Privacy Policy

Last updated: January 1, 2025

1. Introduction

SMERP Tek ("Company," "we," "us," or "our") operates the SMERP EDU platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy applies to all users of our Service, including educational institutions ("Institutions"), their staff ("Administrators"), and students or other individuals whose data is processed through our platform ("End Users").

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Name, email address, phone number, job title, institution name, and login credentials when you create an account.
• Profile Information: Profile photos, biographical information, and professional credentials you choose to add.
• Educational Records: Student enrollment data, academic records, attendance, grades, and other educational information uploaded by Institutions.
• Financial Information: Billing addresses, payment card details (processed securely by Stripe), and transaction history.
• Communications: Messages, support tickets, feedback, and other communications you send us.

2.2 Information Collected Automatically

• Device Information: IP address, browser type, operating system, device identifiers, and hardware settings.
• Usage Data: Pages visited, features used, time spent, click patterns, and navigation paths.
• Log Data: Server logs including access times, error logs, and API call records.
• Cookies and Similar Technologies: See our Cookie Policy for details.

2.3 Information from Third Parties

• Single Sign-On Providers: If you authenticate via Google or Microsoft, we receive basic profile information from those services.
• Payment Processors: Transaction status and limited payment information from Stripe.
• Integration Partners: Data from third-party systems your Institution chooses to integrate.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Service
• Process transactions and send related information
• Send administrative notifications (service updates, security alerts)
• Respond to comments, questions, and support requests
• Monitor and analyze usage patterns and trends
• Detect, investigate, and prevent fraudulent or unauthorized activity
• Comply with legal obligations and enforce our terms
• Develop new features based on user feedback and usage patterns

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA) and UK, we process personal data under the following legal bases:

• Contract Performance: Processing necessary to provide our Service to you.
• Legitimate Interests: Processing for our legitimate business interests, such as improving our Service and preventing fraud.
• Legal Compliance: Processing necessary to comply with applicable laws.
• Consent: Where you have given specific consent (e.g., marketing communications).

5. Information Sharing and Disclosure

We do not sell your personal information. We may share information in these circumstances:

5.1 With Service Providers

We share data with third-party vendors who perform services on our behalf:

• Stripe: Payment processing
• Google Cloud / Microsoft Azure: Cloud hosting and infrastructure
• Cloudinary: Media storage and optimization
• Resend: Email delivery
• Twilio: SMS notifications
• Elasticsearch: Search functionality

5.2 With Your Institution

If you are an End User (e.g., a student), your Institution may access your data as the data controller.

5.3 For Legal Reasons

We may disclose information when required by law, court order, or government request, or to protect our rights, privacy, safety, or property.

5.4 Business Transfers

In connection with any merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

6. International Data Transfers

We are headquartered in Dubai, United Arab Emirates. Your data may be transferred to and processed in countries outside your country of residence, including the UAE, EU, and USA.

For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. For transfers from other jurisdictions, we implement appropriate safeguards as required by applicable law.

7. Data Security

We implement comprehensive security measures to protect your data:

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• Field-level encryption for sensitive PII
• Multi-factor authentication support
• Regular security audits and penetration testing
• SOC 2 Type II certification
• Employee security training and background checks

While we strive to protect your data, no method of transmission or storage is 100% secure. Please see our Security Practices document for more details.

8. Data Retention

We retain your information for as long as:

• Your account is active
• Needed to provide services to you or your Institution
• Required by applicable law (e.g., tax records, legal holds)
• Necessary to resolve disputes or enforce agreements

For educational records, retention periods are typically governed by your Institution's policies and applicable education laws. After the retention period, data is securely deleted or anonymized.

9. Your Rights

Depending on your location, you may have the following rights:

9.1 GDPR Rights (EEA/UK)

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Limit how we process your data
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Where processing is based on consent

See our GDPR Data Subject Rights guide for detailed instructions.

9.2 CCPA/CPRA Rights (California)

• Right to know what personal information we collect
• Right to delete personal information
• Right to opt-out of sale (we do not sell personal information)
• Right to non-discrimination for exercising your rights
• Right to correct inaccurate personal information
• Right to limit use of sensitive personal information

9.3 UAE PDPL Rights

Under the UAE Personal Data Protection Law, you have rights to access, correct, and delete your personal data, as well as restrict and object to certain processing activities.

10. Children's Privacy

Our Service may process data of students under 13 years old through educational institutions. We comply with COPPA (Children's Online Privacy Protection Act) and FERPA (Family Educational Rights and Privacy Act).

Schools using SMERP EDU are responsible for obtaining appropriate consents from parents/guardians as required by law. We do not knowingly collect personal information directly from children under 13 without verified parental consent.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice (e.g., email notification).

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights:

If you are in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.