • Purpose limitation — Data is collected for specified, explicit, and legitimate purposes and not processed in ways incompatible with those purposes.
  • Data avoidance and minimization — We actively avoid collecting personal data. Where collection is necessary, we gather only the minimum required for the stated purpose.
  • Accuracy — We take reasonable steps to ensure personal data is accurate and kept up to date.
  • Storage limitation — Data is retained only for as long as necessary to fulfil its purpose or meet legal obligations.
  • Integrity and confidentiality — Data is protected against unauthorized access, loss, destruction, or damage through appropriate technical and organizational measures.
  • Accountability — We maintain records and controls to demonstrate compliance with these principles.

3. Lawful Basis for Processing

We process personal data under the following legal bases:

Lawful Basis | Examples
Contract | Account creation, service delivery, subscription management, content monetization
Consent | Marketing communications, optional analytics, AI model improvement contributions
Legitimate interest | Platform security, fraud prevention, service improvement, usage analytics
Legal obligation | Tax records, regulatory reporting, law enforcement requests
Vital interest | Safeguarding minors from harm on the Platform

Where processing is based on consent, you may withdraw consent at any time through your account settings or by contacting us at privacy@keduka.com.

4. Data Classification

We classify data into the following categories to apply appropriate protection measures:

4.1 Public Data

  • Published course content and learning materials
  • Public profile information (display name, avatar, bio)
  • Shared AI agent configurations

4.2 Internal Data

  • Aggregated and anonymized usage analytics
  • Platform performance metrics
  • Non-personally identifiable research data

4.3 Confidential Data

  • Account credentials and authentication tokens
  • Email addresses and contact details
  • Learning progress and assessment records
  • Payment and billing information
  • AI agent training data and configurations
  • Support communications

4.4 Restricted Data

  • Passwords and security keys (stored only as cryptographic hashes)
  • Personal data of minors
  • Student education records subject to FERPA
  • Health or disability-related information voluntarily disclosed

Each classification level has corresponding access controls, encryption requirements, and retention rules.

5. Data Subject Rights

We uphold the rights of data subjects as required by applicable law:

Right | Description | How to Exercise
Access | Obtain a copy of your personal data | Account settings or email request
Rectification | Correct inaccurate or incomplete data | Edit your profile or email request
Erasure | Request deletion of your data | Account settings or email request
Portability | Receive your data in a machine-readable format | Email request
Restriction | Limit processing of your data | Email request
Objection | Object to processing based on legitimate interest | Email request
Withdraw consent | Revoke previously given consent | Account settings or email request
Complaint | Lodge a complaint with a supervisory authority | Contact your local data protection authority

We respond to all data subject requests within 30 days. Complex requests may take up to 60 days with prior notification.

To submit a request, contact privacy@keduka.com. We may verify your identity before processing the request.

6. Student and Minor Data Protection

6.1 Enhanced Safeguards

We actively avoid collecting personal data from students. Where data is collected, it receives heightened protection:

  • Data avoidance — We do not collect personal data beyond what is essential for the educational service. Student accounts require only an email address and password.
  • No profiling for non-educational purposes — Student data is used exclusively to support learning outcomes.
  • No advertising — We do not serve advertisements to students or use their data for ad targeting.
  • No data sales — Student data is never sold, rented, or traded.
  • Restricted access — Only authorized personnel with a legitimate educational need may access student data.
  • Parental controls — Parents and guardians of users under 18 may review, modify, or request deletion of their child’s data.

6.2 Institutional Data Agreements

When the Platform is used by educational institutions:

  • We enter into Data Processing Agreements (DPAs) with institutions upon request.
  • Student data provided by institutions is processed solely for the educational purposes defined in the agreement.
  • Institutions retain control over their students’ data and may request bulk export or deletion.
  • We support compliance with institutional data governance requirements.

6.3 Age Verification

  • Account registration requires users to confirm they are at least 13 years of age.
  • Users between 13 and 17 must indicate parental or guardian consent during registration.
  • We do not knowingly collect personal information from children under 13. If we identify such an account, we will suspend it and delete the associated data.

7. Technical and Organizational Measures

7.1 Encryption

  • In transit — All data transmitted between users and the Platform is encrypted using TLS 1.2 or higher.
  • At rest — Sensitive data stored in databases and object storage (Cloudflare R2) is encrypted at rest.
  • Passwords — User passwords are stored as salted cryptographic hashes and are never stored in plaintext.

7.2 Access Controls

  • Role-based access — Staff access to personal data is restricted based on job function and follows the principle of least privilege.
  • Authentication — Platform APIs support JWT, token-based, and session authentication with enforced expiration.
  • Multi-factor authentication — Available for administrative accounts.

