Privacy Policy

1. Introduction and Scope

Druid Learning Hub ("Platform," "Service," "we," "us," or "our") is committed to protecting the privacy and personal data of all individuals who use our educational platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access or use the Druid Learning Hub platform, including all websites, applications, tools, and services operated by us.

This Privacy Policy applies to all Users of the Platform, regardless of their role — Students, Instructors, Parents, Corporate Users, and Administrators — as well as to visitors who browse the Platform without creating an account. It covers data collected through all means, including directly from you, automatically through your use of the Platform, and from third-party sources where applicable.

This Privacy Policy is designed to comply with the following data protection frameworks and legislation:

• The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, for Users in the European Economic Area (EEA);
• The Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR) 2019, for Users in Nigeria and for our operations as a Nigeria-based entity;
• The Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, for children under 13 in the United States;
• The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, for student educational records in the United States;
• The California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Cal. Civ. Code §§ 1798.100–1798.199.100, for California residents;
• The Protection of Personal Information Act (POPIA), Act 4 of 2013, for Users in South Africa;
• The UK GDPR and the Data Protection Act 2018, for Users in the United Kingdom.

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. Where your consent is the legal basis for processing, we will obtain your explicit consent before collecting or processing your personal data. You may withdraw your consent at any time as described in this Policy.

This Privacy Policy should be read in conjunction with our Terms of Service, Acceptable Use Policy, and Cookie Policy.

2. Data Controller Information

For the purposes of the GDPR (Article 4(7)), the NDPA 2023, and other applicable data protection laws, the data controller responsible for your personal data is:

As the data controller, we determine the purposes and means of processing personal data collected through the Platform. We are responsible for ensuring that all processing activities comply with applicable data protection legislation, including implementing appropriate technical and organisational measures to protect your data.

Where we process personal data on behalf of educational institutions (schools using the SCHOOL learning context), we may act as a data processor under the direction of the school, which serves as the data controller for its students' educational records. In such cases, the processing is governed by a Data Processing Agreement between Druid Learning Hub and the educational institution, in accordance with GDPR Article 28 and the NDPA 2023.

For Users in the European Economic Area who wish to exercise their rights under the GDPR, or who have concerns about our data processing practices, they may contact our Data Protection Officer at the email address above. We are also registered with the Nigeria Data Protection Commission (NDPC) as required under the NDPA 2023.

3. Definitions

For the purposes of this Privacy Policy, the following terms have the meanings set out below. Where a term is defined in the GDPR, NDPA, or other applicable law, that statutory definition shall prevail in the relevant jurisdiction:

• "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in GDPR Article 4(1) and Section 65 of the NDPA 2023. This includes, but is not limited to, names, email addresses, IP addresses, location data, online identifiers, and any other information that can directly or indirectly identify an individual.
• "Processing" means any operation or set of operations performed on personal data, whether by automated means or not, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction (GDPR Article 4(2)).
• "Data Subject" means the identified or identifiable natural person to whom the personal data relates.
• "Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (GDPR Article 4(7)).
• "Data Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller (GDPR Article 4(8)).
• "Consent" means any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them (GDPR Article 4(11)).
• "Child" means a person under the age of 16, or under the age of 13 in the United States (for COPPA purposes), or under the applicable age of digital consent in the User's jurisdiction. Under GDPR Article 8, Member States may set the age of digital consent between 13 and 16.
• "Educational Records" means records directly related to a student that are maintained by an educational agency or institution, or by a party acting for the agency or institution, as defined under FERPA (20 U.S.C. § 1232g(a)(4)).
• "User" means any individual who accesses or uses the Platform, including Students, Instructors, Parents, Corporate Users, and Administrators.
• "Dojo" means the suite of interactive creative tools within the Platform, comprising Code Studio, Data Studio, Web Studio, Design Studio, Visual Logic Designer, and the Design Editor.
• "Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation (GDPR Article 9).
• "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements (GDPR Article 4(4)).

4. Personal Data We Collect

We collect and process the following categories of personal data. The specific data collected varies by User role and the features used:

4.1 Account Data

When you register for an account, we collect:

• Full name (first name and last name);
• Email address;
• Username (chosen by you);
• Password (stored in hashed form using Django's PBKDF2 algorithm — we never store plaintext passwords);
• User role (Student, Instructor, Parent, Corporate, or Administrator);
• Profile information, including biography, avatar image, and display preferences;
• For Students: learning context (SCHOOL or HOME), linked school or parent account, grade level;
• For Parents: linked child accounts, contact information;
• For Corporate Users: organisation name, department, job title;
• For Instructors: qualifications, subject specialisations, affiliated institutions.

4.2 Educational Data

As you use the Platform for learning, we collect:

• Course enrolment records and completion status;
• Module and lesson progress data, including which lessons have been viewed, started, and completed;
• Quiz and assessment responses, scores, and grades;
• Submission records, including timestamps, attempt counts, and instructor feedback;
• Achievement and badge data, including XP (experience points) earned and streak records;
• Learning schedules set by Parents for child accounts;
• Curriculum progress within school-managed accounts;
• Time-on-task metrics (time spent on each lesson, module, and course);
• Skill assessment results and certification records for Corporate Users.

4.3 Code and Content Data

When you use the Platform's interactive tools, we may collect:

• Source code submitted through the Code Studio (Python, JavaScript), including all versions and revisions;
• Notebook files created in the Data Studio, including Python (Pyodide) and SQL (sql.js) cell contents and outputs;
• HTML, CSS, and JavaScript files created in the Web Studio and Design Editor;
• Graphic design projects created in the Design Studio using Fabric.js, including canvas state data;
• Flowchart and system design diagrams created in the Visual Logic Designer;
• Showcase projects submitted for public display;
• Exported project files (ZIP archives, PNG images, .py files);
• Instructor-created course content, including lesson text, starter code, solution code, test cases, and media uploads.

