Privacy Policy
Effective Date: October 10, 2025
This Privacy Policy details how Ednux processes Personal Data related to the operation of the LMS and the VCL. We are committed to processing data in accordance with GDPR and CCPA principles, emphasizing privacy-by-design and Self-Sovereign Identity (SSI) principles.
1. Data Controller and Legal Framework
Data Controller: Ednux Technology Services.
Joint Controllership: Where you are enrolled through an institution (Issuer), Ednux and the Issuer may operate as joint controllers for the purposes of educational data processing, with responsibilities delineated by separate agreement.
Legal Basis: Processing is primarily based on Contractual Necessity (Article 6(1)(b) of GDPR) to deliver the LMS and VCL, and Legitimate Interest (Article 6(1)(f) of GDPR) for auditing and refining the Interpretable ML Engine's fairness.
2. Categories of Personal Data Processed
| Data Category | Specific Data Points | Purpose of Processing |
|---|---|---|
| A. Identity & Account Data | Full Name, Email, Institutional ID, Hashed Password, Decentralized Identifier (DID). | Account provisioning, identity resolution for VC issuance, and secure access via Clerk. |
| B. Performance & Interaction Data | Course completion rates, assessment results, submission frequency, collaborative efficacy metrics, time-on-task. | Primary input for the Interpretable ML Engine to calculate objective competency metrics. |
| C. Cryptographic Data | Public Key, VC Hash, VC Revocation Status (on Stellar). | Anchoring the proof of the VC on the Stellar Soroban VDR. This public data contains no direct identifying Personal Data. |
3. Purpose of Processing and Data Minimization
3.1. Core Service Delivery
Data is processed to provide the personalized LMS experience and issue W3C-compliant VCs.
3.2. Interpretable ML Engine Operation
Performance Data is used to train and run the Interpretable ML Engine. This process is continuously audited to ensure algorithmic fairness and mitigate bias in competency scoring, aligning with ethical data practices.
3.3. Stellar VDR Usage (Data Minimization)
We adhere to strict data minimization. We only record the cryptographic hash and revocation status of the VC on the public Stellar Soroban ledger. Your name, scores, and private educational records remain securely in our off-chain database.
4. Data Sharing and Transfer
4.1. Issuing Institutions
We share Performance and Identity Data with your Issuer to comply with their pedagogical and regulatory requirements and to enable them to issue VCs.
4.2. Holder-Controlled Disclosure (SSI)
When you, the Holder, choose to present a VC to a third-party Verifier (e.g., an employer), the sharing is executed under your control. Ednux facilitates this by supporting the use of Zero-Knowledge Proofs (ZKP), allowing you to prove a claim without disclosing the underlying raw, sensitive metric.
4.3. Data Transfer (International)
Data may be transferred to and processed in jurisdictions outside your country of residence. We ensure that any international data transfers are protected by adequate legal mechanisms (e.g., Standard Contractual Clauses, where applicable).
Outside the EU/EEA (including African countries): Where Personal Data is processed in countries that are not subject to the GDPR (for example, Nigeria, Kenya, South Africa, Ghana), Ednux aligns its practices to local privacy frameworks while maintaining GDPR-level safeguards.
- Nigeria (NDPR – Nigeria Data Protection Regulation): When processing data of Nigerian residents, we apply NDPR principles of lawfulness, purpose limitation, data minimization, and security; and we execute appropriate Data Processing Agreements (DPAs) and, where required, conduct DPIAs. Cross‑border transfers follow NDPR provisions on adequate protection and contractual safeguards.
- Kenya (Data Protection Act, 2019): We honor requirements on consent, purpose limitation, data subject rights, and registration of data controllers/processors where applicable, and use appropriate transfer mechanisms recognized by the Office of the Data Protection Commissioner (ODPC).
- South Africa (POPIA): We comply with the conditions for lawful processing, information quality, openness, and security safeguards. International transfers occur only where the recipient jurisdiction or contract provides an adequate level of protection as contemplated under POPIA.
- Other African jurisdictions: Where specific national privacy statutes apply, we map those obligations to our GDPR controls (access, rectification, erasure, portability, objection) and ensure contractual and technical measures meet or exceed local standards.
In all cases, we implement encryption in transit and at rest, strict access controls, and minimum‑necessary processing. Where local law conflicts with GDPR, we adopt the more protective standard for the data subject.
5. Your Data Rights (GDPR/CCPA Alignment)
You maintain full control over your Personal Data, subject to the limitations imposed by the decentralized ledger:
5.1. Right of Access and Portability
You have the right to obtain confirmation of whether your data is being processed. Since Ednux VCs are built on SSI, your core verifiable data is inherently portable and available in your digital wallet.
5.2. Right to Rectification
You can request the correction of inaccurate data in our centralized LMS records.
5.3. Right to Erasure ("Right to be Forgotten")
You may request the deletion of your Personal Data from the Ednux centralized database. Limitation: You acknowledge that the cryptographic data (hash and revocation status) anchored to the immutable Stellar Soroban VDR cannot be deleted or modified due to the core principles of Distributed Ledger Technology.
5.4. Restriction, Objection, and Direct Marketing Controls
You may request that we restrict processing in specific circumstances (e.g., while accuracy is contested) and you may object to processing based on legitimate interests, including profiling. Where we rely on legitimate interests, we will honor your objection unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You can opt out of direct marketing at any time.
5.5. Automated Decision‑Making and Profiling Transparency
Ednux uses an Interpretable ML Engine to compute competency metrics. These scores are designed to be explainable and auditable. You have the right to obtain meaningful information about the logic involved, the significance, and the envisaged consequences of such processing, and to request human review where legally required.
5.6. Withdrawal of Consent
Where processing is based on consent (e.g., certain analytics or communications), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
5.7. Complaints to Supervisory Authorities (Regional)
You may lodge a complaint with a data protection authority in your jurisdiction:
- EU/EEA: Your local Data Protection Authority (DPA).
- Nigeria: Nigeria Data Protection Commission (NDPC) under the NDPR/NDP Act.
- Kenya: Office of the Data Protection Commissioner (ODPC).
- South Africa: Information Regulator (POPIA).
- Other regions: The competent supervisory authority defined by applicable law.
5.8. Identity Verification and Response Times
To protect your data, we may need to verify your identity before acting on a request. We aim to respond within one month (or the timeframe required by local law). Complex or numerous requests may take longer as permitted by law.
5.9. How to Exercise Your Rights
You can submit requests via in‑app privacy settings or by emailing support@ednux.com. Please specify the right you intend to exercise and any relevant context (e.g., course, Issuer, date range) to help us process your request efficiently.
6. Data Security and Retention
Data Security
We employ industry-standard technical and organizational measures, including encryption, pseudonymization, and tokenization, to protect Personal Data from unauthorized access or breach.
Data Retention
We retain Personal Data for the duration of your active account relationship or as required by our agreement with your Issuer. Pseudonymized, non-identifiable data may be retained indefinitely for the purpose of maintaining and auditing the historical integrity of the Interpretable ML Engine.
7. Contact Information
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: support@ednux.com
8. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top of this policy.