Data Processing Agreement

SUMMARY (Quick Reference)

What We Collect:

Name, email, educational background
Course enrollments, grades, exam results
Payment information (processed securely)
Learning activity and platform usage
Device/IP information for security

How We Use It:

Deliver educational services and support
Process payments and manage enrollment
Improve platform and learning experience
Comply with legal and tax obligations
Prevent fraud and maintain security

Who We Share With:

Your enrolled university (for degree conferment)
Payment processors (Razorpay, PayU, Stripe)
Email service providers (secure communication)
Analytics tools (aggregated, anonymized data)
NOT sold to third parties or advertisers

Your Rights:

✓ Access your data anytime
✓ Request correction of errors
✓ Request deletion (subject to legal holds)
✓ Get data in portable format
✓ Withdraw marketing consent
✓ Lodge complaint with data authority

Legal Basis:

Contract Performance (delivering your degree program)
Legal Obligation (tax, compliance, university requirements)
Legitimate Interests (improving services, preventing fraud)
Your Explicit Consent (marketing, cookies, optional data)

1. Processing Activities & Data Categories

Enrollment & Account Management:

Purpose: Create and manage your account
Data: Name, email, educational background, address
Duration: Account lifetime + 6 years
Basis: Contract Performance, Legal Obligation

Course Delivery & Learning:

Purpose: Deliver educational content, track progress
Data: Course access, assignments, grades, exam results
Duration: Course period + 7 years (legal requirement)
Basis: Contract Performance

Payment Processing:

Purpose: Process fees and manage billing
Data: Payment method (tokenized), name, amount
Duration: 7 years (tax compliance)
Basis: Contract Performance, Legal Obligation
Security: PCI DSS Level 1, AES-256 encryption

Communications:

Purpose: Course updates, support, program info
Data: Email, phone, communication content
Duration: Until unsubscribe
Basis: Contract, Legitimate Interests, Consent

Analytics & Optimization:

Purpose: Improve platform and services
Data: Usage patterns, device info, behavior (aggregated)
Duration: 12-24 months aggregated data
Basis: Legitimate Interests

Fraud Prevention:

Purpose: Protect accounts and prevent abuse
Data: All data as needed for security
Duration: Investigation + 2 years
Basis: Legitimate Interests, Legal Obligation

2. Data Sharing

We Share Data With:

Universities: Enrollment details, exam results (for degree conferment)
Payment Processors: Secured tokenized transactions
Email/Communication: Mailchimp, SendGrid, Twilio
Analytics: Google Analytics, Hotjar (anonymized)
Support Systems: Zoho CRM, Intercom

NOT Shared With:

✖ Advertisers for targeting
✖ Data brokers or aggregators
✖ Competitors
✖ Employers (unless you authorize)
✖ Anyone without legal requirement

3. Legal Basis for Processing

Under GDPR Article 6:

Contract (6.1.b) - Necessary to provide your education
Legal Obligation (6.1.c) - Tax, compliance, university requirements
Legitimate Interests (6.1.f) - Platform improvement, fraud prevention
Consent (6.1.a) - Marketing, cookies, optional data collection

Special Category Data (Sensitive):

Health info: Only with explicit consent for accommodations
Educational performance: Necessary for degree conferment
Financial data: Necessary for payment processing

4. Your Rights (Data Subject Rights)

Right to Access (GDPR Art. 15, CCPA §1798.100)

Request copy of your data within 30 days
Free of charge, machine-readable format
Email: privacy@edubridgeeducation.com

Right to Rectification (GDPR Art. 16)

Correct inaccurate information
Update incomplete data
Edit profile settings or email corrections

Right to Erasure (GDPR Art. 17, CCPA §1798.105)

Request deletion of data
Exceptions: Legal/contract necessity, 7-year retention
Email request to: privacy@edubridgeeducation.com

Right to Restrict Processing (GDPR Art. 18)

Ask us to pause data collection
We maintain but don't use data during restriction
Available when accuracy disputed, processing unlawful

Right to Data Portability (GDPR Art. 20)

Receive your data in machine-readable format
Transfer to another provider
Educational records included

Right to Object (GDPR Art. 21)

Opt out of marketing communications
Unsubscribe from promotional emails
SMS: Reply STOP, Email: privacy@edubridgeeducation.com

Right to Lodge Complaint

EU/UK: Contact your country's Data Protection Authority
India: Ministry of Electronics & IT
California: California Attorney General

5. International Transfers

Where Data Stored: India (primary), USA/EU (backup/processing)

Legal Mechanism: Standard Contractual Clauses (SCCs)

Safeguards:

Encrypted transfer and storage
Limited staff access
Regular audits and assessments
Supplementary technical measures

6. Data Retention

Data Type	Retention Period	Reason
Account/Identity	Lifetime + 6 years	Legal compliance
Educational Records	7+ years	Legal, university requirement
Financial/Payment	7 years	Tax compliance
Marketing Data	Until unsubscribe + 30 days	Compliance hold
Analytics	12-24 months	Business optimization

7. Data Security

Technical Controls:

TLS 1.2+ encryption in transit
AES-256 encryption at rest
Secure key management (AWS KMS)
Regular security patching
Intrusion detection
Web Application Firewall

Administrative Controls:

Role-based access control
Employee data protection training
Strict confidentiality agreements
Background checks for staff
Security incident response plan

Data Breach Response:

Investigation within 24-48 hours
Notification within 72 hours (GDPR requirement)
Credit monitoring if applicable
Law enforcement notification (if required)

8. Contact Information

📧 Privacy Officer: privacy@edubridgeeducation.com

📧 Data Subject Rights: rights@edubridgeeducation.com

📞 Phone: +971 56 127 3536

🏢 Address: M03 Royal House Building, Hor Al Anz East, Dubai, UAE

Response Times:

Data rights requests: 30 days
Privacy inquiries: 5 business days
Security concerns: 48 hours