Privacy Policy

Effective Date: 18 September 2024

At Edrevel (“we,” “us,” or “our”), we are committed to ensuring the privacy and security of the personal data we process on behalf of our clients. As a data processor, we adhere to the highest standards of compliance with the General Data Protection Regulation (GDPR). This Privacy Policy outlines our obligations and responsibilities under relevant GDPR Articles.

Role of the Processor (Article 28)

As a SaaS provider, we act as a data processor for our clients, who are the data controllers. We only process personal data under the documented instructions of our clients, as specified in our data processing agreements. We ensure that any sub-processors we engage are subject to the same data protection obligations.

We process personal information such as name, address, contact numbers, and parents’ information, along with associated training data such as course name and course performance-related information.

Processing under the Authority of the Controller (Article 29)

We process personal data solely under the authority and instructions of our clients (the data controllers). We will not process, access, or use personal data for any purpose other than as instructed by the client, unless required by law.

Security of Processing (Article 32)

We implement appropriate technical and organizational measures to ensure the security of personal data. These measures include encryption, access controls, regular security assessments, and data anonymization where applicable, aimed at mitigating risks such as unauthorized access, accidental loss, or data breaches.

Data Breach Notification (Articles 33 and 34)

In the event of a personal data breach, we will notify the data controller without undue delay, and provide all necessary information to help the controller meet their obligations to notify the relevant supervisory authority and, where applicable, affected data subjects.

Data Protection Impact Assessments (DPIA) (Article 35)

Where required, we assist our clients in carrying out Data Protection Impact Assessments (DPIAs) by providing relevant information about our processing activities and security measures. We collaborate with our clients to identify and mitigate any high risks to data subjects’ privacy.

Prior Consultation with Supervisory Authorities (Article 36)

In situations where a DPIA indicates that processing poses a high risk to data subjects and these risks cannot be mitigated, we assist the data controller in consulting with the supervisory authority prior to processing.

Data Protection Officer (DPO) (Articles 37, 38, 39)

We have designated a Data Protection Officer (DPO) to oversee our compliance with GDPR. The DPO is responsible for:

The DPO operates independently and has the full support of our management team to ensure proper implementation of data protection measures.

International Data Transfers (Articles 44, 46, 47)

If we transfer personal data outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or Binding Corporate Rules (BCRs), to ensure the protection of personal data in compliance with GDPR. We do not transfer data to third countries unless the required safeguards are fully implemented.

Sub-processors

We may engage third-party sub-processors to assist in providing our services. All sub-processors are subject to data processing agreements and must adhere to the same security and privacy standards as Edrevel. We provide our clients with a list of sub-processors upon request and ensure that any changes to this list are communicated.

Data Retention

We retain personal data only for the duration necessary to fulfill our contractual obligations or as required by law. Upon termination of our services, we either delete or return personal data to our clients, unless legal obligations require further retention.

Rights of Data Subjects

While our clients (the data controllers) are responsible for handling requests from data subjects (e.g., access, correction, deletion), we assist them by providing necessary information and ensuring that our processing activities comply with data subjects' rights.

Mobile Number Sharing

No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Single Sign-On Data Sharing

When users log in to our site through third-party authentication or other identity providers such as Google, Apple, Microsoft, Meta, etc., the information shared with us is not shared with anyone else. We further affirm that such data are not used to develop, improve, or train generalized AI and/or ML models.

How We Use User Data

We are committed to ensuring transparency regarding how we collect, use, and manage user data. Below is a detailed explanation of the types of data we collect and how they are used in our application:

1. Authentication and Account Management

2. User Directory Information

3. Group and Role Management

4. Custom Schema Data

5. Application Analytics and Improvement

6. Data Security

7. No Use for AI/ML Development

We affirm that any data collected is not used to develop, improve, or train generalized Artificial Intelligence (AI) or Machine Learning (ML) models.

8. User Control

Users have full control over their data and can:

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing practices or legal requirements. We will notify our clients of any material changes to this policy and ensure that it remains in compliance with applicable data protection laws.

Contact Information

For any questions regarding this Privacy Policy or our data processing practices, please contact our Data Protection Officer (DPO) at: