Data Protection Policy

EdCarry is committed to protecting personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), and other relevant privacy regulations. This Data Protection Policy outlines our commitment and procedures for data protection.

1. Our Commitment

We are committed to protecting the privacy and security of personal data processed through our platform. We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved.

2. Data Controller and Processor

In providing our services, EdCarry acts as both a data controller and data processor:

• As Controller: We determine the purposes and means of processing data related to account management, billing, and platform administration.
• As Processor: We process data on behalf of educational institutions (schools) who determine the purposes and means of processing student and staff data.

3. Legal Basis for Processing

We process personal data based on the following legal bases:

• Contractual Necessity: To fulfill our contractual obligations to provide services
• Legitimate Interests: To improve our services, ensure security, and prevent fraud
• Legal Obligations: To comply with applicable laws and regulations
• Consent: Where we have obtained explicit consent for specific processing activities

4. Data Minimization and Purpose Limitation

We adhere to the principles of:

• Data Minimization: We only collect and process data that is necessary for the purposes for which it is processed
• Purpose Limitation: We only process personal data for specified, explicit, and legitimate purposes
• Storage Limitation: We retain personal data only for as long as necessary for the purposes for which it was collected

5. Data Security Measures

We implement comprehensive security measures including:

• Encryption: All data in transit is encrypted using TLS/SSL protocols. Data at rest is encrypted using industry-standard encryption algorithms
• Access Controls: Role-based access controls ensure that only authorized personnel can access personal data
• Authentication: Multi-factor authentication and strong password policies
• Network Security: Firewalls, intrusion detection systems, and regular security audits
• Backup and Recovery: Regular backups with secure storage and tested recovery procedures
• Security Monitoring: Continuous monitoring for security threats and vulnerabilities

6. Data Subject Rights

In accordance with GDPR and other applicable laws, data subjects have the following rights:

6.1 Right of Access

You have the right to obtain confirmation as to whether personal data concerning you is being processed and access to that data.

6.2 Right to Rectification

You have the right to have inaccurate personal data corrected and incomplete data completed.

6.3 Right to Erasure ("Right to be Forgotten")

Under certain circumstances, you have the right to request deletion of your personal data.

6.4 Right to Restrict Processing

You have the right to request restriction of processing in certain situations.

6.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

6.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interests.

6.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you.

To exercise any of these rights, please contact us at support@edcarry.org.

7. Data Processing Agreements

When we process data on behalf of educational institutions, we enter into Data Processing Agreements (DPAs) that define our responsibilities as data processors and ensure compliance with applicable data protection laws.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of individuals, we will:

• Notify the relevant supervisory authority within 72 hours, where feasible
• Notify affected data subjects without undue delay
• Provide details of the breach and measures taken to address it
• Document all data breaches for record-keeping purposes

9. International Data Transfers

When personal data is transferred outside the European Economic Area (EEA) or other regions with data protection laws, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by relevant authorities
• Adequacy decisions by relevant data protection authorities
• Other appropriate legal mechanisms to ensure adequate protection

10. Data Protection Officer

For inquiries regarding data protection, you may contact our data protection team at support@edcarry.org.

11. Compliance and Audits

We regularly review and update our data protection practices to ensure compliance with applicable laws. We may undergo third-party security audits and assessments to verify our security measures.

12. School Responsibilities

Educational institutions using EdCarry are responsible for:

• Obtaining necessary consents for student data in accordance with applicable laws (e.g., COPPA, FERPA)
• Ensuring they have the legal basis to process personal data uploaded to the platform
• Complying with data protection laws applicable to their jurisdiction
• Responding to data subject requests related to data they control

13. Contact Us

If you have questions or concerns about our data protection practices, please contact us:

You also have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal data violates applicable data protection laws.