Please note that code executed in the browser via Pyodide and sql.js runs entirely on your device. We do not capture the runtime execution of your code on our servers. However, when you submit code for grading or save a project, the source code is transmitted to and stored on our servers.

4.4 Usage and Analytics Data

We automatically collect data about how you interact with the Platform:

• Pages visited, features used, and navigation paths;
• Session duration and frequency of visits;
• Click patterns and interaction data within lessons and tools;
• Search queries entered on the Platform;
• Error logs and performance data (e.g., page load times, JavaScript errors);
• Referral sources (how you arrived at the Platform);
• Enrolment and drop-off patterns across courses and modules.

4.5 Device and Technical Data

We automatically collect technical information about your device and connection:

• IP address (which may indicate approximate geographic location);
• Browser type and version (e.g., Chrome 120, Firefox 121, Safari 17);
• Operating system and version (e.g., Windows 11, macOS 14, Ubuntu 22.04);
• Device type (desktop, tablet, mobile) and screen resolution;
• Language and locale settings;
• Time zone;
• Hardware capabilities relevant to client-side code execution (e.g., available memory for Pyodide).

4.6 Cookie Data

We use cookies and similar technologies to collect data as described in Section 16 and in our Cookie Policy. This includes:

• Session cookies required for authentication and maintaining your logged-in state (Django session ID);
• CSRF (Cross-Site Request Forgery) protection tokens;
• Preference cookies that store your display settings (e.g., theme, editor preferences);
• Analytics cookies that help us understand Platform usage patterns.

4.7 Communication Data

When you communicate with us, we collect:

• Emails sent to our support, legal, or general contact addresses;
• Feedback and survey responses submitted through the Platform;
• Instructor feedback on student submissions;
• AI feedback interaction logs (questions asked and responses received through AI assistance features);
• Support ticket contents and resolution records.

4.8 Children's Data

For child Users (under 13 in the US, under 16 in the EU unless a lower age is set by a Member State), we collect only the minimum data necessary for educational purposes:

• First name (or a pseudonym chosen by the parent);
• Age or age range (not full date of birth, unless required by the school);
• Learning context (SCHOOL or HOME);
• Educational progress data (course completion, grades, achievements);
• Code and content submissions made through lessons and Dojo tools;
• The Parent or school account to which the child's account is linked.

We do not collect the following from child accounts: social media handles, precise geolocation, photographs (unless voluntarily uploaded as a profile avatar by a parent), financial information, or any Special Category Data as defined by the GDPR.

5. How We Collect Personal Data

5.1 Data You Provide Directly

We collect personal data that you voluntarily provide to us through:

• Account registration — when you create an account and fill in your profile details;
• Content creation — when you write code, create designs, build notebooks, submit assignments, or publish showcase projects;
• Course enrolment — when you enrol in courses or learning paths;
• Communication — when you send us emails, submit support requests, or provide feedback;
• Parent account setup — when Parents create and configure child accounts, set learning schedules, and provide consent;
• Instructor content authoring — when Instructors create courses, lessons, test cases, and grading rubrics;
• Corporate onboarding — when Corporate Users provide organisational details and skill profiles.

5.2 Data Collected Automatically

We collect certain data automatically when you access or use the Platform:

• Server logs — our web server records your IP address, request URL, HTTP method, response code, User-Agent string, and timestamp for every request;
• Session data — Django's session framework creates a server-side session identified by a session cookie, which tracks your authentication state and CSRF protection tokens;
• Usage analytics — we track page views, feature usage, lesson progress, and interaction patterns to improve the Platform;
• Error tracking — client-side and server-side errors are logged to help us diagnose and fix issues;
• Performance metrics — page load times, API response times, and client-side rendering performance.

5.3 Data from Third Parties

We may receive personal data about you from third-party sources, including:

• Educational institutions — schools may provide student roster data (names, email addresses, class assignments) when onboarding students in the SCHOOL learning context;
• Corporate clients — organisations may provide employee data (names, email addresses, departments, roles) when setting up corporate learning programmes;
• CDN providers — third-party Content Delivery Networks from which we load libraries may process limited technical data (IP addresses, browser information) as described in Section 17;
• AI service providers — when you use AI feedback features, a third-party AI API may process portions of your code or content to generate feedback, as described in Section 18.

6. Legal Bases for Processing

Under the GDPR (Article 6(1)) and the NDPA 2023, we process your personal data only where we have a valid legal basis. The legal bases we rely on depend on the specific processing activity:

6.1 Consent (GDPR Article 6(1)(a))

We rely on your consent for the following processing activities:

• Setting non-essential cookies and analytics tracking (see our Cookie Policy);
• Processing children's personal data where parental consent is required under COPPA or GDPR Article 8;
• Sending marketing communications or educational newsletters;
• Processing your code or content through third-party AI APIs for feedback features;
• Publishing your showcase projects on publicly accessible pages.

Where consent is the legal basis, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You may withdraw consent by adjusting your account settings, contacting us at privacy@druidlearninghub.com, or using the specific opt-out mechanism provided for the relevant feature.

