Privacy Policy

1. Introduction & Scope

This Privacy Policy ("Policy") describes how CodewithCbee ("we", "us", "our", or "the Platform") collects, uses, stores, shares, and protects your personal information when you access or use our website, applications, and related services (collectively, "the Service"). This Policy applies to all categories of users, including Students, Creators (course authors), Schools and institutional administrators, Parents and legal guardians, and general site visitors. By registering for an account or otherwise using the Service, you acknowledge that you have read, understood, and agree to the practices described herein. If you are under 18 years of age, you confirm that your parent or legal guardian has reviewed this Policy and consented on your behalf.

2. Definitions

• "Personal Data" means any information that identifies, relates to, or could reasonably be linked to an identifiable individual.
• "Processing" means any operation performed on Personal Data, whether automated or manual, including collection, recording, organisation, storage, retrieval, use, disclosure, or deletion.
• "Student" means an individual enrolled in one or more courses on the Platform, whether independently or through a school.
• "Creator" means an individual or entity that creates, publishes, or manages educational content on the Platform.
• "School" means an educational institution registered on the Platform that manages students, funds course access, and monitors academic progress.
• "Parent/Guardian" means the parent or legal guardian of a Student under 18 years of age.
• "Service Provider" means a third-party entity that processes Personal Data on our behalf to deliver specific functionality (e.g. payment processing, email delivery, data hosting).

3. Information We Collect

We collect different categories of information depending on your role and how you interact with the Service:

• Account Registration Data: full name, email address, username, password (stored in hashed form), date of birth, and avatar selection. School students also provide their school affiliation and class or grade level.
• Creator Profile Data: display name, institutional affiliation, biography, website URL, and uploaded logo or profile image.
• School Registration Data: school name, contact person name and email, physical address, city, state or region, and administrator login credentials.
• Parent/Guardian Data: parent or guardian name, email address, and selected report frequency (weekly or monthly), collected when a minor under 16 registers with parental consent.
• Learning & Progress Data: lesson completions, quiz scores, assignment submissions, course enrolment records, certificate issuances, earned points, achievement unlocks, and leaderboard rankings.
• Payment Data: transaction reference identifiers, payment amounts, payment status, and payment method type (e.g. card, bank transfer). We never collect, store, or have access to your full card number, CVV, or bank login credentials — these are handled exclusively by our PCI-DSS compliant payment processors.
• Community & User-Generated Content: blog posts, comments, discussion replies, community reactions, engagement data, and any flagged or reported content.
• Automatically Collected Data: IP address, device type and operating system, browser type and version, referring URL, pages visited, time spent on pages, and general geographic location (country/region level) derived from your IP address.
• Communication Data: correspondence sent to our support team, feedback submissions, booking requests, and any other communication directed to us through the Platform.

4. How We Use Your Information

We process your Personal Data for the following purposes:

• Providing the Service: creating and managing your account, processing enrolments, tracking learning progress, issuing certificates, and maintaining leaderboard rankings.
• Payment Processing: initiating and verifying payment transactions, recording transaction history, managing premium subscriptions, processing creator payouts, and funding school-sponsored enrolments.
• Communication: sending transactional notifications (payment receipts, enrolment confirmations, certificate availability), system alerts, password reset instructions, and parent/guardian progress reports.
• Safety & Moderation: moderating community content, reviewing flagged posts, enforcing community guidelines, and maintaining a safe environment suitable for minors.
• Security & Fraud Prevention: detecting and preventing unauthorised access, fraudulent transactions, account abuse, and other security threats through log analysis, anomaly detection, and webhook signature verification.
• Platform Improvement: analysing aggregated, anonymised usage patterns to identify technical issues, improve user experience, optimise course recommendations, and develop new features.
• Legal Compliance: fulfilling our obligations under applicable laws, responding to lawful data requests from regulatory authorities, and enforcing our Terms of Service.
• We do not sell, rent, or trade your Personal Data to any third party for advertising, marketing, or profiling purposes. We do not use your data for behavioural advertising or automated decision-making that produces legal effects.

5. Children’s Privacy

We take the privacy of children extremely seriously. Our Platform is designed as an educational tool for learners of all ages, and we have implemented specific protections for minors: Age Verification: During registration, we collect the user’s date of birth. Users under 16 are required to provide verifiable parental or guardian consent before account creation is completed. Parental Consent: For users under 16, we collect the parent or guardian’s name, email address, and explicit consent acknowledgement. The parent or guardian receives a welcome email confirming the child’s registration and the frequency of progress reports they will receive. Minimal Data Collection: We collect only the minimum information necessary to provide the educational service. We do not request or store unnecessary personal details from minors. Moderated Environment: All community features (blog posts, comments, discussions) are actively moderated. The Platform is entirely advertisement-free. No external links, promotional content, or inappropriate material is presented to users. Parental Rights: Parents and guardians may at any time: (a) review all personal data held about their child; (b) request correction of inaccurate data; (c) request complete deletion of their child’s account and associated data; (d) withdraw consent for continued data processing, which will result in account deactivation; or (e) adjust the frequency and content of progress reports. We comply with the Nigerian Child Rights Act (2003), the Nigeria Data Protection Act (NDPA) 2023, and align our practices with internationally recognised standards for children’s online privacy protection.

