LuxAI Global Privacy Policy
Last Updated: June 2, 2025
0. Introduction
LuxAI Group (“LuxAI,” “we,” “our,” or “us”) is committed to protecting the privacy and security of your personal data in accordance with applicable privacy, student, and child protection laws. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our websites and educational products, as well as your rights and the legal protections that apply. This privacy notice supplements any other specific notices or fair processing policies we may provide and is not intended to override them.
1. Who We Are and What Laws Apply
LuxAI operates through the following legal entities:
U.S.-based Customers:
LuxAI Inc. (a Delaware corporation based in New York), subject to applicable U.S. privacy, student, and child protection laws, including the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), the Protection of Pupil Rights Amendment (PPRA), and state-specific student privacy laws such as California’s Student Online Personal Information Protection Act (SOPIPA), New York Education Law 2-d, Texas House Bill 2087 (TX HB 2087), Maryland’s Student Data Privacy Act, Illinois’ Student Online Personal Protection Act (SOPPA), and Colorado’s Student Data Transparency and Security Act, among other similar state-specific privacy laws where applicable.
UK-based Customers:
LuxAI Ltd. (London), subject to the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
EU-based Customers:
LuxAI S.A. (Luxembourg), subject to the European Union General Data Protection Regulation (EU GDPR).
Canada-based Customers:
The applicable LuxAI contracting entity (LuxAI Inc, LuxAI S.A. or LuxAI Ltd as specified in the customer agreement) complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and relevant provincial privacy laws, including but not limited to Ontario’s Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), Alberta’s Freedom of Information and Protection of Privacy Act (FOIP), and British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA).
All Other Customers (International):
The applicable LuxAI contracting entity (LuxAI Inc, LuxAI S.A. or LuxAI Ltd as specified in the customer agreement) complies with the privacy laws of its own jurisdiction and, where applicable, will reasonably cooperate with the customer to support compliance with the customer’s local data protection requirements.
2. What Personal Data We Collect and Process
This section describes the types of personal data LuxAI collects and processes depending on your relationship with us—whether as a customer, account holder (e.g., educator, staff, or parent), or end-user of our services (e.g., student or child). It also outlines data we do not intentionally collect, and data we may process solely on your behalf without using it for our own purposes.
“Personal data” (or “personal information”) means any information that can identify an individual, directly or indirectly. It does not include anonymized or aggregated information that cannot reasonably be linked back to an individual.
2.1 Order and Transaction Data
- Billing and shipping information
- Payment and transaction details
LuxAI does not store or process payment card information directly. All payments are handled through PCI-DSS-compliant third-party processors that operate independently of LuxAI.
2.2 Contact and Communication Data (e.g., Educators, Staff, Researchers, Parents)
- Name, address, email, and phone number
- Affiliated organization and job title
- Marketing and communication preferences:
  - Contact type (e.g., individual, administrator, educator, researcher)
  - Topic preferences (e.g., AI & Robotics, Education, ElderlyCare)
  - Opt-in/opt-out settings
- Support messages and inquiries, including device metadata (e.g., IP address, OS, browser)
Please do not submit sensitive information (e.g., health, religion, or child-specific data) via general communication channels. If received, LuxAI will delete such data in accordance with our data minimization policies.
2.3 Account Holder Profile and Usage Data
- Role-based permissions and associated learner groups
- Usage metrics: login times, session durations, feature use
- System activity logs and administrative actions
- Device metadata: OS, device type, app version, IP address (from LuxAI robots, tablets, or other connected devices)
2.4 End-User Data (Including Children and Students)
This category includes data collected from or about individuals who use LuxAI’s services as learners, including:
- Profile data: nickname; optionally, full name, gender, age
- Learning data: assigned goals, activities, logs, and progress
- Additional data if configured: grade, student ID
2.4.1 Child Data (Under Child Privacy Laws)
“Child Data” means personal information about users below the minimum age for digital consent, typically:
- Under 13 (U.S. and UK)
- 13–14 (Canada, depending on province)
- Under 16 (EU, unless reduced by Member State law)
LuxAI processes Child Data only:
- Under a valid agreement with a school or research institution acting as the data controller; or
- With verifiable parental or guardian consent
2.4.2 Student Data (Under Education and Privacy Laws)
“Student Data” refers to:
- Personally identifiable information about a student
- Collected or processed by LuxAI on behalf of an educational institution
- Governed by education privacy laws such as FERPA, GDPR, or PIPEDA
Student Data does not include:
- Technical metadata or diagnostic logs
- Aggregated or de-identified data that cannot reasonably identify an individual
LuxAI processes Student Data in compliance with:
- U.S.: FERPA, COPPA, and state laws (e.g., SOPIPA, NY Ed Law 2-d, TX HB 2087)
- Canada: PIPEDA and provincial laws (e.g., FIPPA, MFIPPA, FOIP)
- UK/EU: GDPR and UK GDPR (where the school is the data controller)
We publish a list of student data elements collected from schools, following the standardized appendix of the National Data Privacy Agreement (NDPA) developed by the Access 4 Learning (A4L) Consortium. You can view it at luxai.com/data-elements.