6.2 Performance of a Contract (GDPR Article 6(1)(b))

We process personal data where it is necessary for the performance of our contract with you (the Terms of Service), including:

• Creating and maintaining your user account;
• Providing access to courses, lessons, and Dojo tools;
• Processing your code submissions and providing auto-grading results;
• Storing your projects, progress data, and achievements;
• Enabling Parents to manage child accounts and view educational progress;
• Providing Instructors with student management and grading capabilities;
• Delivering Corporate learning paths, skill assessments, and certification tracking.

6.3 Legitimate Interests (GDPR Article 6(1)(f))

We process personal data where it is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include:

• Platform improvement — analysing usage patterns and educational outcomes to improve our courses, tools, and user experience;
• Security — monitoring for unauthorised access, fraud, abuse, and security incidents;
• Bug fixing and performance optimisation — collecting error logs and performance metrics to maintain service quality;
• Educational analytics — aggregating and anonymising data to identify trends in learning effectiveness, course difficulty, and engagement;
• Communication — sending transactional messages (account verification, password resets, submission notifications) and responding to your inquiries;
• Preventing abuse — detecting and preventing cheating, plagiarism, and manipulation of assessment systems.

We conduct a Legitimate Interest Assessment (LIA) for each processing activity based on legitimate interests, balancing the necessity and proportionality of the processing against the potential impact on your privacy rights. You may object to processing based on legitimate interests as described in Sections 13 and 14.

6.4 Legal Obligation (GDPR Article 6(1)(c))

We process personal data where it is necessary to comply with a legal obligation to which we are subject, including:

• Maintaining records as required by Nigerian tax and business regulations;
• Responding to lawful requests from regulatory authorities, including the Nigeria Data Protection Commission (NDPC);
• Complying with court orders, subpoenas, or other legal process;
• Fulfilling data protection notification requirements under the NDPA 2023 and GDPR;
• Maintaining audit logs of administrative actions.

6.5 Vital Interests (GDPR Article 6(1)(d))

In exceptional circumstances, we may process personal data where it is necessary to protect the vital interests of a Data Subject or another natural person. This would apply only in emergencies where a person's life or safety is at risk and no other legal basis is available.

6.6 Public Interest (GDPR Article 6(1)(e))

Where we process data on behalf of educational institutions in the SCHOOL learning context, the processing may be necessary for the performance of a task carried out in the public interest, specifically the provision of education. This basis is particularly relevant where FERPA applies, as the processing of student educational records by schools serves the public interest in education.

7. Purpose of Data Processing

We process your personal data for the following specific purposes. For each purpose, we have identified the corresponding legal basis in accordance with GDPR Article 5(1)(b) (purpose limitation):

We adhere to the principle of data minimisation (GDPR Article 5(1)(c)): we collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes stated above. We do not process personal data for purposes incompatible with those for which it was originally collected, unless we obtain your consent or have another valid legal basis.

8. Children's Privacy

Druid Learning Hub is designed to serve learners of all ages, including children. We take the privacy of children extremely seriously and implement robust safeguards to protect their personal data.

8.1 COPPA Compliance (United States)

In compliance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506) and its implementing regulations (16 C.F.R. Part 312), we adhere to the following practices for children under 13 in the United States:

• We do not knowingly collect personal data from children under 13 without verifiable parental consent;
• Children under 13 may only access the Platform through a Parent-managed account in the HOME learning context, where the Parent provides verifiable consent and maintains ongoing oversight;
• We provide clear and prominent notice to Parents about what personal data we collect from children, how we use it, and our disclosure practices, before collecting any data;
• We use reasonable methods to obtain verifiable parental consent, including email-based consent confirmation with follow-up verification;
• Parents may review, request deletion of, and refuse further collection of their child's personal data at any time;
• We do not condition a child's participation in educational activities on the collection of more personal data than is reasonably necessary;
• We maintain the confidentiality, security, and integrity of children's personal data.

8.2 GDPR Article 8 Compliance (European Union)

Under GDPR Article 8, where the processing of a child's personal data is based on consent, the processing is lawful only if the child is at least 16 years old (or the age specified by the relevant EU Member State, with a minimum of 13). For children below the applicable age, consent must be given or authorised by the holder of parental responsibility over the child. We make reasonable efforts to verify that consent is given or authorised by the parent, taking into consideration available technology.

8.3 School Consent Under FERPA

For students in the SCHOOL learning context in the United States, we recognise that educational institutions may act in loco parentis under FERPA (20 U.S.C. § 1232g) and may consent to the collection of student data on behalf of parents for educational purposes. Schools using the Platform warrant that they have the authority to provide such consent and have notified parents in accordance with FERPA requirements. Schools serve as the data controller for their students' educational records, and we act as a "school official" with a legitimate educational interest as defined under FERPA § 99.31(a)(1).

8.4 Minimum Data Collection for Children

For child accounts, we apply the principle of strict data minimisation:

• We collect only the child's first name or pseudonym, age range, learning context, and the linked Parent or school account;
• We do not require children to provide email addresses for HOME context accounts (the Parent's email is used);
• We do not collect precise geolocation from children;
• We do not serve behavioural advertising or targeted marketing to children;
• We do not enable social features (public profiles, direct messaging) for child accounts without explicit parental approval;
• Showcase submissions from child accounts require Parent or Instructor approval before publication.

8.5 Parental Rights Regarding Children's Data

Parents and legal guardians of children using the Platform have the following rights:

• Right to review — Parents can view all personal data collected from their child through the Parent dashboard;
• Right to deletion — Parents can request the deletion of their child's account and all associated personal data by contacting us at privacy@druidlearninghub.com or through the Parent account settings;
• Right to refuse — Parents can refuse the further collection or use of their child's personal data. If such a refusal prevents us from providing the Service, we will inform the Parent;
• Right to consent without disclosure — Parents can consent to the collection and use of their child's data without consenting to disclosure to third parties (except as necessary for the operation of the Platform);
• Right to be informed — Parents will be notified of any material changes to this Privacy Policy that affect children's data.