6. Data Sharing & Third Parties

We share your Personal Data only with the following categories of Service Providers, solely as necessary to operate and deliver the Service:

• Cloud Infrastructure & Database Provider: We use a reputable cloud database and authentication provider to host our application data, manage user authentication, store uploaded files, and deliver real-time features. Your data is stored in secure, encrypted environments with strict access controls.
• Payment Processors: We use licensed, PCI-DSS compliant payment processors to handle all financial transactions. These processors receive only the information necessary to initiate, verify, and complete payments (e.g. email, transaction amount, reference). We never transmit your full card details through our servers.
• Email Delivery Service: We use a transactional email service to deliver account notifications, verification emails, password reset links, parent/guardian reports, and system communications. This service receives only the recipient email address and the email content.
• All Service Providers are contractually bound to process your data solely for the purposes we specify, maintain appropriate security measures, and delete or return data when the processing relationship ends. We do not share your data with advertisers, data brokers, social media platforms, or any entity for purposes unrelated to delivering the Service.
• We may disclose your data if required to do so by law, regulation, legal process, or enforceable governmental request, or to protect the rights, safety, or property of CodewithCbee, our users, or the public.

7. Cookies, Local Storage & Tracking Technologies

We use only essential cookies and browser local storage to provide core Platform functionality: Session Cookies: Used to maintain your authenticated session, remember your login state, and enable secure navigation between pages. These are strictly necessary and cannot be disabled without losing access to authenticated features. Local Storage: Used to store user preferences (e.g. display settings), cache non-sensitive UI state, and enable offline resilience for certain features. We do NOT use: advertising or targeting cookies; third-party tracking pixels or beacons; social media sharing trackers; cross-site tracking technologies; fingerprinting techniques; or any analytics cookies that transmit data to external advertising networks. Because we use only essential cookies, no cookie consent banner is required under most privacy regulations. However, you can manage cookies through your browser settings — note that disabling session cookies will prevent you from logging into the Platform.

8. Data Security

We implement comprehensive, multi-layered security measures to protect your Personal Data: Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS 1.2 or higher. No unencrypted connections are accepted. Encryption at Rest: Sensitive data stored in our database is encrypted at rest using industry-standard AES-256 encryption. Authentication Security: Passwords are hashed using bcrypt with appropriate salt rounds. Session tokens are cryptographically signed and expire after a defined period of inactivity. Sensitive operations require re-authentication. Access Controls: We enforce row-level security policies ensuring that users can access only their own data. Role-based access controls strictly separate Student, Creator, School, and Administrator permissions. Administrative access requires elevated authentication. Payment Security: All payment webhook communications are verified using HMAC cryptographic signatures to prevent tampering and replay attacks. We never store sensitive payment credentials on our servers. Infrastructure Security: Our hosting infrastructure employs network-level firewalls, intrusion detection, regular security patching, and automated vulnerability scanning. Incident Response: We maintain an incident response plan. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant regulatory authorities within 72 hours of becoming aware of the breach, as required by applicable law. While no system can guarantee absolute security, we continuously review and improve our security practices in line with industry best practices and evolving threats.

9. Creator-Specific Provisions

If you register as a Creator, the following additional provisions apply:

• Content & Intellectual Property: Course content you upload remains your intellectual property. By publishing on the Platform, you grant us a non-exclusive, worldwide licence to host, display, and distribute your content to enrolled students. This licence terminates when you remove your content, subject to any ongoing enrolments.
• Earnings & Payout Data: We collect and store records of course sales, commission calculations, and payout amounts. Payout transaction records are retained as required by tax and financial regulations.
• Public Profile: Your Creator display name, biography, institution, and published courses are publicly visible on the Platform. Your email address is never publicly displayed.
• Approval Process: Creator applications are reviewed by our administrative team. During this process, the information you provided during registration is reviewed solely to verify your identity and suitability as a content creator.
• Content Removal: If your content is removed for policy violations, we retain a record of the removal and the reason for our internal compliance records.