2.5 Sensitive and Special Category Data (Not Collected)
LuxAI does not intentionally collect special categories of data as defined under GDPR and similar laws, including:
- Race or ethnicity
- Religious or philosophical beliefs
- Sexual orientation or gender identity
- Health, biometric, or genetic information
- Political affiliation or union membership
- Criminal history or offenses
If such data is inadvertently submitted, it will be deleted in accordance with our data minimization policy.
2.6 Customer-Created Content (Available to Authorized Users)
For customers using LuxAI Studio or similar tools to develop curricula or robot programs:
- Customers retain full ownership
- Content is processed only to deliver the contracted service
- It is not used for analytics, R&D, or shared with third parties
- Access is limited to:
  - Customer support requests
  - Legal or contractual obligations
If this content includes personal data (e.g., student names), the customer is responsible for ensuring lawful sharing under FERPA, GDPR, PIPEDA, or other applicable laws.
2.7 Aggregated and De-Identified Data
LuxAI may use anonymized data derived from service usage (excluding Customer-Created Content) for the following lawful purposes:
- Improving services and user experience
- Demonstrating product effectiveness
- Conducting internal research or fulfilling regulatory requirements
This data:
- Cannot identify individuals or institutions
- Is de-identified using standards like NIST SP 800-188 or ISO/IEC 20889
- Is protected against re-identification and never used for behavioral targeting or advertising
- May be retained after service termination if it remains anonymized
Additional safeguards apply to de-identified student data. See Section 6 for details.
2.8 Cookies
LuxAI may use “cookies” to improve your experience with the services and to improve its products. In that case, your web browser places cookies on your hard drive to gather information used to customize navigation within the services, provide access to social media platforms, and/or support analytics, thus enabling certain unique functionalities. For more information on how we use cookies and the cookie options we offer, please see our Cookie Policy.
2.9 If You Choose Not to Provide Personal Data
In some cases, we are required by law or contract to collect certain personal data. If you choose not to provide such data, we may not be able to fulfill our obligations (e.g., provide services or ship products). We will inform you if a failure to provide required data affects our ability to serve you.
3. How We Collect Personal Data
We collect personal data using the following methods, depending on your role and how you interact with our services:
3.1 Directly from You: You may provide data when:
- Creating or managing an account
- Registering for a demo or purchase
- Submitting a support ticket or inquiry
- Completing a form, survey, or feedback request
Examples of data collected: name, email, phone number, organization, shipping address, support content, communication preferences
3.2 Automatically from Your Use of Our Services: Some data is collected automatically to support functionality, performance, and security:
- Device type and operating system
- Browser or app version
- IP address
- Crash reports and diagnostic data
- Activity and session logs and interaction metrics
LuxAI does not use automated tracking for behavioral profiling, advertising, or third-party marketing.
3.3 From Educational Institutions or Organizational Customers: When services are provided through a school, university, or institution, personal data may be provisioned by that entity under a service contract. Examples of data collected: student or user profile data and user IDs
3.4 From Trusted Third Parties or Public Sources: We may receive supplementary information from:
- Authorized resellers
- Public sources (e.g., institutional websites)
- Secure integrations with customer systems (e.g., SSO, LMS APIs)
Examples of data collected: professional role, institution name and email address
4. Legal Grounds for Data Processing and Role Responsibilities
LuxAI processes personal data in accordance with the privacy laws applicable to each customer’s location. The lawful basis for processing varies based on the type of data, the individual’s role (e.g., educator, parent, child, student), and the context in which the data is collected.