7.3 Infrastructure Security

  • Containerized deployment — The Platform runs in isolated Docker containers with non-root user execution.
  • Reverse proxy — Nginx handles SSL termination, request filtering, and rate limiting at the network edge.
  • Content Security Policy — Nonce-based CSP headers mitigate cross-site scripting and code injection risks.
  • Rate limiting — API endpoints are rate-limited to prevent brute-force attacks and abuse (anonymous: 2/min, authenticated: 10/min).
  • Certificate management — SSL certificates are managed through Let’s Encrypt with automated renewal.

7.4 Monitoring and Logging

  • Application monitoring — Prometheus metrics track platform health and security events.
  • Access logging — Authentication events, data access, and administrative actions are logged.
  • Visit analytics — Platform visit data is collected for operational purposes and stored separately from personal data.
  • Log retention — Security logs are retained for a minimum of 12 months.

7.5 Development Practices

  • Secure configuration — Environment-based configuration with secrets managed through environment variables, never committed to source control.
  • Dependency management — Dependencies are regularly reviewed and updated to address known vulnerabilities.
  • Static file integrity — Static assets are served through WhiteNoise with compressed manifest storage for integrity verification.

8. Data Processing Agreements

8.1 Sub-processors

We engage the following categories of sub-processors to deliver our services:

Sub-processor | Purpose | Data Processed
Stripe | Payment processing | Billing details, transaction records
Cloudflare | CDN, security, media storage (R2) | Uploaded media, cached content
Email provider | Transactional email delivery | Email addresses, notification content
Hosting provider | Infrastructure and compute | All Platform data (encrypted)

All sub-processors are bound by Data Processing Agreements that require them to:

  • Process data only on our documented instructions.
  • Implement appropriate technical and organizational security measures.
  • Notify us of any data breaches without undue delay.
  • Delete or return data upon termination of the agreement.

8.2 Sub-processor Changes

We will notify users of material changes to our sub-processor list via email or platform notification at least 30 days in advance. Users may object to new sub-processors by contacting us within the notification period.

9. Data Breach Response

9.1 Detection and Containment

In the event of a suspected data breach:

  1. Identify — Assess the scope, nature, and impact of the breach.
  2. Contain — Isolate affected systems and prevent further unauthorized access.
  3. Assess — Determine the categories of data and individuals affected.
  4. Remediate — Apply fixes and strengthen controls to prevent recurrence.

9.2 Notification

  • Supervisory authorities — We will notify the relevant data protection authority within 72 hours of becoming aware of a breach that poses a risk to individuals’ rights and freedoms.
  • Affected users — Users whose data is compromised will be notified without undue delay, with clear information about the breach and recommended protective actions.
  • Institutional partners — Educational institutions will be notified in accordance with our Data Processing Agreement.

9.3 Record Keeping

All data breaches, including those that do not require notification, are documented in an internal breach register with details of the incident, its effects, and the remedial actions taken.

10. Data Retention Schedule

Data Category | Retention Period | Basis
Active account data | Duration of account | Contract
Closed account data | 30 days after closure (export window) | Contract
Payment and billing records | 7 years after transaction | Legal obligation
Security and access logs | 12 months | Legitimate interest
Anonymized analytics | Indefinite | Legitimate interest
Support communications | 2 years after resolution | Legitimate interest
Student education records | Duration of enrollment + 3 years | Legal obligation
Marketing consent records | Duration of consent + 1 year | Legal obligation

After the retention period expires, data is securely deleted or irreversibly anonymized.

11. International Data Transfers

When personal data is transferred outside the European Economic Area (EEA) or other jurisdictions with data transfer restrictions:

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
  • We conduct Transfer Impact Assessments to evaluate the legal framework of the receiving country.
  • Sub-processors in third countries are required to implement supplementary safeguards where necessary.
  • Users may request information about the safeguards applied to their data transfers by contacting us.

12. Data Protection Governance

12.1 Responsibilities

  • Data Protection Lead — Oversees compliance with this policy, manages data subject requests, and serves as the point of contact for data protection inquiries.
  • Engineering team — Implements and maintains technical security controls.
  • All staff — Required to handle personal data in accordance with this policy and receive regular data protection training.

12.2 Policy Review

This policy is reviewed at least annually and updated to reflect changes in:

  • Applicable law and regulatory guidance.
  • Platform features and data processing activities.
  • Organizational structure and sub-processor relationships.
  • Findings from security audits and incident reviews.

14. Contact

For questions or concerns about data protection:

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.

Protecting your data is central to everything we do. This policy reflects our commitment to transparency, security, and respect for your privacy.