8.6 Deletion of Children's Data

When a Parent requests deletion of their child's data, or when a child's account is closed, we will delete all personal data associated with the child's account within 30 days, except where retention is required by law. This includes educational progress data, code and content submissions, achievement records, and usage analytics. Anonymised or aggregated data that cannot be linked back to the child may be retained for educational research purposes.

9. Data Sharing and Disclosure

We do not sell your personal data to third parties. We share personal data only in the limited circumstances described below, and only to the extent necessary for the specified purpose.

9.1 Service Providers (Data Processors)

We engage third-party service providers who process personal data on our behalf to help operate the Platform. These processors are contractually bound to process data only as we instruct, and are required to implement appropriate technical and organisational security measures in accordance with GDPR Article 28. Our service providers include:

• Hosting providers — who provide the server infrastructure on which the Platform runs;
• AI API providers — who process code and content excerpts to generate AI feedback (only when you opt into AI assistance features);
• Email service providers — who deliver transactional and notification emails on our behalf;
• CDN providers — who deliver static assets (JavaScript libraries, fonts) to your browser, as detailed in Section 17.

All service providers are vetted for data protection compliance and are bound by Data Processing Agreements that include obligations regarding data security, confidentiality, sub-processing restrictions, and data deletion upon termination.

9.2 Educational Institutions

For Students in the SCHOOL learning context, we share educational data with the student's school, including:

• Course enrolment and progress data;
• Grades, assessment scores, and submission records;
• Attendance and engagement metrics;
• Achievement and certification records.

Schools access this data through Instructor and Administrator accounts assigned to their institution. This sharing is necessary for the educational purpose and is governed by our Data Processing Agreement with the school.

9.3 Parents

For Students in the HOME learning context, Parents have access to their linked children's educational data through the Parent dashboard, including progress, grades, submissions, schedules, achievements, and showcase projects. Parents can only view data for children linked to their own account — not data belonging to other families.

9.4 Corporate Clients

For Corporate Users, we share learning progress, skill assessment results, certification completion, and learning path data with the User's employer or sponsoring organisation, as authorised in the corporate licensing agreement. We do not share data beyond what is specified in the agreement.

9.5 Legal Requirements

We may disclose personal data where required or permitted by law, including:

• In response to valid legal process (court orders, subpoenas, search warrants) issued by a court of competent jurisdiction;
• To comply with regulatory requests from data protection authorities, including the Nigeria Data Protection Commission (NDPC), the UK Information Commissioner's Office (ICO), or EU supervisory authorities;
• To enforce our Terms of Service or protect our legal rights;
• To prevent or investigate fraud, security breaches, or illegal activity;
• To protect the safety of any person where there is an imminent threat.

Where legally permitted, we will notify you before disclosing your personal data in response to legal process, unless the notification itself is prohibited by law.

9.6 Business Transfers

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. In such circumstances, we will provide notice to affected Users and ensure the acquiring entity is bound by privacy obligations no less protective than those in this Privacy Policy. Where consent was the legal basis for processing, we will seek fresh consent from affected Users where required by law.

9.7 Data We Do Not Share

We want to be explicit about what we do not do with your data:

• We do not sell personal data to any third party, including data brokers or advertisers;
• We do not share personal data with advertisers for targeted advertising purposes;
• We do not use your code submissions, designs, or other creative content to train proprietary AI models — AI feedback is generated by third-party APIs in real-time and your content is not retained by the AI provider for training;
• We do not share student educational records with marketers, recruiters, or any entity not directly involved in the student's education, except with the student's (or parent's) explicit consent;
• We do not share children's personal data with third parties for commercial purposes;
• We do not disclose personal data to government authorities except where legally compelled to do so through valid legal process.

10. International Data Transfers

Druid Learning Hub is operated by Data Druid Tech Services Limited, a company registered in Nigeria. As we serve Users globally, personal data may be transferred to and processed in countries outside of your country of residence. We take the following measures to ensure that international data transfers comply with applicable data protection laws.

10.1 Transfers from the European Economic Area (EEA)

When we transfer personal data from the EEA to Nigeria or any other country outside the EEA that has not received an adequacy decision from the European Commission under GDPR Article 45, we rely on the following safeguards in accordance with GDPR Articles 46–49:

• Standard Contractual Clauses (SCCs) — We use the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the primary mechanism for transferring personal data to countries without an adequacy finding. These clauses impose contractual obligations on the data importer to protect data in accordance with EEA standards;
• Transfer Impact Assessments — We conduct transfer impact assessments (TIAs) to evaluate the legal framework of the receiving country and determine whether supplementary measures are necessary to ensure an essentially equivalent level of data protection;
• Supplementary measures — Where our TIA identifies risks, we implement supplementary technical (encryption in transit and at rest), organisational (access controls, data minimisation), and contractual measures to mitigate those risks.

10.2 Adequacy Decisions

Where we transfer data to countries that have received an adequacy decision from the European Commission (GDPR Article 45), no additional safeguards are required for transfers to those countries. We monitor adequacy decisions and update our transfer mechanisms accordingly.

10.3 Nigeria Data Protection Requirements

Under the NDPA 2023 and NDPR 2019, the transfer of personal data outside Nigeria is permitted where:

• The recipient country or organisation provides an adequate level of data protection as determined by the NDPC;
• Appropriate safeguards are in place, including binding contractual clauses between the data controller and the recipient;
• The Data Subject has provided explicit consent to the transfer after being informed of the possible risks;
• The transfer is necessary for the performance of a contract between the Data Subject and the data controller.