4.1 Supervised Use of Children/Students
Children and students never independently create or manage accounts on our platform. All interactions with our products occur under the supervision of a responsible adult—such as an educator, school administrator, researcher, or parent/legal guardian. We process children’s or students’ data only:
- With verifiable parental or guardian consent; or
- Pursuant to a valid agreement with a school, district, or authorized educational or research institution acting as the data controller.
4.2 Regional Legal Bases for Processing
United States (FERPA, COPPA):
LuxAI operates as a “School Official” under FERPA, processing student data on behalf of educational institutions. For users under 13, we comply with COPPA, relying on either school authorization or verifiable parental consent.
Canada (PIPEDA and Provincial Laws):
We comply with PIPEDA and relevant provincial laws. Processing occurs either:
- With consent from the individual (if an adult) or from a parent or guardian (if the data subject is a minor); or
- Under the direction of a school board, institution, or research authority.
United Kingdom and European Union (UK GDPR / EU GDPR):
Personal data is processed based on one or more of the following:
- Performance of a contract
- Compliance with legal obligations
- Legitimate interests (where individual rights do not override those interests)
- Consent (especially for direct-to-parent arrangements)
When institutions contract with us, the institution is the data controller and LuxAI acts solely as their data processor. When parents engage us directly, LuxAI is the data controller and relies on consent as the basis for processing child data.
Other International Regions:
The applicable LuxAI entity will process data under the governing privacy laws of its jurisdiction and, where appropriate, will support institutional customers in meeting their local compliance obligations.
5. How and Why We Use Personal Data
We use personal data to operate our services, fulfill customer requests, support learners, improve user experience, and comply with legal obligations. This includes both data we control (e.g. account and transaction data) and data we process on behalf of institutions (e.g. student and end-user data). All processing is conducted in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, and protection by design and by default, as required under applicable laws.
Student/Child Data: When our services are used by schools or institutions, regulated data such as student or child information is governed by applicable laws, including FERPA, COPPA, PIPEDA, and state or provincial laws. We process such data only under the direction and control of the data controller (e.g., a school, district, public agency, or research institution) as detailed in section 6, or based on verified parental consent when no institution is involved.
5.1 Legal Basis for Processing
The table below is provided to meet the transparency requirements of the EU and UK GDPR, outlining the legal basis for each type of processing activity. While this level of detail is specifically required under European privacy laws, we present it in a clear and accessible format to help all users understand how and why their data is used. Where applicable, we have adapted this section to reflect lawful grounds for processing under other regulatory frameworks in the United States and Canada, such as FERPA, COPPA, and PIPEDA.
EU/UK Definitions of Legal Bases:
- Performance of a contract: Processing necessary to perform a contract with you or take steps at your request.
- Legitimate interests: Processing necessary for our business purposes, including to operate and improve our products and services, enhance security, prevent fraud, analyze usage trends, or other operational and administrative purposes, provided that your interests and fundamental rights do not override those interests.
- Legal obligation: Processing necessary to comply with legal or regulatory requirements.
- Consent: Where required, we will seek your clear, informed consent before processing.
