Privacy Policy
Effective Date: 18 September 2024
At Edrevel (“we,” “us,” or “our”), we are committed to ensuring the privacy and security of the personal data we process on behalf of our clients. As a data processor, we adhere to the highest standards of compliance with the General Data Protection Regulation (GDPR). This Privacy Policy outlines our obligations and responsibilities under relevant GDPR Articles.
Role of the Processor (Article 28)
As a SaaS provider, we act as a data processor for our clients, who are the data controllers. We only process personal data under the documented instructions of our clients, as specified in our data processing agreements. We ensure that any sub-processors we engage are subject to the same data protection obligations.
We process personal information such as name, address, contact numbers, parents’ information and associated training data such as course name, and course performance-related information.
Processing under the Authority of the Controller (Article 29)
We process personal data solely under the authority and instructions of our clients (the data controllers). We will not process, access, or use personal data for any purpose other than as instructed by the client, unless required by law.
Security of Processing (Article 32)
We implement appropriate technical and organizational measures to ensure the security of personal data. These measures include encryption, access controls, regular security assessments, and data anonymization where applicable, aimed at mitigating risks such as unauthorized access, accidental loss, or data breaches.
Data Breach Notification (Articles 33 and 34)
In the event of a personal data breach, we will notify the data controller without undue delay, and provide all necessary information to help the controller meet their obligations to notify the relevant supervisory authority and, where applicable, affected data subjects.
Data Protection Impact Assessments (DPIA) (Article 35)
Where required, we assist our clients in carrying out Data Protection Impact Assessments (DPIAs) by providing relevant information about our processing activities and security measures. We collaborate with our clients to identify and mitigate any high risks to data subjects’ privacy.
Prior Consultation with Supervisory Authorities (Article 36)
In situations where a DPIA indicates that processing poses a high risk to data subjects and these risks cannot be mitigated, we assist the data controller in consulting with the supervisory authority prior to processing.
Data Protection Officer (DPO) (Articles 37, 38, 39)
We have designated a Data Protection Officer (DPO) to oversee our compliance with GDPR. The DPO is responsible for:
- Monitoring our internal compliance
- Advising on DPIAs
- Acting as a point of contact for data subjects and supervisory authorities
- Ensuring that data protection principles are integrated into all of our processes
The DPO operates independently and has the full support of our management team to ensure proper implementation of data protection measures.
International Data Transfers (Articles 44, 46, 47)
If we transfer personal data outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or Binding Corporate Rules (BCRs), to ensure the protection of personal data in compliance with GDPR. We do not transfer data to third countries unless the required safeguards are fully implemented.
Sub-processors
We may engage third-party sub-processors to assist in providing our services. All sub-processors are subject to data processing agreements and must adhere to the same security and privacy standards as we do. We provide our clients with a list of sub-processors upon request and ensure that any changes to this list are communicated.
Data Retention
We retain personal data only for the duration necessary to fulfill our contractual obligations or as required by law. Upon termination of our services, we either delete or return personal data to our clients, unless legal obligations require further retention.
Rights of Data Subjects
While our clients (the data controllers) are responsible for handling requests from data subjects (e.g., access, correction, deletion), we assist them by providing necessary information and ensuring that our processing activities comply with data subjects' rights.
Mobile Number Sharing
No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
Single Sign-On Data Sharing
When users log in to our site through third-party authentication or other identity providers such as Google, Apple, Microsoft, Meta, etc., the information shared with us is not shared with anyone else. We further affirm that such data are not used to develop, improve, or train generalized AI and/or ML models.
How We Use User Data
We are committed to ensuring transparency regarding how we collect, use, and manage user data. Below is a detailed explanation of the types of data we collect and how they are used in our application:
1. Authentication and Account Management
- Data Collected: Name, email address, profile picture, and unique user ID (provided by third-party authentication services like Google, Apple, Microsoft, or Meta).
- Purpose: To securely authenticate users, create and manage accounts, and provide personalized access to the application.
- Reason: This data is essential to identify users and ensure secure access to the platform.
2. User Directory Information
- Data Collected: User details (e.g., names, emails) and group affiliations from Google Admin Directory.
- Purpose: To onboard users as students, assign them to classes or groups, and facilitate communication within the application.
- Reason: This enables efficient user organization and role-based permissions within the platform.
3. Group and Role Management
- Data Collected: Group details and membership data from Google Admin APIs.
- Purpose: To manage student enrollments, organize class groups, and support role-based access controls.
- Reason: This data ensures users are correctly assigned and can access appropriate resources and features.
4. Custom Schema Data
- Data Collected: Custom attributes such as Student IDs and enrollment details (retrieved from third-party identity providers).
- Purpose: To synchronize data between the application and organizational systems, ensuring accurate user profiles.
- Reason: This supports better data consistency and enhances application functionality.
5. Application Analytics and Improvement
- Data Collected: Usage patterns and interaction logs (collected anonymously).
- Purpose: To improve application features, troubleshoot issues, and enhance user experience.
- Reason: This data helps us optimize performance and address user needs effectively.
6. Data Security
- How We Protect It: All data is encrypted during transit and storage, and access is restricted to authorized personnel only.
- No Sharing or Selling: User data is never shared with third parties, sold, or used for marketing purposes without explicit consent.
7. No Use for AI/ML Development
We affirm that any data collected is not used to develop, improve, or train generalized Artificial Intelligence (AI) or Machine Learning (ML) models.
8. User Control
Users have full control over their data and can:
- Review or update their information through their account settings.
- Revoke access to their data via the respective third-party authentication provider.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing practices or legal requirements. We will notify our clients of any material changes to this policy and ensure that it remains in compliance with applicable data protection laws.
Contact Information
For any questions regarding this Privacy Policy or our data processing practices, please contact our Data Protection Officer (DPO) at:
- privacy@technogemsinc.com
- 4000 Legato Rd, #1100, Fairfax, VA, 22033, USA