We ensure compliance with Nigerian cross-border transfer requirements and maintain documentation of all international transfers as required by the NDPC.

10.4 Transfers to the United Kingdom

For transfers of personal data from the UK to Nigeria or other countries, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office under the UK GDPR and the Data Protection Act 2018.

10.5 Third-Party CDN Transfers

When you use the Platform, your browser loads resources directly from third-party CDN providers (see Section 17). These requests may involve the transfer of your IP address and browser information to servers located in various countries. These transfers are inherent to the operation of the internet and are outside our direct control. We select CDN providers that maintain appropriate data protection standards and privacy policies.

11. Data Retention

In accordance with the principle of storage limitation (GDPR Article 5(1)(e)), we retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The retention periods below apply unless a longer or shorter retention period is required by applicable law:

11.1 Deletion Procedures

When personal data reaches the end of its retention period, or when you request deletion, we follow these procedures:

• Soft deletion — data is first marked as deleted and excluded from active queries, but remains in the database for a grace period (typically 30 days) to allow recovery in case of accidental deletion;
• Hard deletion — after the grace period, data is permanently removed from the production database;
• Backup purge — data is removed from backups during the next scheduled backup rotation cycle;
• Anonymisation — where full deletion would compromise the integrity of aggregate analytics or educational research, we anonymise the data instead, removing all identifiers so it can no longer be linked to an individual.

12. Data Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with GDPR Article 32 and the NDPA 2023.

12.1 Technical Measures

• Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). We enforce HTTPS across all Platform pages;
• Encryption at rest — sensitive data stored in our database, including passwords and authentication tokens, is encrypted. Passwords are hashed using Django's PBKDF2-SHA256 algorithm with a unique salt per password;
• CSRF protection — Django's built-in CSRF middleware protects against cross-site request forgery attacks by requiring a valid CSRF token for all state-changing requests;
• Session security — session identifiers are generated using cryptographically secure random number generators, are transmitted only over HTTPS, and are invalidated on logout;
• Input validation — all user inputs are validated on the server side using Django forms. Outputs are auto-escaped by Django's template engine to prevent cross-site scripting (XSS) attacks;
• SQL injection prevention — we use Django's ORM exclusively, which parameterises all database queries to prevent SQL injection;
• Content Security Policy — we implement HTTP security headers including Content-Security-Policy to restrict the loading of scripts and resources to trusted sources;
• Sandboxed code execution — all user code execution occurs in the browser sandbox (Pyodide, sql.js, sandboxed iframes). No user code executes on our servers.

12.2 Organisational Measures

• Access controls — access to personal data is restricted on a need-to-know basis. Administrative access requires authentication and is logged in the audit trail;
• Role-based permissions — the Platform enforces role-based access control (RBAC). Users can only access data appropriate to their role. Parents can only view their own children's data. Instructors can only view their own students' data;
• Ownership verification — every data access request is verified against both the user's role and their ownership relationship to the data (e.g., a Parent must be linked to the child whose data they request);
• Staff training — all personnel with access to personal data receive data protection training;
• Data Protection Impact Assessments — we conduct DPIAs (GDPR Article 35) before implementing new features or processing activities that may pose high risks to individuals' rights and freedoms;
• Vendor assessments — we evaluate the security and privacy practices of third-party service providers before engaging them and require contractual data protection commitments.

12.3 Incident Response

In the event of a personal data breach, we have an incident response plan that includes:

• Detection and containment — immediate identification and containment of the breach;
• Assessment — determination of the nature, scope, and severity of the breach, including the categories of data and number of Data Subjects affected;
• Notification to supervisory authorities — in compliance with GDPR Article 33, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms. Under the NDPA 2023, we will notify the NDPC within the timeframes prescribed by the Act;
• Notification to Data Subjects — in compliance with GDPR Article 34, where a breach is likely to result in a high risk to individuals' rights and freedoms, we will notify affected Data Subjects without undue delay, informing them of the nature of the breach, the likely consequences, and the measures taken to address it;
• Remediation — implementation of measures to prevent recurrence;
• Documentation — all breaches are documented in an internal breach register, including facts, effects, and remedial actions taken (GDPR Article 33(5)).

13. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (EU) 2016/679. To exercise any of these rights, contact us at dpo@druidlearninghub.com. We will respond to your request within one month (GDPR Article 12(3)), which may be extended by up to two further months for complex or numerous requests.

13.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether or not your personal data is being processed, and, where that is the case, access to the personal data and the following information: the purposes of processing; the categories of personal data concerned; the recipients or categories of recipients; the retention period; the existence of your other rights; information about the source of the data; and whether automated decision-making, including profiling, takes place. You also have the right to obtain a copy of your personal data undergoing processing, in a commonly used electronic format.

13.2 Right to Rectification (Article 16)

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement. You can update most of your account data directly through your profile settings.

13.3 Right to Erasure ("Right to be Forgotten") (Article 17)

You have the right to obtain the erasure of personal data concerning you without undue delay where:

• The personal data is no longer necessary for the purposes for which it was collected;
• You withdraw consent and there is no other legal basis for the processing;
• You object to the processing and there are no overriding legitimate grounds;
• The personal data has been unlawfully processed;
• The personal data must be erased for compliance with a legal obligation;
• The personal data was collected in relation to the offer of information society services to a child (Article 8(1)).

This right does not apply where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for archiving purposes in the public interest.