| Purpose | Types of Personal Data | Legal Basis for Processing |
| --- | --- | --- |
| To deliver products and process orders, including billing, invoicing, and order tracking | Order and Transaction; Contact & Communication | Performance of a contract; Legitimate interest (e.g., processing payments, resolving order issues) |
| To create and manage user accounts and enable access to features and services, including provisioning for account holders (e.g. educators, parents) and end-users (e.g. students, children) | Order and Transaction; Contact & Communication; Profile and Usage; End-User | Performance of a contract (e.g., with school, parent, or institution); Parental consent (when provided directly by parent); School or institutional authorization (e.g. FERPA, PIPEDA, UK/EU GDPR) |
| To support learning activities for student or child end users | End-User | School or institutional authorization (e.g. FERPA, PIPEDA, UK/EU GDPR); Parental consent (where no institution is involved) |
| To provide customer support and respond to inquiries | Contact and Communication Data; Profile and Usage; End-User; Customer-Created Content | Performance of a contract; Legitimate interest (resolving issues, supporting user experience). * End-User and Customer-Created Data are used only under the documented direction of the account holder, based on school authorization or parental consent |
| To provide a secure and reliable platform (e.g., login tracking, abuse prevention, uptime monitoring) | Contact and Communication Data; Profile and Usage | Legitimate interest (platform security and service integrity); Legal obligation (where applicable, e.g., audit trails); School or institutional authorization (e.g. FERPA, PIPEDA, UK/EU GDPR) |
| To send product updates, surveys, or educational communications to authorized adult users (e.g., educators, administrators, or parents). We do not send product updates to students or end-users. | Order and Transaction; Contact and Communication; Profile and Usage | Consent (where required); Legitimate interest (to keep users informed, unless user opts out) |
| To analyze usage data to improve our services and enhance learning outcomes | Aggregated and De-Identified Data | Legitimate interest (to improve features and services); School or institutional authorization (e.g. FERPA, PIPEDA, UK/EU GDPR), where required. * We only use aggregated or de-identified data for this purpose, and only where such use is permitted under applicable law or authorized by the Customer. |
5.2 Marketing Communications Policy
We are committed to protecting your privacy while delivering relevant and useful communications. Where permitted by law and with your consent where required, we personalize marketing based on your preferences and prior interactions (e.g., Order and Transaction Data, Contact and Communication Data, and Account Holder Profile and Usage Data).
Our practices comply with applicable laws, including the EU GDPR, U.S. privacy and marketing laws (e.g., CAN-SPAM, FERPA, COPPA), and Canada’s Anti-Spam Law (CASL).
No Marketing to Students, Children, or End-Users: We do not send marketing communications to students, children under 16, or any other end-users. Marketing is directed only to adult account holders, such as educators, professionals, institutional representatives, or parents.
Who May Receive Marketing: We send marketing communications only to:
- Institutional or business contacts with whom we have an existing relationship or valid consent; and
- Consumers who have explicitly opted in (e.g., via a newsletter or signup form).
We do not use profiling or behavioral tracking to send marketing communications and we do not rely on legitimate interest to send marketing to individuals without consent.
Opting Out: All marketing emails include an unsubscribe link or instructions to manage your preferences. Opting out does not affect essential service notifications or legally required communications.
5.3 Purpose Limitation and Reuse of Data
We only use your data for the purposes described above. If we need to process your data for a new, compatible purpose, we will notify you and explain the legal basis. If the purpose is unrelated, we will seek your explicit consent unless otherwise required or permitted by law.
6. Special Protections for Children’s and Student Data
If LuxAI processes student data on behalf of an educational institution, the customer remains the custodian or controller of Student Data under applicable law, and LuxAI acts solely as a data processor or service provider on the Customer’s behalf.
Whether acting as a School Official (U.S.), as a data processor (EU, UK, Canada), or as a controller (only when engaged directly by parents), we never use children’s or students’ personal data beyond authorized purposes.
- LuxAI only processes student data as directed by the educational institution.
- Schools retain control over student records and data processing activities.
Universal Safeguards for Child and Student Data: Across all jurisdictions, LuxAI ensures:
- Supervised Access: All child/student use is mediated by educators, staff, researchers, or parents.
- Data Minimization: Only essential data is collected for legitimate educational or developmental use.
- Security by Design: Strong technical and organizational measures protect data confidentiality and integrity.
We Never:
- Share, sell, license, or otherwise disclose child or student data for advertising, marketing, or commercial purposes.
- Use child, student, or customer data for targeted advertising, commercial profiling, or behavioral tracking.
- Allow unsupervised child or student account creation.
- Use child or student data for behavioral research or analysis without institutional authorization or verified parental consent.
Additional Protections for De-Identified Student Data: When processing de-identified student data, LuxAI ensures:
- It is used solely to support educational research, product improvement, or service effectiveness (never marketing or behavioral profiling).
- It is never published or disclosed in a way that could identify the institution, unless required by law or with the institution’s prior written consent.
