Privacy Policy

Version 2026-04-19 — last updated April 19, 2026

This Privacy Policy describes how EduBbey collects, uses, and protects personal data. We comply with the EU General Data Protection Regulation (GDPR) and the Malaysian Personal Data Protection Act (PDPA).

1. Who we are

“EduBbey” refers to the operator of the EduBbey platform (the “Service”). For EU users, our data controller for platform-level data (billing, support) is EduBbey. Schools (Tenants) are the data controllers for their own student/staff records; we are their data processor.

2. What we collect

  • Account data: name, email, role, password hash.
  • School data: school name, slug, country, subscription tier.
  • Usage data: pages visited, features used, error logs. Used to improve the Service.
  • Academic data (Tenant-owned): courses, grades, attendance, messages. We process this only to deliver the Service to your school.
  • AI-interaction data: prompts and outputs from AI features, linked to the requesting user, retained for audit and abuse detection.
  • Payment data: handled by Stripe / PayPal — we never store full card numbers.

3. Why we process it

  • To provide, operate, and secure the Service (contractual necessity).
  • To communicate with you about your account (legitimate interest).
  • To comply with legal obligations (tax, lawful requests).
  • To send marketing emails — only with your explicit opt-in consent.

4. Who we share data with

We use vetted processors to run the Service:

  • Infrastructure: our hosting provider (EU / UK data centres).
  • Email delivery: our transactional mail vendor.
  • AI models: Groq, OpenAI-compatible endpoints — prompts are sent over TLS and not used for model training by these vendors under our contracts.
  • Payments: Stripe, PayPal.

We do not sell personal data.

5. International transfers

For users outside the EEA (e.g. Malaysia), data may be processed in the EU, UK, or US. Transfers rely on Standard Contractual Clauses where applicable. Tenants on the Enterprise plan can request region-pinned data residency.

6. Retention

  • Account data: for the lifetime of your account plus 30 days after closure.
  • Academic records: retained by your school per its own policy and applicable law (typically 5–10 years).
  • Billing records: 7 years for tax compliance.
  • Audit log: 2 years.

7. Your rights

You have the right to:

  • Access your personal data (export it as JSON from your profile page).
  • Rectify incorrect data (edit your profile).
  • Erase your account (“delete my account” from your profile — processed within 30 days).
  • Object to marketing emails (unsubscribe link in every marketing message).
  • Portability — the JSON export satisfies this.
  • Complain to a supervisory authority (ICO in the UK, your national DPA in the EU, the PDP Commissioner in Malaysia).

8. Security

  • Data in transit is encrypted (TLS 1.2+).
  • Data at rest is encrypted at the storage layer.
  • Passwords are hashed with bcrypt.
  • Authentication tokens are Sanctum bearer tokens with strict tenant isolation middleware.
  • We apply least-privilege access controls for staff.

9. Children

Student accounts are created by schools under their own lawful basis (typically “public interest” for state schools, or parental consent captured by the school). We do not knowingly onboard users under 13 directly; all minor accounts must be created by a school that has the appropriate consent.

10. Contact & DPO

Privacy questions or requests: email privacy@edubbey.com. Security reports: security@edubbey.com.

11. Changes

We will notify you of material changes by email and in-app banner at least 14 days before they take effect.