13.4 Right to Restriction of Processing (Article 18)

You have the right to obtain restriction of processing where: the accuracy of the personal data is contested (for a period enabling verification); the processing is unlawful and you oppose erasure; we no longer need the data but you require it for legal claims; or you have objected to processing pending verification of whether our legitimate grounds override yours. When processing is restricted, we will store your data but not process it further without your consent (except for legal claims, protection of rights, or important public interest reasons).

13.5 Right to Data Portability (Article 20)

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV), and the right to transmit that data to another controller without hindrance. This right applies where the processing is based on consent or contract, and the processing is carried out by automated means. For the Platform, this includes your account data, educational progress data, code submissions, and project files. We provide export functionality for Dojo projects (ZIP, .py, PNG) and can provide other data exports upon request.

13.6 Right to Object (Article 21)

You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Article 6(1)(e) (public interest) or Article 6(1)(f) (legitimate interests). Where you object, we will cease processing unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims. Where personal data is processed for direct marketing purposes, you have an absolute right to object at any time, and we will cease processing for that purpose without exception.

13.7 Rights Relating to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right does not apply where the decision is necessary for entering into or performing a contract, is authorised by law, or is based on your explicit consent. Where we use auto-grading for code submissions or quiz assessments, we note that: (a) auto-grading is integral to the educational service (contract performance); (b) auto-grading results can always be appealed to a human instructor; and (c) no auto-grading decision produces legal effects — it is an educational assessment tool.

13.8 Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR. This right is without prejudice to any other administrative or judicial remedy.

14. Your Rights Under NDPA/NDPR

If you are located in Nigeria, you have the following rights under the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR) 2019. To exercise any of these rights, contact us at dpo@druidlearninghub.com.

14.1 Right of Access

You have the right to request and obtain information about the personal data we hold about you, the purposes for which we process it, and the categories of recipients with whom we share it. We will provide this information within a reasonable timeframe as specified by the NDPC.

14.2 Right to Rectification

You have the right to request the correction of inaccurate or incomplete personal data we hold about you. We will rectify the data without undue delay and notify any third parties to whom the data was disclosed of the rectification, where reasonably practicable.

14.3 Right to Deletion

You have the right to request the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where the processing is unlawful. We will comply with deletion requests within 30 days, subject to any legal retention obligations.

14.4 Right to Data Portability

Under the NDPA 2023, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller. We will facilitate this transfer where technically feasible.

14.5 Right to Object

You have the right to object to the processing of your personal data, including processing for direct marketing purposes. Upon receiving your objection, we will cease the relevant processing unless we can demonstrate compelling legitimate grounds that override your interests.

14.6 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

14.7 Right to Complain to the NDPC

If you believe that the processing of your personal data violates the NDPA 2023 or the NDPR 2019, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC). Contact information for the NDPC can be found at https://ndpc.gov.ng.

15. Your Rights Under Other Laws

15.1 COPPA (United States — Children Under 13)

Under the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506), parents and legal guardians of children under 13 have the right to:

• Review the personal information collected from their child;
• Direct us to delete the child's personal information;
• Refuse the further collection or use of the child's personal information;
• Agree to the collection and use of the child's information without consenting to the disclosure of that information to third parties.

We will not require a child to disclose more information than is reasonably necessary to participate in the Platform's educational activities. To exercise COPPA rights, contact us at privacy@druidlearninghub.com with the subject line "COPPA Request."

15.2 FERPA (United States — Student Records)

Under the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g), students (and parents of students under 18) whose data is maintained as educational records through a school's use of the Platform have the right to:

• Inspect and review their educational records;
• Request the amendment of records they believe to be inaccurate, misleading, or in violation of their privacy rights;
• Consent to the disclosure of personally identifiable information from their educational records, except where FERPA authorises disclosure without consent (e.g., to school officials with a legitimate educational interest);
• File a complaint with the U.S. Department of Education Family Policy Compliance Office regarding alleged FERPA violations.

FERPA rights flow through the educational institution. Schools using the Platform should refer to Section 19 for detailed FERPA compliance information.

15.3 CCPA/CPRA (California, United States)

If you are a California resident, you have rights under the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–1798.199.100), as amended by the California Privacy Rights Act (CPRA), including:

• Right to know — the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting, and the categories of third parties with whom we share;
• Right to delete — request the deletion of personal information we have collected from you, subject to certain exceptions;
• Right to correct — request the correction of inaccurate personal information;
• Right to opt out of sale or sharing — we do not sell personal information or share it for cross-context behavioural advertising, so this right is already satisfied;
• Right to limit use of sensitive personal information — we do not use or disclose sensitive personal information for purposes beyond those permitted without a right to limit;
• Right to non-discrimination — we will not discriminate against you for exercising any CCPA/CPRA rights.

To exercise your rights under the CCPA/CPRA, submit a request to privacy@druidlearninghub.com with the subject line "CCPA Request." We will verify your identity before processing your request.

15.4 POPIA (South Africa)

If you are located in South Africa, you have rights under the Protection of Personal Information Act (Act 4 of 2013), including the right to:

• Be notified when your personal information is collected;
• Request access to your personal information;
• Request correction, destruction, or deletion of your personal information;
• Object to the processing of your personal information;
• Submit a complaint to the Information Regulator if you believe your privacy rights have been infringed;
• Institute civil proceedings regarding interference with your personal information.

Contact the South African Information Regulator at https://inforegulator.org.za for complaints.

15.5 UK GDPR and Data Protection Act 2018 (United Kingdom)

If you are located in the United Kingdom, you have rights substantially similar to those under the EU GDPR, as enshrined in the UK GDPR (the retained EU GDPR as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) and the Data Protection Act 2018. These include the rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making. You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk.

