Privacy Policy

1. Overview

This Privacy Policy explains what personal data EduGato ("we," "us," "our") collects when you use our website, mobile applications, or any other service we offer (the "Service"), why we collect it, how we use and protect it, who we share it with, and the rights you have over it. We've kept the language plain — if anything is still unclear after reading, write to us at hello@edugato.app and a real human will explain it.

2. What we collect

We collect only what we need to operate, secure, and improve EduGato. The categories below cover everything — there is no fifth, secret bucket.

• Account information — your name, email address, hashed password, profile photo (if uploaded), preferred language, and the role you signed up under (learner, creator, organization). For accounts created via Google, we also store the Google account ID and profile picture URL we receive from Google.
• Learning & progress data — lessons watched, quiz answers and scores, streaks, XP, completion timestamps, audio recordings you submit for speech quizzes, and AI-feedback transcripts. Creators additionally have course drafts, edits, and quiz metadata stored against their account.
• Device & usage data — IP address, approximate location derived from IP (city level), browser type and version, operating system, screen size, time zone, page-view paths, button clicks within the product, and crash reports. We collect this through cookies, local storage, and our analytics SDKs.
• Billing data — for paid subscriptions: billing name, address, country, last four digits of the card, card brand, payment-processor token, invoice history, and tax IDs you provide. Full card numbers are handled by our PCI-compliant payment processor and never reach EduGato servers.
• Communications you send us — emails, support-chat messages, feedback forms, and any attachments you choose to share. We keep these so we can answer follow-up questions and improve our support over time.

3. How we use your data

Each piece of data has a specific job inside EduGato. We do not collect anything "just in case."

• Run the core product — render your courses, save your quiz answers, keep you signed in across devices, deliver AI-generated feedback on your answers, and recommend the next short to watch based on your progress and stated goals.
• Process payments and manage your subscription — charge your card on the schedule shown at checkout, send invoices and receipts, handle taxes and refunds, and detect or block fraudulent transactions.
• Keep your account and the platform secure — detect bot traffic, brute-force attacks, account takeovers, and content that violates our Terms; rate-limit suspicious actions; and maintain audit logs we may need to investigate incidents.
• Communicate with you — send transactional emails (email verification, password reset, billing), respond to support requests, and (only if you have opted in) send product news, learning tips, or surveys.
• Improve EduGato — analyze aggregated, de-identified usage data to understand which lessons work, fix bugs, and design better features. We never sell raw, identifiable usage data to advertisers or data brokers.

4. Our legal basis for processing

If GDPR (EU/EEA/UK) or similar privacy laws apply to you, here is the legal basis we rely on for each category of processing:

• Performance of a contract — we process your account, payment, and learning data to deliver the Service you asked for. Without this data, we literally cannot give you the courses you signed up for.
• Legitimate interests — we process device, usage, and security data to keep the platform safe, debug issues, and run aggregated analytics. We've balanced these interests against your privacy rights and you can object at any time (see "Your rights" below).
• Legal obligation — we keep certain billing, tax, and accounting records for as long as local law requires (typically 5–10 years), and we comply with valid law-enforcement requests where applicable.
• Consent — for optional things (marketing emails, non-essential cookies, AI training opt-ins, beta features), we ask for explicit consent and you can withdraw it at any time without losing access to the core product.

5. How and with whom we share data

EduGato never sells personal data. We do share specific data with carefully selected partners, each under a written data-processing agreement:

• Infrastructure providers — cloud hosting (server logs, account data), email delivery (transactional emails), and content-delivery networks (static assets). They process data only on our instructions and cannot use it for their own purposes.
• Payment processors — to charge your card and detect fraud. They receive billing details and the amount of the transaction, never your learning data or password.
• Analytics & error reporting — privacy-focused analytics that record anonymized usage events and crash reports. We don't share advertising identifiers or sell behavioural profiles.
• Authentication providers — when you sign in with Google, your Google account ID and email come through Google's OAuth flow. The flow is governed by Google's privacy policy.
• Authorities, when legally required — we will share data when compelled by a valid court order, search warrant, or subpoena. We push back on overly broad requests and, where the law allows, notify the affected user before disclosure.
• Buyers in a corporate event — if EduGato is acquired, merged, or files for bankruptcy, your data may be transferred to the successor entity. We will give you reasonable advance notice and, where possible, the option to delete your account before the transfer.