- Any third party with access is contractually obligated to:
  - Refrain from re-identification
  - Use data only for permitted, non-commercial purposes
  - Maintain equal or stronger safeguards
7. Data Sharing and Subprocessors
We do not sell, trade, or otherwise transfer your personal identification information to third parties, except as explicitly set out below. We share customers’ data only with trusted third parties under controlled conditions. Specifically, we may disclose data to:
- Subprocessors under written agreements that include privacy and security obligations equivalent to those in our contracts with customers
- Service providers that help us deliver our services (e.g., Microsoft Azure, Amazon Web Services, Hubspot)
- Government authorities, but only when required to do so by law, regulation, or valid legal process
A current list of LuxAI’s subprocessors is available at https://luxai.com/subprocessors/. We provide advance notice of changes to subprocessors where required by applicable law or contract.
8. Data Hosting and Residency
LuxAI stores and processes Customer Data across multiple secure environments, depending on the category of data and the operational function.
Access to hosted data by external parties (such as subprocessors and service providers) is strictly limited and governed by our data sharing practices described in Section 7: Data Sharing and Subprocessors.
Hosting and processing locations are selected based on applicable privacy laws, service delivery requirements, and data sensitivity.
8.1 Educational and Usage Data Hosting
End-User Data (including student and child data), and Account Holder Profile and Usage Data, are hosted in secure cloud environments provided by Microsoft Azure. Hosting regions are selected based on the customer’s location to ensure compliance with applicable data protection laws and to support efficient service delivery.
Based on customer location, data is hosted as follows:
- U.S. Customers – Data is hosted in the United States
- U.K. Customers – Data is hosted in the United Kingdom
- Canadian Customers – Data is hosted in Canada
- EU/EEA Customers – Data is hosted within the European Union, or in another jurisdiction recognized by the European Commission as providing adequate protection
- Other International Customers – Data is hosted in one of the regions listed above, or in another jurisdiction explicitly specified in the relevant customer agreement and consistent with legal requirements
Authorized LuxAI personnel may access this data remotely for technical support, diagnostics, or service security, only when necessary and subject to strict contractual, technical, and organizational safeguards.
LuxAI does not transfer this category of data internationally unless compelled by law or explicitly authorized by the customer.
8.2 Business and Operational Data Hosting
Other categories of Customer Data, such as:
- Contact and Communication Data (e.g., purchase inquiries, support messages)
- Order and Transaction Data (e.g., invoices, billing records)
- Customer-Created Content (e.g., uploaded robot programs and educational materials)
may be hosted or processed using third-party business tools, platforms, or infrastructure providers that may operate outside the customer’s jurisdiction. These providers are carefully selected and contractually required to comply with applicable data protection and security standards.
Where required by law, LuxAI uses recognized international safeguards to protect this data, such as data transfer agreements approved by regulators (e.g., Standard Contractual Clauses, the UK Addendum, or adequacy decisions).
9. Data Security
LuxAI implements appropriate administrative, technical, and physical safeguards to protect personal data, including Student Data, from unauthorized access, disclosure, alteration, or destruction. These safeguards are aligned with applicable data protection laws and recognized industry standards.
Access to Customer Data is strictly limited to employees, agents, contractors, and authorized third-party service providers who require access for legitimate operational or contractual purposes. All such individuals and entities are subject to confidentiality obligations and must process data only in accordance with LuxAI’s instructions and applicable data protection laws.
LuxAI’s internal security program is aligned with the CIS Controls, formerly known as the CIS Top 20, a widely adopted cybersecurity framework recognized across public-sector and educational environments, including in the U.S. K–12 sector.
9.1 Breach Response
In the event of a security breach involving personal data, LuxAI will:
- Take immediate and reasonable steps to investigate, contain, and mitigate the issue
- Notify affected customers without unreasonable delay, in accordance with applicable law
- Support the customer in meeting any legal or regulatory obligations related to the breach, including notifications to individuals, regulators, or educational authorities
9.2 Breach Notification for Student Data
If a breach involves Student Data, LuxAI will notify the customer without unreasonable delay and:
- No later than seventy-two (72) hours after confirming the breach, or
- Within any shorter timeframe required by applicable law (e.g., forty-eight (48) hours under certain U.S. state statutes), unless a delay is legally permitted to support law enforcement or mitigation efforts.