10. School-Specific Provisions

If you register as a School, the following additional provisions apply:

• Student Data Responsibility: Schools are responsible for ensuring they have appropriate authority and consent to enrol students on the Platform. The school administrator acts as the data controller for student data collected within the school’s institutional context.
• Administrative Access: School administrators can view enrolled students’ names, email addresses, enrolment status, and learning progress within courses funded by the school. Administrators cannot access students’ passwords, private community activity, or data unrelated to school-funded courses.
• Funding & Payment Records: Records of school subscription payments, course-funding transactions, and enrolment funding are maintained for the school’s billing and audit purposes.
• Data Portability: Schools may request an export of all student data associated with their institution. Requests are processed within 30 days.
• Termination: If a school terminates its account, student accounts created through the school remain active as independent accounts unless the student or their parent/guardian requests deletion.

11. Parent & Guardian Rights

Parents and legal guardians of minor students have specific rights under this Policy:

• Right of Access: You may request a complete copy of all Personal Data held about your child at any time.
• Right of Correction: You may request that inaccurate or incomplete data about your child be corrected.
• Right of Deletion: You may request that your child’s account and all associated data be permanently deleted. Deletion requests are processed within 30 days.
• Right to Withdraw Consent: You may withdraw your consent for your child’s data processing at any time. Withdrawal will result in account deactivation and cessation of all data processing except where retention is required by law.
• Right to Restrict Processing: You may request that we limit how your child’s data is used (e.g. disable community participation while retaining course access).
• Progress Reports: You will receive regular progress reports about your child’s learning activity at the frequency you selected during registration (weekly or monthly). You may change this frequency or opt out by contacting us.
• To exercise any of these rights, contact us at privacy@codewithcbee.com with the subject line "Parental Request" and include your child’s registered email address or username for verification.

12. Your Rights (All Users)

Regardless of your role, you have the following rights concerning your Personal Data:

• Right of Access: You can view most of your Personal Data directly from your Profile and Settings pages. For a comprehensive data export, contact us.
• Right of Correction: You can update your name, email, username, avatar, and other profile fields at any time through your account settings.
• Right of Deletion: You may request complete account deletion by contacting privacy@codewithcbee.com. Upon verification, we will delete your account and associated Personal Data within 30 days, subject to legal retention requirements.
• Right to Data Portability: You may request a machine-readable copy of your Personal Data (including learning progress, certificates earned, and account information).
• Right to Restrict Processing: You may request that we limit certain processing activities while retaining your account.
• Right to Object: You may object to specific processing activities by contacting us. We will cease the contested processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) or any other applicable supervisory authority if you believe your data protection rights have been violated.
• We will respond to all rights requests within 30 days. In complex cases, we may extend this period by an additional 60 days, in which case we will notify you of the extension and the reasons for the delay.

13. Data Retention & Deletion

We retain your Personal Data only for as long as necessary to fulfil the purposes described in this Policy: Active Accounts: Data is retained for the duration of your active account. Inactive accounts (no login for 24 consecutive months) may be flagged for review, and you will be notified before any action is taken. Account Deletion: When you request account deletion, we permanently delete your Personal Data within 30 days, except for: (a) Payment and transaction records, which are retained for seven (7) years as required by Nigerian financial regulations and tax law; (b) Anonymised, aggregated data that cannot be linked back to you, which may be retained indefinitely for statistical purposes; (c) Data required to resolve any pending disputes, enforce our Terms of Service, or comply with ongoing legal obligations; (d) Backup copies, which are purged in accordance with our backup rotation schedule (maximum 90 days). Community Content: If you delete your account, your published community posts and comments will be anonymised (attributed to "Deleted User") rather than deleted, to preserve the integrity of discussion threads. You may request full deletion of community content prior to account deletion.

14. International Data Transfers

Our primary data infrastructure is hosted in secure data centres. However, certain Service Providers may process data in jurisdictions outside Nigeria. Where your data is transferred internationally, we ensure that: (a) The receiving jurisdiction provides an adequate level of data protection, or (b) Appropriate safeguards are in place, including standard contractual clauses approved by relevant data protection authorities, binding corporate rules, or equivalent mechanisms, or (c) You have explicitly consented to the transfer after being informed of the potential risks. We conduct regular assessments of our Service Providers’ data protection practices to verify ongoing compliance with these requirements.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes: (a) We will send a notification email to all registered users at their registered email address; (b) We will display a prominent notice on the Platform; (c) We will update the "Last Updated" date at the top of this page; (d) For changes that materially affect children’s data processing, we will seek renewed parental consent where required. Continued use of the Service after the effective date of changes constitutes your acceptance of the revised Policy. If you do not agree with the updated Policy, you may delete your account as described in Section 13.

16. Contact Information

If you have questions about this Privacy Policy, wish to exercise any of your data rights, or have concerns about how your Personal Data is handled, please contact us: Email: privacy@codewithcbee.com Subject Line: Please include "Privacy Inquiry", "Data Request", "Parental Request", or "Deletion Request" as appropriate. Response Time: We aim to respond to all inquiries within 5 business days and to fulfil all formal data requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) or any other supervisory authority with jurisdiction over your data protection concerns.