Privacy Policy

Last updated: 20 April 2026

1. Who we are

Aksusnet ("we", "us") operates the Aksusnet learning platform. This policy describes how we handle personal data when you use the platform as an individual learner, as an administrator of an organization workspace, or as a visitor to the public marketing site.

2. Data we collect

  • Account data: email address, first and last name (stored as a single display name), bcrypt password hash (never the plaintext password), OAuth identifiers when you sign in with Google.
  • Organization data: organization name, slug, member roles, invitation records.
  • Learning data: progress on trails, modules, and units; quiz attempts and scores; bookmarks; issued certificates.
  • Billing data: Stripe customer id, subscription status, current period end. Card details are handled by Stripe and never stored on our servers.
  • Operational data: request ids, IP addresses, user-agent strings, timestamps of security-relevant events (sign-in, invite accept, admin mutations).

3. How we use data

Personal data is used to provide the service (authentication, org membership, learning progress), to bill subscribing organizations via Stripe, to send transactional emails (invitations, password reset, verification), and to keep security audit trails. We do not sell personal data and we do not use it for advertising.

4. Legal basis (EU / UK)

  • Contract: to deliver the service you or your organization subscribed to.
  • Legitimate interest: to secure the platform and prevent abuse.
  • Consent: for optional features that require it; you can withdraw consent at any time.
  • Legal obligation: where a tax, accounting, or law enforcement request applies.

5. Processors and sub-processors

  • Stripe — payment processing, subscription management.
  • Google — optional OAuth sign-in.
  • SMTP email provider — transactional email delivery.
  • Hosting / database provider — infrastructure for the application and PostgreSQL database.

A current sub-processor list is maintained and available on request.

6. Retention

Account and learning data are retained for the lifetime of the account. On account deletion, personal identifiers are removed and learning records are anonymized or deleted in line with the owning organization's contract. Security audit entries are kept for a reasonable window to support incident investigation.

7. Your rights

Under GDPR / UK GDPR you may request access, rectification, erasure, restriction of processing, objection, and portability.

Self-service from your account. When you are signed in, the Privacy & data page lets you download a signed JSON export of the personal data we hold about you (access / portability) and submit an account-deletion request (erasure). Deletion requests are processed by a privacy operator after identity verification; you will receive an email confirmation when the request is actioned.

For any other GDPR request (rectification, restriction, objection) or questions about a self-service request, email privacy@aksusnet.eu. You also have the right to lodge a complaint with your local supervisory authority. Equivalent rights may exist in other jurisdictions and will be reviewed by counsel before go-live for each market.

8. Security

Traffic is served over TLS. Passwords are hashed with bcrypt (work factor 12). Authentication uses httpOnly, Secure, SameSite=Lax cookies. CSRF protection is enforced for state-changing browser requests via a double-submit cookie. Access to production data is limited to personnel with a specific operational need. Security-relevant events are logged with a request id for incident investigation.

9. Cookies

Aksusnet uses a small set of strictly necessary cookies for sign-in, session security, and CSRF protection. We do not run advertising or analytics cookies. Full details, including how to change your preferences, are in the Cookie Policy.

10. Other jurisdictions

This policy describes the GDPR / UK GDPR baseline we implement today. Equivalent privacy rights exist in other jurisdictions (for example the CCPA/CPRA in California) and will be reviewed by counsel before go-live for each target market. Until that review is complete, any jurisdiction-specific request should be sent to privacy@aksusnet.eu and we will respond in line with applicable law.

Aksusnet does not sell or share personal data for behavioural advertising, and we do not run analytics or advertising cookies at launch — see the Cookie Policy for the current list.

11. Changes

We may update this policy. Material changes will be announced in the application and/or by email to account holders. The effective date is shown at the top of this page.

12. Contact

Questions about this policy? Email privacy@aksusnet.eu. See also our Terms of Service and Cookie Policy.