By using the Service you consent to the practices described in this Policy. If you disagree, please do not use the Service.
1. Overview
Udemint ("Udemint", "we", "us", "our") provides an online learning platform. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit or use our website, mobile applications, or other services (collectively, the "Service").
2. Controller & Contact
Data controller: Udemint
Contact: privacy@udemint.org
3. Scope & Legal Basis
This Policy applies to personal data collected from users of the Service, including registered account-holders and visitors.
We process personal data on bases including: (i) performance of a contract (e.g., account & subscription management), (ii) legitimate interests (e.g., improving the Service, preventing abuse), (iii) consent (where required, e.g., analytics cookies), and (iv) legal compliance.
4. Categories of Personal Data We Collect
We collect only the personal data necessary for the Service. Representative categories:
Account & Identity Data
- Full name, display name
- Email address
- Profile image (optional)
- Password hash (we never store plaintext passwords)
Where stored: User model (name, email, image); password field in the Account model for local authentication, if used.
Authentication & Security Data
- Sessions and session tokens, session expiry.
- Two-factor authentication secrets and backup codes (encrypted).
- OAuth provider access/refresh tokens (encrypted), ID tokens, provider IDs.
Where stored: Session, Account, TwoFactor models.
Device & Technical Data
- IP address, device type, user agent, operating system, browser, timestamps.
Where stored: Session.ipAddress, Session.userAgent, logs.
Usage & Service Data
- Course watch history (courses watched, timestamps, progress, last-watched position).
- Preferences, saved bookmarks, search history.
Where stored: CourseHistory model.
Subscription Data
- Subscription plan, billing cycle, expiry date — we do not store any information regarding method of payment.
Where stored: Subscription model.
Support & Communications Data
- Messages you send to Support, email engagement (open/click metadata), marketing preferences.
Cookies & Tracking
- Necessary cookies for authentication and session management.
- Optional analytics and performance cookies (only with consent where required).
- Optional functional cookies for UX improvements.
5. How We Use Your Data (Purposes & Legal Bases)
- To provide and operate the Service — create accounts, authenticate sessions, store watch history, playback state (Contract).
- Subscription management — communicate billing notices (Contract).
- Security & fraud prevention — detect abuse, protect accounts (Legitimate interest).
- Product improvement & analytics — aggregate usage patterns to improve the Service (Legitimate interest or consent for analytics).
- Personalization — recommend courses, save preferences (Consent or Legitimate interest).
- Customer support & communications — respond to requests, send service notices (Contract / Legitimate interest).
- Legal compliance & enforcement — respond to lawful requests, enforce Terms of Service (Legal obligation/Legitimate interest).
6. Cookies & Similar Technologies
We use cookies, local storage, and similar technologies. Cookies fall into categories:
- Strictly necessary — required for login, session management, security. (No opt-out unless you disable essential functionality.)
- Functional — remember preferences and UI choices. (No opt-out unless you disable essential functionality.)
- Analytics — performance and usage analytics. (No opt-out unless you disable essential functionality.)
7. Data Retention
We retain personal data only as long as necessary for the purposes described:
- Active account data: retained while account exists.
- Sessions: retained while session exists.
- Two-factor secrets & backup codes: stored as long as the account is active; deleted upon account deletion. Encrypted at rest.
- Course watch history: retained for the duration of the active account.
- Logs & backups: aggregated/anonymized where possible; raw logs retained for a limited period (e.g., 90 days) for security.
8. User Rights (EU/UK/CA etc.)
Depending on your jurisdiction, you may have rights over your data, including:
- Access — request a copy of personal data we hold.
- Rectification — correct inaccurate or incomplete data.
- Deletion ("Right to be forgotten") — request deletion, subject to limits (legal obligations, transactional recordkeeping).
- Portability — receive your data in a machine-readable format (e.g., JSON/CSV).
- Restriction — request restriction of processing.
- Objection — object to certain processing (e.g., profiling / direct marketing).
- Withdraw consent — withdraw previously given consent (does not affect prior processing).
To exercise rights: send a request to privacy@udemint.org. We verify identity before fulfilling sensitive requests. We respond within applicable legal timeframes (e.g., 30 days in many jurisdictions).
9. Data Subject Requests — Practical Workflow
- Export: produce a JSON export containing: User fields, Account links (providers), CourseHistory entries, subscription metadata, and support interactions.
- Deletion: remove or anonymize PII from User, Session, TwoFactor, and related tables; redact or keep minimal retention records required by accounting/law.
- Correction: update User.name, User.email etc., and propagate to dependent data as necessary.
Make sure to log the request and its completion for auditability.
10. Sharing & Disclosures
We may share personal data in limited circumstances:
- Service providers / subprocessors — payment processors, hosting providers, analytics vendors, email delivery (we use contracts and only pass necessary data).
- With your consent — e.g., sharing your profile to a public leaderboard.
- Legal obligations — to comply with court orders, law enforcement, or to defend legal claims.
- Business transfers — in a merger or acquisition, with protections and notice to users.
We require subprocessors to maintain adequate safeguards (contractual terms, data processing agreements).
11. Cross-Border Transfers
If your data is transferred outside your jurisdiction (e.g., outside EEA), we rely on appropriate safeguards: standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms. We will notify users about cross-border transfers in jurisdictions that require it.
12. Security Measures
We maintain reasonable organizational, technical, and administrative controls to protect personal data:
- Encryption of data in transit (TLS) and at rest for sensitive fields (e.g., 2FA secrets, tokens).
- Password hashing using strong algorithms (e.g., Argon2, bcrypt).
- Minimum-privilege access controls; audit logging of admin access.
- Regular security testing, vulnerability scanning and patching.
- Incident response plan and breach notification procedures.
Despite these measures, no system is perfectly secure; we will notify affected users and regulators when required by law in the event of a breach.
13. Children
Our Service is not intended for children under the age of 18 (or local age of consent). We do not knowingly collect personal data from children. If we learn we have collected data from a child without parental consent, we will take steps to delete it.
14. Marketing Communications
We send service-related communications (account, billing, security). For promotional emails, we rely on opt-in consent where required. Users can opt out of marketing at any time via preferences or an unsubscribe link.
15. Third-Party Content & Links
The Service may link to third-party sites (e.g., course providers, social networks). We are not responsible for their privacy practices. Review those third parties' privacy policies.
16. Changes to This Policy
We may update this Policy periodically. Material changes will be communicated by email or prominent notice prior to the change taking effect where required. Continued use after updates constitutes acceptance.
17. How to Exercise Your Rights / Contact Us
To make a data request (access, deletion, portability, or objection), please email privacy@udemint.org with:
- Subject: Data Request
- Your name, account email, nature of request, and any supporting info to verify identity.
We will verify identity (e.g., by sending a confirmation email) before fulfilling sensitive requests.