16. Cookies and Tracking Technologies

We use cookies and similar technologies on the Platform. A cookie is a small text file placed on your device by a website you visit. Cookies serve different purposes and have different lifetimes. For a comprehensive description of the cookies we use, their purposes, and how you can manage them, please refer to our Cookie Policy.

16.1 Essential Cookies

These cookies are strictly necessary for the Platform to function and cannot be disabled. They include:

• Session cookie (sessionid) — maintained by Django's session framework. This cookie identifies your authenticated session on the server. It contains a randomly generated session ID, not your personal data. It expires after 14 days of inactivity or when you log out;
• CSRF token cookie (csrftoken) — a security cookie required by Django's CSRF middleware to prevent cross-site request forgery attacks. It contains a randomly generated token that is validated on each form submission.

16.2 Functional Cookies

These cookies remember your preferences and settings to enhance your experience:

• Editor theme preferences (light/dark mode for Ace Editor, CodeMirror);
• Layout preferences (panel sizes in split-screen views);
• Language and localisation settings.

16.3 Analytics Cookies

With your consent, we may use analytics cookies to understand how Users interact with the Platform. These cookies collect information in an aggregated form and help us identify usage patterns, popular features, and areas for improvement. We do not use third-party analytics services that track you across other websites.

16.4 Local Storage

In addition to cookies, the Platform uses browser local storage (via the localForage library) to store Dojo project data, unsaved editor content, and cached assets on your device. This data remains on your device and is not transmitted to our servers unless you explicitly save or submit your work. You can clear local storage through your browser settings.

16.5 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies, though this may affect the functionality of the Platform (particularly authentication and CSRF protection). For detailed instructions on managing cookies in your browser, please see our Cookie Policy.

17. Third-Party Services and CDN Resources

The Platform loads resources from third-party Content Delivery Networks (CDNs) to deliver functionality and optimise performance. When your browser loads these resources, the CDN provider receives your IP address, User-Agent string, and other HTTP headers as part of the standard HTTP request. The following CDN resources are used:

Each of these providers operates under their own privacy policy:

• Google Fonts — Google's Privacy Policy applies (https://policies.google.com/privacy). Google states that Google Fonts requests do not use cookies and that the Google Fonts API is designed to limit the collection, storage, and use of data to what is needed to serve fonts efficiently;
• Cloudflare (cdnjs) — Cloudflare's Privacy Policy applies (https://www.cloudflare.com/privacypolicy/). Cloudflare may process limited traffic data including IP addresses for security and performance purposes;
• jsDelivr — jsDelivr's Privacy Policy applies. jsDelivr is an open-source CDN that does not use cookies for tracking purposes;
• esm.sh — esm.sh is an open-source CDN for ES modules. Standard HTTP server logs may be maintained by the operator.

We do not control and are not responsible for the data processing practices of these third-party CDN providers. The data transmitted (IP address, browser information) is inherent to how the internet works — any time your browser requests a resource from any server, this technical information is transmitted. We select CDN providers that we believe maintain responsible data practices and minimise data collection.

17.1 Subresource Integrity

Where supported, we use Subresource Integrity (SRI) attributes on CDN-loaded scripts to ensure that the files delivered by CDNs have not been tampered with. This protects you from supply-chain attacks that could inject malicious code through compromised CDN resources.

18. AI and Automated Processing

The Platform incorporates AI-powered features to enhance the educational experience. This section describes how AI is used, what data is processed, and the safeguards we implement.

18.1 What AI Is Used For

AI features on the Platform include:

• Code feedback — when you use the AI feedback feature in Code Studio or Data Studio, your code is submitted to a third-party AI API to generate suggestions, identify errors, explain concepts, and provide learning guidance;
• Hint generation — AI may be used to generate contextual hints for coding challenges and design exercises;
• Auto-grading assistance — AI may supplement rule-based auto-grading by providing additional feedback on code quality, style, and approach;
• Content recommendations — AI may analyse your learning progress and preferences to suggest relevant courses, lessons, or challenges.

18.2 Data Fed to AI

When AI features are invoked, the following data may be sent to the AI API provider:

• The source code or content you have written in the editor;
• The lesson or challenge instructions (for context);
• Error messages from your code execution;
• Your specific question or request for feedback.

We do not send the following to AI providers: your name, email address, IP address, account credentials, educational records, or any personally identifiable information. AI requests are associated with anonymised session identifiers only.

18.3 AI Data Retention by Providers

Our AI API provider agreements specify that:

• Input data (your code/content) is processed in real-time and is not retained by the AI provider after generating a response, except as required for short-term processing;
• Your code and content is not used by the AI provider to train, fine-tune, or improve their AI models;
• The AI provider acts as a data processor under our instructions and is bound by our Data Processing Agreement.

18.4 Human Oversight

AI-generated feedback is presented as a learning aid, not as a definitive assessment. The following human oversight mechanisms are in place:

• AI feedback is clearly labelled as AI-generated throughout the Platform;
• Students can always request review by a human instructor;
• Final grades and formal assessments are determined by instructors, not by AI;
• AI feedback does not affect your academic record, XP, achievements, or progression — it is advisory only;
• Instructors and administrators can review AI feedback logs to ensure quality and accuracy.

18.5 Opting Out of AI Features

AI feedback features are optional. You can choose not to use them, and doing so will not limit your access to the Platform's core educational features. No AI processing occurs unless you actively invoke the AI feedback button. We do not use AI to make automated decisions that produce legal effects or similarly significantly affect you without human involvement.