10. Data Retention
LuxAI retains personal data only for as long as necessary to fulfill the purposes set out in this Privacy Policy, including to provide services, meet legal and contractual obligations, protect legal rights, and support business operations. Retention periods vary depending on the type of data, the context in which it was collected, and applicable legal requirements in the United States, United Kingdom, Canada, and the European Union.
10.1 General Retention Principles
To determine appropriate retention periods, we consider:
- The amount, nature, and sensitivity of the data
- The potential risk of harm from unauthorized use or disclosure
- The purpose for which the data is processed and whether that purpose can be achieved by other means
- Legal, tax, accounting, and regulatory requirements in applicable jurisdictions
Where applicable, we apply the following default retention guidelines:
- Order and transaction data (e.g., invoice) is retained for six years by LuxAI S.A. (EU) and LuxAI Ltd (UK), and up to seven years by LuxAI Inc. (U.S.), to comply with financial and tax regulations
- Communications and support data is retained for the duration of the service relationship and up to two years thereafter, unless extended for legitimate interest or dispute resolution
- Marketing data is retained until you opt out or withdraw consent, unless retention is justified by a legitimate interest. We also periodically review marketing records for continued lawful basis, including compliance with CASL (Canada) and inactivity thresholds where applicable
We may retain data longer if required by law, regulation, or litigation hold, or with your prior consent.
10.2 Retention of Service-Linked Personal Data
(including End-User Data such as Child or Student Data, Profile and Usage Data, and Customer-Created Content)
LuxAI applies the following retention and deletion rules to all personal data processed as part of delivering its services, whether under an institutional agreement (e.g., school or research organization) or directly to individual users (e.g., parents and their children):
- Data is retained for the duration of the service relationship or contractual term
- Unless earlier deletion is required by law or requested by the customer or institution, LuxAI may retain service-linked data for up to 180 days after the end of the service relationship or contract, to support potential renewal or reactivation, where such retention is permitted by applicable law or agreement
- Deletion or return requests will be fulfilled within 30 days
- Backup copies may persist for up to sixty (60) days following deletion from production systems.
- This applies to:
  - Student and End-User Data
  - Account Holder Profile, Usage and Technical Data (e.g., educators, staff, researchers, parents)
  - Customer-Created Content
10.3 Anonymization and Long-Term Use
LuxAI may store and use de-identified data indefinitely, in accordance with applicable law and Section 2 of this Privacy Policy. De-identified data is not used to re-identify individuals and is subject to technical and organizational safeguards.
10.4 Your Right to Request Deletion
You may request deletion of your personal data at any time, subject to legal or contractual obligations that may require us to retain certain records. The right to request deletion is provided by laws such as the GDPR, UK GDPR, and certain U.S. state privacy laws.
For Student Data or other personal data processed on behalf of an institution, LuxAI acts as a data processor and cannot act independently on deletion requests. In such cases, data access, correction, or deletion requests must be submitted directly to the relevant institution, which acts as the data controller.
11. Your Privacy Rights
We are committed to respecting your privacy and supporting your rights regarding your personal data.
Depending on your location and applicable privacy laws, you may have specific rights under the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), other U.S. state laws, and Canadian laws such as PIPEDA and provincial regulations.
While some of these rights are legally required only for individuals in certain jurisdictions, we voluntarily extend all of the following rights to all users, regardless of location.
Important: Personal Data Processed on Behalf of an Institution
In some cases, we process personal data on behalf of a third-party organization—such as a school, university, healthcare provider, or private business—that uses our platform to manage data about their students, clients, employees, or other end users.
When we act in this capacity:
- We are a data processor, and the organization is the data controller.
- We do not determine how or why that data is processed.
- We cannot independently fulfill privacy rights requests without explicit authorization from the controller.
If your personal data was provided to us by, or collected through, such an organization, that organization’s privacy policy will apply, not this one. Your ability to exercise privacy rights (and the scope of those rights) will depend on the controller’s policies and the applicable law governing their data practices (e.g., GDPR, FERPA, HIPAA, PIPEDA).
To exercise your rights in such cases, please contact the relevant organization directly. We will act on their instructions in accordance with our contractual obligations and the law.
1. Right to Know (Categories and Practices)
- The categories of personal data we collect,
- The purposes for which we use it,
- The categories of sources,
- The categories of third parties to whom we disclose it, and
- The retention period for each category.
