Privacy Policy

Personal Information

We collect information you provide directly to us, such as:

• Name and contact information
• Job title and department
• Organization details
• Account credentials
• Profile information and preferences
• Employee ID (when provided by your organization)
• Manager and team information

Learning Platform Integration Data

When your organization integrates third-party learning platforms:

• xAPI statements from Udemy, Coursera, LinkedIn Learning
• Course enrollment and completion data
• External certifications and badges
• Learning activity timestamps and duration

Usage Information

We automatically collect certain information about your use of our platform:

• Learning progress and completion data
• Assessment results and performance metrics
• Platform usage patterns and preferences
• Device and browser information
• IP address and location data

With Your Organization

Your organization's administrators may have access to your learning progress, assessment results, and other performance data for training and development purposes.

Service Providers

We use carefully selected sub-processors to help deliver our services:

• Supabase (Database hosting) - United States
• Vercel (Application hosting) - Global CDN
• Resend (Email services) - United States
• OpenAI/Anthropic (AI services, optional) - United States

All sub-processors are bound by data processing agreements and appropriate safeguards.

Legal Requirements

We may disclose information if required by law or to protect our rights, property, or safety, or that of our users or the public.

Encryption and Data Protection

• AES-256 encryption for data at rest using industry-standard algorithms
• TLS 1.3 for data in transit with perfect forward secrecy
• Hardware Security Module (HSM) for cryptographic key management
• Annual key rotation procedures for all encryption keys
• Database-level encryption with organization-specific keys

Access Controls and Authentication

• Multi-factor authentication (MFA) required for all administrative access
• Just-in-time (JIT) access for privileged operations
• Role-based access control (RBAC) with principle of least privilege
• Regular access reviews and quarterly certification processes
• Zero-trust network architecture implementation
• Session management with device fingerprinting and anomaly detection

Infrastructure and Network Security

• Web Application Firewall (WAF) with real-time threat protection
• DDoS mitigation and advanced rate limiting mechanisms
• Container security scanning and runtime protection
• Network segmentation and microsegmentation implementation
• Regular penetration testing by certified third-party firms
• 24/7 security monitoring and incident detection

Multi-Tenant Security Architecture

• Complete tenant data separation using UUID-based isolation
• Row-level security (RLS) policies preventing cross-tenant access
• Organization-specific encryption keys and subdomain isolation
• Isolated backup and disaster recovery per organization
• Compliance boundaries enforced at the database and application levels

Security Monitoring and Incident Response

• Security Information and Event Management (SIEM) system
• Real-time threat detection and automated response capabilities
• Digital forensics capabilities for incident investigation
• Incident response plan with defined escalation procedures
• Business continuity and disaster recovery testing
• Compliance monitoring and automated audit trail generation

Security Certifications and Standards

• SOC 2 Type II compliance in progress (annual audits)
• ISO 27001 information security management system alignment
• NIST Cybersecurity Framework implementation
• Regular security assessments and vulnerability management
• Employee security awareness training and certification programs

AI Data Usage and Training

• Customer data is never used for training general AI models or shared with AI providers
• All AI processing occurs within tenant security boundaries with complete data isolation
• Differential privacy techniques applied to all learning analytics to prevent individual identification
• Federated learning approaches used for personalization without centralizing user data
• AI model training limited to aggregated, anonymized, non-personal datasets only

AI Model Security and Privacy

• End-to-end encryption for all AI inference requests and responses
• AI model access controls with role-based permissions and audit logging
• Regular bias auditing and algorithmic fairness assessments
• AI decision-making transparency with explainable AI (XAI) capabilities
• Secure model deployment with runtime protection and monitoring

AI Decision-Making and User Rights

• Human oversight required for all high-impact AI-powered recommendations
• Right to explanation for automated decisions affecting learning paths or assessments
• Opt-out mechanisms available for AI-powered features and personalization
• AI system transparency reports published quarterly
• User control over AI personalization settings and data usage preferences

AI Provider Data Protection

• Data Processing Agreements (DPAs) in place with all AI service providers
• Minimal data sharing limited to non-personal, aggregated information only
• AI provider compliance with GDPR, CCPA, and enterprise security standards
• Regular audits of AI provider security practices and data handling
• Contractual guarantees against unauthorized data use or model training

AI Ethics and Governance

• AI Ethics Review Board oversight for all AI implementations
• Responsible AI development practices following industry best practices
• Regular AI impact assessments for privacy and fairness
• Algorithmic transparency in learning recommendations and assessments
• Continuous monitoring for AI bias and discriminatory outcomes

GDPR Rights (European Economic Area)

• Access: Request a copy of your personal information
• Rectification: Request correction of inaccurate information
• Erasure: Request deletion (subject to legal retention requirements)
• Portability: Receive your data in a machine-readable format
• Restriction: Request limitation of processing
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent where processing is consent-based
• Automated Decision-Making: Right not to be subject to automated decisions
• Lodge a Complaint: File a complaint with your supervisory authority

CCPA Rights (California Residents)

• Right to Know: Request disclosure of personal information collected
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: We do not sell personal information
• Right to Non-Discrimination: Equal service regardless of privacy choices

Categories of Personal Information Collected: Identifiers, professional information, education information, commercial information, internet activity, and inferences.