18.6 Auto-Grading

The Platform uses automated systems (test case validation, style checking, computed CSS property verification) to assess code and design submissions. These systems are rule-based and deterministic — they compare your output against predefined expected results. Auto-grading results are always subject to instructor review and override. Auto-grading does not constitute solely automated decision-making under GDPR Article 22, as it does not produce legal effects and human review is always available.

19. Educational Records and FERPA

This section provides specific information about our compliance with the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g) for educational institutions in the United States that use the Platform.

19.1 Druid Learning Hub as a School Official

When an educational institution (school, school district, or other educational agency) uses the Platform for its students, Druid Learning Hub functions as a "school official" with a "legitimate educational interest" under FERPA § 99.31(a)(1). We process student educational records only at the direction of the educational institution and only for the purpose of providing the educational services described in our agreement with the institution. We do not use educational records for any purpose other than providing and improving the educational service.

19.2 Educational Records We Maintain

The following data maintained by the Platform may constitute "educational records" under FERPA when they are directly related to a student and are maintained by us on behalf of an educational institution:

• Student name, student ID (as provided by the school), and class/section assignments;
• Course enrolment records;
• Lesson progress, completion status, and time-on-task;
• Quiz and assessment scores;
• Code and content submissions and associated grades;
• Instructor feedback and comments on submissions;
• Achievement records (XP, badges, certifications);
• Attendance and engagement metrics.

19.3 FERPA-Compliant Disclosures

We disclose educational records only as permitted under FERPA, including:

• To school officials (teachers, administrators) within the student's educational institution who have a legitimate educational interest (§ 99.31(a)(1));
• To parents of students under 18, or to eligible students (those 18 or older), upon request (§ 99.10);
• To comply with a judicial order or lawfully issued subpoena, with advance notice to the parent or eligible student where required (§ 99.31(a)(9));
• In connection with a health or safety emergency, to appropriate parties (§ 99.31(a)(10));
• As directory information, only where the school has provided public notice and the parent or student has not opted out (§ 99.31(a)(11)).

We do not disclose educational records to employers, recruiters, marketing companies, or any other third party not authorised under FERPA.

19.4 Institutional Responsibilities

Educational institutions using the Platform are responsible for:

• Providing annual FERPA notification to parents and eligible students;
• Designating Druid Learning Hub as a school official in their annual notification;
• Obtaining any necessary parental consents for the use of the Platform;
• Notifying Druid Learning Hub of any FERPA-related requests or complaints received from parents or eligible students;
• Determining which data, if any, constitutes directory information under their policies.

19.5 Data Return and Deletion

Upon termination of our agreement with an educational institution, we will, at the institution's direction, either return all educational records to the institution in a structured, machine-readable format or securely delete them. Deletion will be completed within 60 days of the institution's written request, and we will provide written confirmation of deletion. We will not retain copies of educational records after deletion, except as required by law.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, the Platform's features, applicable laws, or industry best practices. When we make changes, we will:

• Update the "Last Updated" date at the top of this Privacy Policy;
• Post the revised Privacy Policy on this page;
• For material changes (changes that significantly affect your rights, the categories of data we collect, or the purposes of processing), we will provide prominent notice through one or more of the following channels:
  • A banner notification on the Platform;
  • An email notification to the email address associated with your account;
  • A notification in your Platform dashboard;
• Allow a notice period of at least 30 days before material changes take effect, to give you time to review the changes and exercise your rights;
• Where required by law (e.g., where consent is the legal basis for processing), seek fresh consent for the changed processing activities.

For changes that relate to children's data or educational records, we will notify parents and educational institutions separately and ensure compliance with COPPA and FERPA notification requirements.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Your continued use of the Platform after the effective date of a revised Privacy Policy constitutes your acknowledgement of the changes. If you do not agree with the revised Privacy Policy, you should discontinue use of the Platform and may request deletion of your account and personal data.

Previous versions of this Privacy Policy are available upon request by contacting privacy@druidlearninghub.com.

21. Contact Information and Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy, the processing of your personal data, or your privacy rights, please contact us using the following details:

21.1 Supervisory Authorities

If you are not satisfied with our response to your inquiry or believe that we are processing your personal data in violation of applicable law, you have the right to lodge a complaint with the relevant supervisory authority:

• Nigeria — Nigeria Data Protection Commission (NDPC), https://ndpc.gov.ng
• European Union — The supervisory authority in the EU Member State of your habitual residence or place of work. A list of EU supervisory authorities is maintained by the European Data Protection Board at https://edpb.europa.eu
• United Kingdom — Information Commissioner's Office (ICO), https://ico.org.uk
• South Africa — Information Regulator, https://inforegulator.org.za
• United States (FERPA) — Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Avenue SW, Washington, DC 20202
• United States (COPPA) — Federal Trade Commission (FTC), https://www.ftc.gov

21.2 Response Times

We aim to respond to all data protection inquiries and rights requests within the following timeframes:

• GDPR requests — within one month of receipt (extendable by two further months for complex requests, with notification to you);
• NDPA/NDPR requests — within a reasonable time as prescribed by the NDPC;
• CCPA/CPRA requests — within 45 days of receipt (extendable by an additional 45 days with notification);
• COPPA requests — we will respond within a reasonable time, and in no event more than 30 days;
• General inquiries — within 14 business days.

All rights requests are provided free of charge. In exceptional circumstances where requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee based on administrative costs or refuse the request, in accordance with GDPR Article 12(5). We will inform you of the reasons for any refusal and your right to complain to a supervisory authority.