Legal
Privacy Policy
Last updated: 2026-04-17
1. Data Controller
Design Excellent Group SL
NIF: B02759603
Calle Blanquerna 53, 07003 Palma de Mallorca, Spain
Email: [email protected]
2. What Data We Collect
2.1 Account data
When you register: full name, email address, role (creator or learner), and hashed password. If you sign in with Google, we receive your Google profile name, email, and avatar URL.
2.2 Course & learning data
Courses you create or enroll in, lesson progress, submission files you upload (PDF, DOCX, PPTX, ZIP), accessibility preferences (theme, font size, toolbar settings).
2.3 Technical data
IP address, browser type, device type, pages visited, timestamps. Collected automatically via server logs and Supabase analytics.
2.4 Tracking pixels (school-level)
If a school creator configures Meta Pixel, Google Tag Manager, or TikTok Pixel, the corresponding official script runs on that school's pages. Eduspera stores only the Pixel ID — never raw third-party code. You can manage your cookie preferences via our Cookie Policy.
3. Legal Basis for Processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) |
| Course delivery, progress tracking | Contract (Art. 6(1)(b)) |
| Accessibility preference storage | Consent (Art. 6(1)(a)) |
| Email notifications (submissions) | Legitimate interest (Art. 6(1)(f)) |
| Security logging, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Tracking pixels on school pages | Consent (Art. 6(1)(a)) via cookie banner |
| Contact form submissions | Consent (Art. 6(1)(a)) |
4. Data Retention
- Account data: retained while your account is active + 30 days after deletion request.
- Course content: retained while the course exists. Deleted when the creator deletes the course.
- Submission files: retained until the creator or learner deletes them, or 2 years after course deletion.
- Logs & IP addresses: 90 days.
- Contact form messages: 1 year.
5. Your Rights
Under GDPR (EU/EEA) and CCPA/CPRA (California), you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion ("right to be forgotten").
- Portability — receive your data in a machine-readable format.
- Restriction — limit how we process your data.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — at any time, without affecting prior processing.
- Do not sell / share (CCPA) — we do not sell or share personal information for cross-context behavioral advertising.
To exercise any right, email [email protected]. We respond within 30 days (GDPR) or 45 days (CCPA).
6. International Transfers
Your data is stored in the EU (Supabase Frankfurt region). Cloudflare Stream and OpenAI Whisper may process video/audio data in the US under Standard Contractual Clauses (SCCs). We do not transfer personal data outside the EU/EEA without adequate safeguards.
7. Children
Eduspera is not directed at children under 16 (EU) or 13 (US/COPPA). If we learn we have collected data from a child, we delete it promptly. Contact us at [email protected].
8. Security
We use HTTPS everywhere, Supabase Row Level Security for data isolation, hashed passwords (bcrypt), signed URLs for file access, and rate limiting on authentication endpoints. No security measure is perfect — if you discover a vulnerability, please report it to [email protected].
9. Cookies
See our Cookie Policy for details on which cookies we use and how to manage them.
10. Changes to This Policy
We may update this policy. Material changes will be communicated via email or a banner on the platform. The "Last updated" date at the top reflects the most recent version.
11. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) or your local supervisory authority.
12. Contact
Design Excellent Group SL
Calle Blanquerna 53, 07003 Palma de Mallorca, Spain
[email protected]