6. International data transfers

EduGato is operated from Algeria, and our infrastructure providers may store and process data in the European Union, the United States, and other regions where they host servers. When we transfer personal data outside your home country, we rely on appropriate safeguards — Standard Contractual Clauses (SCCs) approved by the European Commission, equivalent measures for non-EU jurisdictions, and supplementary technical and organizational protections (encryption in transit and at rest) — so that your data continues to receive a level of protection essentially equivalent to the one in your home country.

7. How long we keep your data

We keep personal data only for as long as we need it for the purpose we collected it. Specifically:

• Active account data — for as long as your account exists. When you delete your account, most data is removed within 30 days; encrypted backups may persist for up to 60 days for disaster-recovery purposes before being permanently destroyed.
• Billing and tax records — kept for 7 years to comply with accounting and tax law, even after you delete your account.
• Security and audit logs — kept for 12 months to investigate incidents and abuse; older logs are deleted automatically.
• Support correspondence — kept for 24 months so we can answer follow-up questions and improve our help articles.
• Anonymized analytics — aggregate metrics that no longer identify any individual may be kept indefinitely to track product trends over time.

8. Your rights

Depending on where you live, you have several rights over your personal data. EduGato honors all of them, regardless of jurisdiction:

• Access — request a copy of the personal data we hold about you. You can self-serve from Settings → Privacy → Export my data, or email us if you prefer a manual export.
• Rectification — correct anything inaccurate or out of date from your account settings; for fields you can't change yourself (like creator certifications), email us.
• Erasure — request that we delete your account and the personal data tied to it. See the "Delete my data" section below for the exact process and timing.
• Restriction — ask us to pause processing of certain data while we investigate a dispute or correction request.
• Objection — object to processing based on legitimate interests, including profiling for personalization. We will stop unless we have an overriding lawful reason to continue.
• Portability — receive your data in a structured, machine-readable format (JSON or CSV) and have it transmitted to another provider where technically feasible.
• Lodge a complaint — you have the right to complain to your local data-protection authority (in Algeria, the Autorité nationale de protection des données personnelles; in the EU, your national DPA).

9. Cookies & similar technologies

We use cookies and local storage for three reasons:

• Strictly necessary — keep you signed in, remember your preferred language and theme, prevent CSRF attacks, and load-balance requests. These cannot be disabled because the Service won't work without them.
• Functional — remember UI choices like which onboarding tip you have dismissed or which course you last opened. They make the experience smoother but the Service still works without them.
• Analytics — measure aggregated usage so we can prioritize features. You can refuse these from the cookie banner the first time you visit, or change your choice anytime from Settings → Privacy → Cookies.

10. How we keep your data safe

Security is a continuous effort, not a checkbox. Our current measures include:

• Encryption — all traffic between your device and EduGato uses HTTPS/TLS 1.2+; data at rest is encrypted with AES-256 on our managed databases and object storage.
• Access controls — production data is accessible only to a small number of engineers on a strict need-to-know basis, behind two-factor authentication and audited via centralized logs.
• Password handling — your password is hashed with a modern, slow hashing algorithm (bcrypt or argon2). We never store, log, or transmit it in plain text.
• Vulnerability management — we run automated dependency scanning, periodic penetration tests, and welcome reports through our responsible-disclosure process at security@edugato.app.
• Breach notification — if a personal-data breach is likely to result in a high risk to your rights, we will notify affected users without undue delay and within 72 hours of becoming aware, in line with applicable law.

11. Delete my data

Want to be forgotten? You can delete your account directly from Settings → Account → Delete account. If you can't access the dashboard, email us with the subject "Delete my data" from the address tied to your account. We will confirm receipt within 5 business days, suspend the account immediately, and remove personal data within 30 days. Encrypted backups may retain a copy for up to 60 days, after which they are permanently destroyed. Some records (billing, tax, audit logs) we are legally required to keep for the retention windows listed above, but they will not be used for any active processing.

12. Contact us

Questions, complaints, or curious about a specific piece of data? Reach out and our Data Protection Officer will respond within a few business days.