2. Right of Access (Specific Data): You may request a copy of the personal data we hold about you and information about how and why we process it.
3. Right to Rectification: You may request that we correct inaccurate or incomplete personal data. We may ask for verification of accuracy.
4. Right to Erasure (Right to Be Forgotten):
- It is no longer necessary for its original purpose,
- You withdraw consent,
- You object to processing,
- The data was processed unlawfully, or
- We are required to erase it by law.
We may retain data where legally necessary.
5. Right to Withdraw Consent: If processing is based on your consent, you may withdraw it at any time. This does not affect prior lawful processing, but may limit service availability.
6. Right to Object to Processing:
- Processing based on our legitimate interests, or
- Direct marketing.
We may continue processing if we demonstrate compelling legitimate grounds.
7. Right to Restrict Processing
- You contest data accuracy,
- Processing is unlawful but you oppose erasure,
- We no longer need the data but you require it for legal claims, or
- You have objected to processing and we are evaluating our grounds for processing.
8. Right to Data Portability: You may request to receive your personal data in a structured, commonly used, machine-readable format and ask us to transmit it to another controller, where applicable.
9. Right to Opt Out of Sale or Sharing: You may opt out of the sale or sharing of your personal data.
Note: We do not sell or share your data for targeted advertising or profiling.
10. Right to Limit Use of Sensitive Personal Data: If we collect sensitive personal data (e.g., health, biometrics, precise geolocation), you may limit its use to necessary services.
Note: We currently do not collect sensitive personal data as defined by applicable law.
11. Right to Non-Discrimination:
- No denial of services,
- No different pricing or quality,
- No penalties or adverse treatment.
12. Exercising Your Rights: You may exercise your rights by:
– Emailing us at [email protected], or
– Submitting a request via our online form.
To protect your data, we may request identity verification before fulfilling your request.
13. Response Time and Fees:
– No Fee: Exercising your rights is free. However, we may charge a reasonable fee or deny your request if it is manifestly unfounded, repetitive, or excessive.
– Timeframe: We aim to respond within one month. If additional time is needed, we will notify you and explain why.
Note: Some of the above rights are granted under specific legal frameworks (e.g., GDPR, CCPA/CPRA, PIPEDA). However, we apply them globally to ensure all users benefit from strong privacy protection.
12. Supervisory Authorities and Complaints
If you have concerns about how we handle your personal data or believe your privacy rights have been violated, we encourage you to contact us first at [email protected] so we can attempt to resolve the issue promptly and fairly.
If you are not satisfied with our response, you may have the right to lodge a complaint with a data protection or privacy authority, depending on your location and the nature of the data involved:
United States:
If your concern involves student education records protected under the Family Educational Rights and Privacy Act (FERPA), you may contact the Student Privacy Policy Office (SPPO) at the U.S. Department of Education: https://studentprivacy.ed.gov. For other privacy-related concerns, federal or state-specific laws may apply.
United Kingdom:
You may contact the Information Commissioner’s Office (ICO) at https://ico.org.uk.
European Union:
If you are located in Luxembourg, you may contact the Commission nationale pour la protection des données (CNPD) at https://cnpd.public.lu.
Individuals in other EU member states may contact their national Data Protection Authority (DPA). A full list is available at https://edpb.europa.eu/about-edpb/board/members_en.
Canada:
You may contact the Office of the Privacy Commissioner of Canada (OPC) at https://www.priv.gc.ca.
Additionally, residents of the following provinces may contact their respective provincial privacy authorities:
– Ontario: Information and Privacy Commissioner (IPC)
– Alberta: Office of the Information and Privacy Commissioner (OIPC)
– British Columbia: Office of the Information and Privacy Commissioner
13. Policy Updates
We review this Privacy Policy regularly and may update it from time to time to reflect changes in our services, legal obligations, or data protection practices. If we make material changes, we will notify you by email (where contact information is available) or through a prominent notice on our website or platform.
We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your personal data.
To help us maintain accurate and up-to-date records, please inform us promptly of any changes to your personal information.
14. Contact Us
For general, commercial, or product-related inquiries, including questions related to procurement and vendor onboarding, please contact: [email protected]
For regulatory, legal, or data protection matters under applicable privacy laws, you may contact our Data Protection Officer at: [email protected]