سياسة الخصوصية

This Privacy Policy explains how EdTrust (“EdTrust”, “we”, “us”) collects, uses, stores and protects your personal data when you visit edtrust.io or use our applications (EdManager, EdParent, EdTeacher, EdStudent and EdScan) outside of our home markets.

Because EdTrust serves schools internationally, this Policy is designed to comply with the EU General Data Protection Regulation (GDPR) 2016/679, the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act (CCPA / CPRA), and other equivalent regimes where applicable. Local schools remain subject to their own national data protection laws.

1. Data controller

For visitors of edtrust.io and direct customers of EdTrust’s international entity, the data controller is EdTrust, with offices at Technopole El Ghazela, Raoued, Ariana, Tunisie, 2086.

Where the customer is one of our local entities (EdTrust SARL in Tunisia, EdTrust Kenya Ltd in Kenya), that local entity is the controller and this Policy is read together with the country-specific notice on the local site.

You can reach our Privacy team at contact@edtrust.io.

2. Information we collect

2.1 Information you provide

• Identification data: name, email, phone, role, school or organisation.
• Account data: username, hashed password, role.
• Communications content: demo and contact requests, support tickets.
• Customer data processed on behalf of subscribing schools, including learner records, grades, attendance, schedules, assignments, payments.

2.2 Information collected automatically

• Device and connection data: device type, operating system, browser, IP address, mobile network operator.
• Usage data: pages visited, session duration, features used, sign-in logs.
• Approximate location derived from IP address, used for security and fraud prevention.

3. Lawful bases for processing

Under Article 6 GDPR (and equivalent provisions), we rely on:

• Performance of a contract — to provide the services to subscribing schools and their authorised users.
• Legitimate interests — running and improving our business, prospecting, security, and fraud prevention. We balance these interests against your rights and freedoms.
• Consent — for marketing communications, optional analytics, and non-essential cookies. You may withdraw your consent at any time.
• Legal obligation — accounting, tax records, response to lawful requests.

4. Customer data — processor role

When schools use our platform to manage their operations, EdTrust acts as a data processor under Article 28 GDPR. Schools remain the data controller of learner and family records and decide on purposes and means. Our Data Processing Agreement (available on request) sets out the technical and organisational measures we apply, the list of sub-processors, and the procedures for data subject requests, breach notification and audits.

For requests about a specific learner or parent, please contact the school directly; we will assist them as their processor.

5. Recipients and sub-processors

Your data is accessible only to authorised personnel and:

• Hosting: Amazon Web Services (AWS), Frankfurt (eu-central-1) by default.
• Email and CRM: HubSpot, transactional email providers.
• Analytics: HubSpot Analytics, loaded only after consent.
• Payments: PCI-DSS compliant payment processors (where applicable).
• Customer support tooling with contractual confidentiality.

An up-to-date list of sub-processors is available on request at contact@edtrust.io.

6. International data transfers

Some sub-processors are located outside the European Economic Area, the United Kingdom, or your country of residence. Where this is the case, we rely on appropriate safeguards under Articles 44–49 GDPR, in particular:

• European Commission Standard Contractual Clauses (SCCs) (2021/914) and the UK International Data Transfer Addendum;
• adequacy decisions where they apply;
• supplementary technical measures including encryption in transit and at rest, key management, and access controls.

7. Retention

• Marketing prospects: up to 3 years from last interaction.
• Active accounts: for the duration of the subscription.
• After account deletion: all copies removed within 90 days to 12 months from receipt of the request.
• Accounting records: as required by applicable law (typically 7–10 years).
• Sign-in / audit logs: 12 months.

8. Your rights

Depending on your jurisdiction, you may have the right to:

• access the personal data we hold about you;
• request correction or erasure;
• restrict or object to processing;
• data portability in a structured, machine-readable format;
• withdraw your consent at any time;
• opt out of the “sale” or “sharing” of personal information under the CCPA / CPRA — we do not sell personal data, and we honour Global Privacy Control (GPC) signals where technically feasible;
• not be subject to solely automated decisions with legal effects.

To exercise any of these rights, contact contact@edtrust.io. EU/EEA residents may also lodge a complaint with their local supervisory authority; UK residents with the Information Commissioner’s Office (ICO).

9. Security

We apply security controls appropriate to the risk: encryption in transit (TLS 1.2+) and at rest, role-based access, multi-factor authentication for staff, audit logging, regular backups, security reviews, vulnerability management, and continuous training.

10. Children’s data

Our website is intended for school administrators, teachers, parents and partners, not directly for children. When schools use our platform, they remain the data controller for learner data and are responsible for any required parental consent.

11. Cookies

We use essential cookies and, with your consent, analytics and marketing cookies. See the Cookie Policy for details and how to change your choices.

12. Changes to this Policy

We may update this Policy. The date of the latest update is shown at the top of this page. Material changes will be notified by email or through an in-app notice.

13. Contact

• Email: contact@edtrust.io
• Address: Technopole El Ghazela, Raoued, Ariana, Tunisie, 2086